Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2022-25758][CVE-2020-24025] Bump node-sass to 7.0.3 and sass-loader to 10.4.1 in 2.x #3455

Merged
merged 2 commits into from
Feb 18, 2023

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Feb 17, 2023

Description

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

More analysis:
#1842 (comment)

Issues Resolved

#1067
#1842

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from a team as a code owner February 17, 2023 21:11
@ananzh ananzh changed the title [CVE-2022-25758][CVE-2020-24025] Bump node-sass to 7.0.3 and sass-loader to 10.4.1 [CVE-2022-25758][CVE-2020-24025] Bump node-sass to 7.0.3 and sass-loader to 10.4.1 in 2.x Feb 17, 2023
@ananzh ananzh force-pushed the 2.x-cve-node-sass branch 2 times, most recently from c02d4de to 7e207dd Compare February 17, 2023 21:15
abbyhu2000
abbyhu2000 previously approved these changes Feb 17, 2023
…der to 10.4.1 in 2.x

Bump node-sass to 7.0.3 and sass-loader to 10.4.1

Issue Resolved:
opensearch-project#1067
opensearch-project#1842

Signed-off-by: Anan Zhuang <[email protected]>
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend v2.6.0 labels Feb 17, 2023
Copy link
Member

@joshuarrrr joshuarrrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ananzh In #1118, @tmarkley said that this node-sass upgrade would require taking sass-loader to v12. Can you provide some more info on how you determined 10.4.1 was sufficient?

@@ -11,6 +11,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- [CVE-2022-25860] Bump simple-git from 3.15.1 to 3.16.0 ([#3345](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3345))
- [CVE-2020-36632] [REQUIRES PLUGIN VALIDATION] Bump flat from 4.1.1 to 5.0.2 ([#3419](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3419)). To the best of our knowledge, this is a non-breaking change, but if your plugin relies on `mocha` tests, validate that they still work correctly (and plan to migrate them to `jest` [in preparation for `mocha` deprecation](https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1572).
- [CVE-2023-25166] Bump formula from 3.0.0 to 3.0.1 ([#3416](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3416))
- [CVE-2022-25758][CVE-2020-24025] Bump node-sass to 7.0.3 and sass-loader to 10.4.1 in 2.x ([#3455](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3455))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- [CVE-2022-25758][CVE-2020-24025] Bump node-sass to 7.0.3 and sass-loader to 10.4.1 in 2.x ([#3455](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3455))
- [CVE-2022-25758][CVE-2020-24025] Bump node-sass from 6.0.1 to 7.0.3 and sass-loader from 10.2.1 to 10.4.1 ([#3455](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3455))

@joshuarrrr
Copy link
Member

Looks like the only breaking change in that node-sass bump is sass/node-sass#3149 (via https://github.com/sass/node-sass/releases/tag/v7.0.0). @ananzh Do you think we need an extra warning for plugin devs in the CHANGELOG? I don't know enough about how that breaking change would actually manifest itself.

@ananzh
Copy link
Member Author

ananzh commented Feb 18, 2023

Looks like the only breaking change in that node-sass bump is sass/node-sass#3149 (via https://github.com/sass/node-sass/releases/tag/v7.0.0). @ananzh Do you think we need an extra warning for plugin devs in the CHANGELOG? I don't know enough about how that breaking change would actually manifest itself.

I think see risks from quick glance but I think it is better to warn plugins.

@codecov-commenter
Copy link

Codecov Report

Merging #3455 (7fa8e08) into 2.x (a611452) will decrease coverage by 0.06%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##              2.x    #3455      +/-   ##
==========================================
- Coverage   66.53%   66.48%   -0.06%     
==========================================
  Files        3203     3203              
  Lines       61397    61397              
  Branches     9453     9453              
==========================================
- Hits        40853    40821      -32     
- Misses      18288    18315      +27     
- Partials     2256     2261       +5     
Flag Coverage Δ
Linux 66.48% <ø> (+<0.01%) ⬆️
Windows ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
src/dev/build/lib/get_build_number.ts 57.14% <0.00%> (-42.86%) ⬇️
src/setup_node_env/harden/child_process.js 38.46% <0.00%> (-38.47%) ⬇️
packages/osd-cross-platform/src/path.ts 51.21% <0.00%> (-34.15%) ⬇️
...ges/osd-apm-config-loader/src/config.test.mocks.ts 91.30% <0.00%> (-8.70%) ⬇️
src/dev/build/lib/config.ts 79.41% <0.00%> (-5.89%) ⬇️
packages/osd-optimizer/src/node/cache.ts 50.00% <0.00%> (-1.32%) ⬇️
...ic/application/models/sense_editor/sense_editor.ts 64.88% <0.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@ananzh ananzh merged commit 05a9573 into opensearch-project:2.x Feb 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend v2.6.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants