-
Notifications
You must be signed in to change notification settings - Fork 916
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2022-25851][1.x] Bump jpeg-js from 0.4.1 to 0.4.4 #3741
Conversation
Issue Resolve opensearch-project#1725 Backport PR opensearch-project#1753 Signed-off-by: Anan Zhuang <[email protected]>
fc71d28
to
ba2f9ca
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## 1.x #3741 +/- ##
=======================================
Coverage 67.49% 67.50%
=======================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
=======================================
+ Hits 39617 39619 +2
+ Misses 16926 16925 -1
+ Partials 2149 2148 -1
Flags with carried forward coverage won't be shown. Click here to find out more. see 1 file with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
Issue Resolve #1725 Backport PR #1753 Signed-off-by: Anan Zhuang <[email protected]> Co-authored-by: Josh Romero <[email protected]> (cherry picked from commit 637d545) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
Issue Resolve #1725 Backport PR #1753 Signed-off-by: Anan Zhuang <[email protected]> Co-authored-by: Josh Romero <[email protected]> (cherry picked from commit 637d545) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Issue Resolve
#1725
Backport PR
#1753
Description
The package
jpeg-js
before 0.4.4 is vulnerable to Denial of Service (DoS) where a particular piece of input will cause to enter an infinite loop and never return. In 1.x, we are currently using 0.4.1.There is no breaking change between 0.4.1 and 0.4.4. Just backport this fix PR here to 1.x.
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr