
[Manual][Backport 2.x][CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability #5320

Merged

Conversation

manasvinibs (Member)

Backport of #5309

Issues Resolved

#5303

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@manasvinibs manasvinibs changed the title [CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability [Manual][Backport 2.x][CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability Oct 18, 2023
codecov bot commented Oct 18, 2023

Codecov Report

Merging #5320 (18f08a3) into 2.x (603ecff) will increase coverage by 0.02%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              2.x    #5320      +/-   ##
==========================================
+ Coverage   66.81%   66.83%   +0.02%     
==========================================
  Files        3284     3284              
  Lines       63149    63167      +18     
  Branches    10048    10048              
==========================================
+ Hits        42192    42219      +27     
+ Misses      18491    18470      -21     
- Partials     2466     2478      +12     
Flag Coverage Δ
Linux_1 35.25% <ø> (-0.02%) ⬇️
Linux_2 55.22% <ø> (-0.04%) ⬇️
Linux_3 43.84% <ø> (-0.01%) ⬇️
Linux_4 35.48% <ø> (-0.01%) ⬇️
Windows_1 35.26% <ø> (-0.02%) ⬇️
Windows_2 55.19% <ø> (-0.04%) ⬇️
Windows_3 43.85% <ø> (-0.01%) ⬇️
Windows_4 35.48% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown.

see 23 files with indirect coverage changes

@manasvinibs manasvinibs force-pushed the backport/backport-5309-to-2.x branch from 4a7b9fc to 289c78d on October 26, 2023 23:21
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <[email protected]>

* Further consolidate locked deps

Signed-off-by: Josh Romero <[email protected]>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <[email protected]>

---------

Signed-off-by: Manasvini B Suryanarayana <[email protected]>
Signed-off-by: Josh Romero <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit a351f90)
@manasvinibs manasvinibs force-pushed the backport/backport-5309-to-2.x branch from 289c78d to 55b2905 on October 27, 2023 18:12
@joshuarrrr (Member)

I believe the WhiteSource check failure is spurious. I pulled this branch and verified that we're only using underscore.string version 3.3.6, which has the fix.

yarn why underscore.string
yarn why v1.22.19
[1/4] Why do we have the module "underscore.string"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "grunt#[email protected]"
info Reasons this module exists
   - "_project_#grunt#grunt-legacy-util" depends on it
   - Hoisted from "_project_#grunt#grunt-legacy-util#underscore.string"
   - in the nohoist list ["/_project_/**/@types/*","/_project_/**/@types/*/**","/_project_/**/grunt-*","/_project_/**/grunt-*/**","/_project_/@elastic/eui/rehype-react","/_project_/@elastic/eui/remark-rehype","/_project_/@elastic/eui/remark-rehype/**"]
info Disk size without dependencies: "444KB"
info Disk size with unique dependencies: "548KB"
info Disk size with transitive dependencies: "548KB"
info Number of shared dependencies: 2
Done in 1.19s.
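As an added example (not code from this PR or from the OpenSearch Dashboards repository), the JavaScript below automates the check joshuarrrr did by hand with `yarn why`: it parses a yarn v1 lockfile, flags every resolved version that sits below a known-fixed floor, and emits the package.json `resolutions` entry that would pin it, which is the mechanism the PR uses to force @babel/traverse to 7.23.2. The sample lockfile contents, the function names, and the 3.3.6 floor for underscore.string (taken from the comment above, not from an advisory) are constructed for the example.

```javascript
// Added example (not from the OpenSearch Dashboards repo): audit a yarn v1
// lockfile for resolved versions below a known-fixed floor, and build the
// package.json "resolutions" block that would pin them.

// Minimal parser for the yarn v1 lockfile format: an unindented header line
// lists one or more "name@range" descriptors that all resolve to the indented
// `version "x.y.z"` that follows it.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!/^\s/.test(line) && line.endsWith(':')) {
      const descriptors = line
        .slice(0, -1)
        .split(',')
        .map((d) => d.trim().replace(/^"|"$/g, ''));
      current = { descriptors, version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// "name@range" -> name. The last "@" separates name from range, so scoped
// packages such as @babel/traverse keep their leading "@".
function packageName(descriptor) {
  const at = descriptor.lastIndexOf('@');
  return at > 0 ? descriptor.slice(0, at) : descriptor;
}

// Compare dotted numeric versions; pre-release suffixes are dropped because
// this is a floor check, not full semver. Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// minimums: { '@babel/traverse': '7.23.2', ... }. Returns one finding per
// descriptor whose resolved version is below the required floor.
function auditLockfile(lockText, minimums) {
  const findings = [];
  for (const entry of parseYarnLock(lockText)) {
    for (const d of entry.descriptors) {
      const name = packageName(d);
      const floor = minimums[name];
      if (floor && entry.version && compareVersions(entry.version, floor) < 0) {
        findings.push({ name, descriptor: d, version: entry.version, required: floor });
      }
    }
  }
  return findings;
}

// The package.json "resolutions" object that forces every flagged package up
// to its floor, the same pin this PR adds for @babel/traverse.
function resolutionsFor(findings) {
  const out = {};
  for (const f of findings) out[f.name] = f.required;
  return out;
}

// Constructed sample lockfile: one stale @babel/traverse entry, one already at
// the fixed version, and underscore.string at the version verified above.
const SAMPLE_LOCK = `# yarn lockfile v1

"@babel/traverse@^7.1.0", "@babel/traverse@^7.12.0":
  version "7.22.8"
  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.22.8.tgz"

"@babel/traverse@^7.23.2":
  version "7.23.2"
  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.2.tgz"

underscore.string@~3.3.4:
  version "3.3.6"
  resolved "https://registry.yarnpkg.com/underscore.string/-/underscore.string-3.3.6.tgz"
`;

// Floors are assumptions for the example: 7.23.2 is the version the PR pins,
// 3.3.6 is the version the comment above reports as fixed.
const MINIMUMS = { '@babel/traverse': '7.23.2', 'underscore.string': '3.3.6' };

const findings = auditLockfile(SAMPLE_LOCK, MINIMUMS);
console.log(findings);
console.log(JSON.stringify({ resolutions: resolutionsFor(findings) }, null, 2));
```

Run it with `node` against a real yarn.lock by swapping `SAMPLE_LOCK` for the file contents. A `resolutions` pin only changes what yarn resolves on the next install, so the lockfile should be re-audited after `yarn install` to confirm that no other range still resolves to the old version; an empty findings list is the same evidence the `yarn why` output above gives for underscore.string, but for every descriptor at once.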

@joshuarrrr (Member)

I'm going to try re-running the check

@manasvinibs manasvinibs merged commit ea0e856 into opensearch-project:2.x Nov 7, 2023
64 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 15, 2023
…3.2` to fix vulnerability (#5309) (#5320)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <[email protected]>

* Further consolidate locked deps

Signed-off-by: Josh Romero <[email protected]>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <[email protected]>

---------

Signed-off-by: Manasvini B Suryanarayana <[email protected]>
Signed-off-by: Josh Romero <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit ea0e856)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
joshuarrrr pushed a commit that referenced this pull request Nov 16, 2023
…3.2` to fix vulnerability (#5309) (#5320) (#5480)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <[email protected]>

* Further consolidate locked deps

Signed-off-by: Josh Romero <[email protected]>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <[email protected]>

---------

Signed-off-by: Manasvini B Suryanarayana <[email protected]>
Signed-off-by: Josh Romero <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit ea0e856)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@joshuarrrr joshuarrrr added the v2.11.1 Issues targeting release v2.11.1 label Nov 16, 2023