Bump typescript and axios #5470

Merged (3 commits), Dec 12, 2023

Conversation

AMoo-Miki (Collaborator) commented Nov 13, 2023

Description

Bump typescript and axios

  • Bump axios due to CVE-2023-45857
  • Bump typescript, only in resolutions, to 4.6.4 - needed for newer axios

Fixes #5474

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
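
The PR description names CVE-2023-45857 but does not say what the bug is. The advisory for that CVE describes affected axios releases attaching the value of the XSRF-TOKEN cookie as an X-XSRF-TOKEN request header on every request, including requests to third-party hosts, which leaks the anti-CSRF token; axios 1.6.0 restricts the header to same-origin targets. The block below is an added example written for this page, not code from the PR, from OpenSearch Dashboards, or from axios itself: it models the leaky and the hardened behaviour side by side so the difference the bump buys is visible. The function names (isSameOrigin, xsrfHeaderFor, demo), the sample origin, the sample token and the request URLs are all invented for the example.

```typescript
// Added example: a minimal model of the header behaviour behind CVE-2023-45857.
// 'leaky' copies the XSRF cookie into X-XSRF-TOKEN for any target (the
// affected behaviour); 'hardened' only does so for same-origin targets
// (the behaviour axios 1.6.0 adopts). Not the axios implementation.

type HeaderMap = Record<string, string>;
type XsrfMode = 'leaky' | 'hardened';

// Same-origin means identical scheme, host and port. Relative URLs are
// resolved against the page origin, as a browser's XHR would do.
function isSameOrigin(pageOrigin: string, requestUrl: string): boolean {
  const target = new URL(requestUrl, pageOrigin);
  return target.origin === new URL(pageOrigin).origin;
}

// Returns the headers a request to requestUrl would carry, given the page
// origin, the XSRF cookie value (undefined if the cookie is absent) and the mode.
function xsrfHeaderFor(
  pageOrigin: string,
  requestUrl: string,
  cookieValue: string | undefined,
  mode: XsrfMode,
): HeaderMap {
  const headers: HeaderMap = {};
  if (!cookieValue) {
    return headers; // nothing to leak or to send
  }
  if (mode === 'leaky' || isSameOrigin(pageOrigin, requestUrl)) {
    headers['X-XSRF-TOKEN'] = cookieValue;
  }
  return headers;
}

// Constructed sample inputs (invented for this example).
const SAMPLE_ORIGIN = 'https://dashboards.example.com';
const SAMPLE_TOKEN = 'constructed-xsrf-token-1234';

// Runs both modes against a same-origin API path, a third-party host and a
// same-host-different-scheme URL, keyed as "<mode>.<target>".
function demo(): Record<string, HeaderMap> {
  const targets: Record<string, string> = {
    sameOrigin: '/api/saved_objects/_find',
    crossOrigin: 'https://attacker.example.net/collect',
    crossScheme: 'http://dashboards.example.com/api/', // http vs https: different origin
  };
  const out: Record<string, HeaderMap> = {};
  for (const [name, url] of Object.entries(targets)) {
    out[`leaky.${name}`] = xsrfHeaderFor(SAMPLE_ORIGIN, url, SAMPLE_TOKEN, 'leaky');
    out[`hardened.${name}`] = xsrfHeaderFor(SAMPLE_ORIGIN, url, SAMPLE_TOKEN, 'hardened');
  }
  return out;
}

for (const [key, headers] of Object.entries(demo())) {
  console.log(key, JSON.stringify(headers));
}
```

In the leaky mode the token reaches attacker.example.net; in the hardened mode it is only attached to the same-origin request, and the scheme-mismatch case shows that same host is not enough. To confirm a bump like this one actually took effect, check that the resolved axios version in yarn.lock is 1.6.0 or later rather than only reading the range in package.json.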

codecov bot commented Nov 13, 2023

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (f27a031) 66.98% compared to head (a131cd4) 66.97%.

Files Patch % Lines
src/dev/build/lib/fs.ts 66.66% 2 Missing ⚠️
...s/osd-test/src/failed_tests_reporter/github_api.ts 50.00% 1 Missing ⚠️
src/core/public/ui_settings/ui_settings_client.ts 0.00% 0 Missing and 1 partial ⚠️
src/core/server/http/router/response_adapter.ts 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5470      +/-   ##
==========================================
- Coverage   66.98%   66.97%   -0.02%     
==========================================
  Files        3293     3293              
  Lines       63287    63289       +2     
  Branches    10062    10065       +3     
==========================================
- Hits        42394    42388       -6     
- Misses      18453    18459       +6     
- Partials     2440     2442       +2     
Flag Coverage Δ
Linux_1 35.24% <12.50%> (-0.01%) ⬇️
Linux_2 55.17% <75.00%> (-0.04%) ⬇️
Linux_3 43.79% <0.00%> (ø)
Linux_4 35.34% <36.36%> (+<0.01%) ⬆️
Windows_1 35.27% <12.50%> (-0.01%) ⬇️
Windows_2 55.14% <75.00%> (-0.04%) ⬇️
Windows_3 43.80% <0.00%> (ø)
Windows_4 35.34% <36.36%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

AMoo-Miki force-pushed the bump-axios branch 3 times, most recently from c561e72 to 1314515 on November 15, 2023 23:11. Commit message:

* Bump axios due to CVE-2023-45857

* Bump typescript, only in resolutions, to 4.6.4 - needed for newer axios

Signed-off-by: Miki <[email protected]>
ananzh merged commit 5fabb73 into opensearch-project:main on Dec 12, 2023
68 checks passed
ps48 (Member) commented Dec 15, 2023

@AMoo-Miki @ananzh @joshuarrrr Is there a reason why this PR wasn't backported to 2.x? For dashboards-observability we suspect that this upstream change is causing our snapshots to fail. Updating the snapshots solely for main will lead to divergence between main and 2.x. This will break our 2.x backports for test updates.

Meanwhile @pjfitzgibbons is verifying that this upstream PR was the root-cause for snapshot failures.

AMoo-Miki (Collaborator, Author) commented
@ps48 bumping axios required a bump in typescript that contained breaking changes, which propagated as breaking changes in OSD; hence the 3.0.0 label, indicating it will not be backportable.

main and 2.x are bound to diverge and in fact have a lot of differences already. This is because main is allowed to have breaking changes while 2.x is not.

Issue closed by this PR:

CVE-2023-45857 (High) detected in axios-0.27.2.tgz