
Resolve to newer versions of dependencies #107

Merged

Conversation

msfroh
Collaborator

@msfroh msfroh commented Jan 5, 2023

This addresses the following CVEs:

```
CVE-2021-3807  - Inefficient Regular Expression Complexity in
                 chalk/ansi-regex
CVE-2022-24999 - Improperly Controlled Modification of Object
                 Prototype Attributes ('Prototype Pollution'),
                 qs vulnerable to Prototype Pollution
GMS-2022-3113  - glob-parent before 6.0.1 and 5.1.2 vulnerable to
                 Regular Expression Denial of Service (ReDoS)
```

Signed-off-by: Michael Froh [email protected]

@codecov-commenter

Codecov Report

Merging #107 (1c945f8) into main (052c593) will not change coverage.
The diff coverage is n/a.

```
@@           Coverage Diff           @@
##             main     #107   +/-   ##
=======================================
  Coverage   81.42%   81.42%           
=======================================
  Files          13       13           
  Lines         140      140           
  Branches       27       27           
=======================================
  Hits          114      114           
  Misses         24       24           
  Partials        2        2           
```

| Flag | Coverage Δ |
|---|---|
| dashboards-search-relevance | 81.42% <ø> (ø) |

Flags with carried forward coverage won't be shown. Click here to find out more.


Collaborator

@macohen macohen left a comment


LGTM. All CVEs patched with good versions.

@macohen macohen marked this pull request as ready for review January 5, 2023 21:50
@macohen macohen requested a review from a team January 5, 2023 21:50
Collaborator

@noCharger noCharger left a comment


Let's add more references about these CVEs and why resolutions in package.json should be the fix. For example, OSD resolved https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2425/files for CVE-2021-3807. Should we change yarn.lock too?

Ref chalk/ansi-regex#37
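The review question above ("should we change yarn.lock too?") is worth answering mechanically: a `resolutions` entry in package.json only takes effect once the lockfile is regenerated, so a reviewer wants to see that the pinned versions in yarn.lock already match the patched floor. The script below is an added example, not code from this PR or from the OpenSearch project. It parses a yarn v1 lockfile with Node built-ins only and cross-checks it against the `resolutions` map. The glob-parent floor (5.1.2) comes from the advisory text quoted in the PR; the ansi-regex and qs floors are assumptions for illustration and should be confirmed against the upstream advisories. The package.json and yarn.lock contents are constructed sample input.

```javascript
// Added example: check that package.json "resolutions" and yarn.lock agree on
// patched versions of vulnerable transitive dependencies. Node built-ins only.

// Minimum patched versions. glob-parent comes from the advisory quoted in the
// PR; the ansi-regex and qs floors are ASSUMED for this example and should be
// confirmed against the upstream advisories before relying on them.
const MINIMUM_SAFE = {
  "ansi-regex": "5.0.1",
  "qs": "6.10.3",
  "glob-parent": "5.1.2",
};

// Numeric comparison of dotted versions ("5.0.1" vs "5.0.0"); returns -1/0/1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lowest version a simple range admits: "^5.0.1", "~5.0.1", ">=5.0.1", "5.0.1".
// Anything else (||, wildcards, tags) is unsupported and yields null so the
// caller reports it instead of silently passing it.
function rangeFloor(range) {
  const m = /^(?:\^|~|>=|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  return m ? m[1] : null;
}

// Minimal parser for yarn v1 lockfiles: an unindented "selector, selector:"
// line opens an entry and the indented `version "x.y.z"` line below it is the
// pinned version. Returns Map<packageName, Set<version>>.
function parseYarnLock(text) {
  const pinned = new Map();
  let names = [];
  for (const raw of text.split("\n")) {
    if (raw.startsWith("#") || raw.trim() === "") continue;
    if (!raw.startsWith(" ") && raw.endsWith(":")) {
      names = raw.slice(0, -1).split(",").map((s) => {
        const sel = s.trim().replace(/^"|"$/g, "");
        return sel.slice(0, sel.lastIndexOf("@")); // "@scope/x@^1" -> "@scope/x"
      });
      continue;
    }
    const v = /^\s+version\s+"([^"]+)"/.exec(raw);
    if (v) {
      for (const n of names) {
        if (!pinned.has(n)) pinned.set(n, new Set());
        pinned.get(n).add(v[1]);
      }
    }
  }
  return pinned;
}

// Cross-check: every package in `minimums` needs a resolution whose floor is
// at or above the patched version, and every lockfile entry for it must
// already be at a patched version. A correct resolution with a stale lock
// entry is exactly the case the reviewer asked about.
function checkResolutions(packageJson, lockText, minimums = MINIMUM_SAFE) {
  const resolutions = packageJson.resolutions || {};
  const pinned = parseYarnLock(lockText);
  const findings = [];
  for (const [name, min] of Object.entries(minimums)) {
    const floor = resolutions[name] ? rangeFloor(resolutions[name]) : null;
    if (!floor) {
      findings.push({ package: name, problem: "no usable resolution in package.json" });
    } else if (compareVersions(floor, min) < 0) {
      findings.push({ package: name, problem: `resolution ${resolutions[name]} below ${min}` });
    }
    for (const v of pinned.get(name) || []) {
      if (compareVersions(v, min) < 0) {
        findings.push({ package: name, problem: `yarn.lock still pins ${v} (< ${min})` });
      }
    }
  }
  return findings;
}

// Constructed sample input (not the project's real files): resolutions were
// updated, but yarn.lock was not regenerated for ansi-regex.
const SAMPLE_PACKAGE_JSON = {
  resolutions: { "ansi-regex": "^5.0.1", "qs": "^6.10.3", "glob-parent": "^5.1.2" },
};
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"ansi-regex@^5.0.0", "ansi-regex@^5.0.1":
  version "5.0.0"
  resolved "https://registry.example/ansi-regex-5.0.0.tgz"

glob-parent@^5.1.2:
  version "5.1.2"
  resolved "https://registry.example/glob-parent-5.1.2.tgz"

qs@^6.10.3:
  version "6.10.3"
  resolved "https://registry.example/qs-6.10.3.tgz"
`;

console.log(checkResolutions(SAMPLE_PACKAGE_JSON, SAMPLE_YARN_LOCK));
```

Run against the real files by replacing the two samples with `JSON.parse(fs.readFileSync("package.json"))` and `fs.readFileSync("yarn.lock", "utf8")`; an empty findings list is the evidence a reviewer wants attached to a dependency-bump PR, and a non-empty one shows precisely which lock entries still need `yarn install` to regenerate them.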

@msfroh msfroh merged commit a38a5e3 into opensearch-project:main Jan 6, 2023
github-actions bot added a commit that referenced this pull request Jan 6, 2023
(cherry picked from commit a38a5e3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
github-actions bot added a commit that referenced this pull request Jan 6, 2023
(cherry picked from commit a38a5e3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
noCharger pushed a commit that referenced this pull request Jan 9, 2023
(cherry picked from commit a38a5e3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
noCharger pushed a commit that referenced this pull request Jan 9, 2023
(cherry picked from commit a38a5e3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
5 participants