[CVE-2021-3765][1.x] bump validator from 8.2.0 to 13.9.0 (opensearch-…

…project#3725) validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression Complexity. 1.x is using "validator@8.2.0". Main has been bumped to 13.7.0 via PR opensearch-project#1106. The solution is to backport it on 1.x. Backport PR: opensearch-project#1106 Issue Resolved: opensearch-project#1063 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com>
ananzh · Apr 3, 2023 · 3cc3b3a · 3cc3b3a
1 parent 65deacb
commit 3cc3b3a
Show file tree

Hide file tree

Showing 3 changed files with 147 additions and 96 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ### 🛡 Security
 
+- [CVE-2021-3765] Update `@microsoft/api-documenter` and `@microsoft/api-extractor` versions to bump validator from `8.2.0` to `13.9.0` ([#3725](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3725))
 - [CVE-2022-1537] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723))
 - [CVE-2022-0436] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723))
 - [CVE-2021-23382] Bump postcss from `8.2.10` to `8.2.13` ([#3739](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3739))

diff --git a/package.json b/package.json
@@ -273,8 +273,8 @@
     "@osd/test": "1.0.0",
     "@osd/test-subj-selector": "0.2.1",
     "@osd/utility-types": "1.0.0",
-    "@microsoft/api-documenter": "7.7.2",
-    "@microsoft/api-extractor": "7.7.0",
+    "@microsoft/api-documenter": "^7.13.78",
+    "@microsoft/api-extractor": "^7.19.3",
     "@percy/agent": "^0.28.6",
     "@testing-library/dom": "^7.24.2",
     "@testing-library/jest-dom": "^5.11.4",