Resolves async to v3.2.3
#1449
Resolves async to v3.2.3
#1449
Conversation
tmarkley
added
dependencies
* Resolves older versions: v0.9.2, v1.5.2, v2.6.3
* There are known breaking changes, so this manual resolution carries
some risk.
* [CHANGELOG](https://github.com/caolan/async/blob/v3.2.3/CHANGELOG.md)
* Addresses CVE-2021-43138.
* This requires a manual resolution because `@elastic/makelogs@6.1.0`,
`grunt-contrib-clean@2.0.0`, `ejs@3.1.6`, and
`webpack-dev-server@4.8.1` have downstream dependencies on older
versions of `async` and none of them have newer versions to fix this.
* Bumps `getos` from v3.1.0 to v3.2.1.
* Bumps `@elastic/makelogs` from v6.0.0 to v6.1.0.
* Bumps `archiver` from v3.1.1 to v5.3.0 and `@types/archiver` from
v3.1.0 to v5.3.1.
* Used in the build script, which runs successfully.
* Breaking changes include removing support for older versions of
Node.js as well as no longer supporting absolute path glob patterns,
which are not used in our repository.
* [CHANGELOG](https://github.com/archiverjs/node-archiver/blob/5.3.0/CHANGELOG.md)
* Bumps `webpack-dev-server` from v4.7.4 to v4.8.1.
* Removes `grunt-contrib-watch` dependency since it is unused.
* Removes unnecessary `@types/react` resolution.
Resolves opensearch-project#1440
Signed-off-by: Tommy Markley <markleyt@amazon.com>
|
Since code freeze for |
@kavilla good question, I think we should try to get it in to give us more time to address any problems that may come up. If it ends up being a blocker for RC1 we can revert it, but we need to address the CVE either way. |
I think the CVE was open 4 days ago? I'd rather be more defensive than reactive here unless we know we won't break plugins since the current turn around time from us checking something and plugins reacting is about a week. |
That should give us another reason to push us to resolve these CVEs sooner rather than later, right? We're less than a month away from 2.0, and our goal should be to resolve any CVEs that are found until ~2 weeks before the release date. We can't be walking on eggshells because plugins have a delayed reaction to every change; security should be our top priority. |
I don't think it's walking on eggshells as much as I'd rather we know that this PR won't break plugins days before they should be code frozen for 2.0-rc1. And if we do know it's going to break plugins and needs to go into 2.0-rc1 then we should be raising the red flag that 4/18 will be unlikely. |
I think this is a good call-out. I see that some plugin changes are going to occur after RC1 anyways, so plugins should be able to stay on top of anything that needs to be addressed because of this PR. |
tmarkley
dismissed
kavilla’s stale review
We need to merge these CVE PRs in for RC1 to address any breaking changes.
Addresses CVE-2021-43138. backport PR: opensearch-project#1449 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Description
async: v0.9.2, v1.5.2, v2.6.3@elastic/makelogs@6.1.0,grunt-contrib-clean@2.0.0,ejs@3.1.6, andwebpack-dev-server@4.8.1have downstream dependencies on older versions ofasyncand none of them have newer versions to fix this. I've documented this in Remove unnecessaryresolutionsfrom package.json #1298.getosfrom v3.1.0 to v3.2.1.@elastic/makelogsfrom v6.0.0 to v6.1.0.archiverfrom v3.1.1 to v5.3.0 and@types/archiverfrom v3.1.0 to v5.3.1.webpack-dev-serverfrom v4.7.4 to v4.8.1.grunt-contrib-watchdependency since it is unused.@types/reactresolution.Issues Resolved
Resolves #1440
Testing
Ran the build script with no flags as well as with the
--releaseflag and both built successfully.Check List
yarn test:jestyarn test:jest_integrationyarn test:ftr