[2.x] [CVE-2020-36632] Bumps flat from 4.1.1 to 5.0.2 #3419
Conversation
Signed-off-by: Zilong Xia <zilongx@amazon.com>
Codecov Report

@@            Coverage Diff             @@
##              2.x    #3419      +/-   ##
==========================================
+ Coverage   66.50%   66.56%   +0.05%
==========================================
  Files        3203     3203
  Lines       61331    61331
  Branches     9453     9453
==========================================
+ Hits        40787    40823      +36
+ Misses      18283    18253      -30
+ Partials     2261     2255       -6
Signed-off-by: Zilong Xia <zilongx@amazon.com>
👍
@ZilongX Thanks for the detailed description.
I think this is probably a better link for looking at the commit diff: hughsk/flat@4.1.1...5.0.2
I have no concerns about this change for OSD core, because we've already removed all mocha tests via #215 (and still just have a lingering item to remove the scaffolding and dependency: #1572)
But because of that we don't have a great way of validating that any plugins with mocha tests configured will be unaffected by this change. So I think we should do an extra callout in the changelog.
Co-authored-by: Josh Romero <rmerqg@amazon.com>
DCO check failed on a merge commit - will be fixed by squash and merge
@ZilongX Any plans to backport to
@joshuarrrr, yes backporting to 1.x/1.3 may need some manual efforts though, I'll take a look later. (maybe just 1.3 since there won't be any new minor version releases for 1.x ~)
Signed-off-by: Zilong Xia <zilongx@amazon.com>

Description

Bumps `flat` from `4.1.1` to `5.0.2` to resolve CVE-2020-36632 in branch `2.x` (release candidate for OSD 2.6.0).

- `flat` is introduced into OSD by `mocha@^7.2.0`.
- CVE-2020-36632 is fixed from `mocha@8.2.0` (https://github.com/mochajs/mocha/blob/v8.2.0/package-lock.json).
- `mocha 8.0.0` brings in a bunch of breaking changes (https://github.com/mochajs/mocha/blob/master/CHANGELOG.md), leveraging `resolutions` here instead of the major version bumping.
- `mocha` has been bumped up to `10.1.0` in `main` branch btw ([WS-2021-0638][Security] bump mocha to 10.1.0 #2711), which would be released as part of OSD 3.0.0.
- `flat` version bump (https://github.com/hughsk/flat/commits/master?before=7a184e7adbe06f2acafab15a9efef667cc452abb+35&branch=master&qualified_name=refs%2Fheads%2Fmaster)

Issues Resolved

Check List

- yarn test:jest
- yarn test:jest_integration
- yarn test:ftr
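A yarn `resolutions` override of the kind this PR relies on only helps if the lockfile actually re-resolves the transitive `flat` entry, so the check worth running afterwards is an audit of `yarn.lock`. The script below is an added example, not code from this PR or from OpenSearch Dashboards; it parses the v1 lockfile format and reports any `flat` specifier still resolving below 5.0.2. The lockfile fragment is constructed, and the `^4.1.0` range attributed to mocha 7.x is an assumption.

```javascript
// Added example (not from the OpenSearch Dashboards repo): check that a yarn
// "resolutions" override took effect by auditing a v1 yarn.lock for entries of
// a package that still resolve below the minimum safe version.
// Compare "x.y.z" release versions (assumption: no prerelease tags, as for flat).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}
// In a v1 lockfile an unindented line ending in ":" opens an entry listing one
// or more "name@range" specifiers; the indented `version "x.y.z"` that follows
// is what those ranges resolved to. Return every specifier of pkgName whose
// resolved version is below minVersion.
function auditLockfile(lockText, pkgName, minVersion) {
  const findings = [];
  let specs = null;
  for (const line of lockText.split("\n")) {
    if (!/^\s/.test(line) && !line.startsWith("#") && line.endsWith(":")) {
      specs = line.slice(0, -1).split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
    } else if (specs) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (!m) continue;
      for (const spec of specs) {
        // the package name is everything before the last "@" (handles @scope/name)
        if (spec.slice(0, spec.lastIndexOf("@")) === pkgName &&
            compareSemver(m[1], minVersion) < 0) {
          findings.push({ spec, version: m[1] });
        }
      }
      specs = null;
    }
  }
  return findings;
}
// Constructed lockfile fragment (not the real OSD yarn.lock): what a mocha 7.x
// range pulls in before the override, and the same entry after resolutions
// pin flat to 5.0.2.
const LOCK_BEFORE = `# yarn lockfile v1

flat@^4.1.0:
  version "4.1.1"
  dependencies:
    is-buffer "~2.0.3"
`;
const LOCK_AFTER = LOCK_BEFORE.replace('version "4.1.1"', 'version "5.0.2"');
console.log("before override:", auditLockfile(LOCK_BEFORE, "flat", "5.0.2"));
console.log("after override:", auditLockfile(LOCK_AFTER, "flat", "5.0.2"));
```

Run it against the real lockfile with `auditLockfile(require("fs").readFileSync("yarn.lock", "utf8"), "flat", "5.0.2")`; an empty result means every `flat` range was re-resolved to a fixed version.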