From dceac61e7158c2078a9a4987114cb971b8f5e49f Mon Sep 17 00:00:00 2001
From: Anan Zhuang
Date: Fri, 17 Feb 2023 20:03:25 +0000
Subject: [PATCH 1/2] [CVE-2022-2499][backport 1.x] Resolve qs to 6.11.0 in 1.x
Issue Resolved: https://github.com/opensearch-project/OpenSearch-Dashboards/issues/3449
Signed-off-by: Anan Zhuang
---
 CHANGELOG.md | 2 ++
 package.json | 1 +
 yarn.lock | 12 +----------
 3 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f05ea2e6fc6..921cf2ddbd69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-46175] Bumps json5 version from 1.0.1 and 2.2.1 to 1.0.2 and 2.2.3 ([#3201](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3201))
 - [CVE-2022-25912] Bumps simple-git from 3.4.0 to 3.15.0 ([#3036](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3036))
 - [CVE-2022-25860] Bumps simple-git from 3.15.1 to 3.16.0 ([#3345](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3345))
+- [CVE-2022-2499] Resolve qs to 6.11.0 in 1.x ([#3451](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3451))
+
 
 ### 📈 Features/Enhancements
 
diff --git a/package.json b/package.json
index 4f6c91b330ef..496e46d6e68d 100644
--- a/package.json
+++ b/package.json
@@ -102,6 +102,7 @@
 "**/node-jose/node-forge": "^0.10.0",
 "**/normalize-url": "^4.5.1",
 "**/prismjs": "^1.23.0",
+"**/qs": "^6.11.0",
 "**/react-syntax-highlighter": "^15.3.1",
 "**/react-syntax-highlighter/**/highlight.js": "^10.4.1",
 "**/request": "^2.88.2",
diff --git a/yarn.lock b/yarn.lock
index 3237ad5d7f5c..8f5b5e3f470e 100644
--- a/yarn.lock
+++ b/yarn.lock
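Review bot: The `"**/qs": "^6.11.0"` resolution added to package.json is a blanket glob, and the yarn.lock hunk in this same patch shows it overriding an exact pin (`qs@6.7.0`) and a tilde range (`qs@~6.5.2`) declared by transitive dependents, so those packages now receive a qs version outside the range their manifests declare; confirming that the 1.x test suite exercises the request and query-string parsing paths on this branch would make the backport safe to merge. The identifier CVE-2022-2499 used in the subject line and in the CHANGELOG entry should be checked against the advisory published for the qs release being adopted before the changelog ships, since that entry is what downstream consumers will search for; the linked issue #3449 remains the traceable reference either way. The caret range is consistent with the neighbouring resolutions such as `"**/normalize-url": "^4.5.1"`, and yarn.lock pins the exact version, so the package.json line itself needs no further change.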
@@ -16979,23 +16979,13 @@ puppeteer@^5.3.1:
 unbzip2-stream "^1.3.3"
 ws "^7.2.3"
 
-qs@6.7.0, qs@^6.4.0:
- version "6.7.0"
- resolved "https://registry.yarnpkg.com/qs/-/qs-6.7.0.tgz#41dc1a015e3d581f1621776be31afb2876a9b1bc"
- integrity sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==
-
-qs@^6.11.0:
+qs@6.7.0, qs@^6.11.0, qs@^6.4.0, qs@~6.5.2:
 version "6.11.0"
 resolved "https://registry.yarnpkg.com/qs/-/qs-6.11.0.tgz#fd0d963446f7a65e1367e01abd85429453f0c37a"
 integrity sha512-MvjoMCJwEarSbUYk5O+nmoSzSutSsTwF85zcHPQ9OrlFoZOYIjaqBAJIqIXjptyD5vThxGq52Xu/MaJzRkIk4Q==
 dependencies:
 side-channel "^1.0.4"
 
-qs@~6.5.2:
- version "6.5.2"
- resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36"
- integrity sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==
-
 query-string@^6.13.2:
 version "6.13.2"
 resolved "https://registry.yarnpkg.com/query-string/-/query-string-6.13.2.tgz#3585aa9412c957cbd358fd5eaca7466f05586dda"
From 63b44a30e38e50d20c815bdb7d2cdb5108987ba9 Mon Sep 17 00:00:00 2001
From: Anan Zhuang
Date: Fri, 17 Feb 2023 16:49:28 -0800
Subject: [PATCH 2/2] Update CHANGELOG.md
Co-authored-by: Josh Romero
---
 CHANGELOG.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 921cf2ddbd69..329b77c5abe5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,8 +23,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-46175] Bumps json5 version from 1.0.1 and 2.2.1 to 1.0.2 and 2.2.3 ([#3201](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3201))
 - [CVE-2022-25912] Bumps simple-git from 3.4.0 to 3.15.0 ([#3036](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3036))
 - [CVE-2022-25860] Bumps simple-git from 3.15.1 to 3.16.0 ([#3345](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3345))
-- [CVE-2022-2499] Resolve qs to 6.11.0 in 1.x ([#3451](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3451))
-
+- [CVE-2022-2499] Resolve qs from 6.5.2 and 6.7.0 to 6.11.0 in 1.x ([#3451](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3451))
 
 ### 📈 Features/Enhancements