-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 #3738
[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 #3738
Conversation
Issue Resolve opensearch-project#1111 Backport PR opensearch-project#1108 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
d16da3d
to
11f76ad
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## 1.x #3738 +/- ##
=======================================
Coverage 67.50% 67.50%
=======================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
=======================================
Hits 39619 39619
Misses 16925 16925
Partials 2148 2148
Flags with carried forward coverage won't be shown. Click here to find out more. Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
All tests pass, whitesource failure can be ignored. |
…) (#3820) Issue Resolve #1111 Backport PR #1108 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 6af2ae2) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Issue Resolve
#1111
Backport PR
#1108
Description
The above CVE requires to bump
parse-link-header
from 1.0.1 to 2.0.0. If we look atparse-link-header
's commit history here, we could find there are two commits. One is a doc change and the other one seems not to introduce any breaking changes to the functionality of the code. It sets two environment variables that control the behavior of theparse-link-header
function. It also addscheckHeader
function which checks the length of the input string and throws an error or returns false based on the value of thePARSE_LINK_HEADER_THROW_ON_MAXLEN_EXCEEDED
variable. Since this new behavior is optional and can be controlled using environment variables, it should not introduce any breaking changes to existing code that uses theparse-link-header
function.In main, the package is bumped via this PR. Since there is no breaking changes, we should backport it to 1.x.
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr