[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 #3738
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ananzh
added
cve
Issue Resolve opensearch-project#1111 Backport PR opensearch-project#1108 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh
force-pushed
the
1.x-bump-parse-link-header
branch
from
d16da3d
to
11f76ad
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## 1.x #3738 +/- ##
=======================================
Coverage 67.50% 67.50%
=======================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
=======================================
Hits 39619 39619
Misses 16925 16925
Partials 2148 2148
Flags with carried forward coverage won't be shown. Click here to find out more. Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
All tests pass, whitesource failure can be ignored. |
joshuarrrr
approved these changes
Apr 10, 2023
abbyhu2000
approved these changes
Apr 11, 2023
abbyhu2000
pushed a commit
that referenced
this pull request
Apr 11, 2023
…) (#3820) Issue Resolve #1111 Backport PR #1108 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 6af2ae2) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue Resolve
#1111
Backport PR
#1108
Description
The above CVE requires to bump
parse-link-headerfrom 1.0.1 to 2.0.0. If we look atparse-link-header's commit history here, we could find there are two commits. One is a doc change and the other one seems not to introduce any breaking changes to the functionality of the code. It sets two environment variables that control the behavior of theparse-link-headerfunction. It also addscheckHeaderfunction which checks the length of the input string and throws an error or returns false based on the value of thePARSE_LINK_HEADER_THROW_ON_MAXLEN_EXCEEDEDvariable. Since this new behavior is optional and can be controlled using environment variables, it should not introduce any breaking changes to existing code that uses theparse-link-headerfunction.In main, the package is bumped via this PR. Since there is no breaking changes, we should backport it to 1.x.
Check List
yarn test:jestyarn test:jest_integrationyarn test:ftr