
Bump xml2js from 0.4.23 to 0.5.0 #3842

Merged
merged 14 commits into from
Apr 15, 2023

Conversation

aoguan1990
Contributor

Description

Issues Resolved

Description:

  • Bump package xml2js from 0.4.22 to 0.5.0 to resolve CVE-2023-0842 in branch main

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
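An added example, not part of this PR or the OpenSearch-Dashboards code base: a small Node.js check that reads a yarn.lock v1 file and reports every resolved version of a package below the patched release. It is motivated by the linked issue, which reported both xml2js-0.4.19.tgz and xml2js-0.4.23.tgz, so a bump of the direct dependency can still leave a vulnerable transitive copy in the lockfile. The sample lockfile is constructed; the function names are my own.

```javascript
// Added example, not part of this PR: list every version of a package resolved
// by a yarn.lock v1 file and flag those below the patched release. The issue
// linked to this PR reported both xml2js-0.4.19.tgz and xml2js-0.4.23.tgz, so
// bumping the direct dependency alone can leave a vulnerable transitive copy.
// Header `xml2js@0.4.23, xml2js@^0.4.22:` then indented `version "0.4.23"`.
function resolvedVersions(lockText, pkg) {   // -> Map<version, selectors[]>
  const found = new Map();
  let selectors = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      selectors = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && selectors) {
      const mine = selectors.filter((s) => s.startsWith(pkg + '@'));
      if (mine.length) found.set(m[1], (found.get(m[1]) || []).concat(mine));
      selectors = null;
    }
  }
  return found;
}
// Compare the numeric x.y.z core; pre-release tags are ignored for brevity.
function olderThan(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}
function vulnerableEntries(lockText, pkg, fixedIn) {
  const out = [];
  for (const [version, selectors] of resolvedVersions(lockText, pkg)) {
    if (olderThan(version, fixedIn)) out.push({ version, selectors });
  }
  return out;
}
// Constructed sample lockfile mirroring the two copies the linked issue reported.
const SAMPLE_LOCK = [
  '# yarn lockfile v1', '', 'xml2js@0.4.23, xml2js@^0.4.22:', '  version "0.4.23"',
  '  resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.4.23.tgz"', '',
  'xml2js@^0.4.19:', '  version "0.4.19"', '', 'xmlbuilder@~11.0.0:', '  version "11.0.1"',
].join('\n');
for (const e of vulnerableEntries(SAMPLE_LOCK, 'xml2js', '0.5.0')) {
  console.log(`xml2js ${e.version} (< 0.5.0) still resolved for ${e.selectors.join(', ')}`);
}
```

Run it against a real lockfile with `vulnerableEntries(fs.readFileSync('yarn.lock', 'utf8'), 'xml2js', '0.5.0')`; an empty result means no resolved copy is below the fixed version.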

@aoguan1990
Contributor Author

@joshuarrrr We still observed that the link checker failed for the two links below. Can you please help check on that?

Errors in src/plugins/discover/public/application/doc_views/doc_views_helpers.tsx
✗ http://roubenmeschian.com/rubo/?p=51 (HTTP status server error (500 Internal Server Error) for url (https://roubenmeschian.com/rubo/?p=51))

Errors in src/plugins/discover/public/application/angular/doc_table/create_doc_table_react.tsx
✗ http://roubenmeschian.com/rubo/?p=51 (HTTP status server error (500 Internal Server Error) for url (https://roubenmeschian.com/rubo/?p=51))

@codecov-commenter

codecov-commenter commented Apr 13, 2023

Codecov Report

Merging #3842 (86fb708) into main (685c911) will increase coverage by 0.00%.
The diff coverage is n/a.


@@           Coverage Diff           @@
##             main    #3842   +/-   ##
=======================================
  Coverage   66.41%   66.42%           
=======================================
  Files        3209     3209           
  Lines       61733    61733           
  Branches     9534     9534           
=======================================
+ Hits        41003    41004    +1     
+ Misses      18442    18441    -1     
  Partials     2288     2288           
| Flag | Coverage Δ |
|---|---|
| Linux | 66.36% <ø> (+<0.01%) ⬆️ |
| Windows | 66.37% <ø> (+<0.01%) ⬆️ |


see 1 file with indirect coverage changes


@joshuarrrr
Member

@aoguan1990 The link that's causing the link check failure is unreachable: http://roubenmeschian.com/rubo/?p=51

Can you open an issue to find where that link is referenced and remove it?

@aoguan1990
Contributor Author

> @aoguan1990 The link that's causing the link check failure is unreachable: http://roubenmeschian.com/rubo/?p=51
>
> Can you open an issue to find where that link is referenced and remove it?

Removed the unused url: http://roubenmeschian.com/rubo/?p=51. Thanks! @joshuarrrr

CHANGELOG.md Outdated
@@ -21,6 +21,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
- [CVE-2023-25166] Bump formula to 3.0.1 ([#3416](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3416))
- [CVE-2023-25653] Bump node-jose to 2.2.0 ([#3445](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3445))
- [CVE-2023-26486][cve-2023-26487] Bump vega from 5.22.1 to 5.23.0 ([#3533](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3533))
- [CVE-2023-0842]Bump xml2js from 0.4.23 to 0.5.0 ([#3842](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3842))
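Review bot: the new entry on the last line of this hunk is missing the space after `[CVE-2023-0842]` that every other entry in the list has; it should read `- [CVE-2023-0842] Bump xml2js from 0.4.23 to 0.5.0 (...)`. Also, the PR description says the bump is from 0.4.22 while this changelog line says 0.4.23, so confirm which version yarn.lock actually pinned and make the two agree before merging.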
Member

Suggested change
- [CVE-2023-0842]Bump xml2js from 0.4.23 to 0.5.0 ([#3842](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3842))
- [CVE-2023-0842] Bump xml2js from 0.4.23 to 0.5.0 ([#3842](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3842))

Contributor Author

Thanks for the comments, addressed as per comment.

AMoo-Miki previously approved these changes Apr 14, 2023
@AMoo-Miki AMoo-Miki merged commit c755b49 into opensearch-project:main Apr 15, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 15, 2023
* Create 1.3.8 release notes

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Remove unused tags

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Remove old changelog

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Fix typo

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Address comments

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Add PRs

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Remove unreleased PR

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Remove unreleased PR

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Bump xml2js from 0.4.22 to 0.5.0

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Add change log for CVE

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Bump version for osd-test package

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Modify PR link for changelog

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Fix changelog and dependency package version

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

* Fix aws sdk version

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>

---------

Signed-off-by: Aozixuan Priscilla Guan <aoguan@amazon.com>
(cherry picked from commit c755b49)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
abbyhu2000 pushed a commit that referenced this pull request Apr 17, 2023
* Bump xml2js from 0.4.23 to 0.5.0 (#3842)

* add changelog

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
sikhote pushed a commit to sikhote/OpenSearch-Dashboards that referenced this pull request Apr 24, 2023
Signed-off-by: David Sinclair <david@sinclair.tech>
Successfully merging this pull request may close these issues.

CVE-2023-0842 (Medium) detected in xml2js-0.4.19.tgz, xml2js-0.4.23.tgz
4 participants