Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2021-23382] Bump postcss from 8.2.10 to 8.4.24 #4403

Merged
merged 4 commits into from
Jul 1, 2023
Merged

[CVE-2021-23382] Bump postcss from 8.2.10 to 8.4.24 #4403

merged 4 commits into from
Jul 1, 2023

Conversation

ZilongX
Copy link
Collaborator

@ZilongX ZilongX commented Jun 26, 2023
edited
Loading

Description

  • This one is to fix CVE-2021-23382 in 1.3 branch targeting 1.3.12
  • The current dependency config is looking good for postcss so just did a lock file refresh to pick up the patch.
  • Here is the actual patch on postcss side postcss/postcss@2b1d04c fyi

Issues Resolved

#1094

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ZilongX
[CVE-2021-23382] Bump postcss from 8.2.10 to 8.4.24
32efdfc 
Signed-off-by: Zilong Xia <zilongx@amazon.com>
@ZilongX
[CVE-2021-23382] Bump postcss from 8.2.10 to 8.4.24
cadb1fe 
Signed-off-by: Zilong Xia <zilongx@amazon.com>
@ZilongX ZilongX added cve Security vulnerabilities detected by Dependabot or Mend v1.3.12 labels Jun 26, 2023
@ananzh
Copy link
Member

ananzh commented Jun 26, 2023

@ZilongX thank you so much for helping on this. seems #3739 fail to backport to 1.3. I think what you did here is absolutely right. we don't have to update package.json "postcss": "^8.2.10". but 1.x has got updated, to make 1.3 and 1.x consistent, could you also use that PR to modify urs a little bit?

@codecov
Copy link

codecov bot commented Jun 26, 2023
edited
Loading

Codecov Report

Merging #4403 (40c403f) into 1.3 (4df4639) will decrease coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              1.3    #4403      +/-   ##
==========================================
- Coverage   67.50%   67.46%   -0.05%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
- Hits        39619    39595      -24     
- Misses      16925    16945      +20     
- Partials     2148     2152       +4
Flag Coverage Δ
Linux 67.46% <ø> (ø)
Windows ?

Flags with carried forward coverage won't be shown. Click here to find out more.

see 5 files with indirect coverage changes

@ZilongX
Copy link
Collaborator Author

ZilongX commented Jun 28, 2023

@ZilongX thank you so much for helping on this. seems #3739 fail to backport to 1.3. I think what you did here is absolutely right. we don't have to update package.json "postcss": "^8.2.10". but 1.x has got updated, to make 1.3 and 1.x consistent, could you also use that PR to modify urs a little bit?

Thanks @ananzh , just wondering are we still leveraging 1.x branch for any release purposes ? Given we're only release new patch based on 1.3 branch

@ZilongX
Copy link
Collaborator Author

ZilongX commented Jun 28, 2023

@ananzh updated devDependencies section for postcss to keep in sync with 1.x as suggested

@ananzh ananzh merged commit ccdd431 into opensearch-project:1.3 Jul 1, 2023
34 checks passed
@ZilongX ZilongX deleted the 1.3 branch July 5, 2023 23:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Flyingliuhub Flyingliuhub Flyingliuhub approved these changes

@ananzh ananzh ananzh approved these changes

@kavilla kavilla Awaiting requested review from kavilla kavilla is a code owner

@seanneumann seanneumann Awaiting requested review from seanneumann

@AMoo-Miki AMoo-Miki Awaiting requested review from AMoo-Miki AMoo-Miki is a code owner

@ashwin-pc ashwin-pc Awaiting requested review from ashwin-pc ashwin-pc is a code owner

@joshuarrrr joshuarrrr Awaiting requested review from joshuarrrr joshuarrrr is a code owner

@abbyhu2000 abbyhu2000 Awaiting requested review from abbyhu2000 abbyhu2000 is a code owner

@zengyan-amazon zengyan-amazon Awaiting requested review from zengyan-amazon zengyan-amazon is a code owner

@kristenTian kristenTian Awaiting requested review from kristenTian

@zhongnansu zhongnansu Awaiting requested review from zhongnansu zhongnansu is a code owner

@manasvinibs manasvinibs Awaiting requested review from manasvinibs manasvinibs is a code owner

Assignees

@ananzh ananzh

Labels
cve Security vulnerabilities detected by Dependabot or Mend v1.3.12
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ZilongX @ananzh @Flyingliuhub