
[1.3] Bump yo from 2.0.6 to 3.1.1 #5005

Merged (1 commit), Sep 14, 2023
Conversation

@ananzh (Member) commented Sep 13, 2023

With the SemVer philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version.

yo is a dev dependency in package @osd/ui-framework for OSD. Meanwhile, it is not included in release artifact. Therefore, bumping major versions should not break SemVer rules.

Description

Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). mem is brought into OSD by yo#fullname:

ubuntu@ip-**:~/OpenSearch-Dashboards$ yarn why mem
yarn why v1.22.19
[1/4] Why do we have the module "mem"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.8.4"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "mem@1.1.0"
info Reasons this module exists
   - "_project_#@osd#ui-framework#yo#fullname" depends on it
   - Hoisted from "_project_#@osd#ui-framework#yo#fullname#mem"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 1
=> Found "os-locale#mem@4.0.0"
info This module exists because "_project_#@osd#pm#webpack-cli#yargs#os-locale" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "88KB"
info Number of shared dependencies: 3
Done in 1.05s.

There are two options to solve the issue:

No breaking changes from either option. Choose to bump yo.

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

codecov bot commented Sep 13, 2023

Codecov Report

Merging #5005 (fff504d) into 1.3 (7b922e8) will increase coverage by 0.04%.
Report is 2 commits behind head on 1.3.
The diff coverage is n/a.

❗ Current head fff504d differs from pull request most recent head 454072d. Consider uploading reports for the commit 454072d to get more accurate results

@@            Coverage Diff             @@
##              1.3    #5005      +/-   ##
==========================================
+ Coverage   67.46%   67.50%   +0.04%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
+ Hits        39595    39619      +24     
+ Misses      16945    16925      -20     
+ Partials     2152     2148       -4     
Flag      Coverage Δ
Linux     67.45% <ø> (-0.01%) ⬇️
Windows   67.45% <ø> (?)


@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend v1.3.13 labels Sep 14, 2023
integrity sha1-Xt1StIXKHZAP5kiVUFOZoN+kX3Y=
dependencies:
mimic-fn "^1.0.0"

mem@^4.0.0:
version "4.0.0"
Member

You're still including mem 4.0.0 here. I believe you'll also need to upgrade fullname, as you mentioned in the description.

Member Author

Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). So 4.0.0 is fine. It is brought in from another package:

ubuntu@ip-**:~/OpenSearch-Dashboards$ yarn why mem
yarn why v1.22.19
[1/4] Why do we have the module "mem"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.8.4"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "mem@1.1.0"
info Reasons this module exists
   - "_project_#@osd#ui-framework#yo#fullname" depends on it
   - Hoisted from "_project_#@osd#ui-framework#yo#fullname#mem"
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 1
=> Found "os-locale#mem@4.0.0"
info This module exists because "_project_#@osd#pm#webpack-cli#yargs#os-locale" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "72KB"
info Disk size with transitive dependencies: "88KB"
info Number of shared dependencies: 3
Done in 1.05s.

I only resolve the affected mem@1.1.0.

Signed-off-by: ananzh <ananzh@amazon.com>
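As an added example (not code from the PR or the OpenSearch Dashboards repository), the check below parses a yarn.lock v1 fragment like the one reviewed above and reports which resolved versions of a package sit below the first fixed release, which is the distinction the thread draws between mem@1.1.0 (affected) and mem@4.0.0 (fine). The lockfile text is constructed to mirror the two mem resolutions that `yarn why mem` reported; the version strings are the only values taken from the PR.

```javascript
// Constructed yarn.lock (v1 format) fragment modelled on this PR's two `mem`
// resolutions: 1.1.0 pulled in via yo#fullname, 4.0.0 via os-locale.
const SAMPLE_YARN_LOCK = `
mem@^1.1.0:
  version "1.1.0"
  dependencies:
    mimic-fn "^1.0.0"

mem@^4.0.0:
  version "4.0.0"
`;

// Parse a yarn.lock v1 body into { specifiers, version } entries. A header line
// is unindented and lists one or more "name@range" specifiers ending in ":".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      const specifiers = line.replace(/:$/, "").split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specifiers, version: null };
      entries.push(current);
    } else if (current) {
      // Only the two-space-indented `version "x.y.z"` line is needed here.
      const m = line.match(/^\s{2}version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Compare dotted numeric versions; prerelease suffixes are ignored for this check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Resolved versions of `pkg` strictly below `fixedIn`; an empty array means the
// lockfile no longer carries an affected copy of that package.
function vulnerableResolutions(lockText, pkg, fixedIn) {
  return parseYarnLock(lockText)
    .filter((e) => e.specifiers.some((s) => s.startsWith(pkg + "@")))
    .filter((e) => e.version && compareVersions(e.version, fixedIn) < 0)
    .map((e) => e.version);
}
```

Running the same function over the real lockfile before and after a bump such as this one shows whether the affected resolution is actually gone, rather than relying on the dependency graph printed by `yarn why`.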
@joshuarrrr (Member) left a comment

Looks good, assuming tests pass.

@ananzh ananzh merged commit 2a386b8 into opensearch-project:1.3 Sep 14, 2023
17 of 32 checks passed