[1.3][CVE-2022-33987] Partially fix security issues for got by bumping @elastic/makelogs from 6.0.0 to 6.1.1 and update yarn.lock #5006
Codecov Report
@@ Coverage Diff @@
## 1.3 #5006 +/- ##
==========================================
+ Coverage 67.46% 67.49% +0.03%
==========================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
==========================================
+ Hits 39595 39617 +22
+ Misses 16945 16926 -19
+ Partials 2152 2149 -3
Flags with carried forward coverage won't be shown.
This CVE requires updating got to 11.8.5 or 12.1.0. got is used in multiple versions: 3.3.1, 5.6.0, 6.7.1, 7.1.0, 8.3.2, 9.6.0, 11.8.2. For 11.8.2, we need to clean yarn.lock and bootstrap. For 3.3.1, we could bump @elastic/makelogs to 6.1.1. Other versions can't be fixed in 1.x.
Signed-off-by: ananzh <ananzh@amazon.com>
CHANGELOG.md
Outdated
@@ -36,6 +36,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) | |||
- [CVE-2022-1537] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723)) | |||
- [CVE-2022-0436] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723)) | |||
- [CVE-2023-26136] Resolve `tough-cookie` to `4.1.3` ([#4682](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4682)) | |||
- [CVE-2022-33987] Partially fix security issues for `got` by bumping `@elastic/makelogs` from `6.0.0` to `6.1.1` and updating yarn.lock ([#5006](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5006)) |
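Review bot: the new `+` line is appended after the `tough-cookie` entry in the block that starts at line 36, so it is attributed to whatever release heading governs that list rather than to the list for the release this PR ships in; move it under the correct heading (the review comment below points at the section under line 10). The entry text also leaves the reader guessing which of the seven `got` lines actually changed: "Partially fix ... by bumping `@elastic/makelogs`" only covers the `got@3.3.1` path, while "updating yarn.lock" is what resolves `got@11.8.2` to `11.8.5`. Spelling out both effects, e.g. `... and re-resolving got@11.8.2 to 11.8.5 in yarn.lock`, would make the changelog entry match the PR description.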
should be in section under L10.
yeah 😢
Signed-off-by: ananzh <ananzh@amazon.com>
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
With the SemVer philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version. `got` is not a direct dependency for OSD. Meanwhile, it is not included in the release artifact. Therefore, bumping major versions should not break SemVer rules.

Description

This CVE requires updating `got` to `11.8.5` or `12.1.0`. `got` is used in multiple versions:
- `3.3.1`
- `5.6.0`
- `6.7.1`
- `7.1.0`
- `8.3.2`
- `9.6.0`
- `11.8.2`
This PR only fixed the two acceptable changes. Other versions are not fixable in 1.3.
- `got@6.7.1`: Hoisted from dependencies "project#latest-version#package-json#got" and "project#@osd#ui-framework#yeoman-generator#github-username#gh-got#got"
- `got@5.6.0`: This exists because "project#geckodriver" depends on it.
- `got@11.8.2`: This exists because "project#ms-chromium-edge-driver" depends on it.
- `got@8.3.2`: Hoisted from dependency "project#@osd#ui-framework#yo#package-json#got".
- `got@7.1.0`: This exists because "project#@osd#ui-framework#yo#npm-keyword" depends on it.
- `got@3.3.1`: Hoisted from dependency "project#@elastic#makelogs#update-notifier#latest-version#package-json#got".
- `got@9.6.0`: Hoisted from dependency "project#@elastic#safer-lodash-set#tsd#update-notifier#latest-version#package-json#got".
Issues Resolved
- CVE-2022-33987
- #1764

Check List
- `yarn test:jest`
- `yarn test:jest_integration`
- `yarn test:ftr`
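The check the description performs by hand (list every resolved `got` in yarn.lock, then compare each against the versions the advisory names) can be scripted so it reruns after every `yarn` bootstrap. The following is an added example written for this thread; it is not code from this PR or from the OpenSearch Dashboards repository. The lockfile excerpt, the `GOT_RULES` ranges, and the function names are constructed for the example; in particular, treating every release below `11.8.5` and every `12.0.x` release as affected is this example's reading of "update to 11.8.5 or 12.1.0", not text from the advisory.

```javascript
// Added example for this PR thread; not code from the OpenSearch Dashboards
// repository. Scans a yarn.lock (v1 format) for every resolved version of a
// package and reports the ones still inside a vulnerable range, which is the
// check the PR description does by hand for `got` with `yarn why`.

// CVE-2022-33987 is fixed in got 11.8.5 and 12.1.0. Assumption for this
// example: every release below 11.8.5 and every 12.0.x release is affected.
const GOT_RULES = [
  { below: '11.8.5' },
  { from: '12.0.0', below: '12.1.0' },
];

// Constructed yarn.lock excerpt (not the project's real lockfile) modelled on
// the state after this PR: got@3.3.1 is gone and got@11.8.2 now resolves to
// 11.8.5, but the lines the description calls unfixable are still present.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@elastic/makelogs@^6.1.1":
  version "6.1.1"
  resolved "https://registry.yarnpkg.com/@elastic/makelogs/-/makelogs-6.1.1.tgz"

got@^5.0.0:
  version "5.6.0"
  resolved "https://registry.yarnpkg.com/got/-/got-5.6.0.tgz"

got@^6.7.1:
  version "6.7.1"
  resolved "https://registry.yarnpkg.com/got/-/got-6.7.1.tgz"

got@^9.6.0:
  version "9.6.0"
  resolved "https://registry.yarnpkg.com/got/-/got-9.6.0.tgz"

got@^11.8.2, got@^11.8.5:
  version "11.8.5"
  resolved "https://registry.yarnpkg.com/got/-/got-11.8.5.tgz"

got@^12.0.0:
  version "12.0.4"
  resolved "https://registry.yarnpkg.com/got/-/got-12.0.4.tgz"
`;

// "@scope/name@range" -> "@scope/name", "name@range" -> "name".
function packageName(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

// Minimal yarn.lock v1 parser: an unindented line ending in ':' opens an entry
// whose comma-separated specs all resolve to the `version` given below it.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const specs = line.slice(0, -1).split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { name: packageName(specs[0]), specs, version: null };
      entries.push(current);
      continue;
    }
    const m = current && line.match(/^\s+version\s+"([^"]+)"/);
    if (m) current.version = m[1];
  }
  return entries;
}

// Compare MAJOR.MINOR.PATCH numerically; pre-release/build suffixes are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map((n) => Number(n) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A version is vulnerable if it falls inside any rule's [from, below) range.
function isVulnerable(version, rules) {
  return rules.some(
    (r) => (r.from === undefined || compareVersions(version, r.from) >= 0)
      && compareVersions(version, r.below) < 0,
  );
}

// Every distinct resolved version of `pkg`, ascending, split into the set that
// is at or past the fix and the set that still needs a bump.
function auditPackage(lockText, pkg, rules) {
  const versions = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (e.name === pkg && e.version) versions.add(e.version);
  }
  const sorted = [...versions].sort(compareVersions);
  return {
    vulnerable: sorted.filter((v) => isVulnerable(v, rules)),
    fixed: sorted.filter((v) => !isVulnerable(v, rules)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: node audit-got.js [path/to/yarn.lock]; falls back to the sample.
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  const { vulnerable, fixed } = auditPackage(text, 'got', GOT_RULES);
  console.log(`got versions still vulnerable to CVE-2022-33987: ${vulnerable.join(', ') || 'none'}`);
  console.log(`got versions at or past the fix: ${fixed.join(', ') || 'none'}`);
}
```

Run against the sample, the script reports `5.6.0`, `6.7.1`, `9.6.0` and `12.0.4` as still vulnerable and `11.8.5` as fixed; pointed at the real lockfile after `yarn osd bootstrap`, it gives the same list the description assembled from `yarn why`, and the `specs` on each entry show which ranges (and therefore which dependants) pinned a given version. Pairing it with `yarn why got` then tells you whether a remaining line can be removed by bumping a direct dependency, as was done for `@elastic/makelogs`, or only by a major bump that the release branch cannot take.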