[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 #5024

ananzh · 2023-09-14T18:29:25Z

With the SemVer philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version. xml2js is a dev dependency in both OSD and package @osd/test . Meanwhile, it is not included in release artifact. Therefore, bumping major versions should not break SemVer rules.

Description

Due to Leonidas-from-XIV/node-xml2js#672 (comment) , try bump xml2js to 0.6.2 to solve cve and avoid regression errors.

Issues Resolved

CVE-2023-0842
#3793

Check List

Signed-off-by: ananzh <ananzh@amazon.com>

joshuarrrr · 2023-09-14T19:05:51Z

CHANGELOG.md

@@ -36,6 +36,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-1537] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723))
 - [CVE-2022-0436] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723))
 - [CVE-2023-26136] Resolve `tough-cookie` to `4.1.3` ([#4682](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4682))
+- [CVE-2023-0842] Bump `xml2js` from `0.4.22` to `0.6.2` ([#5024](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5024))


Wrong section - should be under L10.

eeeee... I need to fix others. thank you.

joshuarrrr · 2023-09-14T19:07:01Z

yarn.lock

@@ -22297,7 +22297,7 @@ xml-parse-from-string@^1.0.0:
  resolved "https://registry.yarnpkg.com/xml-parse-from-string/-/xml-parse-from-string-1.0.1.tgz#a9029e929d3dbcded169f3c6e28238d95a5d5a28"
  integrity sha1-qQKekp09vN7RafPG4oI42VpdWig=

-xml2js@^0.4.22, xml2js@^0.4.5:
+xml2js@^0.4.5:
  version "0.4.22"


It looks like we still have a sub-dep requiring 0.4.22. To resolve the CVE, do we need to force a resolution?

Yeah you are right. it is brought in by

=> Found "parse-bmfont-xml#xml2js@0.4.23" info This module exists because "_project_#jimp#@jimp#plugins#@jimp#plugin-print#load-bmfont#parse-bmfont-xml" depends on it. info Disk size without dependencies: "72KB" info Disk size with unique dependencies: "504KB" info Disk size with transitive dependencies: "504KB" info Number of shared dependencies: 2

with the latest jimp, we still see xml2js@0.4.23. have to force a resolution. Thank you for checking this carefully. ❤️

codecov · 2023-09-14T19:29:24Z

Codecov Report

Merging #5024 (ae071f0) into 1.3 (2a386b8) will increase coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              1.3    #5024      +/-   ##
==========================================
+ Coverage   67.45%   67.50%   +0.04%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
+ Hits        39593    39619      +26     
+ Misses      16946    16925      -21     
+ Partials     2153     2148       -5

Flag	Coverage Δ
Linux	`67.45% <ø> (ø)`
Windows	`67.45% <ø> (?)`

Flags with carried forward coverage won't be shown. Click here to find out more.

see 6 files with indirect coverage changes

Signed-off-by: ananzh <ananzh@amazon.com>

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh added cve Security vulnerabilities detected by Dependabot or Mend v1.3.13 labels Sep 14, 2023

ananzh requested review from kavilla, seanneumann, AMoo-Miki, ashwin-pc, joshuarrrr, abbyhu2000, zengyan-amazon, kristenTian, zhongnansu, manasvinibs, ZilongX, Flyingliuhub and BSFishy as code owners September 14, 2023 18:29

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2

80e0796

Signed-off-by: ananzh <ananzh@amazon.com>

ananzh force-pushed the 1.3-xml2js branch from 213518b to 80e0796 Compare September 14, 2023 18:30

ZilongX previously approved these changes Sep 14, 2023

View reviewed changes

joshuarrrr reviewed Sep 14, 2023

View reviewed changes

ananzh dismissed ZilongX’s stale review via d5946ef September 14, 2023 19:29

force xml2js to 0.6.2 and fix PR comment

7093096

Signed-off-by: ananzh <ananzh@amazon.com>

ananzh force-pushed the 1.3-xml2js branch from d5946ef to 7093096 Compare September 14, 2023 19:33

ananzh added 2 commits September 14, 2023 14:36

Merge branch '1.3' into 1.3-xml2js

bb8b7b3

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Merge branch '1.3' into 1.3-xml2js

ae071f0

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

AMoo-Miki approved these changes Sep 15, 2023

View reviewed changes

kavilla approved these changes Sep 15, 2023

View reviewed changes

ananzh merged commit a45dea3 into opensearch-project:1.3 Sep 15, 2023
33 of 34 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 #5024

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 #5024

ananzh commented Sep 14, 2023 •

edited

Loading

joshuarrrr Sep 14, 2023

ananzh Sep 14, 2023

joshuarrrr Sep 14, 2023

ananzh Sep 14, 2023

codecov bot commented Sep 14, 2023 •

edited

Loading

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 #5024

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 #5024

Conversation

ananzh commented Sep 14, 2023 • edited Loading

Description

Issues Resolved

Check List

joshuarrrr Sep 14, 2023

Choose a reason for hiding this comment

ananzh Sep 14, 2023

Choose a reason for hiding this comment

joshuarrrr Sep 14, 2023

Choose a reason for hiding this comment

ananzh Sep 14, 2023

Choose a reason for hiding this comment

codecov bot commented Sep 14, 2023 • edited Loading

Codecov Report

ananzh commented Sep 14, 2023 •

edited

Loading

codecov bot commented Sep 14, 2023 •

edited

Loading