From 316278fd1375f200f1ca89ad8b15ce2d06931f3b Mon Sep 17 00:00:00 2001 From: Miki Date: Tue, 2 May 2023 11:40:56 -0700 Subject: [PATCH] [2.x backport] Bump `joi` to v14 to avoid the possibility of prototype poisoning in a nested dependency Backport PR https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3952 Signed-off-by: Miki --- CHANGELOG.md | 1 + package.json | 2 +- packages/osd-config-schema/package.json | 2 +- packages/osd-test/package.json | 2 +- yarn.lock | 15 +++++---------- 5 files changed, 9 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 943bfabe107a..454a14369dc7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - [CVE-2023-26486] Bump vega from `5.22.1` to `5.23.0` ([#3533](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3533)) - [CVE-2023-26487] Bump vega from `5.22.1` to `5.23.0` ([#3533](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3533)) - [CVE-2023-0842] Bump xml2js from `0.4.23` to `0.5.0` ([#3842](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3842)) +- Bump `joi` to v14 to avoid the possibility of prototype poisoning in a nested dependency ([#3952](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3952)) ### 📈 Features/Enhancements diff --git a/package.json b/package.json index b30bf2a293c0..7e0fe2bf0855 100644 --- a/package.json +++ b/package.json @@ -188,7 +188,7 @@ "https-proxy-agent": "^5.0.0", "inline-style": "^2.0.0", "ip-cidr": "^2.1.0", - "joi": "^13.5.2", + "joi": "^14.3.1", "js-yaml": "^3.14.0", "json-stable-stringify": "^1.0.1", "json-stringify-safe": "5.0.1", diff --git a/packages/osd-config-schema/package.json b/packages/osd-config-schema/package.json index 52471e29527c..c88afe609e1f 100644 --- a/packages/osd-config-schema/package.json +++ b/packages/osd-config-schema/package.json @@ -16,7 +16,7 @@ }, "peerDependencies": { "lodash": "^4.17.21", - "joi": "^13.5.2", + "joi": "^14.3.1", "moment": "^2.24.0", "type-detect": "^4.0.8" } diff --git a/packages/osd-test/package.json b/packages/osd-test/package.json index 69fa50828fc0..c1ee4f1687cd 100644 --- a/packages/osd-test/package.json +++ b/packages/osd-test/package.json @@ -31,7 +31,7 @@ "exit-hook": "^2.2.0", "getopts": "^2.2.5", "glob": "^7.1.7", - "joi": "^13.5.2", + "joi": "^14.3.1", "lodash": "^4.17.21", "parse-link-header": "^2.0.0", "rxjs": "^6.5.5", diff --git a/yarn.lock b/yarn.lock index 85ce73dec424..0f37bb082c33 100644 --- a/yarn.lock +++ b/yarn.lock @@ -9847,11 +9847,6 @@ hmac-drbg@^1.0.1: minimalistic-assert "^1.0.0" minimalistic-crypto-utils "^1.0.1" -hoek@5.x.x: - version "5.0.4" - resolved "https://registry.yarnpkg.com/hoek/-/hoek-5.0.4.tgz#0f7fa270a1cafeb364a4b2ddfaa33f864e4157da" - integrity sha512-Alr4ZQgoMlnere5FZJsIyfIjORBqZll5POhDsF4q64dPuJR6rNxXdDxtHSQq8OXRurhmx+PWYEE8bXRROY8h0w== - hoek@6.x.x: version "6.1.3" resolved "https://registry.yarnpkg.com/hoek/-/hoek-6.1.3.tgz#73b7d33952e01fe27a38b0457294b79dd8da242c" @@ -11459,12 +11454,12 @@ jmespath@0.16.0: resolved "https://registry.yarnpkg.com/jmespath/-/jmespath-0.16.0.tgz#b15b0a85dfd4d930d43e69ed605943c802785076" integrity sha512-9FzQjJ7MATs1tSpnco1K6ayiYE3figslrXA72G2HQ/n76RzvYlofyi5QM+iX4YRs/pu3yzxlVQSST23+dMDknw== -joi@^13.5.2: - version "13.7.0" - resolved "https://registry.yarnpkg.com/joi/-/joi-13.7.0.tgz#cfd85ebfe67e8a1900432400b4d03bbd93fb879f" - integrity sha512-xuY5VkHfeOYK3Hdi91ulocfuFopwgbSORmIwzcwHKESQhC7w1kD5jaVSPnqDxS2I8t3RZ9omCKAxNwXN5zG1/Q== +joi@^14.3.1: + version "14.3.1" + resolved "https://registry.yarnpkg.com/joi/-/joi-14.3.1.tgz#164a262ec0b855466e0c35eea2a885ae8b6c703c" + integrity sha512-LQDdM+pkOrpAn4Lp+neNIFV3axv1Vna3j38bisbQhETPMANYRbFJFUyOZcOClYvM/hppMhGWuKSFEK9vjrB+bQ== dependencies: - hoek "5.x.x" + hoek "6.x.x" isemail "3.x.x" topo "3.x.x"