[Bug]: CVE items in opensearch dashboards #1358
Comments
For OpenSearch Dashboards we have CVE items: We try to avoid major version bumps in packages to avoid breaking plugins so for 1.3.0 we have addressed the following: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aclosed+label%3Acve+label%3Av1.3.0, which was just GHSA-r683-j2x4-v87g node-fetch fixed in 2.6.7, 3.1.1. For 2.0.0 OpenSearch Dashboards we have merged into main and addressed the following: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aclosed+label%3Acve+label%3Av2.0.0. With these still remaining: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aopen+label%3Acve+label%3Av2.0.0+. I believe we can close this issue as a duplicate and track the specific CVEs with https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aopen+is%3Aissue+label%3Acve when related to OpenSearch Dashboards. What do you think @accmt? cc: @tmarkley
@kavilla thanks for a really quick response. Sorry for reporting into a wrong project and not finding those tickets. This can be closed as you are tracking those well. Thanks a lot!
For reference, here's where each CVE is tracked: CVE-2022-0144 - #1139
Describe the bug
opensearch-dashboard 1.2.0 has the following security issues:
CVE-2022-0144 shelljs fixed in 0.8.5
CVE-2022-0155 follow-redirects fixed in 1.14.7
CVE-2022-23647 prismjs fixed in 1.27.0
CVE-2022-0686 url-parse fixed in 1.5.8
CVE-2022-0235 node-fetch fixed in 2.6.7, 3.1.1
Please upgrade the dependencies to fix these issues.
To reproduce
--
Expected behavior
No response
Screenshots
If applicable, add screenshots to help explain your problem.
Host / Environment
No response
Additional context
No response
Relevant log output
No response
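The report above lists five dependency advisories together with the release that fixes each. The script below is an added example (not code from the OpenSearch Dashboards project or from anyone in this thread) showing how a maintainer can check a `package-lock.json` against exactly that list: it walks both lockfile layouts (the v1 nested `dependencies` tree and the v2/v3 flat `packages` map), compares each installed version against the fix release for its major line, and treats pre-releases as below the corresponding release, so `2.6.7-beta.1` is not counted as having reached the `2.6.7` fix. The `SAMPLE_LOCK` lockfile and its versions are constructed for the example; the advisory table is copied from the issue text.

```python
import json
import re

# Advisory table copied from the issue text: package -> (CVE, fix releases, one per release line).
ADVISORIES = {
    "shelljs": ("CVE-2022-0144", ["0.8.5"]),
    "follow-redirects": ("CVE-2022-0155", ["1.14.7"]),
    "prismjs": ("CVE-2022-23647", ["1.27.0"]),
    "url-parse": ("CVE-2022-0686", ["1.5.8"]),
    "node-fetch": ("CVE-2022-0235", ["2.6.7", "3.1.1"]),
}

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-pre][+build]' into a comparable tuple.
    The last element is 0 for a pre-release and 1 for a release, so a
    pre-release sorts below the release it precedes (semver ordering)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def is_fixed(installed, fixed_versions):
    """True if `installed` has reached the fix release of its own major line."""
    inst = parse_version(installed)
    keys = [parse_version(f) for f in fixed_versions]
    for fixed in keys:
        if inst[0] == fixed[0]:          # same major line: compare against its fix
            return inst >= fixed
    # No fix release listed for this major: a line newer than every fix is
    # treated as fixed, an older line with no fix as still vulnerable.
    return inst > max(keys)


def iter_installed(lock):
    """Yield (name, version, location) for every package in a package-lock.json.
    v2/v3 lockfiles carry a flat 'packages' map keyed by path; v1 lockfiles
    nest packages under 'dependencies'. A v2 file contains both, so the
    'packages' map is preferred to avoid counting entries twice."""
    packages = lock.get("packages")
    if packages is not None:
        for path, entry in packages.items():
            if path and "version" in entry:        # "" is the root project itself
                yield path.rsplit("node_modules/", 1)[-1], entry["version"], path
        return

    def walk(deps, prefix):
        for name, entry in deps.items():
            loc = f"{prefix}node_modules/{name}"
            if "version" in entry:
                yield name, entry["version"], loc
            yield from walk(entry.get("dependencies", {}), loc + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit(lock):
    """Return the installed packages that have not reached their fix release."""
    findings = []
    for name, version, location in iter_installed(lock):
        if name in ADVISORIES:
            cve, fixed = ADVISORIES[name]
            if not is_fixed(version, fixed):
                findings.append({"package": name, "installed": version,
                                 "location": location, "cve": cve, "fixed_in": fixed})
    return sorted(findings, key=lambda f: f["location"])


# Constructed sample lockfile (v2 layout) with a mix of fixed and unfixed versions,
# including a nested second copy of node-fetch on the 2.x line.
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-app", "lockfileVersion": 2,
  "packages": {
    "": {"name": "sample-app", "version": "1.0.0"},
    "node_modules/shelljs": {"version": "0.8.4"},
    "node_modules/follow-redirects": {"version": "1.14.7"},
    "node_modules/prismjs": {"version": "1.25.0"},
    "node_modules/url-parse": {"version": "1.5.8"},
    "node_modules/node-fetch": {"version": "3.1.1"},
    "node_modules/some-client/node_modules/node-fetch": {"version": "2.6.1"}
  }
}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK):
        print(f"{f['cve']}: {f['package']}@{f['installed']} at {f['location']} "
              f"(fixed in {', '.join(f['fixed_in'])})")
```

Running it against the sample reports three findings: prismjs 1.25.0, shelljs 0.8.4 and the nested node-fetch 2.6.1, while the top-level node-fetch 3.1.1, follow-redirects 1.14.7 and url-parse 1.5.8 pass. The nested copy is the case worth noting: a lockfile can carry a fixed version at the top level and an unfixed one further down the tree, which is why the check walks every location rather than just the direct dependencies.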