
[CVE] Resolves grunt to 1.5.3 #1580

Merged (1 commit, May 13, 2022)

Conversation

@kavilla (Member) commented May 11, 2022

Description

Addresses CVE-2022-1537

Signed-off-by: Kawika Avilla kavilla414@gmail.com

Issues Resolved

#1579

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

@kavilla kavilla requested a review from a team as a code owner May 11, 2022 20:11
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
@kavilla kavilla force-pushed the avillk/bump_grunt branch from 55edb91 to 2e4a4cd Compare May 11, 2022 20:13
@kavilla kavilla linked an issue May 11, 2022 that may be closed by this pull request
@kavilla kavilla added backport 2.x backport 2.0 v2.0.0 cve Security vulnerabilities detected by Dependabot or Mend labels May 11, 2022
@tmarkley (Contributor) commented:

Do we want to bump the defined dependencies?

"grunt": "^1.5.2",

@kavilla (Member, Author) commented May 11, 2022

Do we want to bump the defined dependencies?

"grunt": "^1.5.2",

Good point. I'd rather go this route, otherwise I won't backport to 2.0. Plus they're compatible with version ^, so to me it reads the same.

@tmarkley (Contributor) commented:

Good point. I'd rather go this route, otherwise I won't backport to 2.0. Plus they're compatible with version ^, so to me it reads the same.

Yeah agreed, just wanted to make sure we considered that.

@kavilla kavilla merged commit 1792662 into opensearch-project:main May 13, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request May 13, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 1792662)
tmarkley pushed a commit that referenced this pull request May 17, 2022
Addresses CVE-2022-1537

Issue:
#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 1792662)
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this pull request Jun 8, 2022
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
kavilla added a commit to kavilla/OpenSearch-Dashboards-1 that referenced this pull request Jun 16, 2022
Addresses CVE-2022-1537

Issue:
opensearch-project#1579

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Mar 29, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bumping grunt is different because v1.5.3 requires node>=8
and has no breaking changes. This is the latest version with no node
conflicts. grunt requires node>=16 since v1.6.0. Therefore, we
should be very specific and limit the bump range.

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Mar 29, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bumping grunt is different because v1.5.3 requires node>=8
and has no breaking changes. This is the latest version with no node
conflicts. grunt requires node>=16 since v1.6.0. Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
opensearch-project#1579
opensearch-project#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Mar 30, 2023
Main bump grunt via this PR:
 opensearch-project#1580

In 1.x, bumping grunt is different because v1.5.3 requires node>=8
and has no breaking changes. This is the latest version with no node
conflicts. grunt requires node>=16 since v1.6.0. Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
opensearch-project#1579
opensearch-project#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
joshuarrrr added a commit that referenced this pull request Mar 31, 2023
)

Main bump grunt via this PR:
 #1580

In 1.x, bumping grunt is different because v1.5.3 requires node>=8
and has no breaking changes. This is the latest version with no node
conflicts. grunt requires node>=16 since v1.6.0. Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
#1579
#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jun 28, 2023
)

Main bump grunt via this PR:
 #1580

In 1.x, bumping grunt is different because v1.5.3 requires node>=8
and has no breaking changes. This is the latest version with no node
conflicts. grunt requires node>=16 since v1.6.0. Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
#1579
#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 65deacb)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
ashwin-pc pushed a commit that referenced this pull request Jun 30, 2023
) (#4435)

Main bump grunt via this PR:
 #1580

In 1.x, bumping grunt is different because v1.5.3 requires node>=8
and has no breaking changes. This is the latest version with no node
conflicts. grunt requires node>=16 since v1.6.0. Therefore, we
should be very specific and limit the bump range.

Issue Resolve:
#1579
#1450

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 65deacb)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
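The two bump strategies discussed on this page, re-resolving the lock file inside the existing `^1.5.2` range on main (the tmarkley/kavilla exchange above) versus pinning an exact version on 1.x because newer grunt releases need a newer Node (ananzh's commit message), can both be checked mechanically. The following is an added example, not code from this PR or from the OpenSearch Dashboards project: it parses a constructed yarn.lock v1 fragment, confirms the locked grunt version sits inside the declared package.json range and at or above the fixed version, and then picks the highest grunt release a branch can take given its Node version. The yarn.lock fragment, the release table, the Node versions and the `>=8` engine for 1.5.2 are assumptions; the page only states that 1.5.3 needs node>=8 and that 1.6.0 and later need node>=16. The semver handling is a small hand-written subset (caret, `>=`, exact), not the `semver` package.

```javascript
'use strict';

// Constructed yarn.lock v1 fragment, as it would look after `yarn` re-resolved
// grunt to 1.5.3 without touching the "^1.5.2" declared in package.json.
// The grunt-cli entry is a distractor to show that name matching is exact.
const YARN_LOCK = `
grunt-cli@^1.4.3:
  version "1.4.3"
  resolved "https://registry.yarnpkg.com/grunt-cli/-/grunt-cli-1.4.3.tgz"

grunt@^1.5.2:
  version "1.5.3"
  resolved "https://registry.yarnpkg.com/grunt/-/grunt-1.5.3.tgz"
  dependencies:
    dateformat "~3.0.3"
`;

// Version the PR resolves grunt to (CVE-2022-1537 fix).
const FIXED_VERSION = '1.5.3';

// Constructed release table. The page states 1.5.3 needs node>=8 and 1.6.0
// needs node>=16; the engine for 1.5.2 is an assumption.
const GRUNT_RELEASES = [
  { version: '1.5.2', node: '>=8' },
  { version: '1.5.3', node: '>=8' },
  { version: '1.6.0', node: '>=16' },
];

// "x", "x.y" or "x.y.z" -> [major, minor, patch]; anything else is rejected.
function parseVersion(v) {
  const m = /^(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range subset used on this page: "^x.y.z" (same major, >= base), ">=x[.y[.z]]",
// and an exact "x.y.z". Caret on a 0.x base has different semantics and is refused.
function satisfies(range, version) {
  const r = range.trim();
  if (r.startsWith('^')) {
    const base = r.slice(1);
    const [major] = parseVersion(base);
    if (major === 0) throw new Error('caret on a 0.x base is not handled here');
    return compareVersions(version, base) >= 0 && parseVersion(version)[0] === major;
  }
  if (r.startsWith('>=')) return compareVersions(version, r.slice(2)) >= 0;
  return compareVersions(version, r) === 0;
}

// Find the resolved version of `name` in a yarn.lock v1 text. Entry headers are
// unindented and end with ":"; a header can list several specs, e.g.
// "grunt@^1.5.2", "grunt@^1.5.3":
function lockedVersion(lockText, name) {
  const lines = lockText.split('\n');
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i];
    if (!/^\S/.test(line) || !line.endsWith(':')) continue;
    const specs = line.slice(0, -1).split(', ').map((s) => s.replace(/^"|"$/g, ''));
    if (!specs.some((s) => s.startsWith(name + '@'))) continue;
    for (let j = i + 1; j < lines.length && /^\s/.test(lines[j]); j++) {
      const m = /^\s+version "([^"]+)"/.exec(lines[j]);
      if (m) return m[1];
    }
  }
  return null;
}

// A lock-file-only bump is legitimate when the locked version still satisfies
// the range declared in package.json; it fixes the CVE when it is >= the fix.
function auditLockBump({ lockText, name, declaredRange, fixedVersion }) {
  const locked = lockedVersion(lockText, name);
  if (!locked) throw new Error(`${name} not found in yarn.lock`);
  return {
    locked,
    inDeclaredRange: satisfies(declaredRange, locked),
    fixesCve: compareVersions(locked, fixedVersion) >= 0,
  };
}

// Highest release inside the declared range, at or above the fix, whose engine
// requirement the branch's Node version meets; null if none qualifies.
function pickSafeBump(candidates, declaredRange, fixedVersion, nodeVersion) {
  const ok = candidates.filter((c) =>
    satisfies(declaredRange, c.version) &&
    compareVersions(c.version, fixedVersion) >= 0 &&
    satisfies(c.node, nodeVersion));
  if (ok.length === 0) return null;
  return ok.reduce((best, c) => (compareVersions(c.version, best.version) > 0 ? c : best)).version;
}

// If a caret range starting at the pick would let a later install drift onto a
// release this Node cannot run, return an exact pin; otherwise the caret range.
function recommendRange(candidates, declaredRange, fixedVersion, nodeVersion) {
  const pick = pickSafeBump(candidates, declaredRange, fixedVersion, nodeVersion);
  if (!pick) return null;
  const drift = candidates.some((c) =>
    satisfies('^' + pick, c.version) && !satisfies(c.node, nodeVersion));
  return drift ? pick : '^' + pick;
}

console.log('main, lock-only bump:', auditLockBump({
  lockText: YARN_LOCK, name: 'grunt', declaredRange: '^1.5.2', fixedVersion: FIXED_VERSION,
}));
console.log('1.x on Node 14 (assumed):', recommendRange(GRUNT_RELEASES, '^1.5.2', FIXED_VERSION, '14.21.3'));
console.log('main on Node 16 (assumed):', recommendRange(GRUNT_RELEASES, '^1.5.2', FIXED_VERSION, '16.20.0'));
```

Run it with `node`. The point of `auditLockBump` is the one tmarkley raised: a lock-file-only fix is sound exactly when the locked version is inside the declared range, which is why `^1.5.2` could stay in package.json on main. `recommendRange` captures ananzh's 1.x reasoning: on a branch whose Node cannot run the next minor, an exact `1.5.3` pin is what stops a later `yarn upgrade` from drifting to 1.6.0 and past the engine floor.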
Labels
backport 2.x cve Security vulnerabilities detected by Dependabot or Mend v2.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CVE-2022-1537 (High) detected in grunt-1.5.2.tgz
3 participants