Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Backport 1.x] Resolves ansi-regex to v5.0.1 #2425

Merged
merged 2 commits into from
Sep 29, 2022

Conversation

ZilongX
Copy link
Collaborator

@ZilongX ZilongX commented Sep 28, 2022

Signed-off-by: Zilong Xia zilongx@amazon.com

Description

Issues Resolved

Resolves #1084

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

Signed-off-by: Zilong Xia <zilongx@amazon.com>
@joshuarrrr
Copy link
Member

joshuarrrr commented Sep 28, 2022

@ZilongX Did the backport automation fail here? Or did we just never label it appropriately for backport?

@kavilla
Copy link
Member

kavilla commented Sep 28, 2022

@ZilongX Did the backport automation fail here? Or did we just never label it appropriately for backport?

To be honest, I think it was intentionally not added since plugins might use this package but I dont think the resolutions section should be picked up by the build process we should check.

@ananzh ananzh changed the title Resolves ansi-regex to v5.0.1 [backport 1.x] Resolves ansi-regex to v5.0.1 Sep 29, 2022
@ananzh ananzh added the v1.3.6 label Sep 29, 2022
@ZilongX
Copy link
Collaborator Author

ZilongX commented Sep 29, 2022

@joshuarrrr, yes the previous fix PR was not labeled for backporting somehow (#1320), since we're still actively consuming v1.3 which makes this CVE fix still needed in 1.x

@ZilongX
Copy link
Collaborator Author

ZilongX commented Sep 29, 2022

@kavilla , just did a quick search across the whole opensearch-project(https://github.com/search?p=1&q=org%3Aopensearch-project+ansi-regex%40&type=Code) and it turns out only two versions of ansi-regex are currently in use :

  • v2.1.1
  • v5.0.1

Given there are no breaking changes introduced in from v2.1.1 to v5.0.1, the potential plugin consumption of ansi-regex should be safe from this backporting.

@ZilongX ZilongX added cve Security vulnerabilities detected by Dependabot or Mend dependencies Pull requests that update a dependency file labels Sep 29, 2022
@ZilongX
Copy link
Collaborator Author

ZilongX commented Sep 29, 2022

@joshuarrrr @kavilla Trying to catch up the release training for 1.3.6 (code freeze EOD tomorrow), appreciating a quick review / feedback on this one (。•ᴗ-)_

@kristenTian
Copy link
Contributor

@kavilla , just did a quick search across the whole opensearch-project(https://github.com/search?p=1&q=org%3Aopensearch-project+ansi-regex%40&type=Code) and it turns out only two versions of ansi-regex are currently in use :

  • v2.1.1
  • v5.0.1

Given there are no breaking changes introduced in from v2.1.1 to v5.0.1, the potential plugin consumption of ansi-regex should be safe from this backporting.

Curious to learn, where can verify no breaking changes introduced during these versions?

Copy link
Member

@kavilla kavilla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't break the build because the resolutions does not get checked in the dependency checking mechanism.

@joshuarrrr joshuarrrr merged commit a98792a into opensearch-project:1.x Sep 29, 2022
@ZilongX ZilongX deleted the cve-ansi-regex branch September 29, 2022 21:17
@joshuarrrr
Copy link
Member

@kristenTian My understanding is that one way to manually verify is:

  1. Pull down this PR branch
  2. Install one of the plugins with an old/non-matching version (such as dashboards-reports
  3. Run yarn osd bootstrap to build and check for build errors/failures

opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 29, 2022
Signed-off-by: Zilong Xia <zilongx@amazon.com>

Signed-off-by: Zilong Xia <zilongx@amazon.com>
(cherry picked from commit a98792a)
ananzh pushed a commit that referenced this pull request Sep 30, 2022
Signed-off-by: Zilong Xia <zilongx@amazon.com>

Signed-off-by: Zilong Xia <zilongx@amazon.com>
(cherry picked from commit a98792a)

Co-authored-by: ZilongX <99905560+ZilongX@users.noreply.github.com>
@ashwin-pc ashwin-pc changed the title [backport 1.x] Resolves ansi-regex to v5.0.1 [Backport 1.x] Resolves ansi-regex to v5.0.1 Nov 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend dependencies Pull requests that update a dependency file v1.3.6
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants