From 9298cdd8a7eef795dd9e3411a9377a1f8f5ed594 Mon Sep 17 00:00:00 2001
From: himsgupta1122
Date: Thu, 20 Oct 2022 17:50:15 -0700
Subject: [PATCH 1/5] Update CVE 2022-3517 minimatch to 3.0.5
Signed-off-by: himsgupta1122
---
 CHANGELOG.md | 2 ++
 package.json | 2 +-
 yarn.lock | 7 +++++++
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 924aa5280c9e..da66fd9f500d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,6 +66,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * [CVE-2022-33987] Upgrade geckodriver to 3.0.2 ([#2166](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2166))
 * Bumps percy-agent to use non-beta version ([#2415](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2415))
 * Resolve sub-dependent d3-color version and potential security issue ([#2454](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2454))
+* [CVE-2022-3517] Update minimatch from 3.0.4 to 3.0.5 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
+* Update unset-value from 1.0.1 to 2.0.1 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
 ### 📈 Features/Enhancements
diff --git a/package.json b/package.json
index e491c823a5eb..57bafc9deb31 100644
--- a/package.json
+++ b/package.json
@@ -181,7 +181,7 @@
 "json-stringify-safe": "5.0.1",
 "lodash": "^4.17.21",
 "lru-cache": "^4.1.5",
- "minimatch": "^3.0.4",
+ "minimatch": "3.0.5",
 "moment": "^2.24.0",
 "moment-timezone": "^0.5.27",
 "mustache": "^2.3.2",
diff --git a/yarn.lock b/yarn.lock
index 42a7660cf0be..adbe0928430a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12797,6 +12797,13 @@ minimatch@3.0.4: dependencies: brace-expansion "^1.1.7" +minimatch@3.0.5: + version "3.0.5" + resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.5.tgz#4da8f1290ee0f0f8e83d60ca69f8f134068604a3" + integrity sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw== + dependencies: + brace-expansion "^1.1.7" + minimatch@~3.0.4: version "3.0.8" resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.8.tgz#5e6a59bd11e2ab0de1cfb843eb2d82e546c321c1"
From b4a443200374170dfa8be8ec8f89aa56b0dd03ab Mon Sep 17 00:00:00 2001
From: himsgupta1122
Date: Thu, 20 Oct 2022 18:03:24 -0700
Subject: [PATCH 2/5] enforce unset-value to 2.0.1
Signed-off-by: himsgupta1122
---
 package.json | 3 ++-
 yarn.lock | 53 ++++++++++++++++++++++++++++++++--------------------
 2 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/package.json b/package.json
index 57bafc9deb31..2ec02365e0f2 100644
--- a/package.json
+++ b/package.json
@@ -91,7 +91,8 @@
 "**/nth-check": "^2.0.1",
 "**/qs": "^6.10.3",
 "**/trim": "^0.0.3",
- "**/typescript": "4.0.2"
+ "**/typescript": "4.0.2",
+ "**/unset-value": "^2.0.1"
 },
 "workspaces": {
 "packages": [
diff --git a/yarn.lock b/yarn.lock
index adbe0928430a..0544e65144a5 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -9157,11 +9157,18 @@ get-symbol-description@^1.0.0: call-bind "^1.0.2" get-intrinsic "^1.1.1" -get-value@^2.0.3, get-value@^2.0.6: +get-value@^2.0.6: version "2.0.6" resolved "https://registry.yarnpkg.com/get-value/-/get-value-2.0.6.tgz#dc15ca1c672387ca76bd37ac0a395ba2042a2c28" integrity sha1-3BXKHGcjh8p2vTesCjlbogQqLCg= +get-value@^3.0.0: + version "3.0.1" + resolved "https://registry.yarnpkg.com/get-value/-/get-value-3.0.1.tgz#5efd2a157f1d6a516d7524e124ac52d0a39ef5a8" + integrity sha512-mKZj9JLQrwMBtj5wxi6MH8Z5eSKaERpAwjg43dPtlGI1ZVEgH/qC7T8/6R2OBSUA+zzHBZgICsVJaEIV2tKTDA== + dependencies: + isobject "^3.0.1" + getobject@~1.0.0: version "1.0.2" resolved "https://registry.yarnpkg.com/getobject/-/getobject-1.0.2.tgz#25ec87a50370f6dcc3c6ba7ef43c4c16215c4c89"
@@ -9731,15 +9738,6 @@ has-unicode@^2.0.0: resolved "https://registry.yarnpkg.com/has-unicode/-/has-unicode-2.0.1.tgz#e0e6fe6a28cf51138855e086d1691e771de2a8b9" integrity sha1-4Ob+aijPUROIVeCG0Wkedx3iqLk= -has-value@^0.3.1: - version "0.3.1" - resolved "https://registry.yarnpkg.com/has-value/-/has-value-0.3.1.tgz#7b1f58bada62ca827ec0a2078025654845995e1f" - integrity sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8= - dependencies: - get-value "^2.0.3" - has-values "^0.1.4" - isobject "^2.0.0" - has-value@^1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/has-value/-/has-value-1.0.0.tgz#18b281da585b1c5c51def24c930ed29a0be6b177"
@@ -9749,10 +9747,13 @@ has-value@^1.0.0: has-values "^1.0.0" isobject "^3.0.0" -has-values@^0.1.4: - version "0.1.4" - resolved "https://registry.yarnpkg.com/has-values/-/has-values-0.1.4.tgz#6d61de95d91dfca9b9a02089ad384bff8f62b771" - integrity sha1-bWHeldkd/Km5oCCJrThL/49it3E= +has-value@^2.0.2: + version "2.0.2" + resolved "https://registry.yarnpkg.com/has-value/-/has-value-2.0.2.tgz#d0f12e8780ba8e90e66ad1a21c707fdb67c25658" + integrity sha512-ybKOlcRsK2MqrM3Hmz/lQxXHZ6ejzSPzpNabKB45jb5qDgJvKPa3SdapTsTLwEb9WltgWpOmNax7i+DzNOk4TA== + dependencies: + get-value "^3.0.0" + has-values "^2.0.1" has-values@^1.0.0: version "1.0.0"
@@ -9762,6 +9763,13 @@ has-values@^1.0.0: is-number "^3.0.0" kind-of "^4.0.0" +has-values@^2.0.1: + version "2.0.1" + resolved "https://registry.yarnpkg.com/has-values/-/has-values-2.0.1.tgz#3876200ff86d8a8546a9264a952c17d5fc17579d" + integrity sha512-+QdH3jOmq9P8GfdjFg0eJudqx1FqU62NQJ4P16rOEHeRdl7ckgwn6uqQjzYE0ZoHVV/e5E2esuJ5Gl5+HUW19w== + dependencies: + kind-of "^6.0.2" + has@^1.0.1, has@^1.0.3: version "1.0.3" resolved "https://registry.yarnpkg.com/has/-/has-1.0.3.tgz#722d7cbfc1f6aa8241f16dd814e011e1f41e8796"
@@ -10998,6 +11006,11 @@ isobject@^3.0.0, isobject@^3.0.1: resolved "https://registry.yarnpkg.com/isobject/-/isobject-3.0.1.tgz#4e431e92b11a9731636aa1f9c8d1ccbcfdab78df" integrity sha1-TkMekrEalzFjaqH5yNHMvP2reN8= +isobject@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/isobject/-/isobject-4.0.0.tgz#3f1c9155e73b192022a80819bacd0343711697b0" + integrity sha512-S/2fF5wH8SJA/kmwr6HYhK/RI/OkhD84k8ntalo0iJjZikgq1XFvR5M8NPT1x5F7fBwCG3qHfnzeP/Vh/ZxCUA== + isstream@~0.1.2: version "0.1.2" resolved "https://registry.yarnpkg.com/isstream/-/isstream-0.1.2.tgz#47e63f7af55afa6f92e1500e690eb8b8529c099a"
@@ -17962,13 +17975,13 @@ unlazy-loader@^0.1.3: dependencies: requires-regex "^0.3.3" -unset-value@^1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/unset-value/-/unset-value-1.0.0.tgz#8376873f7d2335179ffb1e6fc3a8ed0dfc8ab559" - integrity sha1-g3aHP30jNRef+x5vw6jtDfyKtVk= +unset-value@^1.0.0, unset-value@^2.0.1: + version "2.0.1" + resolved "https://registry.yarnpkg.com/unset-value/-/unset-value-2.0.1.tgz#57bed0c22d26f28d69acde5df9a11b77c74d2df3" + integrity sha512-2hvrBfjUE00PkqN+q0XP6yRAOGrR06uSiUoIQGZkc7GxvQ9H7v8quUPNtZjMg4uux69i8HWpIjLPUKwCuRGyNg== dependencies: - has-value "^0.3.1" - isobject "^3.0.0" + has-value "^2.0.2" + isobject "^4.0.0" upath@^1.1.1: version "1.2.0"
From 26b78ae9d86e415fa122cb9544c6438d1ce299e5 Mon Sep 17 00:00:00 2001
From: himsgupta1122
Date: Thu, 20 Oct 2022 18:05:39 -0700
Subject: [PATCH 3/5] edit CHANGELOG.md
Signed-off-by: himsgupta1122
---
 CHANGELOG.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index da66fd9f500d..b636ffae0a6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,8 +66,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * [CVE-2022-33987] Upgrade geckodriver to 3.0.2 ([#2166](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2166))
 * Bumps percy-agent to use non-beta version ([#2415](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2415))
 * Resolve sub-dependent d3-color version and potential security issue ([#2454](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2454))
-* [CVE-2022-3517] Update minimatch from 3.0.4 to 3.0.5 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
-* Update unset-value from 1.0.1 to 2.0.1 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
+* [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
+* Bumps unset-value from 1.0.1 to 2.0.1 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
 ### 📈 Features/Enhancements
From 17a35b26c7dacb2de5723aa033710df6ad2d3126 Mon Sep 17 00:00:00 2001
From: himsgupta1122
Date: Fri, 21 Oct 2022 10:18:13 -0700
Subject: [PATCH 4/5] version semver update and combining changelogs
Signed-off-by: himsgupta1122
---
 CHANGELOG.md | 3 +--
 package.json | 2 +-
 yarn.lock | 9 +-------
 3 files changed, 3 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b636ffae0a6b..31bcee4a2e9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,8 +66,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * [CVE-2022-33987] Upgrade geckodriver to 3.0.2 ([#2166](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2166))
 * Bumps percy-agent to use non-beta version ([#2415](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2415))
 * Resolve sub-dependent d3-color version and potential security issue ([#2454](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2454))
-* [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
-* Bumps unset-value from 1.0.1 to 2.0.1 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
+* [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5 and [IBM X-Force ID: 220063] unset-value from 1.0.1 to 2.0.1 ([#2640](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2640))
 ### 📈 Features/Enhancements
diff --git a/package.json b/package.json
index 2ec02365e0f2..dc0bd7818378 100644
--- a/package.json
+++ b/package.json
@@ -182,7 +182,7 @@
 "json-stringify-safe": "5.0.1",
 "lodash": "^4.17.21",
 "lru-cache": "^4.1.5",
- "minimatch": "3.0.5",
+ "minimatch": "^3.0.5",
 "moment": "^2.24.0",
 "moment-timezone": "^0.5.27",
 "mustache": "^2.3.2",
diff --git a/yarn.lock b/yarn.lock
index 0544e65144a5..b44990a9151b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12796,7 +12796,7 @@ minimalistic-crypto-utils@^1.0.1: resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a" integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= -"minimatch@2 || 3", minimatch@^3.0.4, minimatch@^3.1.2: +"minimatch@2 || 3", minimatch@^3.0.4, minimatch@^3.0.5, minimatch@^3.1.2: version "3.1.2" resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
@@ -12810,13 +12810,6 @@ minimatch@3.0.4: dependencies: brace-expansion "^1.1.7" -minimatch@3.0.5: - version "3.0.5" - resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.5.tgz#4da8f1290ee0f0f8e83d60ca69f8f134068604a3" - integrity sha512-tUpxzX0VAzJHjLu0xUfFv1gwVp9ba3IOuRAVH2EGuRW8a5emA2FlACLqiT/lDVtS1W+TGNwqz3sWaNyLgDJWuw== - dependencies: - brace-expansion "^1.1.7" - minimatch@~3.0.4: version "3.0.8" resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.8.tgz#5e6a59bd11e2ab0de1cfb843eb2d82e546c321c1"
From dd3a7a799ce8024a9b8a2beb56037709fbb6913b Mon Sep 17 00:00:00 2001
From: himsgupta1122
Date: Fri, 21 Oct 2022 15:21:45 -0700
Subject: [PATCH 5/5] adding minimatch sub-dep resolution
Signed-off-by: himsgupta1122
---
 package.json | 5 +++--
 yarn.lock | 18 ++----------------
 2 files changed, 5 insertions(+), 18 deletions(-)
diff --git a/package.json b/package.json
index dc0bd7818378..980306b04b61 100644
--- a/package.json
+++ b/package.json
@@ -92,7 +92,8 @@
 "**/qs": "^6.10.3",
 "**/trim": "^0.0.3",
 "**/typescript": "4.0.2",
- "**/unset-value": "^2.0.1"
+ "**/unset-value": "^2.0.1",
+ "**/minimatch": "^3.0.5"
 },
 "workspaces": {
 "packages": [
@@ -182,7 +183,7 @@
 "json-stringify-safe": "5.0.1",
 "lodash": "^4.17.21",
 "lru-cache": "^4.1.5",
- "minimatch": "^3.0.5",
+ "minimatch": "^3.0.4",
 "moment": "^2.24.0",
 "moment-timezone": "^0.5.27",
 "mustache": "^2.3.2",
diff --git a/yarn.lock b/yarn.lock
index b44990a9151b..0c4ebdfc120e 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6149,7 +6149,7 @@ compression-webpack-plugin@^4.0.0: concat-map@0.0.1: version "0.0.1" resolved "https://registry.yarnpkg.com/concat-map/-/concat-map-0.0.1.tgz#d8a96bd77fd68df7793a73036a3ba0d5405d477b" - integrity sha1-2Klr13/Wjfd5OnMDajug1UBdR3s= + integrity sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg== concat-stream@^1.4.7, concat-stream@^1.5.0: version "1.6.2"
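Review bot: The direct dependency on the new side of this hunk goes back to `"minimatch": "^3.0.4"`, a range that still admits the 3.0.4 release this series is trying to retire; what keeps it out is only the `"**/minimatch": "^3.0.5"` entry added to `resolutions` in the hunk just before this one, which Yarn honors but npm does not, so an install that does not go through this yarn.lock can resolve the direct dependency to 3.0.4 again. I would keep the direct range at `"minimatch": "^3.0.5"` alongside the resolution so the declared contract and the override agree. The changelog entry in the earlier commit says the bump is to 3.0.5, while the lockfile hunk that follows resolves every minimatch range, including `minimatch@~3.0.4`, to 3.1.2, which is worth reflecting in the changelog so the recorded fix version matches what actually ships.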
@@ -12796,27 +12796,13 @@ minimalistic-crypto-utils@^1.0.1: resolved "https://registry.yarnpkg.com/minimalistic-crypto-utils/-/minimalistic-crypto-utils-1.0.1.tgz#f6c00c1c0b082246e5c4d99dfb8c7c083b2b582a" integrity sha1-9sAMHAsIIkblxNmd+4x8CDsrWCo= -"minimatch@2 || 3", minimatch@^3.0.4, minimatch@^3.0.5, minimatch@^3.1.2: +"minimatch@2 || 3", minimatch@3.0.4, minimatch@^3.0.4, minimatch@^3.0.5, minimatch@^3.1.2, minimatch@~3.0.4: version "3.1.2" resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b" integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw== dependencies: brace-expansion "^1.1.7" -minimatch@3.0.4: - version "3.0.4" - resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.4.tgz#5166e286457f03306064be5497e8dbb0c3d32083" - integrity sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA== - dependencies: - brace-expansion "^1.1.7" - -minimatch@~3.0.4: - version "3.0.8" - resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.0.8.tgz#5e6a59bd11e2ab0de1cfb843eb2d82e546c321c1" - integrity sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q== - dependencies: - brace-expansion "^1.1.7" - minimist-options@4.1.0, minimist-options@^4.0.2: version "4.1.0" resolved "https://registry.yarnpkg.com/minimist-options/-/minimist-options-4.1.0.tgz#c0655713c53a8a2ebd77ffa247d342c40f010619"