Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2021-23490][1.x] Bump parse-link-header from 1.0.1 to 2.0.0 #3738

Merged
merged 3 commits into from
Apr 11, 2023

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Mar 30, 2023

Issue Resolve

#1111

Backport PR

#1108

Description

The above CVE requires to bump parse-link-header from 1.0.1 to 2.0.0. If we look at parse-link-header's commit history here, we could find there are two commits. One is a doc change and the other one seems not to introduce any breaking changes to the functionality of the code. It sets two environment variables that control the behavior of the parse-link-header function. It also adds checkHeader function which checks the length of the input string and throws an error or returns false based on the value of the PARSE_LINK_HEADER_THROW_ON_MAXLEN_EXCEEDED variable. Since this new behavior is optional and can be controlled using environment variables, it should not introduce any breaking changes to existing code that uses the parse-link-header function.

In main, the package is bumped via this PR. Since there is no breaking changes, we should backport it to 1.x.

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from joshuarrrr March 30, 2023 16:39
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend backport 1.3 labels Mar 30, 2023
Issue Resolve
opensearch-project#1111

Backport PR
opensearch-project#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh force-pushed the 1.x-bump-parse-link-header branch from d16da3d to 11f76ad Compare March 30, 2023 16:47
@codecov-commenter
Copy link

codecov-commenter commented Mar 30, 2023

Codecov Report

Merging #3738 (f6fbbd5) into 1.x (5d4fdd2) will not change coverage.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@           Coverage Diff           @@
##              1.x    #3738   +/-   ##
=======================================
  Coverage   67.50%   67.50%           
=======================================
  Files        3044     3044           
  Lines       58692    58692           
  Branches     8902     8902           
=======================================
  Hits        39619    39619           
  Misses      16925    16925           
  Partials     2148     2148           
Flag Coverage Δ
Linux 67.46% <ø> (+<0.01%) ⬆️
Windows 67.45% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@ananzh ananzh added the v1.3.9 label Mar 30, 2023
@joshuarrrr
Copy link
Member

All tests pass, whitesource failure can be ignored.

@joshuarrrr joshuarrrr merged commit 6af2ae2 into opensearch-project:1.x Apr 11, 2023
@joshuarrrr joshuarrrr added v1.3.10 and removed v1.3.9 labels Apr 11, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 11, 2023
Issue Resolve
#1111

Backport PR
#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 6af2ae2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
abbyhu2000 pushed a commit that referenced this pull request Apr 11, 2023
…) (#3820)

Issue Resolve
#1111

Backport PR
#1108

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 6af2ae2)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend v1.3.10
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants