-
Notifications
You must be signed in to change notification settings - Fork 918
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2021-23382][1.x] Bump postcss from 8.2.10 to 8.2.13 #3739
Conversation
Issue Resolve opensearch-project#1094 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
c36864f
to
60f9444
Compare
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## 1.x #3739 +/- ##
==========================================
- Coverage 67.49% 67.45% -0.05%
==========================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
==========================================
- Hits 39617 39593 -24
- Misses 16926 16946 +20
- Partials 2149 2153 +4
Flags with carried forward coverage won't be shown. Click here to find out more. see 6 files with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-3739-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 53d2d91b930a63dedebae236ffa1703c2e388752
# Push it to GitHub
git push --set-upstream origin backport/backport-3739-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-1.3 Then, create a pull request where the |
Issue Resolve
#1094
Description
This CVE requires to bump
postcss
to be<7.0.36||>=8.0.0 <8.2.13
.The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /*\s* sourceMappingURL=(.*).
In 1.x we are usingpostcss
under two versions, 8.2.10 and 7.0.36.Since 7.0.36 is a safe version. We only need to bump 8.2.10 to 8.2.13, which seems no breaking changes by comparing the two versions.
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr