Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2021-23382] Bump postcss from 8.2.10 to 8.4.24 #4403

Merged
merged 4 commits into from
Jul 1, 2023

Conversation

ZilongX
Copy link
Collaborator

@ZilongX ZilongX commented Jun 26, 2023

Description

  • This one is to fix CVE-2021-23382 in 1.3 branch targeting 1.3.12
  • The current dependency config is looking good for postcss so just did a lock file refresh to pick up the patch.
  • Here is the actual patch on postcss side postcss/postcss@2b1d04c fyi

Issues Resolved

#1094

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

Signed-off-by: Zilong Xia <zilongx@amazon.com>
Signed-off-by: Zilong Xia <zilongx@amazon.com>
@ZilongX ZilongX requested a review from Flyingliuhub June 26, 2023 21:21
@ZilongX ZilongX added cve Security vulnerabilities detected by Dependabot or Mend v1.3.12 labels Jun 26, 2023
@ananzh
Copy link
Member

ananzh commented Jun 26, 2023

@ZilongX thank you so much for helping on this. seems #3739 fail to backport to 1.3. I think what you did here is absolutely right. we don't have to update package.json "postcss": "^8.2.10". but 1.x has got updated, to make 1.3 and 1.x consistent, could you also use that PR to modify urs a little bit?

@codecov
Copy link

codecov bot commented Jun 26, 2023

Codecov Report

Merging #4403 (40c403f) into 1.3 (4df4639) will decrease coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              1.3    #4403      +/-   ##
==========================================
- Coverage   67.50%   67.46%   -0.05%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
- Hits        39619    39595      -24     
- Misses      16925    16945      +20     
- Partials     2148     2152       +4     
Flag Coverage Δ
Linux 67.46% <ø> (ø)
Windows ?

Flags with carried forward coverage won't be shown. Click here to find out more.

see 5 files with indirect coverage changes

@ZilongX
Copy link
Collaborator Author

ZilongX commented Jun 28, 2023

@ZilongX thank you so much for helping on this. seems #3739 fail to backport to 1.3. I think what you did here is absolutely right. we don't have to update package.json "postcss": "^8.2.10". but 1.x has got updated, to make 1.3 and 1.x consistent, could you also use that PR to modify urs a little bit?

Thanks @ananzh , just wondering are we still leveraging 1.x branch for any release purposes ? Given we're only release new patch based on 1.3 branch

ZilongX and others added 2 commits June 28, 2023 13:05
@ZilongX
Copy link
Collaborator Author

ZilongX commented Jun 28, 2023

@ananzh updated devDependencies section for postcss to keep in sync with 1.x as suggested

@ananzh ananzh merged commit ccdd431 into opensearch-project:1.3 Jul 1, 2023
@ZilongX ZilongX deleted the 1.3 branch July 5, 2023 23:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend v1.3.12
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants