-
Notifications
You must be signed in to change notification settings - Fork 918
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 #5024
Conversation
Signed-off-by: ananzh <ananzh@amazon.com>
CHANGELOG.md
Outdated
@@ -36,6 +36,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) | |||
- [CVE-2022-1537] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723)) | |||
- [CVE-2022-0436] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723)) | |||
- [CVE-2023-26136] Resolve `tough-cookie` to `4.1.3` ([#4682](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4682)) | |||
- [CVE-2023-0842] Bump `xml2js` from `0.4.22` to `0.6.2` ([#5024](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5024)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wrong section - should be under L10.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
eeeee... I need to fix others. thank you.
yarn.lock
Outdated
@@ -22297,7 +22297,7 @@ xml-parse-from-string@^1.0.0: | |||
resolved "https://registry.yarnpkg.com/xml-parse-from-string/-/xml-parse-from-string-1.0.1.tgz#a9029e929d3dbcded169f3c6e28238d95a5d5a28" | |||
integrity sha1-qQKekp09vN7RafPG4oI42VpdWig= | |||
|
|||
xml2js@^0.4.22, xml2js@^0.4.5: | |||
xml2js@^0.4.5: | |||
version "0.4.22" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks like we still have a sub-dep requiring 0.4.22
. To resolve the CVE, do we need to force a resolution?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah you are right. it is brought in by
=> Found "parse-bmfont-xml#xml2js@0.4.23"
info This module exists because "_project_#jimp#@jimp#plugins#@jimp#plugin-print#load-bmfont#parse-bmfont-xml" depends on it.
info Disk size without dependencies: "72KB"
info Disk size with unique dependencies: "504KB"
info Disk size with transitive dependencies: "504KB"
info Number of shared dependencies: 2
with the latest jimp
, we still see xml2js@0.4.23
. have to force a resolution. Thank you for checking this carefully. ❤️
Codecov Report
@@ Coverage Diff @@
## 1.3 #5024 +/- ##
==========================================
+ Coverage 67.45% 67.50% +0.04%
==========================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
==========================================
+ Hits 39593 39619 +26
+ Misses 16946 16925 -21
+ Partials 2153 2148 -5
Flags with carried forward coverage won't be shown. Click here to find out more. |
Signed-off-by: ananzh <ananzh@amazon.com>
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
With the
SemVer
philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version.xml2js
is a dev dependency in both OSD and package@osd/test
. Meanwhile, it is not included in release artifact. Therefore, bumping major versions should not breakSemVer
rules.Description
Due to Leonidas-from-XIV/node-xml2js#672 (comment) , try bump
xml2js
to0.6.2
to solve cve and avoid regression errors.Issues Resolved
CVE-2023-0842
#3793
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr