-
Notifications
You must be signed in to change notification settings - Fork 918
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2023-45133] Add package resolution for @babel/traverse
to 7.23.2
to fix vulnerability
#5309
Conversation
Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
6db2bbe
to
8d9fe3f
Compare
Codecov Report
@@ Coverage Diff @@
## main #5309 +/- ##
===========================================
+ Coverage 55.64% 66.79% +11.14%
===========================================
Files 2995 3284 +289
Lines 59120 63113 +3993
Branches 9436 10049 +613
===========================================
+ Hits 32900 42159 +9259
+ Misses 24129 18474 -5655
- Partials 2091 2480 +389
Flags with carried forward coverage won't be shown. Click here to find out more. |
@babel/traverse
to 7.23.2
to fix vulnerability
Signed-off-by: Josh Romero <rmerqg@amazon.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com>
@@ -103,7 +103,8 @@ | |||
"**/semver": "^7.5.3", | |||
"**/set-value": "^4.1.0", | |||
"**/xml2js": "^0.5.0", | |||
"**/yaml": "^2.2.2" | |||
"**/yaml": "^2.2.2", | |||
"**/@babel/traverse": "^7.23.2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It doesn't seem to me like a resolution is necessary. All the versions in the lock file are compatible with this version, so it should only need to be an update to the lock file.
With a grain of salt, though. I don't know how this project handles CVE's in terms of what optimizer does/guaranteeing that all plugins use this version too
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think adding package resolution will install the dependencies rightly to the desired version. Also, I think its a standard practice to add package resolution and to avoid directly editing the lock file as it can break somethings. I don't know how this package is any different from other ones we have dealt with.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, @BSFishy is right that it's not necessary; simply removing the entries from the yarn.lock
and re-running the bootstrap command would be sufficient. But for CVEs, I think it's kind of nice to enforce a minimum range via a resolution, in case some dep decided to go backwards, so I'm fine with it either way.
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-5309-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x Then, create a pull request where the |
@manasvinibs Looks like you'll need to manually backport. |
…3.2` to fix vulnerability (opensearch-project#5309) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90)
…3.2` to fix vulnerability (opensearch-project#5309) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90)
…3.2` to fix vulnerability (opensearch-project#5309) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90)
…3.2` to fix vulnerability (#5309) (#5320) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90) Co-authored-by: Josh Romero <rmerqg@amazon.com>
…3.2` to fix vulnerability (#5309) (#5320) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90) Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit ea0e856) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
…3.2` to fix vulnerability (#5309) (#5320) (#5480) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90) Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit ea0e856) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
The backport to
To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-1.3
# Create a new branch
git switch --create backport/backport-5309-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-1.3 Then, create a pull request where the |
Description
Before fix:
After package resolution fix:
Issues Resolved
#5303
Check List
yarn test:jest
yarn test:jest_integration