
[CVE-2024-27088] Bump es5-ext from 0.10.59 to 0.10.64 #6021

Merged
merged 1 commit into from
Mar 13, 2024

Conversation

ananzh
Member

@ananzh ananzh commented Mar 4, 2024

Description

From https://www.mend.io/vulnerability-database/CVE-2024-27088:

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.

This PR bumps es5-ext from

=> Found "es5-ext@0.10.59"
info Reasons this module exists
   - "_project_#gulp-sourcemaps#debug-fabulous#memoizee" depends on it
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es6-weak-map#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#d#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#event-emitter#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#lru-queue#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#timers-ext#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es5-ext#es6-iterator#es5-ext"
info Disk size without dependencies: "2.21MB"
info Disk size with unique dependencies: "2.48MB"
info Disk size with transitive dependencies: "6.16MB"
info Number of shared dependencies: 5
Done in 1.58s.

to

=> Found "es5-ext@0.10.64"
info Reasons this module exists
   - "_project_#gulp-sourcemaps#debug-fabulous#memoizee" depends on it
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es6-weak-map#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#d#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#event-emitter#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#lru-queue#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#timers-ext#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es5-ext#es6-iterator#es5-ext"
   - Hoisted from "_project_#gulp-sourcemaps#debug-fabulous#memoizee#es5-ext#esniff#es5-ext"
info Disk size without dependencies: "2.21MB"
info Disk size with unique dependencies: "3.41MB"
info Disk size with transitive dependencies: "7.18MB"
info Number of shared dependencies: 6
Done in 1.57s.

Issues Resolved

#6004

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

Issue Resolve
opensearch-project#6004

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh added backport 2.x cve Security vulnerabilities detected by Dependabot or Mend v2.13.0 labels Mar 4, 2024
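A defender-side check for the condition this PR fixes, added here as an example and not code from the PR or the OpenSearch Dashboards project: it parses a yarn.lock (v1 format) and reports any resolved es5-ext version below 0.10.63, the release the advisory names as patched. The lockfile content is constructed for the example and mirrors the 0.10.59 "before" state shown above.

```javascript
// Added example, not part of the PR: scan a yarn.lock (v1 format) for es5-ext
// versions below 0.10.63, the release CVE-2024-27088 names as patched.
const PATCHED = '0.10.63';
// Constructed sample lockfile; the es5-ext 0.10.59 entry mirrors this PR's "before" state.
const SAMPLE_LOCK = `
d@1, d@^1.0.1:
  version "1.0.1"
es5-ext@^0.10.35, es5-ext@^0.10.46, es5-ext@~0.10.14:
  version "0.10.59"
es5-ext@^0.10.64:
  version "0.10.64"
`;

// Numeric compare of major.minor.patch; any prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parse yarn.lock into [{name, version}]. A record starts at a non-indented line
// ending in ':'; the package name is the text before the last '@' of the first spec,
// which also handles scoped packages such as @scope/name@^1.
function parseYarnLock(text) {
  const records = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const spec = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      current = { name: spec.slice(0, spec.lastIndexOf('@')), version: null };
      records.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return records;
}

// Resolved es5-ext versions that are still below the patched release.
function findVulnerableEs5Ext(lockText) {
  return parseYarnLock(lockText)
    .filter(r => r.name === 'es5-ext' && r.version && compareVersions(r.version, PATCHED) < 0)
    .map(r => r.version);
}
console.log(findVulnerableEs5Ext(SAMPLE_LOCK)); // prints [ '0.10.59' ]
```

Because yarn hoists a single resolved copy per range, every range listed in the header line resolves to the same version, so one vulnerable record covers all the `memoizee` sub-dependencies shown in the `yarn why` output.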

codecov bot commented Mar 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.09%. Comparing base (9901bea) to head (b6b3bba).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #6021      +/-   ##
==========================================
- Coverage   67.11%   67.09%   -0.03%     
==========================================
  Files        3315     3315              
  Lines       63904    63904              
  Branches    10220    10220              
==========================================
- Hits        42892    42874      -18     
- Misses      18528    18543      +15     
- Partials     2484     2487       +3     
Flag Coverage Δ
Linux_1 31.64% <ø> (ø)
Linux_2 55.07% <ø> (ø)
Linux_3 44.57% <ø> (-0.01%) ⬇️
Linux_4 35.17% <ø> (ø)
Windows_1 31.69% <ø> (ø)
Windows_2 ?
Windows_3 44.59% <ø> (ø)
Windows_4 35.17% <ø> (ø)


@manasvinibs manasvinibs merged commit 3797fd8 into opensearch-project:main Mar 13, 2024
77 checks passed
@opensearch-trigger-bot
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-6021-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 3797fd882919ff3109ede788f18393613ab633ef
# Push it to GitHub
git push --set-upstream origin backport/backport-6021-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-6021-to-2.x.

manasvinibs pushed a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Mar 13, 2024
…-project#6021)

Issue Resolve
opensearch-project#6004

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 3797fd8)
@manasvinibs
Member

Manual Backport #6140

ashwin-pc pushed a commit that referenced this pull request Mar 15, 2024
)

Issue Resolve
#6004

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 3797fd8)

Co-authored-by: Anan Zhuang <ananzh@amazon.com>