From a384839dc5a7794bb110b16b044a718e574c4731 Mon Sep 17 00:00:00 2001
From: ananzh
Date: Thu, 29 Jun 2023 00:27:37 +0000
Subject: [PATCH] [Backport 1.3][CVE-2022-25883] Resolve semver to 7.5.3 and remove unused package
In this PR, we resolve semver to 7.5.3 from 5.x, 6.x and 7.x. There are breaking changes in API in 7.5.3 compared to 5.x/6.x. However, these API changes do not impact any usages. Backport PR https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4411 Issue Resolve https://github.com/opensearch-project/OpenSearch-Dashboards/issues/4370
Signed-off-by: ananzh
---
 CHANGELOG.md | 1 +
 package.json | 4 ++--
 packages/osd-pm/package.json | 1 -
 yarn.lock | 28 +++++++++++-----------------
 4 files changed, 14 insertions(+), 20 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e98bbd74dbd3..24218dc918a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-1537] Bump grunt from `1.5.2` to `1.5.3` ([#4276](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4276))
 - [CVE-2022-25858] Bump terser from `4.8.0` to `4.8.1` ([#3726](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3726))
 - [CVE-2021-3765] Update `@microsoft/api-documenter` and `@microsoft/api-extractor` versions to bump validator from `8.2.0` to `13.9.0` ([#3725](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3725))
+- [CVE-2022-25883] Resolve `semver` to `7.5.3` and remove unused package ([#4411](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4411))
 ### 📈 Features/Enhancements
diff --git a/package.json b/package.json
index 77a90433681e..1a2cc46c959f 100644
--- a/package.json
+++ b/package.json
@@ -235,7 +235,7 @@
 "require-in-the-middle": "^5.0.2",
 "rison-node": "1.0.2",
 "rxjs": "^6.5.5",
- "semver": "^5.7.0",
+ "semver": "^7.5.3",
 "source-map-support": "^0.5.19",
 "symbol-observable": "^1.2.0",
 "tar": "^6.1.11",
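Review bot: The `"semver": "^7.5.3"` line only moves the root package's direct dependency; the diffstat shows package.json changing just the two version lines, so no `resolutions` entry is added, and the yarn.lock part of this patch adds a new `semver@^7.5.3` entry while the existing `semver@^7.3.8, semver@~7.3.0` entry appears only as unchanged context. Transitive dependents that request 5.x, 6.x or 7.3.x ranges therefore probably keep whatever version they were locked at, so the CVE-2022-25883 ReDoS may still be present in the installed tree even though the description says semver is resolved to 7.5.3 across those ranges. Checking the tree with `yarn why semver` and, where an older copy remains, adding a root `resolutions` entry such as `"semver": "^7.5.3"` would close that gap; a resolution forces 7.x onto packages that declared 5.x/6.x ranges, so those consumers need a compatibility check. The dependencies object this line belongs to starts and ends outside the hunk.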
@@ -351,7 +351,7 @@
 "@types/recompose": "^0.30.6",
 "@types/request": "^2.48.2",
 "@types/selenium-webdriver": "^4.0.9",
- "@types/semver": "^5.5.0",
+ "@types/semver": "^7.5.0",
 "@types/sinon": "^7.0.13",
 "@types/strip-ansi": "^5.2.1",
 "@types/styled-components": "^5.1.0",
diff --git a/packages/osd-pm/package.json b/packages/osd-pm/package.json
index fe9ed7118b44..2382f6bf2c51 100644
--- a/packages/osd-pm/package.json
+++ b/packages/osd-pm/package.json
@@ -19,7 +19,6 @@
 "@babel/preset-env": "^7.11.0",
 "@babel/preset-typescript": "^7.10.4",
 "@types/cmd-shim": "^2.0.0",
- "@types/cpy": "^5.1.0",
 "@types/dedent": "^0.7.0",
 "@types/getopts": "^2.0.1",
 "@types/glob": "^7.1.3",
diff --git a/yarn.lock b/yarn.lock
index 750d8ad21c42..af05acf3d2cb 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2586,19 +2586,6 @@ resolved "https://registry.yarnpkg.com/@types/cookiejar/-/cookiejar-2.1.0.tgz#4b7daf2c51696cfc70b942c11690528229d1a1ce" integrity sha512-EIjmpvnHj+T4nMcKwHwxZKUfDmphIKJc2qnEMhSoOvr1lYEQpuRKRz8orWr//krYIIArS/KGGLfL2YGVUYXmIA== -"@types/cp-file@*": - version "4.2.0" - resolved "https://registry.yarnpkg.com/@types/cp-file/-/cp-file-4.2.0.tgz#2b12186b50dad407b11021284627bdf4adb87a87" - integrity sha512-nkd9c0L2aWfsDFrkpxfGJ5bCKeiAv6lccbH9vxKeWYw9YuyqskjtRTrBEBAiea9R08OSiboQ4ssmwAVJMHmHHA== - -"@types/cpy@^5.1.0": - version "5.1.0" - resolved "https://registry.yarnpkg.com/@types/cpy/-/cpy-5.1.0.tgz#ced20cbae8528031ae5478f1d0fe4bca2518eda7" - integrity sha512-NU7IrYOZx+K2YCo7muReOj6FIxEWdWXCN7hgRhQ+h2lgpeLy27si9ZzdDwWCW+Q1RP9B1lDTJ368FPFSOp1ZqA== - dependencies: - "@types/cp-file" "*" - "@types/glob" "*" - "@types/d3@^3.5.43": version "3.5.43" resolved "https://registry.yarnpkg.com/@types/d3/-/d3-3.5.43.tgz#e9b4992817e0b6c5efaa7d6e5bb2cee4d73eab58"
@@ -3298,10 +3285,10 @@ resolved "https://registry.yarnpkg.com/@types/selenium-webdriver/-/selenium-webdriver-4.0.9.tgz#12621e55b2ef8f6c98bd17fe23fa720c6cba16bd" integrity sha512-HopIwBE7GUXsscmt/J0DhnFXLSmO04AfxT6b8HAprknwka7pqEWquWDMXxCjd+NUHK9MkCe1SDKKsMiNmCItbQ== -"@types/semver@^5.5.0": - version "5.5.0" - resolved "https://registry.yarnpkg.com/@types/semver/-/semver-5.5.0.tgz#146c2a29ee7d3bae4bf2fcb274636e264c813c45" - integrity sha512-41qEJgBH/TWgo5NFSvBCJ1qkoi3Q6ONSF2avrHq1LVEZfYpdHmj0y9SuTK+u9ZhG1sYQKBL1AWXKyLWP4RaUoQ== +"@types/semver@^7.5.0": + version "7.5.0" + resolved "https://registry.yarnpkg.com/@types/semver/-/semver-7.5.0.tgz#591c1ce3a702c45ee15f47a42ade72c2fd78978a" + integrity sha512-G8hZ6XJiHnuhQKR7ZmysCeJWE08o8T0AXtk5darsCaTVsYZhhgUrq53jizaR2FvsoeCwJhlmwTjkXBY5Pn/ZHw== "@types/shot@*": version "4.0.0" @@ -18860,6 +18847,13 @@ semver@^7.3.8, semver@~7.3.0: dependencies: lru-cache "^6.0.0" +semver@^7.5.3: + version "7.5.3" + resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.3.tgz#161ce8c2c6b4b3bdca6caadc9fa3317a4c4fe88e" + integrity sha512-QBlUtyVk/5EeHbi7X0fw6liDZc7BBmEaSYn01fMU1OUYbf6GPsbTtd8WmnqbI20SeycoHSeiybkE/q1Q+qlThQ== + dependencies: + lru-cache "^6.0.0" + send@0.18.0: version "0.18.0" resolved "https://registry.yarnpkg.com/send/-/send-0.18.0.tgz#670167cc654b05f5aa4a767f9113bb371bc706be"