Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE] Bumps Chromedriver to v100 and axios to v0.27.2 #1552

Merged
merged 4 commits into from
May 6, 2022
Merged

[CVE] Bumps Chromedriver to v100 and axios to v0.27.2 #1552

merged 4 commits into from
May 6, 2022

Conversation

boktorbb
Copy link
Contributor

@boktorbb boktorbb commented May 5, 2022
edited
Loading

Description

Addresses CVE-2022-1214
CHANGELOG

Bumps Chromedriver to v100 to match github actions
Bumps and pins axios to ^0.27.2 to address CVE

Issues Resolved

Resolves #1546

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

Bishoy Boktor added 3 commits May 5, 2022 21:05
Upgrades and pins axios to ^0.27.2 for CVE
0baecdd 
Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
Removes axios 0.21.1 from lockfile
0a4e04c 
Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
adds resolution for axios
033862d 
Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
@boktorbb boktorbb added Mend: dependency security vulnerability Security vulnerability detected by Mend high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels May 5, 2022
@boktorbb boktorbb requested a review from a team as a code owner May 5, 2022 22:20
tmarkley
tmarkley previously requested changes May 5, 2022
View reviewed changes
Copy link
Contributor

@tmarkley tmarkley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you confirm that there are no breaking changes that we should be aware of? Also, can you add the CHANGELOG link as well as the CVE that is resolved in the commit message? Example: #1451

package.json Outdated Show resolved Hide resolved
Chagnes order of axios resolution
6e572ff 
Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
@boktorbb
Copy link
Contributor Author

boktorbb commented May 5, 2022
edited
Loading

Can you confirm that there are no breaking changes that we should be aware of? Also, can you add the CHANGELOG link as well as the CVE that is resolved in the commit message? Example: #1451

There have been several breaking changes from 0.21.1 -> 0.27.2 but we shouldn't be affected by any. The changelog documents all the breaking changes per version

@boktorbb boktorbb requested a review from tmarkley May 5, 2022 23:05
@tmarkley tmarkley merged commit cba0764 into opensearch-project:main May 6, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request May 6, 2022
@github-actions
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (#1552)
8175217 
* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
(cherry picked from commit cba0764)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request May 6, 2022
Merged
opensearch-trigger-bot bot pushed a commit that referenced this pull request May 6, 2022
@github-actions
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (#1552)
ad7e177 
* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
(cherry picked from commit cba0764)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request May 6, 2022
Merged
tmarkley pushed a commit that referenced this pull request May 6, 2022
@opensearch-trigger-bot
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (#1552) (#1556
00933d1 
)

* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
(cherry picked from commit cba0764)
tmarkley pushed a commit that referenced this pull request May 6, 2022
@opensearch-trigger-bot
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (#1552) (#1557
ee0812a 
)

* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
(cherry picked from commit cba0764)
This was referenced May 6, 2022
Closed
Merged
joshuarrrr pushed a commit to joshuarrrr/OpenSearch-Dashboards that referenced this pull request May 11, 2022
@joshuarrrr
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (opensearch…
8972d61 
…-project#1552)

* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
This was referenced May 25, 2022
Closed
Merged
kavilla pushed a commit to kavilla/OpenSearch-Dashboards-1 that referenced this pull request Jun 8, 2022
@kavilla
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (opensearch…
a75036b 
…-project#1552)

* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
kavilla pushed a commit to kavilla/OpenSearch-Dashboards-1 that referenced this pull request Jun 16, 2022
@kavilla
[CVE] Bumps chromedriver to v100 and axios to v0.27.2 (opensearch…
685b4c7 
…-project#1552)

* Addresses CVE-2022-1214
* Bumps and resolves `axios` to ^0.27.2 to address CVE
  * [CHANGELOG](https://github.com/axios/axios/blob/master/CHANGELOG.md)
* Bumps `chromedriver` to v100 to match GitHub actions

Signed-off-by: Bishoy Boktor <boktorbb@amazon.com>
@tmarkley tmarkley mentioned this pull request Dec 2, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuarrrr joshuarrrr joshuarrrr approved these changes

@tmarkley tmarkley tmarkley approved these changes

Assignees
No one assigned
Labels
backport 2.x cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE Mend: dependency security vulnerability Security vulnerability detected by Mend v2.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE-2022-1214 (High) detected in axios-0.21.4.tgz
3 participants
@boktorbb @joshuarrrr @tmarkley