
[1.3][CVE-2021-23364] Bump browserslist from 4.12.0 to 4.21.10 #5023

Closed

Conversation

@ananzh ananzh (Member) commented Sep 14, 2023

With the SemVer philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version. To solve this CVE, we need to bump both browserslist.

  • browserslist is not a direct dependency or dev dependency in any OSD or OSD node modules. It is not included in release artifact. Bumping it should not break SemVer rule.

Description

We don't need to bump autoprefixer because browserslist version < 4.0.0 is not affected by this CVE. Bump browserslist directly in yarn.lock.

  • Bump browserslist from 4.12.0 to 4.21.10

Issues Resolved

CVE-2021-23364

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff
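The PR fixes the CVE by editing the pin directly in yarn.lock rather than bumping a declared dependency, so the useful check is on the lockfile itself: which browserslist versions are resolved, whether any fall in the affected range, and which lockfile entries pull it in. The script below is an added example and is not part of this PR or of the OpenSearch-Dashboards code base. The yarn.lock text it scans is constructed for the example; the affected range (>= 4.0.0 and < 4.16.5) is the one published in the advisory for CVE-2021-23364. The version comparison is a minimal three-part numeric compare, not a full semver implementation.

```javascript
// Added example, not the PR's own code: audit a yarn.lock (v1 format) for
// resolved browserslist versions inside the CVE-2021-23364 range and report
// which lockfile entries depend on it.

// Constructed sample lockfile (not the repository's real yarn.lock).
const SAMPLE_YARN_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


autoprefixer@^9.7.4:
  version "9.8.8"
  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-9.8.8.tgz"
  dependencies:
    browserslist "^4.12.0"
    caniuse-lite "^1.0.30001109"

browserslist@^4.12.0, browserslist@^4.14.5:
  version "4.12.0"
  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.12.0.tgz"
  dependencies:
    caniuse-lite "^1.0.30001043"

browserslist@^3.2.8:
  version "3.2.8"
  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-3.2.8.tgz"
`;

// Affected range as published for CVE-2021-23364 (fixed in 4.16.5).
const CVE_2021_23364 = { name: 'browserslist', introduced: '4.0.0', fixed: '4.16.5' };

// Parse a yarn v1 lockfile into entries of the form
// { specifiers: ['pkg@^1.0.0', ...], version: '1.2.3', dependencies: { dep: range } }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header line, e.g. `"@scope/pkg@^1.0.0", pkg@^2.0.0:`
      const header = line.replace(/:\s*$/, '');
      const specifiers = header.split(',').map((s) => s.trim().replace(/^"|"$/g, ''));
      current = { specifiers, version: null, dependencies: {} };
      entries.push(current);
    } else if (current) {
      const v = line.match(/^  version "([^"]+)"/);
      if (v) current.version = v[1];
      // Dependency lines are indented four spaces: `    name "range"`
      const d = line.match(/^    (\S+) "([^"]+)"/);
      if (d) current.dependencies[d[1].replace(/^"|"$/g, '')] = d[2];
    }
  }
  return entries;
}

// Package name from a specifier, handling scoped packages (`@scope/name@range`).
function packageName(spec) {
  const at = spec.lastIndexOf('@');
  return at > 0 ? spec.slice(0, at) : spec;
}

// Minimal numeric compare on major.minor.patch (pre-release tags are ignored).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile entries whose resolved version of advisory.name is inside the range.
function findVulnerable(lockText, advisory = CVE_2021_23364) {
  const hits = [];
  for (const e of parseYarnLock(lockText)) {
    const names = new Set(e.specifiers.map(packageName));
    if (!names.has(advisory.name) || !e.version) continue;
    const inRange =
      compareVersions(e.version, advisory.introduced) >= 0 &&
      compareVersions(e.version, advisory.fixed) < 0;
    if (inRange) hits.push({ version: e.version, specifiers: e.specifiers });
  }
  return hits;
}

// Names of lockfile entries that list `name` as a dependency (who pulls it in).
function dependentsOf(lockText, name) {
  const out = new Set();
  for (const e of parseYarnLock(lockText)) {
    if (name in e.dependencies) out.add(packageName(e.specifiers[0]));
  }
  return [...out].sort();
}

// Stand-alone run against the constructed sample.
console.log('vulnerable:', findVulnerable(SAMPLE_YARN_LOCK));
console.log('pulled in by:', dependentsOf(SAMPLE_YARN_LOCK, 'browserslist'));
```

Run it against a real lockfile by replacing SAMPLE_YARN_LOCK with the file contents. A hit tells you where the pin lives and which entries reach it; as the PR notes, it does not by itself say whether the package ships in the release artifact, which is a separate check against the built bundle.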

codecov bot commented Sep 14, 2023

Codecov Report

Merging #5023 (f5b6062) into 1.3 (a45dea3) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##              1.3    #5023   +/-   ##
=======================================
  Coverage   67.50%   67.50%           
=======================================
  Files        3044     3044           
  Lines       58692    58691    -1     
  Branches     8902     8902           
=======================================
  Hits        39619    39619           
+ Misses      16925    16924    -1     
  Partials     2148     2148           
Flag Coverage Δ
Linux 67.46% <ø> (+<0.01%) ⬆️
Windows 67.45% <ø> (+<0.01%) ⬆️



@joshuarrrr joshuarrrr (Member) left a comment

osd-optimizer is an internal package - I think bumping deps that only occur there should be totally fine.

(review comment on packages/osd-optimizer/postcss.config.js, since marked outdated and resolved)
manasvinibs previously approved these changes Sep 14, 2023
abbyhu2000 previously approved these changes Sep 14, 2023
@ananzh ananzh dismissed stale reviews from abbyhu2000 and manasvinibs via 8f30c19 September 15, 2023 16:15
@ananzh ananzh force-pushed the 1.3-browserslist branch 2 times, most recently from 8f30c19 to b5b8024 September 15, 2023 16:39
@ananzh ananzh changed the title [1.3][CVE-2021-23364] Bump browserslist from 2.11.3 to 4.21.10 and autoprefixer from 7.2.6 to 10.4.15 [1.3][CVE-2021-23364] Bump browserslist from 4.12.0 to 4.21.10 Sep 15, 2023
AMoo-Miki previously approved these changes Sep 15, 2023
Signed-off-by: ananzh <ananzh@amazon.com>
@ananzh ananzh marked this pull request as draft September 15, 2023 21:05
@ananzh ananzh removed the v1.3.13 label Sep 15, 2023
@ananzh ananzh (Member, Author) commented Sep 15, 2023

See the testing issue. Temporarily making this a draft. Since browserslist is not included in the release artifact, this CVE should not affect users. We will continue researching this issue.

@ananzh ananzh (Member, Author) commented Sep 15, 2023

I added some logs in packages/osd-optimizer/src/optimizer/handle_optimizer_completion.ts and saw that the errors come from the mock bar plugin:

  Current update state: { phase: 'issue',
      compilerStates:
       [ { bundleId: 'foo', type: 'compiler success', moduleCount: 6 },
         { bundleId: 'bar',
           type: 'compiler issue',
           failure:
            'Optimizations failure.\n   17 modules\n    \n    \u001b[1m\u001b[33mWARNING in ./public/index.scss?v7light (/home/ubuntu/work/OpenSearch-Dashboards/node_modules/css-loader/dist/cjs.js??ref--6-oneOf-1-1!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src??ref--6-oneOf-1-2!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/sass-loader/dist/cjs.js??ref--6-oneOf-1-3!./public/index.scss?v7light)\n    Module Warning (from /home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src/index.js):\n    Warning\n    \n    Greetings, time traveller. We are in the golden age of prefix-less CSS, where Autoprefixer is no longer needed for your stylesheet.\n     @ ./public/index.scss?v7light 2:26-308\n     @ ./public/index.scss\n     @ ./public/index.ts\n     @ /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/target/worker/entry_point_creator.js\u001b[39m\u001b[22m\n    \n    \u001b[1m\u001b[33mWARNING in ./public/index.scss?v7dark (/home/ubuntu/work/OpenSearch-Dashboards/node_modules/css-loader/dist/cjs.js??ref--6-oneOf-0-1!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src??ref--6-oneOf-0-2!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/sass-loader/dist/cjs.js??ref--6-oneOf-0-3!./public/index.scss?v7dark)\n    Module Warning (from /home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src/index.js):\n    Warning\n    \n    Greetings, time traveller. 
We are in the golden age of prefix-less CSS, where Autoprefixer is no longer needed for your stylesheet.\n     @ ./public/index.scss?v7dark 2:26-307\n     @ ./public/index.scss\n     @ ./public/index.ts\n     @ /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/target/worker/entry_point_creator.js\u001b[39m\u001b[22m\n    \n    \u001b[1m\u001b[33mWARNING in ./public/legacy/styles.scss?v7light (/home/ubuntu/work/OpenSearch-Dashboards/node_modules/css-loader/dist/cjs.js??ref--6-oneOf-1-1!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src??ref--6-oneOf-1-2!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/sass-loader/dist/cjs.js??ref--6-oneOf-1-3!./public/legacy/styles.scss?v7light)\n    Module Warning (from /home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src/index.js):\n    Warning\n    \n    Greetings, time traveller. We are in the golden age of prefix-less CSS, where Autoprefixer is no longer needed for your stylesheet.\n     @ ./public/legacy/styles.scss?v7light 2:26-318\n     @ ./public/legacy/styles.scss\n     @ ./public/index.ts\n     @ /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/target/worker/entry_point_creator.js\u001b[39m\u001b[22m\n    \n    \u001b[1m\u001b[33mWARNING in ./public/legacy/styles.scss?v7dark (/home/ubuntu/work/OpenSearch-Dashboards/node_modules/css-loader/dist/cjs.js??ref--6-oneOf-0-1!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src??ref--6-oneOf-0-2!/home/ubuntu/work/OpenSearch-Dashboards/node_modules/sass-loader/dist/cjs.js??ref--6-oneOf-0-3!./public/legacy/styles.scss?v7dark)\n    Module Warning (from /home/ubuntu/work/OpenSearch-Dashboards/node_modules/postcss-loader/src/index.js):\n    Warning\n    \n    Greetings, time traveller. 
We are in the golden age of prefix-less CSS, where Autoprefixer is no longer needed for your stylesheet.\n     @ ./public/legacy/styles.scss?v7dark 2:26-317\n     @ ./public/legacy/styles.scss\n     @ ./public/index.ts\n     @ /home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/target/worker/entry_point_creator.js\u001b[39m\u001b[22m' } ],
      offlineBundles: [],
      onlineBundles:
       [ Bundle {
           type: 'plugin',
           id: 'bar',
           publicDirNames: [Array],
           contextDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/bar',
           sourceRoot:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo',
           outputDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/bar/target/public',
           banner: undefined,
           manifestPath:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/bar/opensearch_dashboards.json',
           cache: [BundleCache] },
         Bundle {
           type: 'plugin',
           id: 'foo',
           publicDirNames: [Array],
           contextDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/foo',
           sourceRoot:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo',
           outputDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/foo/target/public',
           banner: undefined,
           manifestPath:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/foo/opensearch_dashboards.json',
           cache: [BundleCache] } ],
      startTime: 1694814967538,
      durSec: 1.5 } 

Because of the "Greetings, time traveller. We are in the golden age of prefix-less CSS, where Autoprefixer is no longer needed for your stylesheet" warning, I tried commenting out autoprefixer in the postcss.config file:

module.exports = {
  plugins: [/*require('autoprefixer')()*/],
}; 

But honestly, this autoprefixer output seems like pure warnings to me; I don't think it causes the issue, though. I mean, it's unclear if they are the sole reason behind the compiler issue for the bar plugin. Not sure if at this point we should conduct a deeper dive to pinpoint the root cause of the compilation problem. If we need a deeper dive, let's not rush it into 1.3.13.

Here is the new log after commenting out autoprefixer:

 Current update state: { phase: 'success',
      compilerStates:
       [ { bundleId: 'foo', type: 'compiler success', moduleCount: 6 },
         { bundleId: 'bar', type: 'compiler success', moduleCount: 16 } ],
      offlineBundles: [],
      onlineBundles:
       [ Bundle {
           type: 'plugin',
           id: 'bar',
           publicDirNames: [Array],
           contextDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/bar',
           sourceRoot:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo',
           outputDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/bar/target/public',
           banner: undefined,
           manifestPath:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/bar/opensearch_dashboards.json',
           cache: [BundleCache] },
         Bundle {
           type: 'plugin',
           id: 'foo',
           publicDirNames: [Array],
           contextDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/foo',
           sourceRoot:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo',
           outputDir:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/foo/target/public',
           banner: undefined,
           manifestPath:
            '/home/ubuntu/work/OpenSearch-Dashboards/packages/osd-optimizer/src/__fixtures__/__tmp__/mock_repo/plugins/foo/opensearch_dashboards.json',
           cache: [BundleCache] } ],
      startTime: 1694816436855,
      durSec: 1.3 }

Both plugins compile successfully.

@AMoo-Miki need your help here

@AMoo-Miki AMoo-Miki (Collaborator) commented Sep 26, 2023

@ananzh I don't know if we talked about this offline or not. Take all of my changes from #4649, maybe cherry-pick, except the line that changes the node version.

@ananzh ananzh closed this Jun 10, 2024
@ananzh ananzh deleted the 1.3-browserslist branch August 16, 2024 22:04
Labels: cve (Security vulnerabilities detected by Dependabot or Mend)