[CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability
#5309
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
manasvinibs
requested review from
ananzh,
kavilla,
seanneumann,
AMoo-Miki,
ashwin-pc,
joshuarrrr,
abbyhu2000,
zengyan-amazon,
kristenTian,
zhongnansu,
ZilongX,
Flyingliuhub,
BSFishy and
curq
as code owners
Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
manasvinibs
force-pushed
the
Issue-5303
branch
from
6db2bbe
to
8d9fe3f
Compare
Codecov Report
@@ Coverage Diff @@
## main #5309 +/- ##
===========================================
+ Coverage 55.64% 66.79% +11.14%
===========================================
Files 2995 3284 +289
Lines 59120 63113 +3993
Branches 9436 10049 +613
===========================================
+ Hits 32900 42159 +9259
+ Misses 24129 18474 -5655
- Partials 2091 2480 +389
Flags with carried forward coverage won't be shown. Click here to find out more. |
manasvinibs
added
high severity
ananzh
previously approved these changes
Oct 16, 2023
manasvinibs
changed the title
@babel/traverse to 7.23.2 to fix vulnerability
Signed-off-by: Josh Romero <rmerqg@amazon.com>
This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com>
joshuarrrr
approved these changes
Oct 17, 2023
BSFishy
reviewed
Oct 17, 2023
| @@ -103,7 +103,8 @@ | |||
| "**/semver": "^7.5.3", | |||
| "**/set-value": "^4.1.0", | |||
| "**/xml2js": "^0.5.0", | |||
| "**/yaml": "^2.2.2" | |||
| "**/yaml": "^2.2.2", | |||
| "**/@babel/traverse": "^7.23.2" | |||
There was a problem hiding this comment.
It doesn't seem to me like a resolution is necessary. All the versions in the lock file are compatible with this version, so it should only need to be an update to the lock file.
With a grain of salt, though. I don't know how this project handles CVE's in terms of what optimizer does/guaranteeing that all plugins use this version too
There was a problem hiding this comment.
I think adding package resolution will install the dependencies rightly to the desired version. Also, I think its a standard practice to add package resolution and to avoid directly editing the lock file as it can break somethings. I don't know how this package is any different from other ones we have dealt with.
There was a problem hiding this comment.
Yeah, @BSFishy is right that it's not necessary; simply removing the entries from the yarn.lock and re-running the bootstrap command would be sufficient. But for CVEs, I think it's kind of nice to enforce a minimum range via a resolution, in case some dep decided to go backwards, so I'm fine with it either way.
ananzh
approved these changes
Oct 17, 2023
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-5309-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.xThen, create a pull request where the |
|
@manasvinibs Looks like you'll need to manually backport. |
manasvinibs
added a commit
to manasvinibs/OpenSearch-Dashboards
that referenced
this pull request
Oct 18, 2023
…3.2` to fix vulnerability (opensearch-project#5309) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90)
7 tasks
manasvinibs
added a commit
to manasvinibs/OpenSearch-Dashboards
that referenced
this pull request
Oct 26, 2023
…3.2` to fix vulnerability (opensearch-project#5309) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90)
manasvinibs
added a commit
to manasvinibs/OpenSearch-Dashboards
that referenced
this pull request
Oct 27, 2023
…3.2` to fix vulnerability (opensearch-project#5309) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90)
7 tasks
manasvinibs
added a commit
that referenced
this pull request
Nov 7, 2023
…3.2` to fix vulnerability (#5309) (#5320) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90) Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Nov 15, 2023
…3.2` to fix vulnerability (#5309) (#5320) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90) Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit ea0e856) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
joshuarrrr
pushed a commit
that referenced
this pull request
Nov 16, 2023
…3.2` to fix vulnerability (#5309) (#5320) (#5480) * Add package resolution for to to fix vulnerability Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> * Further consolidate locked deps Signed-off-by: Josh Romero <rmerqg@amazon.com> * Revert "Further consolidate locked deps" This reverts commit 4973099. Signed-off-by: Josh Romero <rmerqg@amazon.com> --------- Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com> Signed-off-by: Josh Romero <rmerqg@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit a351f90) Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit ea0e856) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-1.3
# Create a new branch
git switch --create backport/backport-5309-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-1.3Then, create a pull request where the |
7 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Before fix:
After package resolution fix:
Issues Resolved
#5303
Check List
yarn test:jestyarn test:jest_integration