
[GHSA-x565-32qp-m3vf] Bump jimp to remove phin dependency #6977

Merged: 1 commit, Jun 10, 2024

Conversation

AMoo-Miki (Collaborator) commented Jun 7, 2024

jimp@0.22.0 removed all the code that used phin.

load-bmfont, a nested dependency of jimp, imports phin, but that is functionality we don't use, as we don't import AngelCode bitmap fonts. With an arbitrary bump of phin, this commit avoids including an offending version in the dev-deps.

Changelog

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

github-actions bot (Contributor) commented Jun 7, 2024

ℹ️ Manual Changeset Creation Reminder

Please ensure a manual commit for the changeset file 6977.yml under the folder changelogs/fragments to complete this PR.

If you want to use the available OpenSearch Changeset Bot App to avoid manual creation of the changeset file, you can install it in your forked repository by following this link.

For more information about the formatting of changeset files, please visit the OpenSearch Auto Changeset and Release Notes Tool.

codecov bot commented Jun 7, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.45%. Comparing base (7eaab64) to head (cf4d4ff).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #6977   +/-   ##
=======================================
  Coverage   67.44%   67.45%           
=======================================
  Files        3442     3442           
  Lines       67816    67816           
  Branches    11027    11027           
=======================================
+ Hits        45740    45742    +2     
+ Misses      19409    19408    -1     
+ Partials     2667     2666    -1     
Flag Coverage Δ
Linux_1 33.08% <ø> (ø)
Linux_2 55.11% <ø> (ø)
Linux_3 45.20% <ø> (+<0.01%) ⬆️
Linux_4 34.86% <ø> (ø)
Windows_1 33.10% <ø> (ø)
Windows_2 55.06% <ø> (ø)
Windows_3 45.21% <ø> (ø)
Windows_4 34.86% <ø> (ø)

Flags with carried forward coverage won't be shown.

BionIT previously approved these changes Jun 7, 2024
ananzh (Member) commented Jun 7, 2024

jimp 0.22.12 is still using phin 2.9.1 right? 😃

virajsanghvi (Collaborator) commented:

jimp 0.22.12 is still using phin 2.9.1 right? 😃

Does look like it:

└─ jimp@0.22.12
   ├─ @jimp/plugins@0.22.12
   │  ├─ @jimp/plugin-print@0.22.12
   │  │  ├─ load-bmfont@1.4.1
   │  │  │  ├─ phin@2.9.3
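
As an added example, not part of this PR or of the OpenSearch Dashboards code base: the check behind the `yarn why` output above, done directly against a yarn.lock v1 file so it can run in CI after a bump like this one. The lockfile excerpt is constructed to mirror the quoted tree, `MIN_SAFE_VERSION` is a placeholder threshold (the advisory's actual fixed version is not stated on this page), and the function names are mine.

```javascript
// Added example (not code from the OpenSearch Dashboards PR): audit a yarn.lock v1 for
// every resolved version of a transitive package, list the entries that pull it in, and
// walk one dependency chain from a root package down to it. SAMPLE_YARN_LOCK is a
// constructed excerpt modelled on the `yarn why` tree quoted in the thread.
const MIN_SAFE_VERSION = "3.0.0"; // ASSUMPTION: placeholder; take the real threshold from the advisory

const SAMPLE_YARN_LOCK = `# yarn lockfile v1

"@jimp/plugin-print@^0.22.12":
  version "0.22.12"
  dependencies:
    load-bmfont "^1.4.1"

"@jimp/plugins@^0.22.12":
  version "0.22.12"
  dependencies:
    "@jimp/plugin-print" "^0.22.12"

jimp@^0.22.12:
  version "0.22.12"
  dependencies:
    "@jimp/plugins" "^0.22.12"

load-bmfont@^1.4.1:
  version "1.4.1"
  dependencies:
    phin "^2.9.1"

phin@^2.9.1:
  version "2.9.3"
`;

// Parse yarn.lock v1 into entries of { name, specs, version, dependencies }.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Key line: `name@range[, name@range...]:`, each spec optionally quoted.
      const specs = line.replace(/:\s*$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      const name = specs[0].slice(0, specs[0].lastIndexOf("@")); // also correct for @scope/name
      entries.push((current = { name, specs, version: null, dependencies: {} }));
      continue;
    }
    if (!current) continue;
    let m = /^ {2}version "([^"]+)"$/.exec(line);
    if (m) { current.version = m[1]; continue; }
    // Four-space lines are children of `dependencies:` / `optionalDependencies:`.
    m = /^ {4}"?([^"\s]+)"? "?([^"]+)"?$/.exec(line);
    if (m) current.dependencies[m[1]] = m[2];
  }
  return entries;
}
// Numeric major.minor.patch comparison; prerelease tags are ignored for brevity.
function compareSemver(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split("-")[0].split(".").map(Number));
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  return 0;
}
// Every distinct version of `pkg` the lockfile resolves to, ascending.
function resolvedVersions(entries, pkg) {
  const seen = new Set(entries.filter((e) => e.name === pkg && e.version).map((e) => e.version));
  return [...seen].sort(compareSemver);
}
// Resolved versions of `pkg` below `minSafe`: the ones a bump or resolution must remove.
function findVulnerable(entries, pkg, minSafe) {
  return resolvedVersions(entries, pkg).filter((v) => compareSemver(v, minSafe) < 0);
}
// Locked packages that declare `pkg` as a dependency (who pulls it in).
function whoRequires(entries, pkg) {
  return entries.filter((e) => pkg in e.dependencies).map((e) => `${e.name}@${e.version}`);
}
// One chain from rootSpec (e.g. "jimp@^0.22.12") to `target`, depth-first, following each
// declared range to the lockfile entry that satisfies it; null if unreachable.
function findPath(entries, rootSpec, target) {
  const bySpec = new Map();
  for (const e of entries) for (const s of e.specs) bySpec.set(s, e);
  const visited = new Set();
  const walk = (spec, path) => {
    const e = bySpec.get(spec);
    if (!e || visited.has(spec)) return null;
    visited.add(spec);
    const here = [...path, `${e.name}@${e.version}`];
    if (e.name === target) return here;
    for (const [dep, range] of Object.entries(e.dependencies)) {
      const found = walk(`${dep}@${range}`, here);
      if (found) return found;
    }
    return null;
  };
  return walk(rootSpec, []);
}

// Same calls over the real yarn.lock are the post-merge check that the offending version is gone.
const lock = parseYarnLock(SAMPLE_YARN_LOCK);
console.log(findVulnerable(lock, "phin", MIN_SAFE_VERSION), whoRequires(lock, "phin"), findPath(lock, "jimp@^0.22.12", "phin"));
```

Run against the repository's yarn.lock after the bump, `findVulnerable` should come back empty, and `findPath` shows whether load-bmfont still reaches phin at all; if it does, the resolution pinning phin is what keeps the old version out of the dev-deps, and this check is what proves it stayed out after the next lockfile regeneration.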

AMoo-Miki (Collaborator, Author) commented Jun 8, 2024

jimp@0.22.0 removed all the code that used phin.

load-bmfont, a nested dependency of jimp, imports phin, but that is functionality we don't use, as we don't import AngelCode bitmap fonts. I will just arbitrarily bump phin to not include an offending version down our dev-deps.

ananzh (Member) commented Jun 10, 2024

a nested dependency of jimp imports phin but that is a functionality we don't use as we don't import AngleCode bitmap fonts. I will just arbitra

Cool.

@ananzh ananzh merged commit 54cd2d0 into opensearch-project:main Jun 10, 2024
68 checks passed
opensearch-trigger-bot (Contributor) commented:

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-6977-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 54cd2d0f920fc25210339bd66256235a32ef6cce
# Push it to GitHub
git push --set-upstream origin backport/backport-6977-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-6977-to-2.x.

AMoo-Miki added a commit to AMoo-Miki/OpenSearch-Dashboards that referenced this pull request Jun 10, 2024
…ch-project#6977)

Signed-off-by: Miki <miki@amazon.com>

(cherry picked from commit 54cd2d0)
Signed-off-by: Miki <miki@amazon.com>
BionIT pushed a commit that referenced this pull request Jun 10, 2024
…6985)

(cherry picked from commit 54cd2d0)

Signed-off-by: Miki <miki@amazon.com>
zhyuanqi added the "cve" label (Security vulnerabilities detected by Dependabot or Mend) Jun 11, 2024
Labels: backport 2.x, cve (Security vulnerabilities detected by Dependabot or Mend), distinguished-contributor, v2.15.0
Projects: None yet
6 participants