[1.3] Fix CVE dependencies#1308
Conversation
Signed-off-by: Ryan Liang <jiallian@amazon.com>
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## 1.3 #1308 +/- ##
=======================================
Coverage 72.02% 72.02%
=======================================
Files 88 88
Lines 1916 1916
Branches 250 250
=======================================
Hits 1380 1380
Misses 480 480
Partials 56 56 Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
|
Please include the CVE referenced in the change like was done here, opensearch-project/security#2350 Multiple entries, one on each line is a good way to do this. |
There was a problem hiding this comment.
Why delete yarn.lock? If needed you can push updated yarn.lock. Check out this link that talks about whether or not yarn.lock should be deleted.
Apologies. I do see that it is not deleted.
Also, can you add a brief description of why this change is required or point to the issue that requires this change?
|
@DarshitChanpura This does not delete the yarn.lock, there are just a lot of lines deleted. I believe a lot of these dependencies were coming from storybook from OSD core which was deleted so there were a lot of deletions in this yarn.lock as well. For some additional context, |
Yep I saw 4/5 red bars on yarn.lock and concluded it was deleted 🤦 .
Yep, it was introduced with that PR and that is why I was trying to make sure it wasn't deleted. |
|
@peternied @DarshitChanpura Thanks for the review, and I just attach the dependencies names and version number with the issue links. |
|
@RyanL1997 Can you rebase this with the latest from 1.3? The version increment was just merged. |
|
Update: I also run the sanity tests with this changes and it is all good. |
|
The backport to To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-1308-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 8e101672d9e9c8bc0bb03d88c9aac7054a2f79e0
# Push it to GitHub
git push --set-upstream origin backport/backport-1308-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.xThen, create a pull request where the |
Signed-off-by: Ryan Liang jiallian@amazon.com
Description
Upgrade
loader-utilsto 2.0.4 and above to fix CVE-2022-37601Upgrade
loader-utilsto 2.0.4 and above to fix CVE-2022-37603Upgrade
glob-parentto 6.0.0 and above to fix CVE-2020-28469Upgrade
decode-uri-componentto 0.2.2 and above to fix CVE-2022-38900Category
Maintenance
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.