[Bug]: CVE items in opensearch dashboards

[accmt]

Describe the bug

opensearch-dashboard 1.2.0 has following security issues:
CVE-2022-0144 shelljs fixed in 0.8.5
CVE-2022-0155 follow-redirects fixed in 1.14.7
CVE-2022-23647 prismjs fixed in 1.27.0
CVE-2022-0686 url-parse fixed in 1.5.8
CVE-2022-0235 node-fetch fixed in 2.6.7, 3.1.1

Please upgrade the dependencies to fix these issues.

To reproduce

--

Expected behavior

No response

Screenshots

If applicable, add screenshots to help explain your problem.

Host / Environment

No response

Additional context

No response

Relevant log output

No response

[kavilla]

For OpenSearch Dashboards we have CVE items:

We try to avoid major version bumps in packages to avoid breaking plugins so for 1.3.0 we have addressed the following: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aclosed+label%3Acve+label%3Av1.3.0, which was just GHSA-r683-j2x4-v87g node-fetch fixed in 2.6.7, 3.1.1.

For 2.0.0 OpenSearch Dashboards we have merged into main and addressed the following: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aclosed+label%3Acve+label%3Av2.0.0. With these still remaining: https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aissue+is%3Aopen+label%3Acve+label%3Av2.0.0+.

I believe we can close this issue as a duplicate and track the specific CVEs with https://github.com/opensearch-project/OpenSearch-Dashboards/issues?q=is%3Aopen+is%3Aissue+label%3Acve when related to OpenSearch Dashboards.

What do you think @accmt?

cc: @tmarkley

[accmt]

@kavilla thanks for a really quick response. Sorry for reporting into a wrong project and not finding those tickets. This can be closed as you are tracking those well. Thanks a lot!

[tmarkley]

For reference, here's where each CVE is tracked:

CVE-2022-0144 - #1139
CVE-2022-0155 - #1133
CVE-2022-23647 - prismjs was removed in #1300
CVE-2022-0686 - #1266
CVE-2022-0235 - #1162