-
Notifications
You must be signed in to change notification settings - Fork 913
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix d3-color and potential security issue #2454
Conversation
Looks like it's require snapshot update? |
* Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]>
Not just snapshot. but see a lot of
due to d3-color pre-compiled source code. fix that. Then see locally some failing tests are from
|
Codecov Report
@@ Coverage Diff @@
## main #2454 +/- ##
=======================================
Coverage 66.75% 66.75%
=======================================
Files 3200 3200
Lines 60886 60886
Branches 9250 9250
=======================================
+ Hits 40644 40646 +2
+ Misses 18030 18028 -2
Partials 2212 2212
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
I only see the above 5 failed unit tests locally |
@noCharger i saw some src/plugins/data_source UT failed, could you take a look |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good, just a couple small questions.
add a tracking issue for the failed local unit tests: |
Signed-off-by: Anan Zhuang <[email protected]>
will do |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-2454-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d802a3ef5b3c75418e2cf4d5f480e48274842dfd
# Push it to GitHub
git push --set-upstream origin backport/backport-2454-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x Then, create a pull request where the |
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2454-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d802a3ef5b3c75418e2cf4d5f480e48274842dfd
# Push it to GitHub
git push --set-upstream origin backport/backport-2454-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3 Then, create a pull request where the |
* Resolve sub-dependent d3-color version and potencial security issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]> (cherry picked from commit d802a3e)
* Resolve sub-dependent d3-color version and potencial security issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]> (cherry picked from commit d802a3e)
* Resolve sub-dependent d3-color version and potencial security issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]> (cherry picked from commit d802a3e) Co-authored-by: Anan Zhuang <[email protected]>
…ecurity issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 backport PR: opensearch-project#2454 Signed-off-by: Anan Zhuang <[email protected]>
* Addresses potential ReDoS issue from d3-color version < 3.1.0 backport PR: opensearch-project#2454 Signed-off-by: Anan Zhuang <[email protected]>
* Resolve sub-dependent d3-color version and potencial security issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]> (cherry picked from commit d802a3e) Co-authored-by: Anan Zhuang <[email protected]>
not backportable to any |
…pensearch-project#2466) * Resolve sub-dependent d3-color version and potencial security issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]> (cherry picked from commit d802a3e) Co-authored-by: Anan Zhuang <[email protected]>
* Resolve sub-dependent d3-color version and potencial security issue * Addresses potential ReDoS issue from d3-color version < 3.1.0 Signed-off-by: Anan Zhuang <[email protected]> Signed-off-by: Sergey V. Osipov <[email protected]>
Description
Addresses potential ReDoS issue from d3-color version < 3.1.0
d3-color is used as a sub-dependency of elastic/chart package. since there is no function change form 1.4 to 3.1.0, we could add resolution in package.json to overwrite the version.
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr