-
Notifications
You must be signed in to change notification settings - Fork 915
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE] Bump follow-redirects to 1.15.2 to fix CVE-2022-0155 and CVE-20… #2653
[CVE] Bump follow-redirects to 1.15.2 to fix CVE-2022-0155 and CVE-20… #2653
Conversation
…22-0536 Signed-off-by: Zilong Xia <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, left one comment about change log
@@ -8,6 +8,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) | |||
|
|||
### 🛡 Security | |||
* [CVE-2022-0144] Bump shelljs from 0.8.4 to 0.8.5 ([#2511](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2511)) | |||
* [CVE-2022-0155] Bump follow-redirects to 1.15.2 [#2653](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2653)) | |||
* [CVE-2022-0536] Bump follow-redirects to 1.15.2 [#2653](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2653)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
combining change log into one? Since we always have 1 PR mapping to 1 change log. according to @ananzh 's comment here, and even tho it's different cve number, but the the change of dependency is the same.
As long as it is not PR log or commit log, keep separate entry make sense to me.
Btw, I'm not fan of changelog file 😎
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well actually I'm not quite sold on this one (#2640 (comment)) aka one changelog item per one PR, my $0.02 are :
- changelogs are for humans not machines, and for humans we read focus on the first key word of a sentence and for CVE changes the keywords are always the CVE numbers
- as a developer and a customer (as targeted audiences of the changelog), I care more about which changes have been done rather than how many changes have been done in one single PR, single fix could span across multiple PRs and single PR could achieve multiple changes, it would be good as long as the changed items are listed clearly in the changelog,
The one shared is actually a bad example, comparing
- [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5 and [IBM X-Force ID: 220063] unset-value from 1.0.1 to 2.0.1
vs - [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5
- [IBM X-Force ID: 220063] unset-value from 1.0.1 to 2.0.1
The latter one actually seems more concise and clear to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
change log is something that doesn't have a standard, it relies more on community discussion and consensus. @ZilongX 's point is valid, cve number is critical info and it should be treated as 2 items in change log. I'll approve to unblock this PR.
single fix could span across multiple PRs and single PR could achieve multiple changes,
But I can't fully agree with this. I think the best practice for PR is still single responsibility rule. I PR aims to solve 1 issue. Even for #2640, I think the best practice is to divide into 2 PRs, that fixes 2 cves, and create 2 change log items.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with @ZilongX that we should use a standard format for CVEs, because quickly searching/scanning for those is likely a common use for this changelog. And also 💯 to @zhongnansu's point about smaller, single responsibility PRs/commits.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zhongnansu @joshuarrrr , I actually searched a bunch of other repos' CHANGELOG trying to find a unified style yet no luck, so yes we got to work together with the community and the format may just keep pivoting.
And yes agreed on :)
- Single responsibility PR per issue (per CVE or per Package) makes good sense to me, it makes each change more clear especially for CVE fixings
- CVE change items in CHANGELOG needs to follow a standard for quick searching/scanning purposes at least, and for now we are following format as
[CVE Number] - Fix Message - PR Link
(with one example [CVE-2022-0536] Bump follow-redirects to 1.15.2 #2653))
…22-0536 (#2653) Signed-off-by: Zilong Xia <[email protected]> (cherry picked from commit caed667)
…22-0536 (#2653) (#2935) Signed-off-by: Zilong Xia <[email protected]> (cherry picked from commit caed667)
Signed-off-by: Zilong Xia [email protected]
Description
follow-redirects
up to 1.15.22.0.0
(Removes deprecatedrequest
and@percy/agent
#1113) to1.x
Issues Resolved
Resolves #1133
Resolves #1238
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr