Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE] Bump follow-redirects to 1.15.2 to fix CVE-2022-0155 and CVE-20… #2653

Merged
merged 1 commit into from
Oct 24, 2022
Merged

[CVE] Bump follow-redirects to 1.15.2 to fix CVE-2022-0155 and CVE-20… #2653

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)

### 🛡 Security
* [CVE-2022-0144] Bump shelljs from 0.8.4 to 0.8.5 ([#2511](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2511))
* [CVE-2022-0155] Bump follow-redirects to 1.15.2 [#2653](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2653))
* [CVE-2022-0536] Bump follow-redirects to 1.15.2 [#2653](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2653))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

combining change log into one? Since we always have 1 PR mapping to 1 change log. according to @ananzh 's comment here, and even tho it's different cve number, but the the change of dependency is the same.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

combining change log into one? Since we always have 1 PR mapping to 1 change log. according to @ananzh 's comment here, and even tho it's different cve number, but the the change of dependency is the same.

As long as it is not PR log or commit log, keep separate entry make sense to me.

Btw, I'm not fan of changelog file 😎

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well actually I'm not quite sold on this one (#2640 (comment)) aka one changelog item per one PR, my $0.02 are :

  • changelogs are for humans not machines, and for humans we read focus on the first key word of a sentence and for CVE changes the keywords are always the CVE numbers
  • as a developer and a customer (as targeted audiences of the changelog), I care more about which changes have been done rather than how many changes have been done in one single PR, single fix could span across multiple PRs and single PR could achieve multiple changes, it would be good as long as the changed items are listed clearly in the changelog,

The one shared is actually a bad example, comparing

  • [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5 and [IBM X-Force ID: 220063] unset-value from 1.0.1 to 2.0.1
    vs
  • [CVE-2022-3517] Bumps minimatch from 3.0.4 to 3.0.5
  • [IBM X-Force ID: 220063] unset-value from 1.0.1 to 2.0.1

The latter one actually seems more concise and clear to me.

Copy link
Member

@zhongnansu zhongnansu Oct 24, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

change log is something that doesn't have a standard, it relies more on community discussion and consensus. @ZilongX 's point is valid, cve number is critical info and it should be treated as 2 items in change log. I'll approve to unblock this PR.

single fix could span across multiple PRs and single PR could achieve multiple changes,

But I can't fully agree with this. I think the best practice for PR is still single responsibility rule. I PR aims to solve 1 issue. Even for #2640, I think the best practice is to divide into 2 PRs, that fixes 2 cves, and create 2 change log items.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with @ZilongX that we should use a standard format for CVEs, because quickly searching/scanning for those is likely a common use for this changelog. And also 💯 to @zhongnansu's point about smaller, single responsibility PRs/commits.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zhongnansu @joshuarrrr , I actually searched a bunch of other repos' CHANGELOG trying to find a unified style yet no luck, so yes we got to work together with the community and the format may just keep pivoting.

And yes agreed on :)

  • Single responsibility PR per issue (per CVE or per Package) makes good sense to me, it makes each change more clear especially for CVE fixings
  • CVE change items in CHANGELOG needs to follow a standard for quick searching/scanning purposes at least, and for now we are following format as
    [CVE Number] - Fix Message - PR Link
    (with one example [CVE-2022-0536] Bump follow-redirects to 1.15.2 #2653))


### 📈 Features/Enhancements

Expand Down
1 change: 1 addition & 0 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@
"**/ansi-regex": "^5.0.1",
"**/axios": "^0.21.4",
"**/ejs": "^3.1.6",
"**/follow-redirects": "^1.15.2",
"**/front-matter": "^4.0.2",
"**/glob-parent": "^6.0.0",
"**/hoist-non-react-statics": "^3.3.2",
Expand Down
13 changes: 4 additions & 9 deletions yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11322,15 +11322,10 @@ focus-trap@^2.0.1:
dependencies:
tabbable "^1.0.3"

[email protected]:
version "1.12.1"
resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.12.1.tgz#de54a6205311b93d60398ebc01cf7015682312b6"
integrity sha512-tmRv0AVuR7ZyouUHLeNSiO6pqulF7dYa3s19c6t+wz9LD69/uSzdMxJ2S91nTI9U3rt/IldxpzMOFejp6f0hjg==

follow-redirects@^1.0.0, follow-redirects@^1.14.0:
version "1.14.3"
resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.14.3.tgz#6ada78118d8d24caee595595accdc0ac6abd022e"
integrity sha512-3MkHxknWMUtb23apkgz/83fDoe+y+qr0TdgacGIA7bew+QLBo3vdgEN2xEsuXNivpFy4CyDhBBZnNZOtalmenw==
[email protected], follow-redirects@^1.0.0, follow-redirects@^1.14.0, follow-redirects@^1.15.2:
version "1.15.2"
resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.2.tgz#b460864144ba63f2681096f274c4e57026da2c13"
integrity sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==

[email protected]:
version "4.7.0"
Expand Down