Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE] Bump prismjs to 1.29.0 to fix CVE-2022-23647 #2668

Merged
merged 1 commit into from
Oct 25, 2022

Conversation

ZilongX
Copy link
Collaborator

@ZilongX ZilongX commented Oct 25, 2022

Signed-off-by: Zilong Xia [email protected]

Description

  • Resolves CVE-2022-23647 by bumping prismjs up to 1.29.0
  • This one is mainly a lock file refresh (aka remove the prismjs entry in lock file and then re-run yarn osd bootstrap)

Issues Resolved

Resolves #1358

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ZilongX ZilongX added Mend: dependency security vulnerability Security vulnerability detected by Mend cve Security vulnerabilities detected by Dependabot or Mend v1.3.7 labels Oct 25, 2022
@ZilongX ZilongX requested a review from a team October 25, 2022 19:28
Copy link
Member

@zhongnansu zhongnansu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@seraphjiang seraphjiang requested a review from a team October 25, 2022 22:28
@joshuarrrr joshuarrrr merged commit 8a4a5ba into opensearch-project:1.x Oct 25, 2022
@opensearch-trigger-bot
Copy link
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2668-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 8a4a5ba9d82c12fa6d5b215382727c2fa47a85c7
# Push it to GitHub
git push --set-upstream origin backport/backport-2668-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2668-to-1.3.

@ZilongX ZilongX deleted the cve-prismjs branch October 26, 2022 01:26
joshuarrrr pushed a commit to joshuarrrr/OpenSearch-Dashboards that referenced this pull request Nov 29, 2022
…t#2668)

Signed-off-by: Zilong Xia <[email protected]>

Signed-off-by: Zilong Xia <[email protected]>
(cherry picked from commit 8a4a5ba)
joshuarrrr added a commit that referenced this pull request Nov 30, 2022
Signed-off-by: Zilong Xia <[email protected]>

Signed-off-by: Zilong Xia <[email protected]>
(cherry picked from commit 8a4a5ba)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend Mend: dependency security vulnerability Security vulnerability detected by Mend v1.3.7
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants