From 5b7717444dee56984712e06777a2bf59af7fa291 Mon Sep 17 00:00:00 2001
From: Adam Tackett <105462877+TackAdam@users.noreply.github.com>
Date: Wed, 24 Jul 2024 14:13:08 -0700
Subject: [PATCH 1/4] [Bug] CVE fix for ag (#1989)

* update package to fix CVEs
Signed-off-by: Adam Tackett
* include yarnlock
Signed-off-by: Adam Tackett
* change ag for cve
Signed-off-by: Adam Tackett
* update release notes
Signed-off-by: Adam Tackett
---------
Signed-off-by: Adam Tackett
Signed-off-by: Shenoy Pratik
Co-authored-by: Adam Tackett
Co-authored-by: Shenoy Pratik
(cherry picked from commit 196dd35b0f256b7521efc7d75eb297b495a7509e)
---
 package.json | 4 ++--
 ...ds-observability.release-notes-2.16.0.0.md | 2 ++
 yarn.lock | 22 +++++++++++++++----
 3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/package.json b/package.json
index ba3ff09b18..438ac5eaaf 100644
--- a/package.json
+++ b/package.json
@@ -16,13 +16,13 @@
 "cypress:parallel": "cypress-parallel -s cypress:run -t 2 -d .cypress/integration"
 },
 "dependencies": {
- "@ag-grid-community/styles": "^31.2.0",
+ "@ag-grid-community/styles": "^31.3.4",
 "@algolia/autocomplete-core": "^1.4.1",
 "@algolia/autocomplete-theme-classic": "^1.2.1",
 "@nteract/outputs": "^3.0.11",
 "@nteract/presentational-components": "^3.4.3",
 "@reduxjs/toolkit": "^1.6.1",
- "ag-grid-react": "^31.2.0",
+ "ag-grid-react": "^31.3.4",
 "ajv": "^8.11.0",
 "antlr4": "4.8.0",
 "antlr4ts": "^0.5.0-alpha.4",
diff --git a/release-notes/dashboards-observability.release-notes-2.16.0.0.md b/release-notes/dashboards-observability.release-notes-2.16.0.0.md
index 3b5a321d19..0ad6fbd135 100644
--- a/release-notes/dashboards-observability.release-notes-2.16.0.0.md
+++ b/release-notes/dashboards-observability.release-notes-2.16.0.0.md
@@ -22,3 +22,5 @@ Compatible with OpenSearch and OpenSearch Dashboards version 2.16.0
 ### Maintenance
 * updated java version from 11 to 21 ([#1940](https://github.com/opensearch-project/dashboards-observability/pull/1940))
+* [Bug] Fix CVEs for ag-grid, ws and braces packages ([#1987](https://github.com/opensearch-project/dashboards-observability/pull/1987))
+* [Bug] CVE fix for ag ([#1989](https://github.com/opensearch-project/dashboards-observability/pull/1989))
\ No newline at end of file
diff --git a/yarn.lock b/yarn.lock
index f0d28220ad..f163029bf7 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2,10 +2,10 @@
 # yarn lockfile v1
-"@ag-grid-community/styles@^31.2.0":
- version "31.2.0"
- resolved "https://registry.yarnpkg.com/@ag-grid-community/styles/-/styles-31.2.0.tgz#7605338f2e0f3a3c2e7952f0e96360600033316c"
- integrity sha512-fU6wDpK0//dJLp5pwojuTUQPi4nVZ4iTBF1yaQw+6NXeGi0ma7rz7IOS6Idw0XXE3ELKGTuO7QUJmxxdL7kykw==
+"@ag-grid-community/styles@^31.3.4":
+ version "31.3.4"
+ resolved "https://registry.yarnpkg.com/@ag-grid-community/styles/-/styles-31.3.4.tgz#e88a36a8c68456ba78479f56e74a225396d44a68"
+ integrity sha512-5pgt/Qq/GxiJi59UA17ltG5U4r0J+GB3S/QCysJFi6kmgmCDsbCfisekTwSh0xxOGO+OIhejoqsOuEnTcw78kg==
 "@algolia/autocomplete-core@^1.4.1":
 version "1.11.0"
@@ -359,6 +359,7 @@ acorn@^7.1.1:
 resolved "https://registry.yarnpkg.com/acorn/-/acorn-7.4.1.tgz#feaed255973d2e77555b83dbc08851a6c63520fa"
 integrity sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==
+<<<<<<< HEAD
 ag-grid-community@31.2.0:
 version "31.2.0"
 resolved "https://registry.yarnpkg.com/ag-grid-community/-/ag-grid-community-31.2.0.tgz#376f07a3a7dd5c87d8cb6f660e4e338ec70663d1"
@@ -370,6 +371,19 @@ ag-grid-react@^31.2.0:
 integrity sha512-ObFdPmF3EC7/xWZX8NjrZjURePyFa72MWjb1ZgUqDP7Wq09OSXXyKBN1qXmfUIT3h4o5+os6tCQEqoo7Op+3ZA==
 dependencies:
 ag-grid-community "31.2.0"
+=======
+ag-grid-community@31.3.4:
+ version "31.3.4"
+ resolved "https://registry.yarnpkg.com/ag-grid-community/-/ag-grid-community-31.3.4.tgz#d9397672d6941aebc633a37b2b32e3637aa05642"
+ integrity sha512-jOxQO86C6eLnk1GdP24HB6aqaouFzMWizgfUwNY5MnetiWzz9ZaAmOGSnW/XBvdjXvC5Fpk3gSbvVKKQ7h9kBw==
+
+ag-grid-react@^31.3.4:
+ version "31.3.4"
+ resolved "https://registry.yarnpkg.com/ag-grid-react/-/ag-grid-react-31.3.4.tgz#3e0659c455cbf0facb5af457f260fccb8eb87bea"
+ integrity sha512-WmPASHRFGSTxCMRStWG5bRtln0Ugsdqbb3+Y8sEyGHeLw4hXqfpqie3lT9kqCOl7wPWUjCpwmFdXzRnWPmyyeg==
+ dependencies:
+ ag-grid-community "31.3.4"
+>>>>>>> 196dd35b ([Bug] CVE fix for ag (#1989))
 prop-types "^15.8.1"
 aggregate-error@^3.0.0:
From 723c122a2762243adc0b9780b2f5d2a84a72d5b3 Mon Sep 17 00:00:00 2001
From: Adam Tackett
Date: Wed, 24 Jul 2024 14:19:26 -0700
Subject: [PATCH 2/4] backport cve

Signed-off-by: Adam Tackett
---
 yarn.lock | 14 --------------
 1 file changed, 14 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index f163029bf7..7bc0aa74a7 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -359,19 +359,6 @@ acorn@^7.1.1:
 resolved "https://registry.yarnpkg.com/acorn/-/acorn-7.4.1.tgz#feaed255973d2e77555b83dbc08851a6c63520fa"
 integrity sha512-nQyp0o1/mNdbTO1PO6kHkwSrmgZ0MT/jCCpNiwbUjGoRN4dlBhqJtoQuCnEOKzgTVwg0ZWiCoQy6SxMebQVh8A==
-<<<<<<< HEAD
-ag-grid-community@31.2.0:
- version "31.2.0"
- resolved "https://registry.yarnpkg.com/ag-grid-community/-/ag-grid-community-31.2.0.tgz#376f07a3a7dd5c87d8cb6f660e4e338ec70663d1"
- integrity sha512-Ija6X171Iq3mFZASZlriQIIdEFqA71rZIsjQD6KHy5lMmxnoseZTX2neThBav1gvr6SA6n5B2PD6eUHdZnrUfw==
-
-ag-grid-react@^31.2.0:
- version "31.2.0"
- resolved "https://registry.yarnpkg.com/ag-grid-react/-/ag-grid-react-31.2.0.tgz#c3e90edd4ccac3fbb113b657ad6192bc2d85e314"
- integrity sha512-ObFdPmF3EC7/xWZX8NjrZjURePyFa72MWjb1ZgUqDP7Wq09OSXXyKBN1qXmfUIT3h4o5+os6tCQEqoo7Op+3ZA==
- dependencies:
- ag-grid-community "31.2.0"
-=======
 ag-grid-community@31.3.4:
 version "31.3.4"
 resolved "https://registry.yarnpkg.com/ag-grid-community/-/ag-grid-community-31.3.4.tgz#d9397672d6941aebc633a37b2b32e3637aa05642"
@@ -383,7 +370,6 @@ ag-grid-react@^31.3.4:
 integrity sha512-WmPASHRFGSTxCMRStWG5bRtln0Ugsdqbb3+Y8sEyGHeLw4hXqfpqie3lT9kqCOl7wPWUjCpwmFdXzRnWPmyyeg==
 dependencies:
 ag-grid-community "31.3.4"
->>>>>>> 196dd35b ([Bug] CVE fix for ag (#1989))
 prop-types "^15.8.1"
 aggregate-error@^3.0.0:
From 878b3ee677c087f2f11b737999de252a18042f41 Mon Sep 17 00:00:00 2001
From: Adam Tackett
Date: Wed, 24 Jul 2024 15:09:06 -0700
Subject: [PATCH 3/4] update depend

Signed-off-by: Adam Tackett
---
 package.json | 4 +++-
 yarn.lock | 26 +++++++++++++-------------
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/package.json b/package.json
index 438ac5eaaf..64951aa72f 100644
--- a/package.json
+++ b/package.json
@@ -68,6 +68,8 @@
 "yaml": "^2.2.2",
 "tough-cookie": "^4.1.3",
 "semver": "^7.5.2",
- "@cypress/request": "^3.0.0"
+ "@cypress/request": "^3.0.0",
+ "braces": "^3.0.3",
+ "ws": "^8.18.0"
 }
 }
\ No newline at end of file
diff --git a/yarn.lock b/yarn.lock
index 7bc0aa74a7..3c87844b69 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -603,12 +603,12 @@ brace-expansion@^1.1.7:
 balanced-match "^1.0.0"
 concat-map "0.0.1"
-braces@^3.0.2, braces@~3.0.2:
- version "3.0.2"
- resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.2.tgz#3454e1a462ee8d599e236df336cd9ea4f8afe107"
- integrity sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==
+braces@^3.0.2, braces@^3.0.3, braces@~3.0.2:
+ version "3.0.3"
+ resolved "https://registry.yarnpkg.com/braces/-/braces-3.0.3.tgz#490332f40919452272d55a8480adc0c441358789"
+ integrity sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==
 dependencies:
- fill-range "^7.0.1"
+ fill-range "^7.1.1"
 browser-stdout@1.3.1:
 version "1.3.1"
@@ -1398,10 +1398,10 @@ file-entry-cache@^5.0.1:
 dependencies:
 flat-cache "^2.0.1"
-fill-range@^7.0.1:
- version "7.0.1"
- resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.0.1.tgz#1919a6a7c75fe38b2c7c77e5198535da9acdda40"
- integrity sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==
+fill-range@^7.1.1:
+ version "7.1.1"
+ resolved "https://registry.yarnpkg.com/fill-range/-/fill-range-7.1.1.tgz#44265d3cac07e3ea7dc247516380643754a05292"
+ integrity sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==
 dependencies:
 to-regex-range "^5.0.1"
@@ -3493,10 +3493,10 @@ write@1.0.3:
 dependencies:
 mkdirp "^0.5.1"
-ws@8.13.0:
- version "8.13.0"
- resolved "https://registry.yarnpkg.com/ws/-/ws-8.13.0.tgz#9a9fb92f93cf41512a0735c8f4dd09b8a1211cd0"
- integrity sha512-x9vcZYTrFPC7aSIbj7sRCYo7L/Xb8Iy+pW0ng0wt2vCJv7M9HOMy0UoN3rr+IFC7hb7vXoqS+P9ktyLLLhO+LA==
+ws@8.13.0, ws@^8.18.0:
+ version "8.18.0"
+ resolved "https://registry.yarnpkg.com/ws/-/ws-8.18.0.tgz#0d7505a6eafe2b0e712d232b42279f53bc289bbc"
+ integrity sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==
 x-is-string@^0.1.0:
 version "0.1.0"
From 0c3c3929ad2480088931c832c010c225a202e272 Mon Sep 17 00:00:00 2001
From: Adam Tackett
Date: Wed, 24 Jul 2024 15:31:11 -0700
Subject: [PATCH 4/4] update snapshots

Signed-off-by: Adam Tackett
---
 .../search/__tests__/__snapshots__/search.test.tsx.snap | 2 +-
 .../__tests__/__snapshots__/custom_panel_view.test.tsx.snap | 4 ++--
 .../top_menu/__tests__/__snapshots__/top_menu.test.tsx.snap | 2 +-
 .../common/__tests__/__snapshots__/search_bar.test.tsx.snap | 4 ++--
 .../services/__tests__/__snapshots__/services.test.tsx.snap | 6 +++---
 .../traces/__tests__/__snapshots__/traces.test.tsx.snap | 6 +++---
 6 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/public/components/common/search/__tests__/__snapshots__/search.test.tsx.snap b/public/components/common/search/__tests__/__snapshots__/search.test.tsx.snap
index ef20b90549..56ae657ba5 100644
--- a/public/components/common/search/__tests__/__snapshots__/search.test.tsx.snap
+++ b/public/components/common/search/__tests__/__snapshots__/search.test.tsx.snap
@@ -571,7 +571,7 @@ exports[`Explorer Search component renders basic component 1`] = `
 hasArrow={true}
 isOpen={false}
 ownFocus={true}
- panelPaddingSize="s"
+ panelPaddingSize="m"
 >