From d802a3ef5b3c75418e2cf4d5f480e48274842dfd Mon Sep 17 00:00:00 2001
From: Anan Zhuang
Date: Fri, 30 Sep 2022 10:35:41 -0700
Subject: [PATCH] fix d3-color and potential security issue (#2454)
* Resolve sub-dependent d3-color version and potencial security issue
* Addresses potential ReDoS issue from d3-color version < 3.1.0
Signed-off-by: Anan Zhuang
---
 CHANGELOG.md | 1 +
 package.json | 3 ++-
 src/dev/jest/config.js | 4 ++--
 yarn.lock | 7 +------
 4 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 64060f1c90ca..e939c228279d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,6 +40,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * Bump moment-timezone from 0.5.34 to 0.5.37 ([#2361](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2361))
 * [CVE-2022-33987] Upgrade geckodriver to 3.0.2 ([#2166](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2166))
 * Bumps percy-agent to use non-beta version ([#2415](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2415))
+* Resolve sub-dependent d3-color version and potential security issue ([#2454](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2454))
 ### 📈 Features/Enhancements
diff --git a/package.json b/package.json
index e80842008e9a..e87881fdb400 100644
--- a/package.json
+++ b/package.json
@@ -82,6 +82,7 @@
 "**/ansi-regex": "^5.0.1",
 "**/async": "^3.2.3",
 "**/axios": "^0.27.2",
+ "**/d3-color": "^3.1.0",
 "**/glob-parent": "^6.0.0",
 "**/hoist-non-react-statics": "^3.3.2",
 "**/json-schema": "^0.4.0",
@@ -460,4 +461,4 @@
 "node": "14.20.0",
 "yarn": "^1.21.1"
 }
-}
+}
\ No newline at end of file
diff --git a/src/dev/jest/config.js b/src/dev/jest/config.js
index e44837218b46..ea36e33fb30b 100644
--- a/src/dev/jest/config.js
+++ b/src/dev/jest/config.js
@@ -91,9 +91,9 @@ export default {
 '^.+\\.html?$': 'jest-raw-loader',
 },
 transformIgnorePatterns: [
- // ignore all node_modules except monaco-editor which requires babel transforms to handle dynamic import()
+ // ignore all node_modules except those which require babel transforms to handle dynamic import()
 // since ESM modules are not natively supported in Jest yet (https://github.com/facebook/jest/issues/4842)
- '[/\\\\]node_modules(?![\\/\\\\](monaco-editor|weak-lru-cache|ordered-binary))[/\\\\].+\\.js$',
+ '[/\\\\]node_modules(?![\\/\\\\](monaco-editor|weak-lru-cache|ordered-binary|d3-color))[/\\\\].+\\.js$',
 'packages/osd-pm/dist/index.js',
 ],
 snapshotSerializers: [
diff --git a/yarn.lock b/yarn.lock
index 83c310cb05b7..2c8df6850b10 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6633,12 +6633,7 @@ d3-collection@1, d3-collection@^1.0.7:
 resolved "https://registry.yarnpkg.com/d3-collection/-/d3-collection-1.0.7.tgz#349bd2aa9977db071091c13144d5e4f16b5b310e"
 integrity sha512-ii0/r5f4sjKNTfh84Di+DpztYwqKhEyUlKoPrzUFfeSkWxjW49xU2QzO9qrPrNkpdI0XJkfzvmTu8V2Zylln6A==
-d3-color@1, d3-color@^1.4.0:
- version "1.4.1"
- resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-1.4.1.tgz#c52002bf8846ada4424d55d97982fef26eb3bc8a"
- integrity sha512-p2sTHSLCJI2QKunbGb7ocOh7DgTAn8IrLx21QRc/BSnodXM4sv6aLQlnfpvehFMLZEfBc6g9pH9SWQccFYfJ9Q==
-"d3-color@1 - 3", d3-color@^3.0.1:
+d3-color@1, "d3-color@1 - 3", d3-color@^1.4.0, d3-color@^3.0.1, d3-color@^3.1.0:
 version "3.1.0"
 resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-3.1.0.tgz#395b2833dfac71507f12ac2f7af23bf819de24e2"
 integrity sha512-zg/chbXyeBtMQ1LbD/WSoW2DpC3I0mpmPdW+ynRTj/x2DAWYrIY7qeZIHidozwV24m4iavr15lNwIwLxRmOxhA==
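Review bot: Letting Babel transform `d3-color` fixes module loading only under Jest, while the `**/d3-color` resolution this PR adds makes yarn.lock resolve `d3-color@1` and `d3-color@^1.4.0` to 3.1.0 for every dependent, and d3-color 3 ships as an ES module, which is presumably why this entry became necessary. Any dependent that Node loads outside Jest and the webpack bundle would hit the same ESM-only package with no transform in the way, so the override is worth checking with `yarn why d3-color` before it is relied on as the ReDoS fix. A comment on the new alternative would record why it is there, e.g. `// d3-color >=3 (pinned via package.json resolutions for the ReDoS fix) is ESM-only and must be transformed too`. The lookahead only checks a name prefix, so `d3-color` also lets through any `d3-color-*` package; ending the group with `[\\/\\\\]` would make the exclusion exact. The `transformIgnorePatterns` array is fully inside the hunk, but the enclosing `export default {` object continues outside it.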