Skip to content

[backport 1.x][CVE-2022-0144] bump shelljs from 0.8.4 to 0.8.5#2511

Merged
ananzh merged 1 commit intoopensearch-project:1.xfrom
ananzh:fix-shelljs
Oct 6, 2022
Merged

[backport 1.x][CVE-2022-0144] bump shelljs from 0.8.4 to 0.8.5#2511
ananzh merged 1 commit intoopensearch-project:1.xfrom
ananzh:fix-shelljs

Conversation

@ananzh
Copy link
Copy Markdown
Member

@ananzh ananzh commented Oct 5, 2022
edited
Loading

Signed-off-by: Anan Zhuang ananzh@amazon.com

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from a team October 5, 2022 18:33
@ananzh ananzh changed the title bump shelljs [backpack 1.x] bump shelljs from 0.8.4 to 0.8.5 Oct 5, 2022
@ananzh ananzh self-assigned this Oct 5, 2022
@ananzh ananzh added the cve Security vulnerabilities detected by Dependabot or Mend label Oct 5, 2022
@kavilla
Copy link
Copy Markdown
Member

kavilla commented Oct 5, 2022

Is this a backport or just bumping on the 1.x branch?

Can the commit message be a little more descriptive and include the CVE resolved? Can be accomplished before merging when we have one last chance when editing the commit message.

@joshuarrrr
Copy link
Copy Markdown
Member

joshuarrrr commented Oct 5, 2022

Also, is backpack something different than a backport, or just a typo?

@kavilla kavilla mentioned this pull request Oct 5, 2022
Closed
5 tasks
@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022

2.0 has bump to 0.8.5
I am not sure why it is not backpacked to 1.x

@kavilla
Copy link
Copy Markdown
Member

kavilla commented Oct 5, 2022

2.0 has bump to 0.8.5 I am not sure why it is not backpacked to 1.x

Gotcha, do we have the original PR that this was cherry picked from? Also, #2512 implies it was able to resolve this without touching moment resolutions.

@ananzh ananzh changed the title [backpack 1.x] bump shelljs from 0.8.4 to 0.8.5 [backport 1.x] bump shelljs from 0.8.4 to 0.8.5 Oct 5, 2022
@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022

Also, is backpack something different than a backport, or just a typo?

yeah updated to backport

@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022
edited
Loading

will update commit msg after CI check done

@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022

2.0 has bump to 0.8.5 I am not sure why it is not backpacked to 1.x

Gotcha, do we have the original PR that this was cherry picked from? Also, #2512 implies it was able to resolve this without touching moment resolutions.

It is not a cve fix PR, here is the original PR for 2.0:#1409

the moment is changed by running yarn osd bootstrap automatically

yeah just do a quick CI run to see if there is any conflicts. I will update commit msg

@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022

@joshuarrrr @kavilla do I need to update 1.3.6 release not as well?

@ananzh ananzh added the v1.3.6 label Oct 5, 2022
@joshuarrrr
Copy link
Copy Markdown
Member

joshuarrrr commented Oct 5, 2022

As far as I know, it's too late to get this to 1.3.6 now - you'd need to reach out the build team to coordinate if it has to be squeezed into the release.

@zelinh
Copy link
Copy Markdown
Member

zelinh commented Oct 5, 2022

We will pick this change into our 1.3.6 release and re-generate the release candidate for OSD. Please also update the release notes to include this. Thanks.

@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022

I see function test fail https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/3191842791/jobs/5210233465 due to SessionNotCreatedError, but I don't think it is caused by this PR.

@ananzh ananzh changed the title [backport 1.x] bump shelljs from 0.8.4 to 0.8.5 [backport 1.x][CVE-2022-0144] bump shelljs from 0.8.4 to 0.8.5 Oct 5, 2022
@ananzh
[backport 1.x] bump shelljs from 0.8.4 to 0.8.5
c6a9418 
Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh
Copy link
Copy Markdown
Member Author

ananzh commented Oct 5, 2022

@zelinh got it. I have fixed the functional test fail and include this change in the release note.

@ananzh ananzh merged commit 38790c5 into opensearch-project:1.x Oct 6, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 6, 2022
@ananzh @github-actions
[backport 1.x] bump shelljs from 0.8.4 to 0.8.5 (#2511)
2794387 
Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 38790c5)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 6, 2022
Merged
ananzh added a commit that referenced this pull request Oct 6, 2022
@opensearch-trigger-bot @ananzh
[backport 1.x] bump shelljs from 0.8.4 to 0.8.5 (#2511) (#2522)
13c7df4 
Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 38790c5)

Co-authored-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh added v1.3.7 and removed v1.3.6 labels Oct 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abbyhu2000 abbyhu2000 abbyhu2000 approved these changes

+2 more reviewers

@joshuarrrr joshuarrrr joshuarrrr approved these changes

@kaddy645 kaddy645 kaddy645 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@ananzh ananzh

Labels

backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend v1.3.7

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ananzh @kavilla @joshuarrrr @zelinh @kaddy645 @abbyhu2000