[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 by ananzh · Pull Request #5024 · opensearch-project/OpenSearch-Dashboards

ananzh · 2023-09-14T18:29:25Z

With the SemVer philosophy, when releasing a patch version, it should not introduce breaking changes, which includes bumping a dependency to its major version. xml2js is a dev dependency in both OSD and package @osd/test . Meanwhile, it is not included in release artifact. Therefore, bumping major versions should not break SemVer rules.

Description

Due to Leonidas-from-XIV/node-xml2js#672 (comment) , try bump xml2js to 0.6.2 to solve cve and avoid regression errors.

Issues Resolved

CVE-2023-0842
#3793

Check List

Signed-off-by: ananzh <ananzh@amazon.com>

joshuarrrr · 2023-09-14T19:05:51Z

 - [CVE-2022-1537] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723))
 - [CVE-2022-0436] Bump grunt from `1.4.1` to `1.5.3` ([#3723](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3723))
 - [CVE-2023-26136] Resolve `tough-cookie` to `4.1.3` ([#4682](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4682))
+- [CVE-2023-0842] Bump `xml2js` from `0.4.22` to `0.6.2` ([#5024](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5024))


Wrong section - should be under L10.

eeeee... I need to fix others. thank you.

joshuarrrr · 2023-09-14T19:07:01Z


-xml2js@^0.4.22, xml2js@^0.4.5:
+xml2js@^0.4.5:
  version "0.4.22"


It looks like we still have a sub-dep requiring 0.4.22. To resolve the CVE, do we need to force a resolution?

Yeah you are right. it is brought in by

=> Found "parse-bmfont-xml#xml2js@0.4.23" info This module exists because "_project_#jimp#@jimp#plugins#@jimp#plugin-print#load-bmfont#parse-bmfont-xml" depends on it. info Disk size without dependencies: "72KB" info Disk size with unique dependencies: "504KB" info Disk size with transitive dependencies: "504KB" info Number of shared dependencies: 2

with the latest jimp, we still see xml2js@0.4.23. have to force a resolution. Thank you for checking this carefully. ❤️

codecov · 2023-09-14T19:29:24Z

Codecov Report

Merging #5024 (ae071f0) into 1.3 (2a386b8) will increase coverage by 0.04%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              1.3    #5024      +/-   ##
==========================================
+ Coverage   67.45%   67.50%   +0.04%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
+ Hits        39593    39619      +26     
+ Misses      16946    16925      -21     
+ Partials     2153     2148       -5

Flag	Coverage Δ
Linux	`67.45% <ø> (ø)`
Windows	`67.45% <ø> (?)`

Flags with carried forward coverage won't be shown. Click here to find out more.

see 6 files with indirect coverage changes

Signed-off-by: ananzh <ananzh@amazon.com>

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

ananzh added cve Security vulnerabilities detected by Dependabot or Mend v1.3.13 labels Sep 14, 2023

ananzh requested review from AMoo-Miki, BSFishy, Flyingliuhub, ZilongX, abbyhu2000, ashwin-pc, joshuarrrr, kavilla, kristenTian, manasvinibs, seanneumann, zengyan-amazon and zhongnansu as code owners September 14, 2023 18:29

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2

80e0796

Signed-off-by: ananzh <ananzh@amazon.com>

ananzh force-pushed the 1.3-xml2js branch from 213518b to 80e0796 Compare September 14, 2023 18:30

ZilongX previously approved these changes Sep 14, 2023

View reviewed changes

joshuarrrr reviewed Sep 14, 2023

View reviewed changes

ananzh dismissed ZilongX’s stale review via d5946ef September 14, 2023 19:29

force xml2js to 0.6.2 and fix PR comment

7093096

Signed-off-by: ananzh <ananzh@amazon.com>

ananzh force-pushed the 1.3-xml2js branch from d5946ef to 7093096 Compare September 14, 2023 19:33

ananzh added 2 commits September 14, 2023 14:36

Merge branch '1.3' into 1.3-xml2js

bb8b7b3

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Merge branch '1.3' into 1.3-xml2js

ae071f0

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

AMoo-Miki approved these changes Sep 15, 2023

View reviewed changes

kavilla approved these changes Sep 15, 2023

View reviewed changes

ananzh merged commit a45dea3 into opensearch-project:1.3 Sep 15, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2#5024

[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2#5024
ananzh merged 4 commits intoopensearch-project:1.3from
ananzh:1.3-xml2js

ananzh commented Sep 14, 2023 •

edited

Loading

Uh oh!

joshuarrrr Sep 14, 2023

Uh oh!

ananzh Sep 14, 2023

Uh oh!

joshuarrrr Sep 14, 2023

Uh oh!

ananzh Sep 14, 2023

Uh oh!

codecov bot commented Sep 14, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

ananzh commented Sep 14, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Issues Resolved

Check List

Uh oh!

joshuarrrr Sep 14, 2023

Choose a reason for hiding this comment

Uh oh!

ananzh Sep 14, 2023

Choose a reason for hiding this comment

Uh oh!

joshuarrrr Sep 14, 2023

Choose a reason for hiding this comment

Uh oh!

ananzh Sep 14, 2023

Choose a reason for hiding this comment

Uh oh!

codecov bot commented Sep 14, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

ananzh commented Sep 14, 2023 •

edited

Loading

codecov bot commented Sep 14, 2023 •

edited

Loading