Skip to content

[CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability#5309

Merged
manasvinibs merged 3 commits intoopensearch-project:mainfrom
manasvinibs:Issue-5303
Oct 17, 2023
Merged

[CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability#5309
manasvinibs merged 3 commits intoopensearch-project:mainfrom
manasvinibs:Issue-5303

Conversation

@manasvinibs
Copy link
Copy Markdown
Member

@manasvinibs manasvinibs commented Oct 16, 2023

Description

Before fix:

yarn why @babel/traverse
yarn why v1.22.19
[1/4] Why do we have the module "@babel/traverse"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@babel/traverse@7.17.3"
info Reasons this module exists
   - "_project_#@babel#core" depends on it
   - Hoisted from "_project_#@babel#core#@babel#traverse"
   - Hoisted from "_project_#babel-eslint#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helper-module-transforms#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helpers#@babel#traverse"
   - Hoisted from "_project_#@osd#ui-shared-deps#styled-components#@babel#traverse"
   - Hoisted from "_project_#jest#@jest#core#jest-snapshot#@babel#traverse"
   - Hoisted from "_project_#@osd#interpreter#@babel#plugin-transform-runtime#babel-plugin-polyfill-corejs2#@babel#helper-define-polyfill-provider#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#plugin-proposal-private-methods#@babel#helper-create-class-features-plugin#@babel#helper-replace-supers#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#preset-env#@babel#plugin-proposal-async-generator-functions#@babel#helper-remap-async-to-generator#@babel#helper-wrap-function#@babel#traverse"
info Disk size without dependencies: "292KB"
info Disk size with unique dependencies: "4.59MB"
info Disk size with transitive dependencies: "6.04MB"
info Number of shared dependencies: 23
Done in 0.86s.

After package resolution fix:

yarn why @babel/traverse
yarn why v1.22.19
[1/4] Why do we have the module "@babel/traverse"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.5.2"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "@babel/traverse@7.23.2"
info Reasons this module exists
   - "_project_#@babel#core" depends on it
   - Hoisted from "_project_#@babel#core#@babel#traverse"
   - Hoisted from "_project_#babel-eslint#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helper-module-transforms#@babel#traverse"
   - Hoisted from "_project_#@babel#core#@babel#helpers#@babel#traverse"
   - Hoisted from "_project_#@osd#ui-shared-deps#styled-components#@babel#traverse"
   - Hoisted from "_project_#jest#@jest#core#jest-snapshot#@babel#traverse"
   - Hoisted from "_project_#@osd#interpreter#@babel#plugin-transform-runtime#babel-plugin-polyfill-corejs2#@babel#helper-define-polyfill-provider#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#plugin-proposal-private-methods#@babel#helper-create-class-features-plugin#@babel#helper-replace-supers#@babel#traverse"
   - Hoisted from "_project_#@osd#babel-preset#@babel#preset-env#@babel#plugin-proposal-async-generator-functions#@babel#helper-remap-async-to-generator#@babel#helper-wrap-function#@babel#traverse"
info Disk size without dependencies: "6.52MB"
info Disk size with unique dependencies: "13.78MB"
info Disk size with transitive dependencies: "15.23MB"
info Number of shared dependencies: 24
Done in 0.86s.

Issues Resolved

#5303

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@manasvinibs
Add package resolution for to to fix vulnerability
8d9fe3f 
Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
@codecov
Copy link
Copy Markdown

codecov bot commented Oct 16, 2023
edited
Loading

Codecov Report

Merging #5309 (517dca1) into main (534b2d0) will increase coverage by 11.14%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##             main    #5309       +/-   ##
===========================================
+ Coverage   55.64%   66.79%   +11.14%     
===========================================
  Files        2995     3284      +289     
  Lines       59120    63113     +3993     
  Branches     9436    10049      +613     
===========================================
+ Hits        32900    42159     +9259     
+ Misses      24129    18474     -5655     
- Partials     2091     2480      +389
Flag Coverage Δ
Linux_1 35.25% <ø> (-0.02%) ⬇️
Linux_2 55.20% <ø> (?)
Linux_3 43.84% <ø> (?)
Linux_4 35.35% <ø> (-0.01%) ⬇️
Windows_1 35.26% <ø> (-0.02%) ⬇️
Windows_2 55.16% <ø> (?)
Windows_3 43.84% <ø> (-0.01%) ⬇️
Windows_4 35.35% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 698 files with indirect coverage changes

@manasvinibs manasvinibs added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend labels Oct 16, 2023
ananzh
ananzh previously approved these changes Oct 16, 2023
View reviewed changes
@manasvinibs manasvinibs changed the title [CVE-2023-45133] Add package resolution for to to fix vulnerability [CVE-2023-45133] Add package resolution for @babel/traverse to 7.23.2 to fix vulnerability Oct 16, 2023
@joshuarrrr
Further consolidate locked deps
4973099 
Signed-off-by: Josh Romero <rmerqg@amazon.com>
joshuarrrr
joshuarrrr previously approved these changes Oct 16, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@joshuarrrr joshuarrrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@joshuarrrr
Revert "Further consolidate locked deps"
517dca1 
This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>
@manasvinibs manasvinibs requested a review from ananzh October 16, 2023 23:01
@joshuarrrr joshuarrrr mentioned this pull request Oct 17, 2023
Closed
BSFishy
BSFishy reviewed Oct 17, 2023
View reviewed changes
Comment thread package.json
"**/xml2js": "^0.5.0",
"**/yaml": "^2.2.2"
"**/yaml": "^2.2.2",
"**/@babel/traverse": "^7.23.2"
Copy link
Copy Markdown
Contributor

@BSFishy BSFishy Oct 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't seem to me like a resolution is necessary. All the versions in the lock file are compatible with this version, so it should only need to be an update to the lock file.

With a grain of salt, though. I don't know how this project handles CVE's in terms of what optimizer does/guaranteeing that all plugins use this version too

Copy link
Copy Markdown
Member Author

@manasvinibs manasvinibs Oct 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think adding package resolution will install the dependencies rightly to the desired version. Also, I think its a standard practice to add package resolution and to avoid directly editing the lock file as it can break somethings. I don't know how this package is any different from other ones we have dealt with.

Copy link
Copy Markdown
Member

@joshuarrrr joshuarrrr Oct 17, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, @BSFishy is right that it's not necessary; simply removing the entries from the yarn.lock and re-running the bootstrap command would be sufficient. But for CVEs, I think it's kind of nice to enforce a minimum range via a resolution, in case some dep decided to go backwards, so I'm fine with it either way.

@manasvinibs manasvinibs merged commit a351f90 into opensearch-project:main Oct 17, 2023
@opensearch-trigger-bot
Copy link
Copy Markdown
Contributor

opensearch-trigger-bot bot commented Oct 17, 2023

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-5309-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-5309-to-2.x.

@joshuarrrr
Copy link
Copy Markdown
Member

joshuarrrr commented Oct 17, 2023

@manasvinibs Looks like you'll need to manually backport.

manasvinibs added a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Oct 18, 2023
@manasvinibs @joshuarrrr
[CVE-2023-45133] Add package resolution for @babel/traverse to `7.2…
4a7b9fc 
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)
@manasvinibs manasvinibs mentioned this pull request Oct 18, 2023
Merged
7 tasks
manasvinibs added a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Oct 26, 2023
@manasvinibs @joshuarrrr
[CVE-2023-45133] Add package resolution for @babel/traverse to `7.2…
289c78d 
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)
manasvinibs added a commit to manasvinibs/OpenSearch-Dashboards that referenced this pull request Oct 27, 2023
@manasvinibs @joshuarrrr
[CVE-2023-45133] Add package resolution for @babel/traverse to `7.2…
55b2905 
…3.2` to fix vulnerability (opensearch-project#5309)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)
@joshuarrrr joshuarrrr mentioned this pull request Nov 3, 2023
Merged
7 tasks
manasvinibs added a commit that referenced this pull request Nov 7, 2023
@manasvinibs @joshuarrrr
[CVE-2023-45133] Add package resolution for @babel/traverse to `7.2…
ea0e856 
…3.2` to fix vulnerability (#5309) (#5320)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 15, 2023
@github-actions
[CVE-2023-45133] Add package resolution for @babel/traverse to `7.2…
cc55e29 
…3.2` to fix vulnerability (#5309) (#5320)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit ea0e856)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
joshuarrrr pushed a commit that referenced this pull request Nov 16, 2023
@opensearch-trigger-bot @github-actions
[CVE-2023-45133] Add package resolution for @babel/traverse to `7.2…
034aa49 
…3.2` to fix vulnerability (#5309) (#5320) (#5480)

* Add package resolution for  to  to fix vulnerability

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>

* Further consolidate locked deps

Signed-off-by: Josh Romero <rmerqg@amazon.com>

* Revert "Further consolidate locked deps"

This reverts commit 4973099.

Signed-off-by: Josh Romero <rmerqg@amazon.com>

---------

Signed-off-by: Manasvini B Suryanarayana <manasvis@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit a351f90)

Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit ea0e856)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@joshuarrrr joshuarrrr added the v2.11.1 Issues targeting release v2.11.1 label Nov 16, 2023
@opensearch-trigger-bot
Copy link
Copy Markdown
Contributor

opensearch-trigger-bot bot commented Dec 1, 2023

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-1.3
# Create a new branch
git switch --create backport/backport-5309-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 a351f908b7ad28fedbb0534f2758cdcea693ffd8
# Push it to GitHub
git push --set-upstream origin backport/backport-5309-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-5309-to-1.3.

@abbyhu2000 abbyhu2000 mentioned this pull request Dec 1, 2023
Merged
7 tasks
@manasvinibs
Copy link
Copy Markdown
Member Author

manasvinibs commented Jan 31, 2024

Manual backport to 2.x - #5320
Manual backport to 1.3 - #5564

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ananzh ananzh ananzh approved these changes

@kavilla kavilla Awaiting requested review from kavilla kavilla is a code owner

@seanneumann seanneumann Awaiting requested review from seanneumann

@AMoo-Miki AMoo-Miki Awaiting requested review from AMoo-Miki AMoo-Miki is a code owner

@ashwin-pc ashwin-pc Awaiting requested review from ashwin-pc ashwin-pc is a code owner

@abbyhu2000 abbyhu2000 Awaiting requested review from abbyhu2000 abbyhu2000 is a code owner

@zengyan-amazon zengyan-amazon Awaiting requested review from zengyan-amazon zengyan-amazon is a code owner

@kristenTian kristenTian Awaiting requested review from kristenTian

@zhongnansu zhongnansu Awaiting requested review from zhongnansu zhongnansu is a code owner

@ZilongX ZilongX Awaiting requested review from ZilongX ZilongX is a code owner

@Flyingliuhub Flyingliuhub Awaiting requested review from Flyingliuhub Flyingliuhub is a code owner

@curq curq Awaiting requested review from curq

+2 more reviewers

@joshuarrrr joshuarrrr joshuarrrr approved these changes

@BSFishy BSFishy BSFishy left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport 1.3 backport 2.x cve Security vulnerabilities detected by Dependabot or Mend distinguished-contributor high severity High severity CVE v2.11.1 Issues targeting release v2.11.1 v2.12.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@manasvinibs @joshuarrrr @BSFishy @ananzh @abbyhu2000