Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[2.x] [CVE-2020-36632] Bumps flat from 4.1.1 to 5.0.2 #3419

Merged
merged 5 commits into from
Feb 15, 2023

Conversation

ZilongX
Copy link
Collaborator

@ZilongX ZilongX commented Feb 13, 2023

Signed-off-by: Zilong Xia zilongx@amazon.com

Description

Issues Resolved

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

Signed-off-by: Zilong Xia <zilongx@amazon.com>
@ZilongX ZilongX requested a review from a team as a code owner February 13, 2023 01:43
@ZilongX ZilongX added cve Security vulnerabilities detected by Dependabot or Mend v2.6.0 labels Feb 13, 2023
@codecov-commenter
Copy link

codecov-commenter commented Feb 13, 2023

Codecov Report

Merging #3419 (5bc19dd) into 2.x (e025cc1) will increase coverage by 0.05%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##              2.x    #3419      +/-   ##
==========================================
+ Coverage   66.50%   66.56%   +0.05%     
==========================================
  Files        3203     3203              
  Lines       61331    61331              
  Branches     9453     9453              
==========================================
+ Hits        40787    40823      +36     
+ Misses      18283    18253      -30     
+ Partials     2261     2255       -6     
Flag Coverage Δ
Linux 66.50% <ø> (+<0.01%) ⬆️
Windows 66.50% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...ic/application/models/sense_editor/sense_editor.ts 64.88% <0.00%> (ø)
packages/osd-optimizer/src/node/cache.ts 53.94% <0.00%> (+3.94%) ⬆️
...s/osd-optimizer/src/node/node_auto_tranpilation.ts 87.75% <0.00%> (+4.08%) ⬆️
src/dev/build/lib/config.ts 85.29% <0.00%> (+5.88%) ⬆️
...ges/osd-apm-config-loader/src/config.test.mocks.ts 100.00% <0.00%> (+8.69%) ⬆️
packages/osd-cross-platform/src/path.ts 85.36% <0.00%> (+34.14%) ⬆️
src/setup_node_env/harden/child_process.js 76.92% <0.00%> (+38.46%) ⬆️
src/dev/build/lib/get_build_number.ts 100.00% <0.00%> (+42.85%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

ZilongX and others added 2 commits February 12, 2023 19:54
Signed-off-by: Zilong Xia <zilongx@amazon.com>
seanneumann
seanneumann previously approved these changes Feb 13, 2023
Copy link
Contributor

@seanneumann seanneumann left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

Copy link
Member

@joshuarrrr joshuarrrr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ZilongX Thanks for the detailed description.

I think this is probably a better link for looking at the commit diff: hughsk/flat@4.1.1...5.0.2

I have no concerns about this change for OSD core, because we've already removed all mocha tests via #215 (and still just have a lingering item to remove the scaffolding and dependency: #1572)

But because of that we don't have a great way of validating that any plugins with mocha tests configured will be unaffected by this change. So I think we should do an extra callout in the changelog.

CHANGELOG.md Outdated Show resolved Hide resolved
Co-authored-by: Josh Romero <rmerqg@amazon.com>
@joshuarrrr
Copy link
Member

DCO check failed on a merge commit - will be fixed by squash and merge

@joshuarrrr joshuarrrr merged commit dd55d6b into opensearch-project:2.x Feb 15, 2023
@joshuarrrr
Copy link
Member

@ZilongX Any plans to backport to 1.x/1.3?

@joshuarrrr joshuarrrr changed the title [CVE-2020-36632] Bumps flat from 4.1.1 to 5.0.2 [2.x] [CVE-2020-36632] Bumps flat from 4.1.1 to 5.0.2 Feb 15, 2023
@ZilongX
Copy link
Collaborator Author

ZilongX commented Feb 17, 2023

@joshuarrrr , yes backporting to 1.x/1.3 may need some manual efforts though, I'll take a look later. (maybe just 1.3 since there won't be any new minor version release s for 1.x ~)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend v1.3.9 v2.6.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

5 participants