Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CVE-2024-45590][CVE-2024-45296] Resolve cves for 1.3 by bumping body-parser and path-to-regexp #9007

Merged
merged 1 commit into from
Dec 5, 2024

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Dec 4, 2024

Description

Resolve CVE-2024-45590 by bumping body-parser from 1.19.0 to 1.20.3
Resolve CVE-2024-45296 by bumping a vary of path-to-regexp to required versions

Issues Resolved

NA

Screenshot

ubuntu@ip-172-31-21-67:~/work/OpenSearch-Dashboards$ yarn why body-parser
yarn why v1.22.19
[1/4] Why do we have the module "body-parser"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.8.4"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#@percy#agent" depends on it
   - Hoisted from "_project_#@percy#agent#body-parser"
   - Hoisted from "_project_#@percy#agent#express#body-parser"
info Disk size without dependencies: "260KB"
info Disk size with unique dependencies: "1.74MB"
info Disk size with transitive dependencies: "6.38MB"
info Number of shared dependencies: 35
Done in 1.24s.
yarn why path-to-regexp
yarn why v1.22.19
[1/4] Why do we have the module "path-to-regexp"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~4.8.4"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "path-to-regexp"
info Reasons this module exists
   - "workspace-aggregator-91d1e03a-484e-4382-92ee-fb37e2746776" depends on it
   - Hoisted from "_project_#react-router#path-to-regexp"
   - Hoisted from "_project_#sinon#nise#path-to-regexp"
info Disk size without dependencies: "68KB"
info Disk size with unique dependencies: "100KB"
info Disk size with transitive dependencies: "100KB"
info Number of shared dependencies: 1
=> Found "fetch-mock#[email protected]"
info This module exists because "_project_#fetch-mock" depends on it.
info Disk size without dependencies: "36KB"
info Disk size with unique dependencies: "36KB"
info Disk size with transitive dependencies: "36KB"
info Number of shared dependencies: 0
=> Found "express#[email protected]"
info This module exists because "_project_#@percy#agent#express" depends on it.
info Disk size without dependencies: "16KB"
info Disk size with unique dependencies: "16KB"
info Disk size with transitive dependencies: "16KB"
info Number of shared dependencies: 0
Done in 1.21s.

Testing the changes

Changelog

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh changed the title [CVE-2024-45590][CVE-2024-45296] Resolve two cves for 1.3 by bumping body-parser and path-to-regexp [CVE-2024-45590][CVE-2024-45296] Resolve cves for 1.3 by bumping body-parser and path-to-regexp Dec 4, 2024
Copy link

codecov bot commented Dec 4, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 67.44%. Comparing base (d0b47bd) to head (1d3fe28).
Report is 2 commits behind head on 1.3.

Additional details and impacted files
@@            Coverage Diff             @@
##              1.3    #9007      +/-   ##
==========================================
- Coverage   70.72%   67.44%   -3.28%     
==========================================
  Files        3045     3045              
  Lines       58709    58709              
  Branches     8904     8904              
==========================================
- Hits        41520    39597    -1923     
- Misses      16897    16960      +63     
- Partials      292     2152    +1860     
Flag Coverage Δ
Linux ?
Windows 67.44% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@ananzh ananzh added v1.3.20 Issues targeting release v1.3.20 cve Security vulnerabilities detected by Dependabot or Mend labels Dec 4, 2024
@ananzh ananzh merged commit 10c0bae into opensearch-project:1.3 Dec 5, 2024
33 of 53 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend v1.3.20 Issues targeting release v1.3.20
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants