Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump ejs and express versions to address CVEs #1988

Merged
merged 1 commit into from
Jun 7, 2024
Merged

Bump ejs and express versions to address CVEs #1988

merged 1 commit into from
Jun 7, 2024

Conversation

derek-ho
Copy link
Collaborator

@derek-ho derek-ho commented Jun 7, 2024
edited
Loading

Description

Bumps ejs to 3.1.10 to address: CVE-2024-33883
Bumps express to 4.19.2 to address CVE-2024-29041

Category

Maintenance

Why these changes are required?

Address CVEs

What is the old behavior before changes and new behavior after changes?

No diff

Issues Resolved

Don't have one right now

Testing

None

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@derek-ho derek-ho marked this pull request as ready for review June 7, 2024 20:13
@codecov Codecov
Copy link

codecov bot commented Jun 7, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.61%. Comparing base (5fbc14e) to head (d456fb9).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #1988   +/-   ##
=======================================
  Coverage   70.61%   70.61%           
=======================================
  Files          97       97           
  Lines        2600     2600           
  Branches      380      380           
=======================================
  Hits         1836     1836           
  Misses        668      668           
  Partials       96       96

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@DarshitChanpura DarshitChanpura added the backport 2.x backport to 2.x branch label Jun 7, 2024
@DarshitChanpura DarshitChanpura merged commit 9abc57d into opensearch-project:main Jun 7, 2024
20 checks passed
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jun 7, 2024
@derek-ho @github-actions
Bump ejs and express versions to address CVEs (#1988)
4e9176f 
Signed-off-by: Derek Ho <[email protected]>
(cherry picked from commit 9abc57d)
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Jun 7, 2024
Merged
derek-ho added a commit that referenced this pull request Jun 8, 2024
@opensearch-trigger-bot @derek-ho
Bump ejs and express versions to address CVEs (#1988) (#1989)
1abcc59 
Signed-off-by: Derek Ho <[email protected]>
(cherry picked from commit 9abc57d)

Co-authored-by: Derek Ho <[email protected]>
@cwperks
Copy link
Member

cwperks commented Jun 10, 2024

@derek-ho Since the security-dashboards-plugin does not have a direct dependency on either of these, shouldn't the update be done in OSD core? Similar to: https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3542/files

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stephen-crawford stephen-crawford stephen-crawford approved these changes

@DarshitChanpura DarshitChanpura DarshitChanpura approved these changes

@cliu123 cliu123 Awaiting requested review from cliu123

@cwperks cwperks Awaiting requested review from cwperks cwperks is a code owner

@RyanL1997 RyanL1997 Awaiting requested review from RyanL1997 RyanL1997 is a code owner

Assignees
No one assigned
Labels
backport 2.x backport to 2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@derek-ho @cwperks @DarshitChanpura @stephen-crawford