Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987 #2166

Merged
merged 5 commits into from
Sep 20, 2022

Conversation

CCongWang
Copy link
Contributor

@CCongWang CCongWang commented Aug 18, 2022

Signed-off-by: CCongWang [email protected]

Description

Upgrade geckodriver to 3.0.2 to use [email protected], which partially fix CVE-2022-33987

Issues Resolved

#1764

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

@CCongWang CCongWang requested a review from a team as a code owner August 18, 2022 22:13
@codecov-commenter
Copy link

codecov-commenter commented Aug 18, 2022

Codecov Report

Merging #2166 (c031614) into main (bebbcca) will increase coverage by 0.00%.
The diff coverage is n/a.

❗ Current head c031614 differs from pull request most recent head 1208bd3. Consider uploading reports for the commit 1208bd3 to get more accurate results

@@           Coverage Diff           @@
##             main    #2166   +/-   ##
=======================================
  Coverage   66.55%   66.55%           
=======================================
  Files        3170     3170           
  Lines       60318    60318           
  Branches     9181     9181           
=======================================
+ Hits        40142    40146    +4     
+ Misses      17983    17980    -3     
+ Partials     2193     2192    -1     
Impacted Files Coverage Δ
packages/osd-optimizer/src/node/cache.ts 52.77% <0.00%> (+2.77%) ⬆️
...s/osd-optimizer/src/node/node_auto_tranpilation.ts 87.75% <0.00%> (+4.08%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

zhongnansu
zhongnansu previously approved these changes Aug 22, 2022
Copy link
Member

@zhongnansu zhongnansu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

ananzh
ananzh previously approved these changes Aug 22, 2022
Copy link
Member

@ananzh ananzh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

package.json Outdated
@@ -370,7 +370,7 @@
"exit-hook": "^2.2.0",
"fetch-mock": "^7.3.9",
"fp-ts": "^2.3.1",
"geckodriver": "^3.0.1",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can backport it if we just handle it resolution

Copy link
Member

@kavilla kavilla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can keep all the resolutions

@ashwin-pc ashwin-pc dismissed stale reviews from ananzh and zhongnansu via d8e2fc8 September 15, 2022 00:38
@kavilla kavilla linked an issue Sep 19, 2022 that may be closed by this pull request
@kavilla kavilla added cve Security vulnerabilities detected by Dependabot or Mend backport 2.x labels Sep 19, 2022
@joshuarrrr joshuarrrr merged commit 06abe83 into opensearch-project:main Sep 20, 2022
@opensearch-trigger-bot
Copy link
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2166-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 06abe83e0180f391a84c742cf5594866bc747ea2
# Push it to GitHub
git push --set-upstream origin backport/backport-2166-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2166-to-2.x.

kavilla pushed a commit to kavilla/OpenSearch-Dashboards-1 that referenced this pull request Sep 21, 2022
…rch-project#2166)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <[email protected]>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
@kavilla kavilla added the v2.3.1 label Sep 22, 2022
kavilla added a commit that referenced this pull request Sep 22, 2022
…2397)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <[email protected]>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Cong Wang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Sep 22, 2022
…2397)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <[email protected]>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Cong Wang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
(cherry picked from commit 3aacdc3)
kavilla pushed a commit that referenced this pull request Sep 23, 2022
…2397) (#2405)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987
* Revert change to package.json
* Update yarn.lock

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
Co-authored-by: Cong Wang <[email protected]>
(cherry picked from commit 3aacdc3)
@AMoo-Miki AMoo-Miki added v2.4.0 'Issues and PRs related to version v2.4.0' and removed v2.3.1 labels Nov 5, 2022
sipopo pushed a commit to sipopo/OpenSearch-Dashboards that referenced this pull request Dec 16, 2022
…rch-project#2166)

* Upgrade geckodriver to 3.0.2 to partially fix CVE-2022-33987

Signed-off-by: CCongWang <[email protected]>

* Revert change to package.json

* Update yarn.lock

Signed-off-by: CCongWang <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Ashwin P Chandran <[email protected]>
Co-authored-by: Josh Romero <[email protected]>
Signed-off-by: Sergey V. Osipov <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x cve Security vulnerabilities detected by Dependabot or Mend v2.4.0 'Issues and PRs related to version v2.4.0'
Projects
None yet
Development

Successfully merging this pull request may close these issues.

CVE-2022-33987 (Medium) detected in multiple libraries
8 participants