From 99cc8269d1368717db34adcf609ad6792bf7a779 Mon Sep 17 00:00:00 2001
From: Josh Romero
Date: Tue, 7 Mar 2023 00:09:05 +0000
Subject: [PATCH 1/2] [CVE-2020-36632] Bump flat from 4.1.1 to 5.0.2
Signed-off-by: Josh Romero
---
 package.json | 1 +
 yarn.lock | 12 +++++-------
 2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/package.json b/package.json
index c78d6d7ecff9..1b54e079f5f8 100644
--- a/package.json
+++ b/package.json
@@ -87,6 +87,7 @@
 "!chromedriver/**/axios": "^0.21.4",
 "chromedriver/**/axios": "^0.27.2",
 "**/ejs": "^3.1.6",
+ "**/flat": "^5.0.2",
 "**/follow-redirects": "^1.15.2",
 "**/front-matter": "^4.0.2",
 "**/glob-parent": "^6.0.0",
diff --git a/yarn.lock b/yarn.lock
index ef6f9fd358b7..3155e50f6951 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -9597,12 +9597,10 @@ flat-cache@^2.0.1:
 rimraf "2.6.3"
 write "1.0.3"
 
-flat@^4.1.0:
- version "4.1.1"
- resolved "https://registry.yarnpkg.com/flat/-/flat-4.1.1.tgz#a392059cc382881ff98642f5da4dde0a959f309b"
- integrity sha512-FmTtBsHskrU6FJ2VxCnsDb84wu9zhmO3cUX2kGFb5tuwhfXxGciiT0oRY+cck35QmG+NmGh5eLz6lLCpWTqwpA==
- dependencies:
- is-buffer "~2.0.3"
+flat@^4.1.0, flat@^5.0.2:
+ version "5.0.2"
+ resolved "https://registry.yarnpkg.com/flat/-/flat-5.0.2.tgz#8ca6fe332069ffa9d324c327198c598259ceb241"
+ integrity sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==
 
 flatted@^2.0.0:
 version "2.0.0"
@@ -11946,7 +11944,7 @@ is-buffer@^1.1.4, is-buffer@^1.1.5:
 resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-1.1.6.tgz#efaa2ea9daa0d7ab2ea13a97b2b8ad51fefbe8be"
 integrity sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==
 
-is-buffer@^2.0.0, is-buffer@~2.0.3:
+is-buffer@^2.0.0:
 version "2.0.3"
 resolved "https://registry.yarnpkg.com/is-buffer/-/is-buffer-2.0.3.tgz#4ecf3fcf749cbd1e472689e109ac66261a25e725"
 integrity sha512-U15Q7MXTuZlrbymiz95PJpZxu8IlipAp4dtS3wOdgPXx3mqBnslrWU14kxfHB+Py/+2PVKSr37dMAgM2A4uArw==
From e8e171a7e5f032e955a03ad43d79ed2ae0bed7fe Mon Sep 17 00:00:00 2001
From: Josh Romero
Date: Tue, 7 Mar 2023 00:12:31 +0000
Subject: [PATCH 2/2] add changelog
Signed-off-by: Josh Romero
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47bc0e767094..00980acdd66c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,7 +25,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-25860] Bumps simple-git from 3.15.1 to 3.16.0 ([#3345](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3345))
 - [CVE-2022-2499] Resolve qs from 6.5.2 and 6.7.0 to 6.11.0 in 1.x ([#3451](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3451))
 - [CVE-2023-25653] Bump node-jose to 2.2.0 ([#3445](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3445))
-
+- [CVE-2020-36632] [REQUIRES PLUGIN VALIDATION] Bump flat from 4.1.1 to 5.0.2 ([#3539](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3539)). To the best of our knowledge, this is a non-breaking change, but if your plugin relies on `mocha` tests, validate that they still work correctly (and plan to migrate them to `jest` [in preparation for `mocha` deprecation](https://github.com/opensearch-project/OpenSearch-Dashboards/issues/1572).
 ### 📈 Features/Enhancements