From a45dea39423e821bc9b0cb4a8ab315c8f098cd3a Mon Sep 17 00:00:00 2001
From: Anan Zhuang
Date: Fri, 15 Sep 2023 08:56:42 -0700
Subject: [PATCH] [1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 (#5024)

* [1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2
* force xml2js to 0.6.2 and fix PR comment
---------
Signed-off-by: ananzh
Signed-off-by: Anan Zhuang
---
 CHANGELOG.md | 1 +
 package.json | 5 +++--
 packages/osd-test/package.json | 2 +-
 yarn.lock | 17 ++++------------
 4 files changed, 9 insertions(+), 16 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d4f15b30bc7d..598ce24f6a37 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-21670] Bump `markdown-it` from `10.0.0` to `12.3.2` ([#5016](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5016))
 - [CVE-2022-33987] Partially fix security issues for `got` by bumping `@elastic/makelogs` from `6.0.0` to `6.1.1` and updating yarn.lock ([#5006](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5006))
 - Bump `yo` from `2.0.6` to `3.1.1` ([#5005]( https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5005))
+- [CVE-2023-0842] Bump `xml2js` from `0.4.22` to `0.6.2` ([#5024](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5024))
 
 ### 📈 Features/Enhancements
 
diff --git a/package.json b/package.json
index 64f49420301e..2e6a8976d668 100644
--- a/package.json
+++ b/package.json
@@ -128,7 +128,8 @@
 "**/tough-cookie": "^4.1.3",
 "**/typescript": "4.0.2",
 "**/url-parse": "^1.5.8",
- "**/unset-value": "^2.0.1"
+ "**/unset-value": "^2.0.1",
+ "**/xml2js": "^0.6.2"
 },
 "workspaces": {
 "packages": [
@@ -498,7 +499,7 @@
 "vega-schema-url-parser": "^2.1.0",
 "vega-tooltip": "^0.24.2",
 "vinyl-fs": "^3.0.3",
- "xml2js": "^0.4.22",
+ "xml2js": "^0.6.2",
 "xmlbuilder": "13.0.2",
 "zlib": "^1.0.5"
 },
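Review bot: The new `"**/xml2js": "^0.6.2"` resolution in the first package.json hunk forces every transitive copy of xml2js onto 0.6.x, and the yarn.lock hunk shows this catching a dependent that declared `xml2js@^0.4.5`, a range that by itself never admits 0.6.2; the override, not that dependent's semver, is what moves it across two 0.x minors. Since 0.x minor bumps may carry breaking API changes, the consumer behind `^0.4.5` appears to be running on a version it never declared support for, so it would help to record that the path through it was exercised. The CHANGELOG line only says "Bump", so consider extending it to name the override, e.g. `- [CVE-2023-0842] Bump \`xml2js\` from \`0.4.22\` to \`0.6.2\` and add a \`resolutions\` entry forcing transitive copies to \`^0.6.2\` ([#5024](...))`. The `resolutions` object itself begins above the hunk; only its last entries are visible here.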
diff --git a/packages/osd-test/package.json b/packages/osd-test/package.json
index 8efbba85bd63..7d8d80e52174 100644
--- a/packages/osd-test/package.json
+++ b/packages/osd-test/package.json
@@ -37,7 +37,7 @@
 "rxjs": "^6.5.5",
 "strip-ansi": "^6.0.0",
 "tar-fs": "^2.1.0",
- "xml2js": "^0.4.22",
+ "xml2js": "^0.6.2",
 "zlib": "^1.0.5"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index e07afd0a71c8..d62e6bc6fe79 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -20931,14 +20931,6 @@ util-extend@^1.0.1:
 resolved "https://registry.yarnpkg.com/util-extend/-/util-extend-1.0.3.tgz#a7c216d267545169637b3b6edc6ca9119e2ff93f"
 integrity sha1-p8IW0mdUUWljeztu3GypEZ4v+T8=
 
-util.promisify@~1.0.0:
- version "1.0.0"
- resolved "https://registry.yarnpkg.com/util.promisify/-/util.promisify-1.0.0.tgz#440f7165a459c9a16dc145eb8e72f35687097030"
- integrity sha512-i+6qA2MPhvoKLuxnJNpXAGhg7HphQOSUq2LKMZD0m15EiskXUkMvKdF4Uui0WYeCUGea+o2cw/ZuwehtfsrNkA==
- dependencies:
- define-properties "^1.1.2"
- object.getownpropertydescriptors "^2.0.3"
-
 util@0.10.3, util@^0.10.3:
 version "0.10.3"
 resolved "https://registry.yarnpkg.com/util/-/util-0.10.3.tgz#7afb1afe50805246489e3db7fe0ed379336ac0f9"
@@ -22183,13 +22175,12 @@ xml-parse-from-string@^1.0.0:
 resolved "https://registry.yarnpkg.com/xml-parse-from-string/-/xml-parse-from-string-1.0.1.tgz#a9029e929d3dbcded169f3c6e28238d95a5d5a28"
 integrity sha1-qQKekp09vN7RafPG4oI42VpdWig=
 
-xml2js@^0.4.22, xml2js@^0.4.5:
- version "0.4.22"
- resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.4.22.tgz#4fa2d846ec803237de86f30aa9b5f70b6600de02"
- integrity sha512-MWTbxAQqclRSTnehWWe5nMKzI3VmJ8ltiJEco8akcC6j3miOhjjfzKum5sId+CWhfxdOs/1xauYr8/ZDBtQiRw==
+xml2js@^0.4.5, xml2js@^0.6.2:
+ version "0.6.2"
+ resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.6.2.tgz#dd0b630083aa09c161e25a4d0901e2b2a929b499"
+ integrity sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==
 dependencies:
 sax ">=0.6.0"
- util.promisify "~1.0.0"
 xmlbuilder "~11.0.0"
 
 xmlbuilder@13.0.2: