[Security] Bump all babel dependencies from 7.16.x to 7.22.9
#5428
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
joshuarrrr
requested review from
ananzh,
kavilla,
seanneumann,
AMoo-Miki,
ashwin-pc,
abbyhu2000,
zengyan-amazon,
kristenTian,
zhongnansu,
manasvinibs,
ZilongX,
Flyingliuhub,
BSFishy and
curq
as code owners
joshuarrrr
commented
Nov 3, 2023
Comment on lines
36
to
37
| // Optional Chaining proposal is stage 4 (https://github.com/tc39/proposal-optional-chaining) | ||
| // Need this since we are using TypeScript 3.7+ |
There was a problem hiding this comment.
These proposal comments now all seem outdated (particularly because they reference previous version of TypeScript). But I'm not sure I know enough about the relationship between ES proposals, Typescript, and Babel to know how to investigate whether we still need these plugins at all or to update the comments to explain why we still need them. Any help is appreciated!
Codecov Report
@@ Coverage Diff @@
## main #5428 +/- ##
==========================================
+ Coverage 59.07% 66.96% +7.89%
==========================================
Files 2981 3291 +310
Lines 56492 63243 +6751
Branches 8714 10055 +1341
==========================================
+ Hits 33372 42351 +8979
+ Misses 21362 18431 -2931
- Partials 1758 2461 +703
Flags with carried forward coverage won't be shown. Click here to find out more.
|
ZilongX
previously approved these changes
Nov 7, 2023
manasvinibs
previously approved these changes
Nov 8, 2023
ananzh
previously approved these changes
Nov 8, 2023
Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Signed-off-by: Josh Romero <rmerqg@amazon.com>
Signed-off-by: Josh Romero <rmerqg@amazon.com>
AMoo-Miki
dismissed stale reviews from ananzh, manasvinibs, and ZilongX
via
61c31aa
AMoo-Miki
force-pushed
the
security/update-babel-deps-7.22.9
branch
from
e9c8134
to
61c31aa
Compare
ananzh
approved these changes
Nov 10, 2023
manasvinibs
approved these changes
Nov 10, 2023
ananzh
pushed a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 13, 2023
…opensearch-project#5428) * chore: Bump all babel dependencies from `7.16.x` to `7.22.9` Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Backport PR opensearch-project#5428 --------- Signed-off-by: Josh Romero <rmerqg@amazon.com>
ananzh
pushed a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 13, 2023
…opensearch-project#5428) * chore: Bump all babel dependencies from `7.16.x` to `7.22.9` Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Backport PR opensearch-project#5428 --------- Signed-off-by: Josh Romero <rmerqg@amazon.com>
ananzh
pushed a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 14, 2023
…opensearch-project#5428) * chore: Bump all babel dependencies from `7.16.x` to `7.22.9` Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Backport PR opensearch-project#5428 --------- Signed-off-by: Josh Romero <rmerqg@amazon.com>
3 tasks
7 tasks
ananzh
pushed a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 15, 2023
opensearch-project#5428) * chore: Bump all babel dependencies from `7.16.x` to `7.22.9` Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Backport PR opensearch-project#5428 --------- Signed-off-by: Josh Romero <rmerqg@amazon.com>
7 tasks
AMoo-Miki
pushed a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 16, 2023
opensearch-project#5428) * chore: Bump all babel dependencies from `7.16.x` to `7.22.9` Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Backport PR opensearch-project#5428 --------- Signed-off-by: Josh Romero <rmerqg@amazon.com> Signed-off-by: Miki <miki@amazon.com>
AMoo-Miki
pushed a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 16, 2023
opensearch-project#5428) * chore: Bump all babel dependencies from `7.16.x` to `7.22.9` Update proposal plugins to their transform equivalents Resolves CVE-2023-45133 Backport PR opensearch-project#5428 --------- Signed-off-by: Josh Romero <rmerqg@amazon.com> Signed-off-by: Miki <miki@amazon.com>
ananzh
added a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 16, 2023
Signed-off-by: ananzh <ananzh@amazon.com>
ananzh
added a commit
that referenced
this pull request
Nov 16, 2023
ananzh
added a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 17, 2023
… to conflicts Backport PR opensearch-project#5491 Signed-off-by: ananzh <ananzh@amazon.com>
ananzh
added a commit
to ananzh/OpenSearch-Dashboards
that referenced
this pull request
Nov 17, 2023
…e to conflicts Backport PR opensearch-project#5491 Signed-off-by: ananzh <ananzh@amazon.com>
AMoo-Miki
pushed a commit
that referenced
this pull request
Nov 17, 2023
) Backport PR #5491 Signed-off-by: ananzh <ananzh@amazon.com>
AMoo-Miki
pushed a commit
that referenced
this pull request
Nov 17, 2023
Backport PR #5491 Signed-off-by: ananzh <ananzh@amazon.com>
|
skipping backport to 1.3 |
This was referenced Dec 13, 2023
Merged
|
Hi @joshuarrrr |
|
@aggarwalShivani , the vulnerability is in @babel/traverse which was bumped to 7.23.2: The others are not vulnerable on their own. |
|
Manually backported with #5464 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Also update proposal plugins to their transform equivalents
Resolves CVE-2023-45133
Issues Resolved
Although #5303 is marked closed by mend, it's preferable to also update the deps upstream of the resolution in #5309.
Screenshot
Testing the changes
I verified that all unit tests pass, and I also built all distributions via
yarn build --skip-os-packages. But I'd love to here from other maintainers what else we should do to validate these changes. Try diff-ing all the artifacts, maybe?Check List
yarn test:jestyarn test:jest_integration