From aa878a1347ab30bba3a75b7a4956062291912fe2 Mon Sep 17 00:00:00 2001 From: Anan Zhuang Date: Tue, 6 Dec 2022 22:56:54 +0000 Subject: [PATCH] Bumps simple-git from 3.4.0 to 3.15.0 Resolve CVE-2022-25912. The package simple-git before 3.15. vulnerable to Remote Code Execution (RCE) Signed-off-by: Anan Zhuang --- CHANGELOG.md | 1 + package.json | 2 +- yarn.lock | 8 ++++---- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ff56302c0..1c8bde4f9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) ### Removed ### Fixed ### Security +- [CVE-2022-25912] Bumps simple-git from 3.4.0 to 3.15.0 ([#341](https://github.com/opensearch-project/opensearch-js/pull/341)) ## [2.1] ### Added diff --git a/package.json b/package.json index 6e70572f4..8aef6f4fb 100644 --- a/package.json +++ b/package.json @@ -80,7 +80,7 @@ "proxy": "^1.0.2", "rimraf": "^3.0.2", "semver": "^7.3.5", - "simple-git": "^3.5.0", + "simple-git": "^3.15.0", "simple-statistics": "^7.7.0", "split2": "^3.2.2", "stoppable": "^1.1.0", diff --git a/yarn.lock b/yarn.lock index 6b6032b84..61353c937 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2841,10 +2841,10 @@ signal-exit@^3.0.4, signal-exit@^3.0.6: resolved "https://registry.yarnpkg.com/signal-exit/-/signal-exit-3.0.7.tgz#a9a1767f8af84155114eaabd73f99273c8f59ad9" integrity sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ== -simple-git@^3.5.0: - version "3.13.0" - resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.13.0.tgz#36589e201c28cecaca6f3a898e7257c6610e8588" - integrity sha512-VYrs3joeHvWGcN3K135RpGpPjm4AHYeOrclwew6LlfHgq6ozQYIW2yMnmjf4PCgVOuSYCbXkdUjyiFawuJz8MA== +simple-git@^3.15.0: + version "3.15.1" + resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.15.1.tgz#57f595682cb0c2475d5056da078a05c8715a25ef" + integrity sha512-73MVa5984t/JP4JcQt0oZlKGr42ROYWC3BcUZfuHtT3IHKPspIvL0cZBnvPXF7LL3S/qVeVHVdYYmJ3LOTw4Rg== dependencies: "@kwsites/file-exists" "^1.1.1" "@kwsites/promise-deferred" "^1.1.1"