Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2022-29622] resolve formidable to ^3.2.4 #2710

Closed
wants to merge 1 commit into from
Closed

[CVE-2022-29622] resolve formidable to ^3.2.4 #2710

wants to merge 1 commit into from

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Nov 1, 2022

Description

Currently the latest superagent still uses formidable@2.0.1 which causes the security issue.
https://github.com/visionmedia/superagent/blob/e8d532632bea846e6a8c7677a268dca3641271e7/package.json#L27

Formidable bump to v3.2.4 includes breaking changes: https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md

In this PR, we resolve formidable to 3.2.4+. The fix will not be backported to 2.x.

Issues Resolved

#1593

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from a team as a code owner November 1, 2022 05:30
@ananzh ananzh self-assigned this Nov 1, 2022
@ananzh ananzh added v3.0.0 cve Security vulnerabilities detected by Dependabot or Mend labels Nov 1, 2022
@ananzh
[CVE-2022-29622] resolve formidable to ^3.2.4
a384869 
Currently the latest superagent still uses formidable@2.0.1
which causes the security issue.
https://github.com/visionmedia/superagent/blob/e8d532632bea846e6a8c7677a268dca3641271e7/package.json#L27

Formidable bump to v3.2.4 includes breaking changes:
https://github.com/node-formidable/formidable/blob/master/CHANGELOG.md

In this PR, we resolve formidable to 3.2.4+. The fix will not be
backported to 2.x.

Issue Resolved:
opensearch-project#1593

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh force-pushed the resolve-formidable branch from 0bfb7ee to a384869 Compare November 1, 2022 05:32
@kavilla
Copy link
Member

kavilla commented Nov 2, 2022

this should require code changes correct?

@ananzh ananzh closed this Nov 9, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@ananzh ananzh

Labels
cve Security vulnerabilities detected by Dependabot or Mend v3.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ananzh @kavilla