From 364832d4a91cb0edc61d8eaebd8b324e640729ba Mon Sep 17 00:00:00 2001
From: Anan Zhuang
Date: Thu, 11 May 2023 14:54:00 -0700
Subject: [PATCH] [CVE-2022-48285][1.x] Bump jszip from 3.7.1 to 3.10.1 (#3740)
* [CVE-2022-48285][1.x] Bump jszip from 3.7.1 to 3.10.1
loadAsync in JSZip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. This CVE requires to bump jszip to 3.8.0+.
Signed-off-by: Anan Zhuang
* remove unecessary resolution
remove yarn.lock entry, clean and bootstrap
Signed-off-by: Josh Romero
---------
Signed-off-by: Anan Zhuang
Signed-off-by: Josh Romero
Co-authored-by: Josh Romero
Co-authored-by: Sean Neumann <1413295+seanneumann@users.noreply.github.com>
---
 CHANGELOG.md | 1 +
 yarn.lock | 14 +++++++-------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 575b1fec595e..5775e504a714 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-25858] Bump terser from `4.8.0` to `4.8.1` ([#3726](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3726))
 - [CVE-2021-35065] Bump glob-parent from `6.0.0` to `6.0.2` ([#3742](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3742))
 - [CVE-2022-25851] Bump jpeg-js from `0.4.1` to `0.4.4` ([#3741](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3741))
+- [CVE-2022-48285] Bump jszip from `3.7.1` to `3.10.1` ([#3740](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3740))
 ### 📈 Features/Enhancements
diff --git a/yarn.lock b/yarn.lock
index 1826c9577d09..b0c10ce1b0b9 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13551,14 +13551,14 @@ jsx-ast-utils@^2.2.1, jsx-ast-utils@^2.4.1:
 object.assign "^4.1.0"
 jszip@^3.2.2:
- version "3.7.1"
- resolved "https://registry.yarnpkg.com/jszip/-/jszip-3.7.1.tgz#bd63401221c15625a1228c556ca8a68da6fda3d9"
- integrity sha512-ghL0tz1XG9ZEmRMcEN2vt7xabrDdqHHeykgARpmZ0BiIctWxM47Vt63ZO2dnp4QYt/xJVLLy5Zv1l/xRdh2byg==
+ version "3.10.1"
+ resolved "https://registry.yarnpkg.com/jszip/-/jszip-3.10.1.tgz#34aee70eb18ea1faec2f589208a157d1feb091c2"
+ integrity sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==
 dependencies:
 lie "~3.3.0"
 pako "~1.0.2"
 readable-stream "~2.3.6"
- set-immediate-shim "~1.0.1"
+ setimmediate "^1.0.5"
 junk@^3.1.0:
 version "3.1.0"
@@ -18968,7 +18968,7 @@ set-harmonic-interval@^1.0.1:
 resolved "https://registry.yarnpkg.com/set-harmonic-interval/-/set-harmonic-interval-1.0.1.tgz#e1773705539cdfb80ce1c3d99e7f298bb3995249"
 integrity sha512-AhICkFV84tBP1aWqPwLZqFvAwqEoVA9kxNMniGEUvzOlm4vLmOFLiTT3UZ6bziJTy4bOVpzWGTfSCbmaayGx8g==
-set-immediate-shim@^1.0.0, set-immediate-shim@~1.0.1:
+set-immediate-shim@^1.0.0:
 version "1.0.1"
 resolved "https://registry.yarnpkg.com/set-immediate-shim/-/set-immediate-shim-1.0.1.tgz#4b2b1b27eb808a9f8dcc481a58e5e56f599f3f61"
 integrity sha1-SysbJ+uAip+NzEgaWOXlb1mfP2E=
@@ -18983,10 +18983,10 @@ set-value@^2.0.0, set-value@^2.0.1:
 is-plain-object "^2.0.3"
 split-string "^3.0.1"
-setimmediate@^1.0.4:
+setimmediate@^1.0.4, setimmediate@^1.0.5:
 version "1.0.5"
 resolved "https://registry.yarnpkg.com/setimmediate/-/setimmediate-1.0.5.tgz#290cbb232e306942d7d7ea9b83732ab7856f8285"
- integrity sha1-KQy7Iy4waULX1+qbg3Mqt4VvgoU=
+ integrity sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==
 setprototypeof@1.1.0:
 version "1.1.0"