-
Notifications
You must be signed in to change notification settings - Fork 917
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CVE-2022-25758][1.x]Bump scss-tokenizer from 0.3.0 to 0.4.3 #3727
[CVE-2022-25758][1.x]Bump scss-tokenizer from 0.3.0 to 0.4.3 #3727
Conversation
7c25828
to
1d410b3
Compare
CHANGELOG.md
Outdated
@@ -9,6 +9,8 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) | |||
|
|||
### 🛡 Security | |||
|
|||
- [CVE-2022-25758]Bump scss-tokenizer from 0.3.0 to 0.4.3 ([#3727](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3727)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤣 If I'm wrong about whether we prefer a space or not, feel free to ignore and throw a shoe at me
- [CVE-2022-25758]Bump scss-tokenizer from 0.3.0 to 0.4.3 ([#3727](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3727)) | |
- [CVE-2022-25758] Bump scss-tokenizer from 0.3.0 to 0.4.3 ([#3727](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3727)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Don't worry, we don't condone violence in the workplace.
Codecov Report
📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more @@ Coverage Diff @@
## 1.x #3727 +/- ##
=======================================
Coverage 67.49% 67.50%
=======================================
Files 3044 3044
Lines 58692 58692
Branches 8902 8902
=======================================
+ Hits 39617 39619 +2
+ Misses 16926 16925 -1
+ Partials 2149 2148 -1
Flags with carried forward coverage won't be shown. Click here to find out more. see 1 file with indirect coverage changes Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. |
1d410b3
to
8cf7d59
Compare
Issue Resolve opensearch-project#1842 Signed-off-by: Anan Zhuang <ananzh@amazon.com>
8cf7d59
to
2b21918
Compare
All tests passed, with 2 approvals. Just need to resolve CHANGELOG conflicts before merging. |
…3789) Issue Resolve #1842 Signed-off-by: Anan Zhuang <ananzh@amazon.com> Co-authored-by: Josh Romero <rmerqg@amazon.com> (cherry picked from commit 5d4fdd2) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Description
scss-tokenizer
is a dependency ofsass-graph
and a nested dependency ofnode-sass
. The latestsass-graph
@v4.0.1 bumpsscss-tokenizer@^0.4.3
here. This change is kicked innode-sass@7.0.3
. In 1.x, we usednode-sass@4.13.1
:We can’t bump node-sass 1) 3 major version upgrades which include breaking changes 2)
node-sass
version 6 already drops support for node 10. See the releases here .So could we resolve it? The sass-graph we are using is @v3.0.5, see below.
sass-graph@3.0.5
uses "scss-tokenizer": "^0.3.0" here. Our target version 0.4.3 is within this range. I don’t see breaking changes here. The fix is to add a resolution to bump it.Issue Resolve
#1842
Check List
yarn test:jest
yarn test:jest_integration
yarn test:ftr