Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump sass-lint to 1.13.0 to fix eslint security issue #4338

Merged
merged 2 commits into from
Jun 26, 2023

Conversation

ananzh
Copy link
Member

@ananzh ananzh commented Jun 20, 2023

Description

Currently, OSD is using eslint@2.13.1 due to sass-lint@1.12.1. The original issue #1151 is resolved in 2.0, where we replace sass-lint with stylelint in the PR #1413. We consider this as a breaking change since stylelint and sass-lint do not have the same set of rules and they have different APIs for use in scripts, and they also use different formats for their configuration files. Therefore, the two options are 1) bump sass-lint to a version that uses eslint 4.18.2+ 2) resolve eslint. In this PR, we used option 1.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why eslint
yarn why v1.22.19
[1/4] Why do we have the module "eslint"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~4.8.4"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "eslint@6.8.0"
info Has been hoisted to "eslint"
info Reasons this module exists
   - "workspace-aggregator-f56bf295-a343-43db-aeb4-d0029b99cf70" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#eslint"
info Disk size without dependencies: "7.16MB"
info Disk size with unique dependencies: "19.98MB"
info Disk size with transitive dependencies: "43.17MB"
info Number of shared dependencies: 105
=> Found "sass-lint#eslint@2.13.1"
info This module exists because "_project_#sass-lint" depends on it.
Done in 1.39s.

The sass-lint@1.13.0 bumps eslint to 4.19.1 https://github.com/sasstools/sass-lint/blob/v1.13.0/package-lock.json
However this 1.13.0 is released by mistake due to breaking changes shown in this issue complaining no-vendor-prefixes is not usable after the bump:
sasstools/sass-lint#1279

Since OSD does not rely on the no-vendor-prefixes rule of sass-lint, we could try to update sass-lint to the newer version that doesn't include this rule.

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

joshuarrrr
joshuarrrr previously approved these changes Jun 20, 2023
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend backport 1.3 labels Jun 20, 2023
@codecov
Copy link

codecov bot commented Jun 20, 2023

Codecov Report

Merging #4338 (15df590) into 1.x (4626066) will decrease coverage by 0.01%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##              1.x    #4338      +/-   ##
==========================================
- Coverage   67.50%   67.49%   -0.01%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
- Hits        39619    39617       -2     
- Misses      16925    16926       +1     
- Partials     2148     2149       +1     
Flag Coverage Δ
Linux 67.45% <ø> (ø)
Windows 67.45% <ø> (-0.01%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1 file with indirect coverage changes

AMoo-Miki
AMoo-Miki previously approved these changes Jun 21, 2023
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@joshuarrrr joshuarrrr merged commit 1f87e83 into opensearch-project:1.x Jun 26, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jun 26, 2023
)

Signed-off-by: ananzh <ananzh@amazon.com>
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 1f87e83)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
ananzh pushed a commit that referenced this pull request Jul 1, 2023
) (#4402)

Signed-off-by: ananzh <ananzh@amazon.com>
Signed-off-by: Anan Zhuang <ananzh@amazon.com>
(cherry picked from commit 1f87e83)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 1.3 cve Security vulnerabilities detected by Dependabot or Mend v1.3.12
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants