OpenSearch-Dashboards
Bump tar from 6.1.13 to 6.2.1
Description
Bumps the tar package from 6.1.13 to 6.2.1. It is a complete version of https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6397, which is linked to the CVE (https://github.com/opensearch-project/OpenSearch-Dashboards/issues/6488) mentioned here.
Changelog
- chore: Bump tar package from 6.1.13 to 6.2.1
Check List
- [ ] All tests pass
- [ ] yarn test:jest
- [ ] yarn test:jest_integration
- [ ] New functionality includes testing.
- [ ] New functionality has been documented.
- [ ] Update CHANGELOG.md
- [ ] Commits are signed per the DCO using --signoff
❌ Invalid Changelog Heading
The '## Changelog' heading in your PR description is either missing or malformed. Please make sure that your PR description includes a '## Changelog' heading with proper spelling, capitalization, spacing, and Markdown syntax.
❌ Changelog Entry Missing Hyphen
Changelog entries must begin with a hyphen (-).
❌ Invalid Prefix For Manual Changeset Creation
Invalid description prefix. Found "Bump tar package from 6.1.13 to 6.2.1". Only "skip" entry option is permitted for manual commit of changeset files.
If you were trying to skip the changelog entry, please use the "skip" entry option in the ##Changelog section of your PR description.
❌ Invalid Prefix For Manual Changeset Creation
Invalid description prefix. Found "chore". Only "skip" entry option is permitted for manual commit of changeset files.
If you were trying to skip the changelog entry, please use the "skip" entry option in the ##Changelog section of your PR description.
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Project coverage is 67.44%. Comparing base (766a39a) to head (34427cb). Report is 4 commits behind head on main.
Additional details and impacted files
@@ Coverage Diff @@
## main #6492 +/- ##
==========================================
+ Coverage 67.41% 67.44% +0.03%
==========================================
Files 3444 3444
Lines 67839 67849 +10
Branches 11033 11035 +2
==========================================
+ Hits 45734 45764 +30
+ Misses 19439 19418 -21
- Partials 2666 2667 +1
| Flag | Coverage Δ | |
|---|---|---|
| Linux_1 | 33.08% <ø> (+0.01%) | :arrow_up: |
| Linux_2 | 55.12% <ø> (ø) | |
| Linux_3 | 45.28% <ø> (+0.02%) | :arrow_up: |
| Linux_4 | 34.82% <ø> (ø) | |
| Windows_1 | 33.10% <ø> (+0.01%) | :arrow_up: |
| Windows_2 | 55.09% <ø> (ø) | |
| Windows_3 | 45.29% <ø> (+0.02%) | :arrow_up: |
| Windows_4 | 34.82% <ø> (ø) | |
Flags with carried forward coverage won't be shown.
We need to make sure the package that uses the specific tar@6.1.13 is not drastically impacted by this higher version.
Among all the packages that had a dependency on tar, the package that locked in the version of tar was geckodriver. The geckodriver package doesn't lock down packages in general and uses the tar dependency just to extract the dependency file.

```js
if (outFile.indexOf('.tar.gz') >= 0) {
  tar.extract({ file: archivePath, cwd: targetDirectoryPath }).then(function (err) {
    if (err) {
      reject(err);
    } else {
      resolve();
    }
  });
}
```

Hence upgrading the tar dependency wouldn't adversely affect the geckodriver package.
Changelog should be security not chore.
Can use this one https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6770 as a reference.
It will create a changelog file automatically in the changelogs/fragments. You could just remove your changelog.md changes.
❌ Entry Too Long
Entry is 104 characters long, which is 4 characters longer than the maximum allowed length of 100 characters. Please revise your entry to be within the maximum length.
> Changelog should be security not chore. Can use this one #6770 as a reference. It will create a changelog file automatically in the changelogs/fragments. You could just remove your changelog.md changes.
Updated the change log