[Maintenance] Bumps re2 and supertest (#3018)

* Removes manual resolution on `qs`. The latest version of `supertest` depends on v6.11.0. * Adds steps for upgrading `re2`. * Addresses CVE-2022-24999 (no issue opened) Signed-off-by: Tommy Markley <5437176+tmarkley@users.noreply.github.com> Signed-off-by: Tommy Markley <5437176+tmarkley@users.noreply.github.com>
opensearch-project · Jan 25, 2023 · 846706f · 846706f
1 parent 52769f2
commit 846706f
Show file tree

Hide file tree

Showing 5 changed files with 295 additions and 336 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -121,6 +121,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - Removes `minimatch` manual resolution ([#3019](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3019))
 - Remove `github-checks-reporter`, an unused dependency ([#3126](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3126))
 - Upgrade `vega-lite` dependency to ^5.6.0 ([#3076](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3076))
+- Bumps `re2` and `supertest` ([3018](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3018))
 
 ### 🪛 Refactoring
 

diff --git a/package.json b/package.json
@@ -91,7 +91,6 @@
     "**/loader-utils": "^2.0.4",
     "**/node-jose": "^2.1.0",
     "**/nth-check": "^2.0.1",
-    "**/qs": "^6.10.3",
     "**/trim": "^0.0.3",
     "**/typescript": "4.0.2",
     "**/unset-value": "^2.0.1",
@@ -197,7 +196,7 @@
     "pegjs": "0.10.0",
     "proxy-from-env": "1.0.0",
     "query-string": "^6.13.2",
-    "re2": "^1.15.4",
+    "re2": "1.17.4",
     "react": "^16.14.0",
     "react-dom": "^16.12.0",
     "react-input-range": "^1.3.0",
@@ -320,7 +319,7 @@
     "@types/sinon": "^7.0.13",
     "@types/strip-ansi": "^5.2.1",
     "@types/styled-components": "^5.1.19",
-    "@types/supertest": "^2.0.11",
+    "@types/supertest": "^2.0.12",
     "@types/supertest-as-promised": "^2.0.38",
     "@types/tapable": "^1.0.6",
     "@types/tar": "^4.0.3",
@@ -446,7 +445,7 @@
     "strip-ansi": "^6.0.0",
     "stylelint": "^14.5.2",
     "stylelint-config-standard-scss": "^3.0.0",
-    "supertest": "^6.2.2",
+    "supertest": "^6.3.3",
     "supertest-as-promised": "^4.0.2",
     "tape": "^5.0.1",
     "topojson-client": "3.0.0",

diff --git a/src/dev/build/tasks/patch_native_modules_task.test.ts b/src/dev/build/tasks/patch_native_modules_task.test.ts
@@ -67,8 +67,8 @@ it('patch native modules task downloads the correct platform package', async ()
           "destination": <absolute path>/.native_modules/re2/linux-arm64-83.tar.gz,
           "log": <ToolingLog>,
           "retries": 3,
-          "sha256": "f25124adc64d269a513b99abd4a5eed8d7a929db565207f8ece1f3b7b7931668",
-          "url": "https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.15.4/linux-arm64-83.tar.gz",
+          "sha256": "d86ced75b794fbf518b90908847b3c09a50f3ff5a2815aa30f53080f926a2873",
+          "url": "https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.17.4/linux-arm64-83.tar.gz",
         },
       ],
     ]

diff --git a/src/dev/build/tasks/patch_native_modules_task.ts b/src/dev/build/tasks/patch_native_modules_task.ts
@@ -52,31 +52,42 @@ interface Package {
   >;
 }
 
+// Process for updating urls and checksums after bumping the version of `re2`:
+// 1. Match `version` with the version in the yarn.lock file.
+// 2. Update the url to match the version.
+//    2a. If a Node.js update occurs, the node module version must match as
+//        well (i.e. '83'). See https://nodejs.org/en/download/releases/#ref-1.
+// 3. Generate the new checksum by executing the following commands:
+//    3a. `wget {url}`
+//    3b. `sha256sum {downloaded file name}`
+//    3c. For `linux-arm64`, the sha256 can also be found by replacing
+//        "linux-arm64-83.tar.gz" in the url with "sha256sum.txt.asc"
+//        and copying the sha256 from that file.
 const packages: Package[] = [
   {
     name: 're2',
-    version: '1.15.4',
+    version: '1.17.4',
     destinationPath: 'node_modules/re2/build/Release/re2.node',
     extractMethod: 'gunzip',
     archives: {
       'darwin-x64': {
-        url: 'https://github.com/uhop/node-re2/releases/download/1.15.4/darwin-x64-83.gz',
-        sha256: 'b45cd8296fd6eb2a091399c20111af43093ba30c99ed9e5d969278f5ff69ba8f',
+        url: 'https://github.com/uhop/node-re2/releases/download/1.17.4/darwin-x64-83.gz',
+        sha256: '9112ed93c1544ecc6397f7ff20bd2b28f3b04c7fbb54024e10f9a376a132a87d',
       },
       'linux-x64': {
-        url: 'https://github.com/uhop/node-re2/releases/download/1.15.4/linux-x64-83.gz',
-        sha256: '1bbc3f90f0ba105772b37c04e3a718f69544b4df01dda00435c2b8e50b2ad0d9',
+        url: 'https://github.com/uhop/node-re2/releases/download/1.17.4/linux-x64-83.gz',
+        sha256: '86e03540783a18c41f81df0aec320b1f64aca6cbd3a87fc1b7a9b4109c5f5986',
       },
       'linux-arm64': {
         url:
-          'https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.15.4/linux-arm64-83.tar.gz',
-        sha256: 'f25124adc64d269a513b99abd4a5eed8d7a929db565207f8ece1f3b7b7931668',
+          'https://d1v1sj258etie.cloudfront.net/node-re2/releases/download/1.17.4/linux-arm64-83.tar.gz',
+        sha256: 'd86ced75b794fbf518b90908847b3c09a50f3ff5a2815aa30f53080f926a2873',
         overriddenExtractMethod: 'untar',
         overriddenDestinationPath: 'node_modules/re2/build/Release',
       },
       'win32-x64': {
-        url: 'https://github.com/uhop/node-re2/releases/download/1.15.4/win32-x64-83.gz',
-        sha256: 'efe939d3cda1d64ee3ee3e60a20613b95166d55632e702c670763ea7e69fca06',
+        url: 'https://github.com/uhop/node-re2/releases/download/1.17.4/win32-x64-83.gz',
+        sha256: '2f842d9757288afd4bd5dec0e7b370a4c3e89ac98050598b17abb9e8e00e3294',
       },
     },
   },