From 0d0d05dcbc75dd5016f7b8d78abfcf6bffa94765 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Wed, 21 Jun 2023 04:25:41 +0000
Subject: [PATCH 1/2] [1.x backport] Bump `joi` to v14 to avoid the possibility
 of prototype poisoning in a nested dependency (#4211)

Backport PR
https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3952

Signed-off-by: Miki <miki@amazon.com>
Co-authored-by: Miki <miki@amazon.com>
(cherry picked from commit 4626066ade35ab02dd59ea032dcad9310a37ace3)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
---
 package.json                            |  2 +-
 packages/osd-config-schema/package.json |  2 +-
 packages/osd-test/package.json          |  2 +-
 yarn.lock                               | 17 +++++++++++++----
 4 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/package.json b/package.json
index 77a90433681..d31dfb001e3 100644
--- a/package.json
+++ b/package.json
@@ -206,7 +206,7 @@
     "inert": "^5.1.0",
     "inline-style": "^2.0.0",
     "ip-cidr": "^2.1.0",
-    "joi": "^13.5.2",
+    "joi": "^14.3.1",
     "js-yaml": "^3.14.0",
     "json-stable-stringify": "^1.0.1",
     "json-stringify-safe": "5.0.1",
diff --git a/packages/osd-config-schema/package.json b/packages/osd-config-schema/package.json
index e6e6aed20d8..88e52b36f98 100644
--- a/packages/osd-config-schema/package.json
+++ b/packages/osd-config-schema/package.json
@@ -16,7 +16,7 @@
   },
   "peerDependencies": {
     "lodash": "^4.17.21",
-    "joi": "^13.5.2",
+    "joi": "^14.3.1",
     "moment": "^2.24.0",
     "type-detect": "^4.0.8"
   }
diff --git a/packages/osd-test/package.json b/packages/osd-test/package.json
index 3d36be8507f..8efbba85bd6 100644
--- a/packages/osd-test/package.json
+++ b/packages/osd-test/package.json
@@ -31,7 +31,7 @@
     "exit-hook": "^2.2.0",
     "getopts": "^2.2.5",
     "glob": "^7.1.7",
-    "joi": "^13.5.2",
+    "joi": "^14.3.1",
     "lodash": "^4.17.21",
     "parse-link-header": "^2.0.0",
     "rxjs": "^6.5.5",
diff --git a/yarn.lock b/yarn.lock
index 750d8ad21c4..291ebd78b52 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11130,9 +11130,9 @@ hoek@5.x.x, hoek@^5.0.4:
   integrity sha512-Alr4ZQgoMlnere5FZJsIyfIjORBqZll5POhDsF4q64dPuJR6rNxXdDxtHSQq8OXRurhmx+PWYEE8bXRROY8h0w==
 
 hoek@6.x.x:
-  version "6.0.3"
-  resolved "https://registry.yarnpkg.com/hoek/-/hoek-6.0.3.tgz#7884360426d927865a0a1251fc9c59313af5b798"
-  integrity sha512-TU6RyZ/XaQCTWRLrdqZZtZqwxUVr6PDMfi6MlWNURZ7A6czanQqX4pFE1mdOUQR9FdPCsZ0UzL8jI/izZ+eBSQ==
+  version "6.1.3"
+  resolved "https://registry.yarnpkg.com/hoek/-/hoek-6.1.3.tgz#73b7d33952e01fe27a38b0457294b79dd8da242c"
+  integrity sha512-YXXAAhmF9zpQbC7LEcREFtXfGq5K1fmd+4PHkBq8NUqmzW3G+Dq10bI/i0KucLRwss3YYFQ0fSfoxBZYiGUqtQ==
 
 hoist-non-react-statics@^2.5.5, hoist-non-react-statics@^3.0.0, hoist-non-react-statics@^3.1.0, hoist-non-react-statics@^3.3.0, hoist-non-react-statics@^3.3.2:
   version "3.3.2"
@@ -13248,7 +13248,7 @@ jju@~1.4.0:
   resolved "https://registry.yarnpkg.com/jju/-/jju-1.4.0.tgz#a3abe2718af241a2b2904f84a625970f389ae32a"
   integrity sha1-o6vicYryQaKykE+EpiWXDzia4yo=
 
-joi@13.x.x, joi@^13.5.2:
+joi@13.x.x:
   version "13.7.0"
   resolved "https://registry.yarnpkg.com/joi/-/joi-13.7.0.tgz#cfd85ebfe67e8a1900432400b4d03bbd93fb879f"
   integrity sha512-xuY5VkHfeOYK3Hdi91ulocfuFopwgbSORmIwzcwHKESQhC7w1kD5jaVSPnqDxS2I8t3RZ9omCKAxNwXN5zG1/Q==
@@ -13257,6 +13257,15 @@ joi@13.x.x, joi@^13.5.2:
     isemail "3.x.x"
     topo "3.x.x"
 
+joi@^14.3.1:
+  version "14.3.1"
+  resolved "https://registry.yarnpkg.com/joi/-/joi-14.3.1.tgz#164a262ec0b855466e0c35eea2a885ae8b6c703c"
+  integrity sha512-LQDdM+pkOrpAn4Lp+neNIFV3axv1Vna3j38bisbQhETPMANYRbFJFUyOZcOClYvM/hppMhGWuKSFEK9vjrB+bQ==
+  dependencies:
+    hoek "6.x.x"
+    isemail "3.x.x"
+    topo "3.x.x"
+
 jpeg-js@^0.4.0:
   version "0.4.4"
   resolved "https://registry.yarnpkg.com/jpeg-js/-/jpeg-js-0.4.4.tgz#a9f1c6f1f9f0fa80cdb3484ed9635054d28936aa"

From 37a79d517f3b3d5a25dd003c1f65ff968629e011 Mon Sep 17 00:00:00 2001
From: Josh Romero <rmerqg@amazon.com>
Date: Thu, 22 Jun 2023 20:08:05 +0000
Subject: [PATCH 2/2] update changelog

Signed-off-by: Josh Romero <rmerqg@amazon.com>
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index e98bbd74dbd..41ae02d7dcf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-1537] Bump grunt from `1.5.2` to `1.5.3` ([#4276](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/4276))
 - [CVE-2022-25858] Bump terser from `4.8.0` to `4.8.1` ([#3726](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3726))
 - [CVE-2021-3765] Update `@microsoft/api-documenter` and `@microsoft/api-extractor` versions to bump validator from `8.2.0` to `13.9.0` ([#3725](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3725))
+- Bump `joi` to v14 to avoid the possibility of prototype poisoning in a nested dependency ([#3952](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3952))
 
 ### 📈 Features/Enhancements