[1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 (#5024)

ananzh · web-flow · commit a45dea39423e · 2023-09-15T08:56:42.000-07:00
* [1.3][CVE-2023-0842] Bump xml2js from 0.4.22 to 0.6.2 * force xml2js to 0.6.2 and fix PR comment --------- Signed-off-by: ananzh <ananzh@amazon.com> Signed-off-by: Anan Zhuang <ananzh@amazon.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 - [CVE-2022-21670] Bump `markdown-it` from `10.0.0` to `12.3.2` ([#5016](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5016))
 - [CVE-2022-33987] Partially fix security issues for `got` by bumping `@elastic/makelogs` from `6.0.0` to `6.1.1` and updating yarn.lock ([#5006](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5006))
 - Bump `yo` from `2.0.6` to `3.1.1` ([#5005]( https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5005))
+- [CVE-2023-0842] Bump `xml2js` from `0.4.22` to `0.6.2` ([#5024](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5024))
 
 ### 📈 Features/Enhancements
 
diff --git a/package.json b/package.json
@@ -128,7 +128,8 @@
     "**/tough-cookie": "^4.1.3",
     "**/typescript": "4.0.2",
     "**/url-parse": "^1.5.8",
-    "**/unset-value": "^2.0.1"
+    "**/unset-value": "^2.0.1",
+    "**/xml2js": "^0.6.2"
   },
   "workspaces": {
     "packages": [
@@ -498,7 +499,7 @@
     "vega-schema-url-parser": "^2.1.0",
     "vega-tooltip": "^0.24.2",
     "vinyl-fs": "^3.0.3",
-    "xml2js": "^0.4.22",
+    "xml2js": "^0.6.2",
     "xmlbuilder": "13.0.2",
     "zlib": "^1.0.5"
   },
diff --git a/packages/osd-test/package.json b/packages/osd-test/package.json
@@ -37,7 +37,7 @@
     "rxjs": "^6.5.5",
     "strip-ansi": "^6.0.0",
     "tar-fs": "^2.1.0",
-    "xml2js": "^0.4.22",
+    "xml2js": "^0.6.2",
     "zlib": "^1.0.5"
   }
 }
diff --git a/yarn.lock b/yarn.lock
@@ -20931,14 +20931,6 @@ util-extend@^1.0.1:
   resolved "https://registry.yarnpkg.com/util-extend/-/util-extend-1.0.3.tgz#a7c216d267545169637b3b6edc6ca9119e2ff93f"
   integrity sha1-p8IW0mdUUWljeztu3GypEZ4v+T8=
 
-util.promisify@~1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/util.promisify/-/util.promisify-1.0.0.tgz#440f7165a459c9a16dc145eb8e72f35687097030"
-  integrity sha512-i+6qA2MPhvoKLuxnJNpXAGhg7HphQOSUq2LKMZD0m15EiskXUkMvKdF4Uui0WYeCUGea+o2cw/ZuwehtfsrNkA==
-  dependencies:
-    define-properties "^1.1.2"
-    object.getownpropertydescriptors "^2.0.3"
-
 util@0.10.3, util@^0.10.3:
   version "0.10.3"
   resolved "https://registry.yarnpkg.com/util/-/util-0.10.3.tgz#7afb1afe50805246489e3db7fe0ed379336ac0f9"
@@ -22183,13 +22175,12 @@ xml-parse-from-string@^1.0.0:
   resolved "https://registry.yarnpkg.com/xml-parse-from-string/-/xml-parse-from-string-1.0.1.tgz#a9029e929d3dbcded169f3c6e28238d95a5d5a28"
   integrity sha1-qQKekp09vN7RafPG4oI42VpdWig=
 
-xml2js@^0.4.22, xml2js@^0.4.5:
-  version "0.4.22"
-  resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.4.22.tgz#4fa2d846ec803237de86f30aa9b5f70b6600de02"
-  integrity sha512-MWTbxAQqclRSTnehWWe5nMKzI3VmJ8ltiJEco8akcC6j3miOhjjfzKum5sId+CWhfxdOs/1xauYr8/ZDBtQiRw==
+xml2js@^0.4.5, xml2js@^0.6.2:
+  version "0.6.2"
+  resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.6.2.tgz#dd0b630083aa09c161e25a4d0901e2b2a929b499"
+  integrity sha512-T4rieHaC1EXcES0Kxxj4JWgaUQHDk+qwHcYOCFHfiwKz7tOVPLq7Hjq9dM1WCMhylqMEfP7hMcOIChvotiZegA==
   dependencies:
     sax ">=0.6.0"
-    util.promisify "~1.0.0"
     xmlbuilder "~11.0.0"
 
 xmlbuilder@13.0.2:

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@`
`37`	`37`	`"rxjs": "^6.5.5",`
`38`	`38`	`"strip-ansi": "^6.0.0",`
`39`	`39`	`"tar-fs": "^2.1.0",`
`40`		`- "xml2js": "^0.4.22",`
	`40`	`+ "xml2js": "^0.6.2",`
`41`	`41`	`"zlib": "^1.0.5"`
`42`	`42`	`}`
`43`	`43`	`}`