44 changes: 32 additions & 12 deletions opensearch-dashboards-3.yaml
@@ -1,7 +1,7 @@
package:
name: opensearch-dashboards-3
version: "3.2.0" # when updating please check if we can remove the patched package.json for the reporting plugin
epoch: 2
version: "3.4.0" # when updating please check if we can remove the patched package.json for the reporting plugin
epoch: 0
description: Open source visualization dashboards for OpenSearch
copyright:
- license: Apache-2.0
@@ -60,11 +60,7 @@ pipeline:
with:
repository: https://github.com/opensearch-project/OpenSearch-Dashboards.git
tag: ${{package.version}}
expected-commit: 9d91d4639ea0e0cbb909ccfda66de3288d0f02d7

- uses: patch
with:
patches: CVE-2025-9287-fix.patch
expected-commit: c1d92e84395038f5f99e64e27b00c00fbabcd075

- runs: |
# Workaround for "OpenSearch Dashboards should not be run as root. Use --allow-root to continue."
@@ -90,7 +86,7 @@ pipeline:
jq --argjson resolutions "$resolutions" '.resolutions += $resolutions' package.json > temp.json && mv temp.json package.json

# fix CVE-2023-28155
devDependencies='{"cypress": "^13.5.1"}'
devDependencies='{"cypress": "^13.17.0"}'
jq --argjson devDependencies "$devDependencies" '.devDependencies += $devDependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-9288
@@ -101,6 +97,18 @@ pipeline:
devDependencies='{"cipher-base": "^1.0.5"}'
jq --argjson devDependencies "$devDependencies" '.devDependencies += $devDependencies' package.json > temp.json && mv temp.json package.json

# fix High CVE-2025-15284 (GHSA-6rw7-vpxm-498p)
dependencies='{"qs": "^6.14.1"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-54798 (GHSA-52f5-9888-hmc6)
dependencies='{"tmp": "^0.2.4"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-57352 (GHSA-rx8g-88g5-qh64)
dependencies='{"min-document": "^2.19.1"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

yarn osd bootstrap --allow-root

yarn build-platform --skip-os-packages --skip-archives --release --allow-root
@@ -125,7 +133,7 @@ subpackages:
repository: https://github.com/opensearch-project/opensearch-build
tag: ${{package.version}}
destination: opensearch-build
expected-commit: 1b1df96f89316f534c2f30206fbd79d08992f288 # will need to be manually updated when opensearch dashboard auto update happens
expected-commit: 9917c3edf20efcd4db8328b732a6cfc4673675ca # will need to be manually updated when opensearch dashboard auto update happens
- runs: |
install -Dm755 opensearch-build/docker/release/config/opensearch-dashboards/opensearch-dashboards-docker-entrypoint-2.x.sh ${{targets.contextdir}}/usr/share/opensearch-dashboards/opensearch-dashboards-docker-entrypoint.sh
install -Dm655 opensearch-build/config/opensearch_dashboards-2.x.yml ${{targets.contextdir}}/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml
@@ -153,11 +161,23 @@ subpackages:
# CVE-2025-7783
jq '.dependencies["form-data"] = "4.0.4"' package.json > temp.json && mv temp.json package.json

dependencies='{"cypress": "^13.5.1"}'
dependencies='{"cypress": "^13.17.0"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-68428 (GHSA-f8cm-6447-x5h2)
dependencies='{"jspdf": "^4.0.0"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-15284 (GHSA-6rw7-vpxm-498p)
dependencies='{"qs": "^6.14.1"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-54798 (GHSA-52f5-9888-hmc6)
dependencies='{"tmp": "^0.2.4"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

# fix CVE-2025-29907
dependencies='{"jspdf": "^3.0.1"}'
# fix CVE-2025-57352 (GHSA-rx8g-88g5-qh64)
dependencies='{"min-document": "^2.19.1"}'
jq --argjson dependencies "$dependencies" '.dependencies += $dependencies' package.json > temp.json && mv temp.json package.json

yarn osd bootstrap --allow-root 2>/dev/null
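Review bot: The new `qs`, `tmp` and `min-document` overrides (after the `cipher-base` step in the `pipeline:` hunk, and again alongside `jspdf` in the last `subpackages:` hunk) are merged into `.dependencies` with caret ranges, which adds a direct dependency but does not by itself replace a vulnerable copy that another package pulls in transitively. The same script already merges pins into `.resolutions` a few lines earlier, and that is the field Yarn uses to force one version across the tree, e.g. `jq --argjson r '{"qs": "^6.14.1"}' '.resolutions += $r' package.json > temp.json && mv temp.json package.json`. Whether an older copy actually survives depends on the lockfile, which is not visible here, so it is worth confirming with `yarn why qs` (and likewise for `tmp` and `min-document`) after bootstrap, particularly in the subpackage step where `2>/dev/null` hides bootstrap warnings. In that same hunk the `jspdf` floor moves across a major version and the `# fix CVE-2025-29907` comment appears to be dropped; a combined comment such as `# fix CVE-2025-29907, CVE-2025-68428 (GHSA-f8cm-6447-x5h2)` would keep the reason for the floor on record.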
35 changes: 0 additions & 35 deletions opensearch-dashboards-3/CVE-2025-9287-fix.patch

This file was deleted.
