[Security] Fix CVE-2026-33671, CVE-2026-33672, CVE-2026-33750, CVE-2026-33532, CVE-2026-2391#1399

Open

jackiehanyang wants to merge 1 commit into opensearch-project:main from jackiehanyang:fix/cve-lockfile-refresh

Conversation

@jackiehanyang
Contributor

Description

Lockfile refresh to resolve 5 CVEs in transitive dependencies. All patched versions fall within existing semver ranges — only yarn.lock is changed, no package.json modifications.

Escalation Ladder

Step 1 — Lockfile refresh: ✅ Resolved all 5 CVEs. No further escalation needed.

CVEs Fixed

| CVE | Package | Before | After | Severity | Parent Chain |
|---|---|---|---|---|---|
| CVE-2026-33671 | picomatch | 2.3.1 | 2.3.2 | High (7.5) | lint-staged > micromatch > picomatch |
| CVE-2026-33672 | picomatch | 2.3.1 | 2.3.2 | Moderate (5.3) | lint-staged > micromatch > picomatch |
| CVE-2026-33750 | brace-expansion | 1.1.12 | 1.1.13 | Moderate (6.5) | @elastic/eslint-import-resolver-kibana > glob-all > glob > minimatch > brace-expansion |
| CVE-2026-33532 | yaml | 1.10.2 | 1.10.3 | Moderate (4.3) | lint-staged > cosmiconfig > yaml |
| CVE-2026-2391 | qs | 6.14.1 | 6.14.2 | Low (3.7) | cypress > @cypress/request > qs |

Verification

$ yarn audit
0 vulnerabilities found - Packages audited: 418

Issues Resolved

Resolves CVE-2026-33671, CVE-2026-33672, CVE-2026-33750, CVE-2026-33532, CVE-2026-2391.

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.
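As an added reviewer-side check (example code written for this page, not part of the pull request or of the opensearch-project repository): a small Python script that parses a yarn.lock v1 excerpt and reports any package still resolved below the patched minimums listed in the table above. The lockfile excerpt, the `registry.example.invalid` URLs and the `PATCHED_MINIMUMS` / `check_minimums` names are constructed for the example; the picomatch entry is deliberately left at the pre-fix 2.3.1 so the check has something to report. A lockfile can resolve one package to several versions (brace-expansion 1.x and 2.x side by side is the usual case), so the check walks every entry rather than stopping at the first match, and only compares versions on the same major line as the patched minimum.

```python
"""Verify that a yarn.lock (v1 format) resolves packages to at least the patched versions.

Added example for this page, not part of the pull request. The lockfile excerpt
below is constructed; the package/version pairs mirror the PR's CVE table.
"""
import re
from typing import Dict, List, Tuple

# Minimum patched versions taken from the PR table (package -> minimum on that major line).
PATCHED_MINIMUMS: Dict[str, str] = {
    "picomatch": "2.3.2",
    "brace-expansion": "1.1.13",
    "yaml": "1.10.3",
    "qs": "6.14.2",
}

# Constructed yarn.lock v1 excerpt (not the repository's real lockfile).
SAMPLE_LOCK = '''\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@cypress/request@^3.0.0":
  version "3.0.1"
  resolved "https://registry.example.invalid/@cypress/request/-/request-3.0.1.tgz"
  dependencies:
    qs "6.14.2"

brace-expansion@^1.1.7:
  version "1.1.13"
  resolved "https://registry.example.invalid/brace-expansion/-/brace-expansion-1.1.13.tgz"

brace-expansion@^2.0.1:
  version "2.0.1"
  resolved "https://registry.example.invalid/brace-expansion/-/brace-expansion-2.0.1.tgz"

picomatch@^2.2.3, picomatch@^2.3.1:
  version "2.3.1"
  resolved "https://registry.example.invalid/picomatch/-/picomatch-2.3.1.tgz"

qs@6.14.2:
  version "6.14.2"
  resolved "https://registry.example.invalid/qs/-/qs-6.14.2.tgz"

yaml@^1.10.0:
  version "1.10.3"
  resolved "https://registry.example.invalid/yaml/-/yaml-1.10.3.tgz"
'''


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.10.3' into (1, 10, 3); a prerelease tag after '-' is dropped."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def package_name(spec: str) -> str:
    """'@scope/name@^1.0.0' -> '@scope/name'; 'name@1.2.3' -> 'name'."""
    return spec[: spec.rindex("@")]


def resolved_versions(lock_text: str) -> Dict[str, List[str]]:
    """Map each package to every version the lockfile resolves it to.

    Entry headers are unindented lines ending in ':' that list one or more
    'name@range' specs separated by ', ' (each possibly double-quoted); the
    indented 'version "..."' line that follows is the resolved version.
    """
    result: Dict[str, List[str]] = {}
    current: List[str] = []
    for line in lock_text.splitlines():
        if line and not line.startswith((" ", "#")) and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(", ")]
            current = sorted({package_name(s) for s in specs})
        elif current:
            m = re.match(r'\s+version "([^"]+)"', line)
            if m:
                for name in current:
                    result.setdefault(name, []).append(m.group(1))
    return result


def check_minimums(lock_text: str, minimums: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (package, version) pairs that resolve below the patched minimum.

    Only versions on the same major line as the minimum are compared; a
    different major (brace-expansion 2.x next to a 1.1.13 minimum) is outside
    the range the table describes and is left alone.
    """
    versions = resolved_versions(lock_text)
    findings: List[Tuple[str, str]] = []
    for name, minimum in minimums.items():
        min_tuple = parse_version(minimum)
        for found in versions.get(name, []):
            found_tuple = parse_version(found)
            if found_tuple[0] == min_tuple[0] and found_tuple < min_tuple:
                findings.append((name, found))
    return findings


if __name__ == "__main__":
    for name, version in check_minimums(SAMPLE_LOCK, PATCHED_MINIMUMS):
        print(f"{name} still resolves to {version}, below {PATCHED_MINIMUMS[name]}")
```

Run against a real yarn.lock by reading the file into `lock_text`; an empty result is the lockfile-level equivalent of the `yarn audit` output shown under Verification, with the advantage that it checks the specific minimums a reviewer expects rather than whatever advisory data the audit service currently serves.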

…26-33532, CVE-2026-2391

Lockfile refresh to resolve patched versions of transitive dependencies:
- picomatch 2.3.1 -> 2.3.2 (fixes CVE-2026-33671, CVE-2026-33672)
- brace-expansion 1.1.12 -> 1.1.13 (fixes CVE-2026-33750)
- yaml 1.10.2 -> 1.10.3 (fixes CVE-2026-33532)
- qs 6.14.1 -> 6.14.2 (fixes CVE-2026-2391)

All fixes resolved within existing semver ranges. No package.json changes required.

Signed-off-by: Jackie <jkhanjob@gmail.com>