From ca154e3264b4fd64659d75bf173a711e176edc6a Mon Sep 17 00:00:00 2001 From: himsgupta1122 Date: Wed, 26 Oct 2022 05:37:50 -0700 Subject: [PATCH 1/4] Security-CVEs fixes guidelines Signed-off-by: himsgupta1122 --- SECURITY.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 0b85ca04ed26..09f214d4637f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,10 @@ ## Reporting a Vulnerability -If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue. \ No newline at end of file +If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue. + +For Security-CVE related fix - +1. For direct dependency - Use ```yarn upgrade package``` to update the package and in order to enforce as sub-deps please add nested-dep step 2. + +2. For nested dependency/sub-deps - In order to enforce package above Vx.y.z, we can add version in the resolutions [section](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) for all the package sub-deps or specific package sub-dep. For more on version updates please see +[Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade. + From c2bf3b3a3f9925c2aa9b3cd274576ccb2064c99e Mon Sep 17 00:00:00 2001 From: himsgupta1122 Date: Wed, 26 Oct 2022 05:45:05 -0700 Subject: [PATCH 2/4] styling 
Signed-off-by: himsgupta1122 --- SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 09f214d4637f..6d220227b5c1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,10 +1,10 @@ ## Reporting a Vulnerability -If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue. +- If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/) or directly via email to aws-security@amazon.com. Please do **not** create a public GitHub issue. -For Security-CVE related fix - -1. For direct dependency - Use ```yarn upgrade package``` to update the package and in order to enforce as sub-deps please add nested-dep step 2. +- For Security-CVE related fix - + - For direct dependency - Use ```yarn upgrade package``` to update the package and in order to enforce as sub-deps please add nested-dep step2. -2. For nested dependency/sub-deps - In order to enforce package above Vx.y.z, we can add version in the resolutions [section](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) for all the package sub-deps or specific package sub-dep. For more on version updates please see + - For nested dependency/sub-deps - In order to enforce package above Vx.y.z, we can add version in the resolutions [section](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) for all the package sub-deps or specific package sub-dep. For more on version updates please see [Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade. From 4af07e2e6381e43fcd2031e7a1279ba6ada34d7b Mon Sep 17 00:00:00 2001 From: himsgupta1122 Date: Mon, 31 Oct 2022 13:57:25 -0700 Subject: [PATCH 3/4] add example 
Signed-off-by: himsgupta1122 --- SECURITY.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6d220227b5c1..ebf985b7523a 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,4 +7,16 @@ - For nested dependency/sub-deps - In order to enforce package above Vx.y.z, we can add version in the resolutions [section](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) for all the package sub-deps or specific package sub-dep. For more on version updates please see [Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade. - + ``` + Example: foobar@1.x vulnerable package and 1.y is the fix + step 1: + For direct dependency checks: + run: yarn upgrade foobar@1.y + Step 2. + Check for sub deps foobar in other package. + If foobar@1.x exists for subdeps in yarn.lock file + Then edit the package.json file and add **/foobar@1.y in resolution section as shown below to enforce the 1.y. + 'resolutions': { "**/foobar": "^1.y", + "**/foo": "^2.x" , + "**/bar": "^3.k"} + \ No newline at end of file From 14bc9acab0fce07641a66aeb44dd8d7e9586c376 Mon Sep 17 00:00:00 2001 From: himsgupta1122 Date: Wed, 2 Nov 2022 12:48:43 -0700 Subject: [PATCH 4/4] add documention Signed-off-by: himsgupta1122 --- SECURITY.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ebf985b7523a..f450e11235ba 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -7,11 +7,14 @@ - For nested dependency/sub-deps - In order to enforce package above Vx.y.z, we can add version in the resolutions [section](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/) for all the package sub-deps or specific package sub-dep. For more on version updates please see [Why](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-why-would-you-want-to-do-this) and [How](https://classic.yarnpkg.com/lang/en/docs/selective-version-resolutions/#toc-how-to-use-it) to upgrade. - ``` + - To add the CVEs fix to previous versions, add label ex: backport 1.x. + + ``` Example: foobar@1.x vulnerable package and 1.y is the fix step 1: For direct dependency checks: - run: yarn upgrade foobar@1.y + run: yarn upgrade foobar@1.y to update the package.json + and yarn install to update the yarn.lock file Step 2. Check for sub deps foobar in other package. If foobar@1.x exists for subdeps in yarn.lock file @@ -19,4 +22,6 @@ 'resolutions': { "**/foobar": "^1.y", "**/foo": "^2.x" , "**/bar": "^3.k"} - \ No newline at end of file + Then run: yarn install for updating yarn.lock file + + \ No newline at end of file
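Review bot: in patch 1/4, the step-1 instruction "Use `yarn upgrade package`" will not reach a fixed release that lies outside the semver range declared in package.json, because a bare `yarn upgrade <package>` only moves within that range; write it as `yarn upgrade <package>@<fixed-version>` (the form the later example uses) so the CVE fix version is actually taken. The inline code is wrapped in triple backticks (```yarn upgrade package```) where single backticks are the markdown form for inline code, and "in order to enforce as sub-deps please add nested-dep step 2" reads more clearly as "to enforce it for transitive dependencies as well, follow step 2". The reporting link is http:// rather than https:// in both the removed and the added line; worth switching while the line is being rewritten anyway.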
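Review bot: in patch 2/4, the restyled direct-dependency bullet changes "step 2" to "step2", a small regression on the same line; keep the space. The triple-backtick wrapping of `yarn upgrade package` is carried over unchanged, so the single-backtick fix from the first patch still applies here.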
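Review bot: in patch 3/4, the fenced block opened with ``` is never closed (the hunk ends with an empty line and "\ No newline at end of file"), so everything after it in SECURITY.md will render as code; add a closing ``` after the last example line. Inside the example, `'resolutions': {` uses single quotes, which is invalid in package.json; use `"resolutions": {` so readers who copy it get valid JSON. The `**/foo` and `**/bar` entries are not part of the foobar scenario and only add noise; either drop them or label them as placeholders for other packages being pinned. The prose "add **/foobar@1.y in resolution section" also does not match the key/value form shown below it ("**/foobar": "^1.y"); align the two so the instruction and the snippet say the same thing.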
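Review bot: in the first hunk of patch 4/4, the ``` fence is moved below the new backport bullet but there is still no closing fence, so the block remains unterminated. The new line "add label ex: backport 1.x" does not say where the label is applied (on the pull request) or that "1.x" must match the name of the release branch the fix should be backported to; spell that out so contributors do not guess the label format. In Yarn classic, `yarn upgrade foobar@1.y` already rewrites both package.json and yarn.lock, so the added "and yarn install to update the yarn.lock file" is redundant for step 1; if it is intended as a verification step, say so.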
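Review bot: in the second hunk of patch 4/4, "Then run: yarn install for updating yarn.lock file" is the right step, since a hand-edited resolutions entry does not reach yarn.lock until install runs, but the hunk still leaves the fence unclosed and ends with a whitespace-only line and no trailing newline; add the closing ``` and a final newline. A concrete check after the install would make the procedure verifiable, e.g. "confirm no foobar@1.x entry remains in yarn.lock (`grep foobar yarn.lock`)". The commit message "add documention" has a typo ("documentation").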