[CVE 2022-3517] Bump minimatch to 3.0.5 and [IBM X-Force ID: 220063] unset-value to 2.0.1

[himsgupta1122]

Signed-off-by: himsgupta1122 [email protected]

Description

IBM X-Force ID: 220063

• Unset Value: Image contains unset value package version 1.0.1 and this has been resolved with version 2.0.1

CVE 2022-3517

• Minimatch Package : Image contains 3.0.4 which has an issue and has been fixed with version 3.0.5

Issues Resolved

[List any issues this PR will resolve]

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov-commenter]

Codecov Report

❗ No coverage uploaded for pull request base (main@8d5e504). Click here to learn what that means.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2640   +/-   ##
=======================================
  Coverage        ?   66.81%           
=======================================
  Files           ?     3207           
  Lines           ?    61148           
  Branches        ?     9315           
=======================================
  Hits            ?    40856           
  Misses          ?    18060           
  Partials        ?     2232           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[ananzh]

LGTM. Thanks for fixing CVEs for customer!

[ananzh]

I think you might need to add tags for backport. Does these CVEs affect 1.x? Do we need to backport to 1.x? Do we have any conflicts there?

[himsgupta1122]

PR looks good. Thanks for the fix. @himsgupta1122 Does it need to be backport to 2.x? If so, please add a label backport 2.x so it will trigger the auto backport PR

yes, but I dont see the option. Please add the label. Thanks

[opensearch-trigger-bot]

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-1.x 1.x
# Navigate to the new working tree
pushd ../.worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-2640-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 68baac19664decd8b1cb0a35fa82ba0e9af4f658
# Push it to GitHub
git push --set-upstream origin backport/backport-2640-to-1.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-2640-to-1.x.