[1.3] Fix CVE dependencies

[RyanL1997]

Signed-off-by: Ryan Liang [email protected]

Description

Upgrade loader-utils to 2.0.4 and above to fix CVE-2022-37601
Upgrade loader-utils to 2.0.4 and above to fix CVE-2022-37603
Upgrade glob-parent to 6.0.0 and above to fix CVE-2020-28469
Upgrade decode-uri-component to 0.2.2 and above to fix CVE-2022-38900

Category

Maintenance

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[codecov-commenter]

Codecov Report

Merging #1308 (f46674a) into 1.3 (25d60ce) will not change coverage.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@           Coverage Diff           @@
##              1.3    #1308   +/-   ##
=======================================
  Coverage   72.02%   72.02%           
=======================================
  Files          88       88           
  Lines        1916     1916           
  Branches      250      250           
=======================================
  Hits         1380     1380           
  Misses        480      480           
  Partials       56       56           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[peternied]

Please update the pull request description with more details about this change.

Mend isn't reporting link any issues have been fixed, how do we know these changes are correct?

[peternied]

Please include the CVE referenced in the change like was done here, opensearch-project/security#2350

Multiple entries, one on each line is a good way to do this.

[DarshitChanpura]

Why delete yarn.lock? If needed you can push updated yarn.lock. Check out this link that talks about whether or not yarn.lock should be deleted.
Apologies. I do see that it is not deleted.

Also, can you add a brief description of why this change is required or point to the issue that requires this change?

[cwperks]

@DarshitChanpura This does not delete the yarn.lock, there are just a lot of lines deleted. I believe a lot of these dependencies were coming from storybook from OSD core which was deleted so there were a lot of deletions in this yarn.lock as well.

For some additional context, main does not have a yarn.lock, but 1.3 does. The reason for that is because of the backport of the SAML integration tests which needed to lock in a version of selenium that was compatible with node 10.24.1.

[DarshitChanpura]

@DarshitChanpura This does not delete the yarn.lock, there are just a lot of lines deleted. I believe a lot of these dependencies were coming from storybook from OSD core which was deleted so there were a lot of deletions in this yarn.lock as well.

Yep I saw 4/5 red bars on yarn.lock and concluded it was deleted 🤦 .

For some additional context, main does not have a yarn.lock, but 1.3 does. The reason for that is because of the backport of the SAML integration tests which needed to lock in a version of selenium that was compatible with node 10.24.1.

Yep, it was introduced with that PR and that is why I was trying to make sure it wasn't deleted.

[RyanL1997]

@peternied @DarshitChanpura Thanks for the review, and I just attach the dependencies names and version number with the issue links.

[cwperks]

@RyanL1997 Can you rebase this with the latest from 1.3? The version increment was just merged.

[RyanL1997]

Update: I also run the sanity tests with this changes and it is all good.

[opensearch-trigger-bot]

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-1308-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 8e101672d9e9c8bc0bb03d88c9aac7054a2f79e0
# Push it to GitHub
git push --set-upstream origin backport/backport-1308-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-1308-to-1.x.