
Update several dependencies #339

Merged (1 commit, Nov 14, 2022)

Conversation

ohltyler
Member

@ohltyler ohltyler commented Nov 3, 2022

Signed-off-by: Tyler Ohlsen [email protected]

Description

Updates several dependencies to resolve CVEs

  • ansi-regex
  • glob-parent
  • loader-utils

Note that these all come from upstream core Dashboards. They have been patched by adding them in a resolutions field in package.json, which forces dependencies of all versions to resolve to a version that is patched. I've copied the versions directly from core Dashboards' package.json for version parity and to guarantee we have patched the CVEs for these. After updating package.json, I ran yarn osd bootstrap to update the lockfile.

We only need to backport to 2.x such that the next releases will have these patches.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Tyler Ohlsen <[email protected]>
@ohltyler ohltyler requested a review from a team November 3, 2022 22:46
@opensearch-trigger-bot opensearch-trigger-bot bot added backport 2.x dependencies Pull requests that update a dependency file labels Nov 3, 2022
@ohltyler
Member Author

ohltyler commented Nov 3, 2022

Cypress tests failed; I'm unsure why JS 3.0 is now unavailable, as the previous merged PR worked just fine:

Could not determine the dependencies of task ':run'.
> Can't get https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/3.0.0/latest/linux/x64/tar/builds/opensearch/plugins/opensearch-job-scheduler-3.0.0.0.zip

@codecov-commenter

Codecov Report

Merging #339 (25148f8) into main (d8af147) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #339   +/-   ##
=======================================
  Coverage   52.04%   52.04%           
=======================================
  Files         147      147           
  Lines        5015     5015           
  Branches      965      965           
=======================================
  Hits         2610     2610           
  Misses       2148     2148           
  Partials      257      257           


@ohltyler
Member Author

ohltyler commented Nov 3, 2022

Cypress tests failed; I'm unsure why JS 3.0 is now unavailable, as the previous merged PR worked just fine:

Could not determine the dependencies of task ':run'.
> Can't get https://ci.opensearch.org/ci/dbc/distribution-build-opensearch/3.0.0/latest/linux/x64/tar/builds/opensearch/plugins/opensearch-job-scheduler-3.0.0.0.zip

This is due to the latest build not including JS because of some broken builds caused by opensearch-project/anomaly-detection#713.

That issue needs to be addressed, and then later builds may include all plugins, including JS, at which point we can retry the workflow.

@amitgalitz
Member

Are we trying to include this in 2.4? Or is it okay to wait for the AD fix so CI passes here?

@ohltyler
Member Author

ohltyler commented Nov 4, 2022

Are we trying to include this in 2.4? Or is it okay to wait for the AD fix so CI passes here?

We can wait for the AD fix. Not needed in 2.4.

@ohltyler
Member Author

ohltyler commented Nov 4, 2022

It will be fixed in opensearch-project/anomaly-detection#714, and then after some time once the infra builds have AD and JS we can re-run CI here.

@ohltyler
Member Author

opensearch-project/sql#1065 is still blocking a 3.0 build

@ohltyler
Member Author

3.0 is consistently failing still; will go ahead and merge and re-run CI once there is an available build.

@ohltyler ohltyler merged commit a2474d6 into opensearch-project:main Nov 14, 2022
@ohltyler ohltyler deleted the cve-fixes branch November 14, 2022 17:30
opensearch-trigger-bot bot pushed a commit that referenced this pull request Nov 14, 2022
Signed-off-by: Tyler Ohlsen <[email protected]>
(cherry picked from commit a2474d6)
ohltyler added a commit that referenced this pull request Nov 14, 2022
Signed-off-by: Tyler Ohlsen <[email protected]>
(cherry picked from commit a2474d6)