[CVE-2024-4067][CVE-2024-4068] Bump packages dependent on braces ve…

…rsions lower than 3.0.3 (opensearch-project#6911)

Bumped packages:
* `@amoo-miki/webpack` to `4.46.0-xxhash.1`
* `micromatch` to `4.0.7`
* `@types/watchpack` to `2.4.4`
* `watchpack` to `2.4.1`

Removed:
* `@types/globby`

cherry-picked from 418bf19

Signed-off-by: Miki <miki@amazon.com>

.eslintrc.js

@@ -272,26 +272,22 @@ module.exports = {
  basePath: __dirname,
  zones: [
  {
- target: ['(src)/**/*', '!src/core/**/*'],
+ target: ['src/**/*', '!src/core/**/*'],
  from: ['src/core/utils/**/*'],
  errorMessage: `Plugins may only import from src/core/server and src/core/public.`,
  },
  {
- target: ['(src)/plugins/*/server/**/*'],
- from: ['(src)/plugins/*/public/**/*'],
+ target: ['src/plugins/*/server/**/*'],
+ from: ['src/plugins/*/public/**/*'],
  errorMessage: `Server code can not import from public, use a common directory.`,
  },
  {
- target: ['(src)/plugins/*/common/**/*'],
- from: ['(src)/plugins/*/(server|public)/**/*'],
+ target: ['src/plugins/*/common/**/*'],
+ from: ['src/plugins/*/(server|public)/**/*'],
  errorMessage: `Common code can not import from server or public, use a common directory.`,
  },
  {
- target: [
- 'src/legacy/**/*',
- '(src)/plugins/**/(public|server)/**/*',
- 'examples/**/*',
- ],
+ target: ['src/legacy/**/*', 'src/plugins/**/(public|server)/**/*', 'examples/**/*'],
  from: [
  'src/core/public/**/*',
  '!src/core/public/index.ts', // relative import
@@ -320,30 +316,30 @@ module.exports = {
  {
  target: [
  'src/legacy/**/*',
- '(src)/plugins/**/(public|server)/**/*',
+ 'src/plugins/**/(public|server)/**/*',
  'examples/**/*',
- '!(src)/**/*.test.*',
+ '!src/**/*.test.*',
  ],
  from: [
- '(src)/plugins/**/(public|server)/**/*',
- '!(src)/plugins/**/(public|server)/mocks/index.{js,mjs,ts}',
- '!(src)/plugins/**/(public|server)/(index|mocks).{js,mjs,ts,tsx}',
+ 'src/plugins/**/(public|server)/**/*',
+ '!src/plugins/**/(public|server)/mocks/index.{js,mjs,ts}',
+ '!src/plugins/**/(public|server)/(index|mocks).{js,mjs,ts,tsx}',
  ],
  allowSameFolder: true,
  errorMessage: 'Plugins may only import from top-level public and server modules.',
  },
  {
  target: [
- '(src)/plugins/**/*',
- '!(src)/plugins/**/server/**/*',
+ 'src/plugins/**/*',
+ '!src/plugins/**/server/**/*',
 
  'examples/**/*',
  '!examples/**/server/**/*',
  ],
  from: [
  'src/core/server',
  'src/core/server/**/*',
- '(src)/plugins/*/server/**/*',
+ 'src/plugins/*/server/**/*',
  'examples/**/server/**/*',
  ],
  errorMessage:
@@ -355,7 +351,7 @@ module.exports = {
  errorMessage: 'The core cannot depend on any plugins.',
  },
  {
- target: ['(src)/plugins/*/public/**/*'],
+ target: ['src/plugins/*/public/**/*'],
  from: ['ui/**/*'],
  errorMessage: 'Plugins cannot import legacy UI code.',
  },

changelogs/fragments/6911.yml

@@ -0,0 +1,2 @@
+security:
+- [CVE-2024-4067][CVE-2024-4068] Bump packages dependent on `braces` versions lower than 3.0.3 ([#6911](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/6911))

package.json

@@ -87,6 +87,7 @@
  "**/@types/node": "~18.7.0",
  "**/ansi-regex": "^5.0.1",
  "**/async": "^3.2.3",
+ "**/cpy/globby": "^10.0.1",
  "**/d3-color": "^3.1.0",
  "**/flat": "^5.0.2",
  "**/elasticsearch/agentkeepalive": "^4.5.0",
@@ -110,11 +111,11 @@
  "**/trim": "^0.0.3",
  "**/typescript": "4.0.2",
  "**/unset-value": "^2.0.1",
+ "**/watchpack-chokidar2/chokidar": "^3.5.3",
  "**/minimatch": "^3.0.5",
  "**/eslint-plugin-mocha-next/mocha": "npm:mocha@^10.1.0",
  "**/xml2js": "^0.5.0",
  "**/yaml": "^2.2.2"
-
  },
  "workspaces": {
  "packages": [
@@ -239,7 +240,6 @@
  "uuid": "3.3.2",
  "whatwg-fetch": "^3.0.0",
  "yauzl": "^2.10.0"
-
  },
  "devDependencies": {
  "@babel/core": "^7.22.9",
@@ -296,7 +296,6 @@
  "@types/getopts": "^2.0.1",
  "@types/getos": "^3.0.0",
  "@types/glob": "^7.1.3",
- "@types/globby": "^8.0.0",
  "@types/hapi__cookie": "^10.1.4",
  "@types/hapi__h2o2": "^8.3.3",
  "@types/hapi__hapi": "^20.0.10",

packages/osd-ace/package.json

@@ -14,7 +14,7 @@
  "@osd/babel-preset": "1.0.0",
  "raw-loader": "^4.0.2",
  "typescript": "4.0.2",
- "webpack": "npm:@amoo-miki/webpack@4.46.0-rc.2"
+ "webpack": "npm:@amoo-miki/webpack@4.46.0-xxhash.1"
  },
  "@osd/pm": {
  "web": true

packages/osd-eslint-import-resolver-opensearch-dashboards/package.json

@@ -19,6 +19,6 @@
  "glob-all": "^3.2.1",
  "lru-cache": "^4.1.5",
  "resolve": "^1.7.1",
- "webpack": "npm:@amoo-miki/webpack@4.46.0-rc.2"
+ "webpack": "npm:@amoo-miki/webpack@4.46.0-xxhash.1"
  }
 }

packages/osd-eslint-plugin-eslint/package.json

@@ -11,7 +11,7 @@
  "babel-eslint": "^10.0.3"
  },
  "dependencies": {
- "micromatch": "3.1.10",
+ "micromatch": "^4.0.7",
  "dedent": "^0.7.0",
  "eslint-module-utils": "2.5.0"
  }

packages/osd-eslint-plugin-eslint/rules/no_restricted_paths.test.js

@@ -370,7 +370,7 @@ ruleTester.run('@osd/eslint/no-restricted-paths', rule, {
  },
 
  {
- // Does not allow to import deeply within Core, using "src/core/..." Webpack alias.
+ // Does not allow to require deeply within Core, using "src/core/..." Webpack alias.
  code: 'const d = require("src/core/server/saved_objects")',
  filename: path.join(__dirname, './testfiles/no_restricted_paths/client/a.js'),
  options: [
@@ -393,6 +393,32 @@ ruleTester.run('@osd/eslint/no-restricted-paths', rule, {
  ],
  },
 
+ {
+ // Does not allow to import deeply within Core, using "src/core/...".
+ code: `
+ import { X as XX } from 'src/core/public';
+ import { X as XY } from 'src/core/server';`,
+ filename: path.join(__dirname, './testfiles/no_restricted_paths/client/a.js'),
+ options: [
+ {
+ basePath: __dirname,
+ zones: [
+ {
+ target: ['**/testfiles/**/*', '!**/testfiles/**/server/**/*'],
+ from: ['src/core/server', 'src/core/server/**/*'],
+ },
+ ],
+ },
+ ],
+ errors: [
+ {
+ message: 'Unexpected path "src/core/server" imported in restricted zone.',
+ line: 3,
+ column: 31,
+ },
+ ],
+ },
+
  {
  // Does not allow to import "ui/kfetch".
  code: 'const d = require("ui/kfetch")',

packages/osd-interpreter/package.json

@@ -31,7 +31,7 @@
  "style-loader": "^1.1.3",
  "supports-color": "^7.0.0",
  "url-loader": "^2.2.0",
- "webpack": "npm:@amoo-miki/webpack@4.46.0-rc.2",
+ "webpack": "npm:@amoo-miki/webpack@4.46.0-xxhash.1",
  "webpack-cli": "^4.9.2"
  }
 }

packages/osd-monaco/package.json

@@ -22,7 +22,7 @@
  "raw-loader": "^4.0.2",
  "supports-color": "^7.0.0",
  "typescript": "4.0.2",
- "webpack": "npm:@amoo-miki/webpack@4.46.0-rc.2",
+ "webpack": "npm:@amoo-miki/webpack@4.46.0-xxhash.1",
  "webpack-cli": "^4.9.2"
  }
 }

packages/osd-optimizer/package.json

@@ -45,7 +45,7 @@
  "@types/compression-webpack-plugin": "^6.0.6",
  "@types/loader-utils": "^1.1.3",
  "@types/source-map-support": "^0.5.3",
- "@types/watchpack": "^1.1.6",
+ "@types/watchpack": "^2.4.4",
  "@types/webpack": "^4.41.31",
  "babel-loader": "^8.2.3",
  "comment-stripper": "^0.0.4",
@@ -59,6 +59,6 @@
  "style-loader": "^1.1.3",
  "url-loader": "^2.2.0",
  "val-loader": "^2.1.2",
- "webpack": "npm:@amoo-miki/webpack@4.46.0-rc.2"
+ "webpack": "npm:@amoo-miki/webpack@4.46.0-xxhash.1"
  }
 }

packages/osd-optimizer/src/integration_tests/basic_optimization.test.ts

@@ -74,7 +74,7 @@ beforeAll(async () => {
  await cpy('**/*', MOCK_REPO_DIR, {
  cwd: MOCK_REPO_SRC,
  parents: true,
- deep: true,
+ deep: Infinity,
  });
 });
 

packages/osd-optimizer/src/integration_tests/bundle_cache.test.ts

@@ -54,7 +54,7 @@ beforeEach(async () => {
  await cpy('**/*', MOCK_REPO_DIR, {
  cwd: MOCK_REPO_SRC,
  parents: true,
- deep: true,
+ deep: Infinity,
  });
 });
 

packages/osd-optimizer/src/optimizer/watcher.ts

@@ -94,7 +94,7 @@ export class Watcher {
  take(1)
  ),
 
- // call watchpack.watch after listerners are setup
+ // call watchpack.watch after listeners are set up
  Rx.defer(() => {
  const watchPaths: string[] = [];
 
@@ -104,7 +104,11 @@ export class Watcher {
  }
  }
 
- this.watchpack.watch(watchPaths, [], startTime);
+ this.watchpack.watch({
+ files: watchPaths,
+ startTime,
+ });
+
  return Rx.EMPTY;
  })
  );