[CVE-2022-25758][1.x]Bump scss-tokenizer from 0.3.0 to 0.4.3

[ananzh]

Description

scss-tokenizer is a dependency of sass-graph and a nested dependency of node-sass. The latest sass-graph @v4.0.1 bumps scss-tokenizer@^0.4.3 here. This change is kicked in node-sass@7.0.3. In 1.x, we used node-sass@4.13.1 :

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why scss-tokenizer
yarn why v1.22.19
[1/4] Why do we have the module "scss-tokenizer"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "scss-tokenizer@0.3.0"
info Reasons this module exists
   - "_project_#@osd#optimizer#node-sass#sass-graph" depends on it
   - Hoisted from "_project_#@osd#optimizer#node-sass#sass-graph#scss-tokenizer"
info Disk size without dependencies: "432KB"
info Disk size with unique dependencies: "1.27MB"
info Disk size with transitive dependencies: "1.27MB"
info Number of shared dependencies: 2
Done in 1.04s.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why node-sass
yarn why v1.22.19
[1/4] Why do we have the module "node-sass"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "node-sass@4.13.1"
info Reasons this module exists
   - "_project_#@osd#optimizer" depends on it
   - Hoisted from "_project_#@osd#optimizer#node-sass"
   - Hoisted from "_project_#@osd#ui-framework#node-sass"
info Disk size without dependencies: "7.79MB"
info Disk size with unique dependencies: "14.53MB"
info Disk size with transitive dependencies: "34.02MB"
info Number of shared dependencies: 205
Done in 1.29s.

We can’t bump node-sass 1) 3 major version upgrades which include breaking changes 2) node-sass version 6 already drops support for node 10. See the releases here .

So could we resolve it? The sass-graph we are using is @v3.0.5, see below.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why sass-graph
yarn why v1.22.19
[1/4] Why do we have the module "sass-graph"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "sass-graph@3.0.5"
info Reasons this module exists
   - "_project_#@osd#optimizer#node-sass" depends on it
   - Hoisted from "_project_#@osd#optimizer#node-sass#sass-graph"
info Disk size without dependencies: "36KB"
info Disk size with unique dependencies: "5.77MB"
info Disk size with transitive dependencies: "7.84MB"
info Number of shared dependencies: 40
Done in 1.12s.

sass-graph@3.0.5 uses "scss-tokenizer": "^0.3.0" here. Our target version 0.4.3 is within this range. I don’t see breaking changes here. The fix is to add a resolution to bump it.

Issue Resolve

#1842

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[joshuarrrr]

🤣 If I'm wrong about whether we prefer a space or not, feel free to ignore and throw a shoe at me

Suggested change

	- [CVE-2022-25758]Bump scss-tokenizer from 0.3.0 to 0.4.3 ([#3727](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3727))
	- [CVE-2022-25758] Bump scss-tokenizer from 0.3.0 to 0.4.3 ([#3727](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/3727))

[ananzh]

Don't worry, we don't condone violence in the workplace.

[codecov-commenter]

Codecov Report

Merging #3727 (8cf7d59) into 1.x (bf1c65f) will increase coverage by 0.00%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@           Coverage Diff           @@
##              1.x    #3727   +/-   ##
=======================================
  Coverage   67.49%   67.50%           
=======================================
  Files        3044     3044           
  Lines       58692    58692           
  Branches     8902     8902           
=======================================
+ Hits        39617    39619    +2     
+ Misses      16926    16925    -1     
+ Partials     2149     2148    -1     

Flag	Coverage Δ
Linux	67.45% <ø> (+<0.01%)	⬆️
Windows	67.45% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1 file with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[joshuarrrr]

All tests passed, with 2 approvals. Just need to resolve CHANGELOG conflicts before merging.