[backport 1.x][CVE-2022-0144] bump shelljs from 0.8.4 to 0.8.5

[ananzh]

• Resolves CVE-2022-0144 by bumping package shelljs to 0.8.5

Signed-off-by: Anan Zhuang [email protected]

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[kavilla]

Is this a backport or just bumping on the 1.x branch?

Can the commit message be a little more descriptive and include the CVE resolved? Can be accomplished before merging when we have one last chance when editing the commit message.

[joshuarrrr]

Also, is backpack something different than a backport, or just a typo?

[ananzh]

2.0 has bump to 0.8.5
I am not sure why it is not backpacked to 1.x

[kavilla]

2.0 has bump to 0.8.5 I am not sure why it is not backpacked to 1.x

Gotcha, do we have the original PR that this was cherry picked from? Also, #2512 implies it was able to resolve this without touching moment resolutions.

[ananzh]

Also, is backpack something different than a backport, or just a typo?

yeah updated to backport

[ananzh]

will update commit msg after CI check done

[ananzh]

2.0 has bump to 0.8.5 I am not sure why it is not backpacked to 1.x

Gotcha, do we have the original PR that this was cherry picked from? Also, #2512 implies it was able to resolve this without touching moment resolutions.

It is not a cve fix PR, here is the original PR for 2.0:#1409

the moment is changed by running yarn osd bootstrap automatically

yeah just do a quick CI run to see if there is any conflicts. I will update commit msg

[ananzh]

@joshuarrrr @kavilla do I need to update 1.3.6 release not as well?

[joshuarrrr]

As far as I know, it's too late to get this to 1.3.6 now - you'd need to reach out the build team to coordinate if it has to be squeezed into the release.

[zelinh]

We will pick this change into our 1.3.6 release and re-generate the release candidate for OSD. Please also update the release notes to include this. Thanks.

[ananzh]

I see function test fail https://github.com/opensearch-project/OpenSearch-Dashboards/actions/runs/3191842791/jobs/5210233465 due to SessionNotCreatedError, but I don't think it is caused by this PR.

[ananzh]

@zelinh got it. I have fixed the functional test fail and include this change in the release note.