[CVE-2022-48285][1.x] Bump jszip from 3.7.1 to 3.10.1

[ananzh]

Description

This CVE is caught in github. It is about that loadAsync in jszip before 3.8.0 allows Directory Traversal via a crafted ZIP archive. jszip is a dependency of selenium-webdriver . This CVE requires to bump jszip to 3.8.0+. In 1.x, we are currently using [email protected] .

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why jszip
yarn why v1.22.19
[1/4] Why do we have the module "jszip"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "[email protected]" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Reasons this module exists
   - "_project_#selenium-webdriver" depends on it
   - Hoisted from "_project_#selenium-webdriver#jszip"
info Disk size without dependencies: "796KB"
info Disk size with unique dependencies: "1.93MB"
info Disk size with transitive dependencies: "2.21MB"
info Number of shared dependencies: 11
Done in 1.05s.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why selenium-webdriver
yarn why v1.22.19
[1/4] Why do we have the module "selenium-webdriver"...?
[2/4] Initialising dependency graph...
warning Resolution field "[email protected]" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "[email protected]" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "selenium-webdriver"
info Reasons this module exists
   - "workspace-aggregator-b86b8a47-7a5d-4547-95f7-e0849c232835" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#selenium-webdriver"
info Disk size without dependencies: "972KB"
info Disk size with unique dependencies: "1.79MB"
info Disk size with transitive dependencies: "3.52MB"
info Number of shared dependencies: 24
Done in 1.04s.

selenium-webdriver doesn’t actively upgrade jszip in package.json, which is still "^3.7.1" and from 4.7.0 they actually start to use 3.10.1 (package-lock). Since we are gradually remove all selenium tests. I think it is a bit waste of time to investigate the changes between "[email protected]" and 4.7.0.

Since there is no breaking changes between 3.7.1 and 3.8.0 on jszip, We could just make a simple resolution.

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov-commenter]

Codecov Report

Merging #3740 (80adea4) into 1.x (3bd2fb1) will not change coverage.
The diff coverage is n/a.

❗ Current head 80adea4 differs from pull request most recent head 5fbd39d. Consider uploading reports for the commit 5fbd39d to get more accurate results

@@           Coverage Diff           @@
##              1.x    #3740   +/-   ##
=======================================
  Coverage   67.50%   67.50%           
=======================================
  Files        3044     3044           
  Lines       58692    58692           
  Branches     8902     8902           
=======================================
  Hits        39619    39619           
  Misses      16925    16925           
  Partials     2148     2148           

Flag	Coverage Δ
Linux	67.45% <ø> (ø)
Windows	67.45% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 2 files with indirect coverage changes

[joshuarrrr]

@ananzh Marking as draft until you have time to revisit Miki's comments.

[seanneumann]

👍