[Security] Bump all babel dependencies from 7.16.x to 7.22.9

[joshuarrrr]

Description

Also update proposal plugins to their transform equivalents

Resolves CVE-2023-45133

Issues Resolved

Although #5303 is marked closed by mend, it's preferable to also update the deps upstream of the resolution in #5309.

Screenshot

Testing the changes

I verified that all unit tests pass, and I also built all distributions via yarn build --skip-os-packages. But I'd love to here from other maintainers what else we should do to validate these changes. Try diff-ing all the artifacts, maybe?

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[joshuarrrr]

These proposal comments now all seem outdated (particularly because they reference previous version of TypeScript). But I'm not sure I know enough about the relationship between ES proposals, Typescript, and Babel to know how to investigate whether we still need these plugins at all or to update the comments to explain why we still need them. Any help is appreciated!

[codecov]

Codecov Report

Merging #5428 (61c31aa) into main (088fc66) will increase coverage by 7.89%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main    #5428      +/-   ##
==========================================
+ Coverage   59.07%   66.96%   +7.89%     
==========================================
  Files        2981     3291     +310     
  Lines       56492    63243    +6751     
  Branches     8714    10055    +1341     
==========================================
+ Hits        33372    42351    +8979     
+ Misses      21362    18431    -2931     
- Partials     1758     2461     +703     

Flag	Coverage Δ
Linux_1	35.24% <ø> (-0.01%)	⬇️
Linux_2	55.15% <ø> (?)
Linux_3	43.81% <ø> (?)
Linux_4	35.34% <ø> (+<0.01%)	⬆️
Windows_1	35.26% <ø> (?)
Windows_2	55.12% <ø> (-0.13%)	⬇️
Windows_3	43.82% <ø> (?)
Windows_4	35.34% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
packages/osd-babel-preset/common_preset.js	100.00% <ø> (ø)

... and 785 files with indirect coverage changes

[joshuarrrr]

skipping backport to 1.3

[aggarwalShivani]

Hi @joshuarrrr
I have a query on this merged PR - as per CVE-2023-45133, the fixed version of babel is >=7.23.2.
Why are the babel dependencies then updated to 7.22.9? Isn't this an affected version?

[AMoo-Miki]

@aggarwalShivani , the vulnerability is in @babel/traverse which was bumped to 7.23.2:
https://github.com/opensearch-project/OpenSearch-Dashboards/pull/5428/files#diff-51e4f558fae534656963876761c95b83b6ef5da5103c4adef6768219ed76c2deR1363

The others are not vulnerable on their own.

[AMoo-Miki]

Manually backported with #5464