
In v1.3.13 Update library dependencies to reduce the CVEs reported #5154

Closed
rafariossaa opened this issue Sep 29, 2023 · 1 comment
Labels
cve Security vulnerabilities detected by Dependabot or Mend invalid This doesn't seem right

Comments

@rafariossaa

rafariossaa commented Sep 29, 2023

When running the trivy scanner on the container image opensearchproject/opensearch-dashboards:1.3.13, a number of CVEs and GHSAs are reported.

I have looked for the CVEs in the project's issues and found that several of them could not be updated due to breaking changes, but I would like to know if there will be some upgrading of:

$ trivy image --vuln-type library  opensearchproject/opensearch-dashboards:1.3.13
...
│ ammo (package.json)       │ GHSA-mg85-8mv5-ffjr │ HIGH     │ 3.0.1             │               │ Denial of Service in ammo                                    │
│                           │                     │          │                   │               │ https://github.com/advisories/GHSA-mg85-8mv5-ffjr            │

...
│ hapi (package.json)       │ GHSA-7hx8-2rxv-66xv │          │ 17.6.0            │               │ Denial of Service in hapi                                    │
│                           │                     │          │                   │               │ https://github.com/advisories/GHSA-7hx8-2rxv-66xv            │

...

│ subtext (package.json)    │ GHSA-2mvq-xp48-4c77 │ HIGH     │ 6.0.7             │               │ Denial of Service in subtext                                 │
│                           │                     │          │                   │               │ https://github.com/advisories/GHSA-2mvq-xp48-4c77            │
│                           ├─────────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                           │ GHSA-5854-jvxx-2cg9 │          │                   │               │ Denial of Service in subtext                                 │
│                           │                     │          │                   │               │ https://github.com/advisories/GHSA-5854-jvxx-2cg9            │
│                           ├─────────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                           │ GHSA-g64q-3vg8-8f93 │          │                   │               │ Prototype Pollution in subtext                               │
│                           │                     │          │                   │               │ https://github.com/advisories/GHSA-g64q-3vg8-8f93            │
@rafariossaa rafariossaa added the enhancement New feature or request label Sep 29, 2023
@joshuarrrr
Member

joshuarrrr commented Oct 2, 2023

@rafariossaa We have multiple scanners and systems in place to help us monitor dependency vulnerabilities, but thanks for lending a hand. In short, none of these are fixable in the 1.x line (which includes any future 1.3.x patch releases), because the hapi update required is incompatible with the node version supported by this release line. All of these are fixed in main and 2.x. cc @ananzh @seanneumann @davidlago

GHSA-mg85-8mv5-ffjr:
In main and 2.x, we upgraded hapi directly from v17 to v20 in this PR, #1146. We can’t bump hapi in 1.x because it requests node 12+ since version 19 (hapijs/hapi#4017).

GHSA-7hx8-2rxv-66xv:
All versions of hapi are vulnerable to Denial of Service. We need to replace/bump hapi to @hapi/hapi, which is a breaking change. The public @hapi/hapi starts from v20.0.0. Since @hapi/hapi v19 (not npm public), it doesn't support node 10 any more, see here (hapijs/hapi#4017). Therefore, we won't be able to fix this in 1.x.

GHSA-2mvq-xp48-4c77:
This package is not actively maintained and the fix is in @hapi/subtext version 6.1.2. To use @hapi/subtext, we need to replace/bump hapi to @hapi/hapi v20+, which is a breaking change. Therefore, we won't be able to fix this in 1.x.
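As an added example (not code from this thread or from the OpenSearch Dashboards project), the triage joshuarrrr walks through above written as a script: an advisory is patchable within a release line only if the fix does not require moving to a renamed package and the fix version's Node requirement is met by that line. The finding list, the `example-dep` placeholder and the engine table are constructed from the figures quoted in the comments; the @hapi/subtext engine entry is an assumption.

```python
from typing import Dict, List, NamedTuple, Optional

# Constructed for this example from the figures in the issue comments; the
# finding list and engine table are illustrative, not scanner output.
class Finding(NamedTuple):
    advisory: str      # GHSA id from the scanner
    package: str       # package installed in the release line
    fix_package: str   # package that carries the fix (may be a renamed scope)
    fix_version: str   # first version containing the fix

# Minimum Node major a package needs from a given package major onward.
# From the comment: @hapi/hapi asks for Node 12+ since v19 (hapijs/hapi#4017).
# The @hapi/subtext entry is an assumption: it is only usable with @hapi/hapi v20+.
ENGINE_NODE_MIN: Dict[str, List[tuple]] = {
    "@hapi/hapi": [(19, 12)],
    "@hapi/subtext": [(6, 12)],
}

# Constructed findings mirroring the three advisories discussed above, plus one
# hypothetical in-place patch ("example-dep") to show the other verdict.
FINDINGS = [
    Finding("GHSA-mg85-8mv5-ffjr", "ammo", "@hapi/hapi", "20.0.0"),
    Finding("GHSA-7hx8-2rxv-66xv", "hapi", "@hapi/hapi", "20.0.0"),
    Finding("GHSA-2mvq-xp48-4c77", "subtext", "@hapi/subtext", "6.1.2"),
    Finding("GHSA-placeholder", "example-dep", "example-dep", "1.2.3"),
]

def node_required(package: str, version: str) -> Optional[int]:
    """Minimum Node major the fix version needs, or None if the table has no entry."""
    major = int(version.lstrip("v").split(".")[0])
    required = None
    for from_major, node_min in sorted(ENGINE_NODE_MIN.get(package, [])):
        if major >= from_major:
            required = node_min
    return required

def triage(findings: List[Finding], line_node_major: int) -> Dict[str, str]:
    """'patchable' if the fix drops in under the line's Node; 'breaking' otherwise."""
    verdicts = {}
    for f in findings:
        renamed = f.fix_package != f.package   # e.g. hapi -> @hapi/hapi is a breaking move
        need = node_required(f.fix_package, f.fix_version)
        too_new = need is not None and need > line_node_major
        verdicts[f.advisory] = "breaking" if (renamed or too_new) else "patchable"
    return verdicts

if __name__ == "__main__":
    for advisory, verdict in triage(FINDINGS, 10).items():  # 1.x runs on Node 10
        print(f"{advisory}: {verdict}")
```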

@joshuarrrr joshuarrrr added invalid This doesn't seem right cve Security vulnerabilities detected by Dependabot or Mend and removed untriaged enhancement New feature or request labels Oct 2, 2023