[2.x] [CVE-2020-36632] Bumps flat from 4.1.1 to 5.0.2

[ZilongX]

Signed-off-by: Zilong Xia zilongx@amazon.com

Description

• Bump package flat from 4.1.1 to 5.0.2 to resolve CVE-2020-36632 in branch 2.x (release candidate for OSD 2.6.0)
• flat is introduced into OSD by mocha@^7.2.0
• CVE-2020-36632 is fixed from mocha@8.2.0 (https://github.com/mochajs/mocha/blob/v8.2.0/package-lock.json)
• Yet since mocha 8.0.0 brings in a bunch of breaking changes (https://github.com/mochajs/mocha/blob/master/CHANGELOG.md), leveraging resolutions here instead of the major version bumping
• mocha has been bumped up to 10.1.0 in main branch btw ([WS-2021-0638][Security] bump mocha to 10.1.0 #2711), which would be released as part of OSD 3.0.0
• No breaking changes identified for the flat version bump (https://github.com/hughsk/flat/commits/master?before=7a184e7adbe06f2acafab15a9efef667cc452abb+35&branch=master&qualified_name=refs%2Fheads%2Fmaster)
• Actual CVE fix changes - hughsk/flat@20ef0ef

Issues Resolved

• Resolved Upgrade flat to 5.0.1 - autoclosed #3167

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov-commenter]

Codecov Report

Merging #3419 (5bc19dd) into 2.x (e025cc1) will increase coverage by 0.05%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##              2.x    #3419      +/-   ##
==========================================
+ Coverage   66.50%   66.56%   +0.05%     
==========================================
  Files        3203     3203              
  Lines       61331    61331              
  Branches     9453     9453              
==========================================
+ Hits        40787    40823      +36     
+ Misses      18283    18253      -30     
+ Partials     2261     2255       -6     

Flag	Coverage Δ
Linux	66.50% <ø> (+<0.01%)	⬆️
Windows	66.50% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...ic/application/models/sense_editor/sense_editor.ts	64.88% <0.00%> (ø)
packages/osd-optimizer/src/node/cache.ts	53.94% <0.00%> (+3.94%)	⬆️
...s/osd-optimizer/src/node/node_auto_tranpilation.ts	87.75% <0.00%> (+4.08%)	⬆️
src/dev/build/lib/config.ts	85.29% <0.00%> (+5.88%)	⬆️
...ges/osd-apm-config-loader/src/config.test.mocks.ts	100.00% <0.00%> (+8.69%)	⬆️
packages/osd-cross-platform/src/path.ts	85.36% <0.00%> (+34.14%)	⬆️
src/setup_node_env/harden/child_process.js	76.92% <0.00%> (+38.46%)	⬆️
src/dev/build/lib/get_build_number.ts	100.00% <0.00%> (+42.85%)	⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[seanneumann]

👍

[joshuarrrr]

@ZilongX Thanks for the detailed description.

I think this is probably a better link for looking at the commit diff: hughsk/flat@4.1.1...5.0.2

I have no concerns about this change for OSD core, because we've already removed all mocha tests via #215 (and still just have a lingering item to remove the scaffolding and dependency: #1572)

But because of that we don't have a great way of validating that any plugins with mocha tests configured will be unaffected by this change. So I think we should do an extra callout in the changelog.

[joshuarrrr]

DCO check failed on a merge commit - will be fixed by squash and merge

[joshuarrrr]

@ZilongX Any plans to backport to 1.x/1.3?

[ZilongX]

@joshuarrrr , yes backporting to 1.x/1.3 may need some manual efforts though, I'll take a look later. (maybe just 1.3 since there won't be any new minor version release s for 1.x ~)