[CVE-2022-1537][CVE-2022-0436][1.x]bump grunt from 1.4.1 to 1.5.3

[ananzh]

Description

Both CVEs can be solved if bump grunt to 1.5.3 . grunt is bumped to 1.5.3 in main via this PR: #1580 . In 1.x, grunt is still at version 1.4.1.

ubuntu@ip-172-31-55-237:~/work/OpenSearch-Dashboards$ yarn why grunt
yarn why v1.22.19
[1/4] Why do we have the module "grunt"...?
[2/4] Initialising dependency graph...
warning Resolution field "typescript@4.0.2" is incompatible with requested version "typescript@~3.7.2"
warning Resolution field "shelljs@0.8.5" is incompatible with requested version "shelljs@^0.6.0"
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "grunt@1.4.1"
info Has been hoisted to "grunt"
info Reasons this module exists
   - "workspace-aggregator-6b45ce1e-ff0d-42ce-a887-ca68054003ee" depends on it
   - Specified in "devDependencies"
   - Hoisted from "_project_#grunt"
   - Hoisted from "_project_#@osd#ui-framework#grunt"
info Disk size without dependencies: "10.39MB"
info Disk size with unique dependencies: "14.16MB"
info Disk size with transitive dependencies: "15.2MB"
info Number of shared dependencies: 31
Done in 1.19s.

This fix could be patched to 1.x because v1.5.3 requires node>=8 and no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 sincev1.6.0 . Therefore, we need to make a slight change and make the bump range very specific.

Issues Resolved

#1579
#1450

Check List

• All tests pass
  • yarn test:jest
  • yarn test:jest_integration
  • yarn test:ftr
• New functionality includes testing.
• New functionality has been documented.
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

[codecov-commenter]

Codecov Report

Merging #3723 (011bb8c) into 1.x (53d2d91) will decrease coverage by 0.05%.
The diff coverage is n/a.

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##              1.x    #3723      +/-   ##
==========================================
- Coverage   67.49%   67.45%   -0.05%     
==========================================
  Files        3044     3044              
  Lines       58692    58692              
  Branches     8902     8902              
==========================================
- Hits        39617    39593      -24     
- Misses      16926    16946      +20     
- Partials     2149     2153       +4     

Flag	Coverage Δ
Linux	67.45% <ø> (ø)
Windows	?

Flags with carried forward coverage won't be shown. Click here to find out more.

see 6 files with indirect coverage changes

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[joshuarrrr]

All tests pass (whitesource failure can be ignored) let's fix the changelog conflict and merge.

[opensearch-trigger-bot]

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-3723-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 65deacbe79825cddfac04ce653c3455d5578d371
# Push it to GitHub
git push --set-upstream origin backport/backport-3723-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-3723-to-1.3.

[joshuarrrr]

This wasn't backported in time for 1.3.10.