[2.5][CVE-2022-37601][CVE-2022-37599] Bump loader-utils to 2.0.4 #3319

Closed
wants to merge 3 commits into from

Conversation

ananzh
Member

@ananzh ananzh commented Jan 25, 2023

Issue Resolved:
#3306

Signed-off-by: Anan Zhuang <ananzh@amazon.com>

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@ananzh ananzh requested a review from a team as a code owner January 25, 2023 17:28
@ananzh ananzh added 2.5.1 cve Security vulnerabilities detected by Dependabot or Mend labels Jan 25, 2023
Issue Resolved:
opensearch-project#3306

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@codecov-commenter

codecov-commenter commented Jan 25, 2023

Codecov Report

Merging #3319 (50ca819) into 2.5 (7123e11) will decrease coverage by 0.06%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##              2.5    #3319      +/-   ##
==========================================
- Coverage   66.55%   66.49%   -0.06%     
==========================================
  Files        3203     3203              
  Lines       61327    61327              
  Branches     9452     9452              
==========================================
- Hits        40815    40781      -34     
- Misses      18256    18284      +28     
- Partials     2256     2262       +6     
| Flag | Coverage Δ |
| --- | --- |
| Linux | 66.49% <ø> (ø) |
| Windows | ? |


| Impacted Files | Coverage Δ |
| --- | --- |
| src/dev/build/lib/get_build_number.ts | 57.14% <0.00%> (-42.86%) ⬇️ |
| src/setup_node_env/harden/child_process.js | 38.46% <0.00%> (-38.47%) ⬇️ |
| packages/osd-cross-platform/src/path.ts | 51.21% <0.00%> (-34.15%) ⬇️ |
| ...ges/osd-apm-config-loader/src/config.test.mocks.ts | 91.30% <0.00%> (-8.70%) ⬇️ |
| src/dev/build/lib/config.ts | 79.41% <0.00%> (-5.89%) ⬇️ |
| packages/osd-optimizer/src/node/cache.ts | 50.00% <0.00%> (-1.32%) ⬇️ |
| ...ic/application/models/sense_editor/sense_editor.ts | 64.00% <0.00%> (-0.89%) ⬇️ |


@ananzh
Member Author

ananzh commented Jan 25, 2023

Tests fail because there are no 2.5.1 snapshots, but 2.x tests are all good.

joshuarrrr
joshuarrrr previously approved these changes Jan 30, 2023
version "2.0.3"
resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.3.tgz#d4b15b8504c63d1fc3f2ade52d41bc8459d6ede1"
integrity sha512-THWqIsn8QRnvLl0shHYVBN9syumU8pYWEHPTmkiVGd+7K5eFNVSY6AJhRvgGF70gg1Dz+l/k8WicvFCxdEs60A==
loader-utils@^1.2.3, loader-utils@^2.0.0, loader-utils@^2.0.4:
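Review bot: the merged selector line `loader-utils@^1.2.3, loader-utils@^2.0.0, loader-utils@^2.0.4:` can only exist if something other than semver matching forces `^1.2.3` onto a 2.x release, because a caret range on 1.2.3 never admits 2.0.4; that is the footprint of a `resolutions` override in package.json, so the PR description should state that the override exists and name the 1.x consumers being moved across a major version, so that their builds can be checked rather than assumed.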
Member


Where is the loader-utils@^1.2.3 still coming from? Given the updates to osd-shared-deps and osd-optimizer, I wouldn't think we'd still need a resolution from that version. From a nested dep?

Member Author

@ananzh ananzh Jan 30, 2023


Yeah, 1.2.3 is from nested deps of the 3 packages listed below.

string-replace-loader@^2.2.0:
  version "2.3.0"
  resolved "https://registry.yarnpkg.com/string-replace-loader/-/string-replace-loader-2.3.0.tgz#7f29be7d73c94dd92eccd5c5a15651181d7ecd3d"
  integrity sha512-HYBIHStViMKLZC/Lehxy42OuwsBaPzX/LjcF5mkJlE2SnHXmW6SW6eiHABTXnY8ZCm/REbdJ8qnA0ptmIzN0Ng==
  dependencies:
    loader-utils "^1.2.3"
    schema-utils "^2.6.5"

url-loader@^2.2.0:
  version "2.3.0"
  resolved "https://registry.yarnpkg.com/url-loader/-/url-loader-2.3.0.tgz#e0e2ef658f003efb8ca41b0f3ffbf76bab88658b"
  integrity sha512-goSdg8VY+7nPZKUEChZSEtW5gjbS66USIGCeSJ1OVOJ7Yfuh/36YxCwMi5HVEJh6mqUYOoy3NJ0vlOMrWsSHog==
  dependencies:
    loader-utils "^1.2.3"
    mime "^2.4.4"
    schema-utils "^2.5.0"

webpack@^4.41.5:
  version "4.46.0"
  resolved "https://registry.yarnpkg.com/webpack/-/webpack-4.46.0.tgz#bf9b4404ea20a073605e0a011d188d77cb6ad542"
  integrity sha512-6jJuJjg8znb/xRItk7bkT0+Q7AHCYjjFnvKIWQPkNIOyRqoCGvkOs0ipeQzrqz4l5FtN5ZI/ukEHroeX/o1/5Q==
  dependencies:
    "@webassemblyjs/ast" "1.9.0"
    "@webassemblyjs/helper-module-context" "1.9.0"
    "@webassemblyjs/wasm-edit" "1.9.0"
    "@webassemblyjs/wasm-parser" "1.9.0"
    acorn "^6.4.1"
    ajv "^6.10.2"
    ajv-keywords "^3.4.1"
    chrome-trace-event "^1.0.2"
    enhanced-resolve "^4.5.0"
    eslint-scope "^4.0.3"
    json-parse-better-errors "^1.0.2"
    loader-runner "^2.4.0"
    loader-utils "^1.2.3"
    memory-fs "^0.4.1"
    micromatch "^3.1.10"
    mkdirp "^0.5.3"
    neo-async "^2.6.1"
    node-libs-browser "^2.2.1"
    schema-utils "^1.0.0"
    tapable "^1.1.3"
    terser-webpack-plugin "^1.4.3"
    watchpack "^1.7.4"
    webpack-sources "^1.4.1"

@joshuarrrr joshuarrrr dismissed their stale review January 30, 2023 21:19

automation not passing

@ananzh
Member Author

ananzh commented Jan 30, 2023

Tests failed because snapshots for 2.5.1 are not available. Below is an example.

● uiSettings/routes › doc exists › delete route › returns a 200 and deletes the setting

    Snapshots for 2.5.1 are not available

      31 |  */
      32 | exports.createCliError = function (message) {
    > 33 |   const error = new Error(message);
         |                 ^
      34 |   error.isCliError = true;
      35 |   return error;
      36 | };

      at createCliError (packages/osd-opensearch/target/errors.js:33:17)
      at getArtifactSpecForSnapshotFromUrl (packages/osd-opensearch/target/artifact.js:262:11)
          at runMicrotasks (<anonymous>)
      at Function.getSnapshot (packages/osd-opensearch/target/artifact.js:299:26)
      at Object.installSnapshot [as downloadSnapshot] (packages/osd-opensearch/target/install/snapshot.js:73:20)
      at installSnapshot (packages/osd-opensearch/target/install/snapshot.js:105:7)
      at Cluster.installSnapshot (packages/osd-opensearch/target/cluster.js:179:9)
      at OpenSearchTestCluster.start (packages/osd-test/src/legacy_opensearch/legacy_opensearch_test_cluster.js:95:24)
      at Object.startOpenSearch (src/core/test_helpers/osd_server.ts:265:7)
      at Object.startServers (src/core/server/ui_settings/integration_tests/lib/servers.ts:70:22)

@ananzh
Member Author

ananzh commented Feb 24, 2023

2.5 is not an active branch any more since we cut 2.6. Closing it.

@ananzh ananzh closed this Feb 24, 2023
@joshuarrrr joshuarrrr removed the v2.5.1 label Mar 10, 2023