DFBUGS-148: [release-4.18] DFBUGS-148: Fix CVE-2024-39249: Force [email protected] via resolutions

[TimothyAsirJeyasing]

The CVE-2024-39249 vulnerability was caused by older versions of async, which were being pulled by dependencies like http-server (via portfinder) and cypress (via getos).

Since these dependencies have not yet updated to a secure version of async, this commit enforces [email protected] using the resolutions field in package.json as a temporary workaround.

• Added "async": "^3.2.6" in resolutions in package.json.
• Ran yarn install, updating yarn.lock accordingly.
• This resolution should be removed once upstream dependencies update async.

BZ: https://issues.redhat.com/browse/DFBUGS-148

[openshift-ci-robot]

@TimothyAsirJeyasing: No Jira issue with key CVE-2024 exists in the tracker at https://issues.redhat.com/.
Once a valid jira issue is referenced in the title of this pull request, request a refresh with /jira refresh.

In response to this:

The CVE-2024-39249 vulnerability was caused by older versions of async, which were being pulled by dependencies like http-server (via portfinder) and cypress (via getos).

Since these dependencies have not yet updated to a secure version of async, this commit enforces [email protected] using the resolutions field in package.json as a temporary workaround.

• Added "async": "^3.2.6" in resolutions in package.json.
• Ran yarn install, updating yarn.lock accordingly.
• This resolution should be removed once upstream dependencies update async.

BZ: https://issues.redhat.com/browse/DFBUGS-148

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: TimothyAsirJeyasing
Once this PR has been reviewed and has the lgtm label, please assign sanjalkatiyar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@TimothyAsirJeyasing: This pull request references [Jira Issue DFBUGS-148](https://issues.redhat.com//browse/DFBUGS-148), which is invalid:

• expected the bug to target the "odf-4.18" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

The CVE-2024-39249 vulnerability was caused by older versions of async, which were being pulled by dependencies like http-server (via portfinder) and cypress (via getos).

Since these dependencies have not yet updated to a secure version of async, this commit enforces [email protected] using the resolutions field in package.json as a temporary workaround.

• Added "async": "^3.2.6" in resolutions in package.json.
• Ran yarn install, updating yarn.lock accordingly.
• This resolution should be removed once upstream dependencies update async.

BZ: https://issues.redhat.com/browse/DFBUGS-148

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.