From ed52b6ff7d1738336d12989a8113b9088eb21fe1 Mon Sep 17 00:00:00 2001
From: Josh Romero
Date: Wed, 30 Nov 2022 16:00:07 -0800
Subject: [PATCH] [Backport 1.x] Bump loader-utils to 2.0.3 to fix CVE-2022-37601 (#2707) (#2953)
Signed-off-by: Zilong Xia
(cherry picked from commit b8f6040e83bc5291f25c983187d04e2516986b48)
---
 CHANGELOG.md | 1 +
 package.json | 1 +
 packages/osd-optimizer/package.json | 24 +++++++-------
 packages/osd-ui-shared-deps/package.json | 2 +-
 yarn.lock | 42 ++++++------------------
 5 files changed, 25 insertions(+), 45 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b5c265bfad9a..134dceb51f11 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,7 @@ Inspired from [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * [CVE-2022-23647] Bump prismjs to 1.29.0 ([#2668](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2668))
 * [CVE-2021-24033] Remove storybook package to fix CVE-2021-42740 and CVE-2021-24033 ([#2660](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2660))
 * [CVE-2021-42740] Remove storybook package to fix CVE-2021-42740 and CVE-2021-24033 ([#2660](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2660))
+* [CVE-2022-37601] Bump loader-utils to 2.0.3 ([#2707](https://github.com/opensearch-project/OpenSearch-Dashboards/pull/2707))
 ### 📈 Features/Enhancements
diff --git a/package.json b/package.json
index 896b7f2bdc3b..325bff8a5b4e 100644
--- a/package.json
+++ b/package.json
@@ -87,6 +87,7 @@
 "**/istanbul-instrumenter-loader/schema-utils": "^1.0.0",
 "**/json-schema": "^0.4.0",
 "**/kind-of": ">=6.0.3",
+ "**/loader-utils": "^2.0.3",
 "**/lodash": "^4.17.21",
 "**/merge": "^2.1.1",
 "**/minimist": "^1.2.5",
diff --git a/packages/osd-optimizer/package.json b/packages/osd-optimizer/package.json
index dd443da2aa5d..d29411f41f33 100644
--- a/packages/osd-optimizer/package.json
+++ b/packages/osd-optimizer/package.json
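Review bot: The new `"**/loader-utils": "^2.0.3"` entry in the root package.json resolutions pushes every dependent onto the 2.x line, including packages that declare 1.x ranges, so it is a cross-major override rather than a patch-level bump. The yarn.lock section of this patch shows requests such as `loader-utils@1.2.3` and `^1.0.2` now resolving to 2.0.3, and those dependents were written against the 1.x API. Because JSON cannot carry a comment, the PR description should list which loaders were built and smoke-tested under 2.x, and `yarn why loader-utils` should be run after install to confirm a single resolved copy remains. The resolutions object starts and ends outside this hunk.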
@@ -17,38 +17,27 @@
 "@osd/std": "1.0.0",
 "@osd/ui-shared-deps": "1.0.0",
 "autoprefixer": "^9.7.4",
- "babel-loader": "^8.0.6",
 "clean-webpack-plugin": "^3.0.0",
 "compression-webpack-plugin": "^4.0.0",
 "cpy": "^8.0.0",
 "core-js": "^3.6.5",
- "css-loader": "^3.4.2",
 "dedent": "^0.7.0",
 "del": "^5.1.0",
 "execa": "^4.0.2",
- "file-loader": "^4.2.0",
 "istanbul-instrumenter-loader": "^3.0.1",
 "jest-diff": "^26.4.2",
 "js-yaml": "^3.14.0",
 "json-stable-stringify": "^1.0.1",
 "lmdb-store": "^0.6.10",
- "loader-utils": "^1.2.3",
 "node-sass": "sass/node-sass#v5",
 "normalize-path": "^3.0.0",
 "pirates": "^4.0.1",
 "postcss": "^8.2.10",
- "postcss-loader": "^3.0.0",
- "raw-loader": "^3.1.0",
 "rxjs": "^6.5.5",
- "sass-loader": "^8.0.2",
 "source-map-support": "^0.5.19",
- "style-loader": "^1.1.3",
 "terser-webpack-plugin": "^2.1.2",
 "tinymath": "1.2.1",
- "url-loader": "^2.2.0",
- "val-loader": "^1.1.1",
 "watchpack": "^2.1.1",
- "webpack": "^4.41.5",
 "webpack-merge": "^4.2.2"
 },
 "devDependencies": {
@@ -57,6 +46,17 @@
 "@types/loader-utils": "^1.1.3",
 "@types/source-map-support": "^0.5.3",
 "@types/watchpack": "^1.1.6",
- "@types/webpack": "^4.41.3"
+ "@types/webpack": "^4.41.3",
+ "babel-loader": "^8.0.6",
+ "css-loader": "^3.4.2",
+ "file-loader": "^4.2.0",
+ "loader-utils": "^1.2.3",
+ "postcss-loader": "^3.0.0",
+ "raw-loader": "^3.1.0",
+ "sass-loader": "^8.0.2",
+ "style-loader": "^1.1.3",
+ "url-loader": "^2.2.0",
+ "val-loader": "^2.1.2",
+ "webpack": "^4.41.5"
 }
 }
diff --git a/packages/osd-ui-shared-deps/package.json b/packages/osd-ui-shared-deps/package.json
index a0b1c016e4b0..51e1a89985e7 100644
--- a/packages/osd-ui-shared-deps/package.json
+++ b/packages/osd-ui-shared-deps/package.json
@@ -44,7 +44,7 @@
 "css-loader": "^3.4.2",
 "del": "^5.1.0",
 "loader-utils": "^1.2.3",
- "val-loader": "^1.1.1",
+ "val-loader": "^2.1.2",
 "webpack": "^4.41.5"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 9855b8b9baf6..5587a4c8d354 100644
--- a/yarn.lock
+++ b/yarn.lock
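Review bot: `"loader-utils": "^1.2.3"` is carried over unchanged into devDependencies in the second hunk of packages/osd-optimizer/package.json, and the same 1.x range stays as a context line in packages/osd-ui-shared-deps/package.json, so the fix rests entirely on the root resolution. Yarn applies `resolutions` only from the top-level manifest, so anything installing these packages outside this workspace would presumably still resolve a 1.x release; declaring `"loader-utils": "^2.0.3"` in both manifests makes the declared range match what is locked. `@types/loader-utils` remains at `^1.1.3` and describes the 1.x API, which may hide type mismatches against the resolved 2.x code. Separately, the first hunk moves the webpack loaders and `webpack` itself out of dependencies; if the optimizer ever runs from a production-only install those modules would be absent, which is worth confirming before release.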
@@ -8164,11 +8164,6 @@ emoji-regex@^8.0.0: resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37" integrity sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A== -emojis-list@^2.0.0: - version "2.1.0" - resolved "https://registry.yarnpkg.com/emojis-list/-/emojis-list-2.1.0.tgz#4daa4d9db00f9819880c79fa457ae5b09a1fd389" - integrity sha1-TapNnbAPmBmIDHn6RXrlsJof04k= - emojis-list@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/emojis-list/-/emojis-list-3.0.0.tgz#5570662046ad29e2e916e71aae260abdff4f6a78" 
@@ -13837,19 +13832,10 @@ loader-runner@^2.4.0: resolved "https://registry.yarnpkg.com/loader-runner/-/loader-runner-2.4.0.tgz#ed47066bfe534d7e84c4c7b9998c2a75607d9357" integrity sha512-Jsmr89RcXGIwivFY21FcRrisYZfvLMTWx5kOLc+JTxtpBOG6xML0vzbc6SEQG2FO9/4Fc3wW4LVcB5DmGflaRw== -loader-utils@1.2.3, loader-utils@^1.0.0, loader-utils@^1.0.2, loader-utils@^1.1.0, loader-utils@^1.2.3: - version "1.2.3" - resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-1.2.3.tgz#1ff5dc6911c9f0a062531a4c04b609406108c2c7" - integrity sha512-fkpz8ejdnEMG3s37wGL07iSBDg99O9D5yflE9RGNH3hRdx9SOwYfnGYdZOUIZitN8E+E2vkq3MUMYMvPYl5ZZA== - dependencies: - big.js "^5.2.2" - emojis-list "^2.0.0" - json5 "^1.0.1" - -loader-utils@^2.0.0: - version "2.0.0" - resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.0.tgz#e4cace5b816d425a166b5f097e10cd12b36064b0" - integrity sha512-rP4F0h2RaWSvPEkD7BLDFQnvSf+nK+wr3ESUjNTyAGobqrijmW92zc+SO6d4p4B1wh7+B/Jg1mkQe5NYUEHtHQ== +loader-utils@1.2.3, loader-utils@^1.0.2, loader-utils@^1.1.0, loader-utils@^1.2.3, loader-utils@^2.0.0, loader-utils@^2.0.3: + version "2.0.3" + resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.3.tgz#d4b15b8504c63d1fc3f2ade52d41bc8459d6ede1" + integrity sha512-THWqIsn8QRnvLl0shHYVBN9syumU8pYWEHPTmkiVGd+7K5eFNVSY6AJhRvgGF70gg1Dz+l/k8WicvFCxdEs60A== dependencies: big.js "^5.2.2" emojis-list "^3.0.0" 
@@ -18701,14 +18687,6 @@ schema-utils@^0.3.0, schema-utils@^1.0.0: ajv-errors "^1.0.0" ajv-keywords "^3.1.0" -schema-utils@^0.4.5: - version "0.4.7" - resolved "https://registry.yarnpkg.com/schema-utils/-/schema-utils-0.4.7.tgz#ba74f597d2be2ea880131746ee17d0a093c68187" - integrity sha512-v/iwU6wvwGK8HbU9yi3/nhGzP0yGSuhQMzL6ySiec1FSrZZDkhm4noOSWzrNFo/jEc+SJY6jRTwuwbSXJPDUnQ== - dependencies: - ajv "^6.1.0" - ajv-keywords "^3.1.0" - schema-utils@^2.0.0, schema-utils@^2.0.1, schema-utils@^2.5.0, schema-utils@^2.6.1, schema-utils@^2.6.4, schema-utils@^2.6.6, schema-utils@^2.7.0: version "2.7.0" resolved "https://registry.yarnpkg.com/schema-utils/-/schema-utils-2.7.0.tgz#17151f76d8eae67fbbf77960c33c676ad9f4efc7" @@ -21304,13 +21282,13 @@ v8flags@~3.2.0: dependencies: homedir-polyfill "^1.0.1" -val-loader@^1.1.1: - version "1.1.1" - resolved "https://registry.yarnpkg.com/val-loader/-/val-loader-1.1.1.tgz#32ba8ed5c3607504134977251db2966499e15ef7" - integrity sha512-JLqLXJWCVLXTxbUeHhLpWkgl3+X3U8Bl0vY7rTFZgFSbLJaEtAxuD2ixy/cM8w/gzC7sS3NE5IDSzClDt332sw== +val-loader@^2.1.2: + version "2.1.2" + resolved "https://registry.yarnpkg.com/val-loader/-/val-loader-2.1.2.tgz#3f2efaed5791791727df62858ccaa07fc27579e7" + integrity sha512-slp7F4QaEE3h2dCKb28ulCkgVYqpbTcx9u/8or+lpWGOn5v7+hrQXZ+dGbblrIf2LBkVZBCiinLh7DgYO4Ds5g== dependencies: - loader-utils "^1.0.0" - schema-utils "^0.4.5" + loader-utils "^2.0.0" + schema-utils "^3.0.0" validate-npm-package-license@^3.0.1: version "3.0.1"