
[Backport 1.3][CVE-2022-1537] Bump grunt from 1.5.2 to 1.5.3 #4277

Merged
merged 1 commit into from
Jun 12, 2023

Conversation

ZilongX
Collaborator

@ZilongX ZilongX commented Jun 12, 2023

Description

Issues Resolved

#1579

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
    • yarn test:ftr
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

Signed-off-by: Zilong Xia <zilongx@amazon.com>
@ZilongX ZilongX added the cve (Security vulnerabilities detected by Dependabot or Mend) and v1.3.11 labels Jun 12, 2023
@joshuarrrr
Member

This is a manual backport of
#3723 tailored for 1.3 as Node 10 is in use for OSD 1.3

@ZilongX doesn't 1.x also use Node 10? Not sure I follow why 1.3 would need a different type of fix from 1.x.

@codecov

codecov bot commented Jun 12, 2023

Codecov Report

Merging #4277 (c2188e2) into 1.3 (b48264e) will increase coverage by 0.00%.
The diff coverage is n/a.

@@           Coverage Diff           @@
##              1.3    #4277   +/-   ##
=======================================
  Coverage   67.45%   67.46%           
=======================================
  Files        3044     3044           
  Lines       58692    58692           
  Branches     8902     8902           
=======================================
+ Hits        39593    39595    +2     
+ Misses      16946    16945    -1     
+ Partials     2153     2152    -1     
Flag    Coverage Δ
Linux   67.46% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 1 file with indirect coverage changes

@ananzh
Member

ananzh commented Jun 12, 2023

@ZilongX Why not bump in 1.x then backport to 1.3 or is there a PR that I missed?
Meanwhile ^1.5.2 already includes 1.5.3. A clean yarn.lock and bootstrap should update to 1.5.3 if that is the latest 1.5.x. But I'm okay with the change.

@ZilongX
Collaborator Author

ZilongX commented Jun 12, 2023

This is a manual backport of
#3723 tailored for 1.3 as Node 10 is in use for OSD 1.3

@ZilongX doesn't 1.x also use Node 10? Not sure I follow why 1.3 would need a different type of fix from 1.x.

Depends on where we are cutting the release tag for 1.3.11; based on current release behavior the new patch for 1.3.x seems to be cut from 1.3 rather than 1.x.

So basically 1.x would only be used for any new minor version (like 1.4), which I don't think is in scope; correct me if I'm wrong here though.

1.x is lagging pretty far behind compared to 1.3: 1.x...1.3 FYI

@ZilongX
Collaborator Author

ZilongX commented Jun 12, 2023

@ZilongX Why not bump in 1.x then backport to 1.3 or is there a PR that I missed? Meanwhile ^1.5.2 already includes 1.5.3. A clean yarn.lock and bootstrap should update to 1.5.3 if that is the latest 1.5.x. But I'm okay with the change.

As replied above to @joshuarrrr: is 1.x still in use? Per my current understanding the new release (like 1.3.11) would be cut from branch 1.3 rather than 1.x, so basically we may just need to keep the 1.3 branch up to date.

^1.5.2 already includes 1.5.3 -> yes and no; the caret (^) only locks the first non-zero version component, in this case the major 1, so if you try a fresh lock it would actually bring the dependency to 1.6.something, which would break OSD 1.3 as grunt 1.6 requires Node 16+.

On the other hand the tilde (~) would actually lock both major and minor and only allow patch versions in such a case.

@ananzh
Member

ananzh commented Jun 12, 2023

@ZilongX Aha I remembered this.

This fix could be patched to 1.x because v1.5.3 requires node>=8 and has no breaking changes. This is the latest version with no node conflicts. grunt requires node>=16 since v1.6.0. Therefore, we need to make a slight change and make the bump range very specific.

Thanks for the explanation. I modified the title to add [Backport 1.3].
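The two comments above (the caret/tilde explanation and the note that the bump range must be made very specific because grunt 1.6.0 moved to node>=16) can be checked with a small model of how a fresh lock resolves a range. The code below is an added example and is not part of this PR or of the OpenSearch Dashboards code base; the registry it resolves against is constructed for the example (the engines values for 1.5.3 and 1.6.0 are the ones stated in the thread, the others are illustrative), and the range matcher only implements the major > 0 case that applies to grunt 1.x.

```javascript
// Added example (not project code): minimal caret/tilde range resolution
// against a constructed registry, plus an engines.node compatibility check.

const parse = (v) => v.split('.').map(Number);

// Three-way compare of dotted versions: negative if a < b, 0 if equal, positive if a > b.
const cmp = (a, b) => {
  const [a1, a2, a3] = parse(a), [b1, b2, b3] = parse(b);
  return a1 - b1 || a2 - b2 || a3 - b3;
};

// Range semantics for a non-zero major (the grunt 1.x case; 0.x rules are omitted):
//   ^X.Y.Z  -> >=X.Y.Z <(X+1).0.0   (major locked, minor and patch float)
//   ~X.Y.Z  -> >=X.Y.Z <X.(Y+1).0   (major and minor locked, patch floats)
//   X.Y.Z   -> exactly X.Y.Z
function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = op ? range.slice(1) : range;
  const [maj, min] = parse(base);
  if (cmp(version, base) < 0) return false;
  if (op === '^') return cmp(version, `${maj + 1}.0.0`) < 0;
  if (op === '~') return cmp(version, `${maj}.${min + 1}.0`) < 0;
  return cmp(version, base) === 0;
}

// Constructed registry: published version -> minimum Node major from engines.node.
// 1.5.3 -> node>=8 and 1.6.0 -> node>=16 come from the thread; the rest are illustrative.
const REGISTRY = {
  '1.5.2': 8,
  '1.5.3': 8,
  '1.6.0': 16,
  '1.6.1': 16,
};

// A fresh lock (no existing yarn.lock entry) takes the highest version that satisfies the range.
function resolve(range, registry = REGISTRY) {
  const matching = Object.keys(registry).filter((v) => satisfies(v, range));
  if (matching.length === 0) return null;
  return matching.sort(cmp)[matching.length - 1];
}

// True when the resolved version's engines.node minimum is met by the runtime's Node major.
function enginesOk(range, nodeMajor, registry = REGISTRY) {
  const v = resolve(range, registry);
  return v !== null && registry[v] <= nodeMajor;
}

// Stand-alone demo for OSD 1.3 on Node 10: '^1.5.2' floats to 1.6.1 and fails the
// engines check, '~1.5.2' and the exact pin stop at 1.5.3 and pass.
if (typeof require !== 'undefined' && require.main === module) {
  for (const range of ['^1.5.2', '~1.5.2', '1.5.3']) {
    console.log(range, '->', resolve(range), 'node 10 ok:', enginesOk(range, 10));
  }
}
```

Running it shows why the PR pins the range narrowly: under the caret range a regenerated lockfile would select a 1.6.x release whose engines requirement Node 10 cannot satisfy, while the tilde range or an exact pin resolves to 1.5.3, the fixed release that still runs on Node 8+.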

@ananzh ananzh changed the title [CVE-2022-1537] Bump grunt from 1.5.2 to 1.5.3 [Backport 1.3][CVE-2022-1537] Bump grunt from 1.5.2 to 1.5.3 Jun 12, 2023
@ananzh ananzh merged commit 49a318b into opensearch-project:1.3 Jun 12, 2023
@ZilongX ZilongX deleted the 1.3 branch June 14, 2023 19:59