fix(dashboard-ks-extension): resolve ejs template injection vulnerabi…

[zmrlft]

Ⅰ. Describe what this PR does

Fixes template injection vulnerability (GHSA-phwq-j96m-2c2q)(CVE-2022-29078) in ejs@^2.6.1 which is a transitive dependency via @ks-console/server@4.1.1 -> koa-ejs@4.3.0.

Since upstream packages (@ks-console/server and koa-ejs) are already at latest versions, this PR adds a resolutions field in package.json to force all dependencies to use ejs@3.1.10 (contains vulnerability fixes).

Ⅱ. Does this pull request fix one issue?

fixes GHSA-phwq-j96m-2c2q (CVE-2022-29078)

Ⅲ. List the added test cases

No new test cases. This change only enforces a dependency version and doesn't modify application logic.

Ⅳ. Describe how to verify it

1. Check out this branch and run yarn install
2. Verify ejs version: yarn why ejs should show 3.1.10
3. Start the app with yarn dev and confirm extension work normally

Ⅴ. Special notes for reviews

• Uses Yarn resolutions to override transitive dependency version
• Confirm ejs@3.1.10 is installed and application functions correctly after update
• Confirm dependabot no alert

[fluid-e2e-bot]

Hi @zmrlft. Thanks for your PR.

I'm waiting for a fluid-cloudnative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.71%. Comparing base (448d66d) to head (9876d91).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #5266   +/-   ##
=======================================
  Coverage   56.70%   56.71%           
=======================================
  Files         440      440           
  Lines       30369    30369           
=======================================
+ Hits        17220    17223    +3     
+ Misses      11537    11535    -2     
+ Partials     1612     1611    -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[RongGu]

/lgtm
/approve

[fluid-e2e-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RongGu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [RongGu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment