
Update dependencies for audit #2153

Closed
wants to merge 2 commits into from

Conversation

@phaumer (Member) commented Feb 22, 2023

Proposed changes

Using the zowe-explorer-api brought with it several security audits as it was using older Zowe dependencies. Updating to the latest eliminated most resolutions. The hope is that this could be published as a v2.6.2.

One area I did not want to touch was mocha as I am not familiar with the integration tests anymore, but updating that to a newer version would simplify this even further.

Release Notes

Milestone:

Changelog:

Types of changes

What types of changes does your code introduce to Zowe Explorer?
Put an x in the boxes that apply

  • Bugfix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Updates to Documentation or Tests (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This checklist will be used as reference for both the contributor and the reviewer

  • I have read the CONTRIBUTOR GUIDANCE wiki
  • PR title follows Conventional Commits Guidelines
  • PR Description is included
  • gif or screenshot is included if visual changes are made
  • yarn workspace vscode-extension-for-zowe vscode:prepublish has been executed
  • All checks have passed (DCO, Jenkins and Code Coverage)
  • I have added unit test and it is passing
  • I have added integration test and it is passing
  • There is coverage for the code that I have added
  • I have tested it manually and there are no regressions found
  • I have added necessary documentation (if appropriate)
  • Any PR dependencies have been merged and published (if appropriate)

Further comments

Signed-off-by: Peter Haumer <[email protected]>
codecov bot commented Feb 22, 2023

Codecov Report

Base: 90.71% // Head: 90.71% // No change to project coverage 👍

Coverage data is based on head (a7dfe6e) compared to base (4aa6d95).
Patch has no changes to coverable lines.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2153   +/-   ##
=======================================
  Coverage   90.71%   90.71%           
=======================================
  Files          86       86           
  Lines        8107     8107           
  Branches     1710     1710           
=======================================
  Hits         7354     7354           
  Misses        752      752           
  Partials        1        1           


Signed-off-by: Peter Haumer <[email protected]>
sonarqubecloud bot commented

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (rating A)
  • Vulnerabilities: 0 (rating A)
  • Security Hotspots: 0 (rating A)
  • Code Smells: 0 (rating A)
  • Coverage: no coverage information
  • Duplication: 0.0%

@t1m0thyj (Member) left a comment

Thanks for updating (and deduping) dependencies 👍

Left a few comments, will approve after testing the branch locally 🙂

@@ -1,5 +1,5 @@
{
"version": "2.6.1-SNAPSHOT",
"version": "2.6.2-SNAPSHOT",
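Review bot: bumping `package.json` from `2.6.1-SNAPSHOT` to `2.6.2-SNAPSHOT` on `main` cannot yield a 2.6.2 patch release, because `main` already carries 2.7.0 work (as the thread itself notes); either drop this version change and move the dependency updates to the maintenance branch, or change the line to `2.7.0-SNAPSHOT` if the updates are meant to stay on `main`. Whichever is chosen, the PR description should say which release line the audit fix targets, since that decides where the resolutions need to land.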
t1m0thyj (Member):

Do we want the version to be "2.7.0-SNAPSHOT" to prepare for the next release on the main branch?

I'm also ok with leaving it as is - it really doesn't matter what the version is since our updated deployment workflow will automatically handle bumping the version when we publish 2.7.0.

phaumer (Member, author):

My apologies. I picked the wrong branch it seems.

Comment on lines +49 to +51
"mocha/**/minimatch": "^3.1.2",
"mocha/**/flat": "^5.0.1",
"**/json5": "^2.2.2"
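Review bot: `"**/json5": "^2.2.2"` is a tree-wide resolution, so Yarn rewrites every json5 requirement in the lockfile to a 2.2.x release even where the depending package declared a 1.x range; Yarn only warns about such incompatible requested ranges and does not verify that the forced major version actually works for those dependents, whereas the two `mocha/**` entries are scoped to one subtree and carry less of that risk. The three lines say nothing about why they exist: note in the PR description which advisory each resolution addresses and which transitive dependency still requests the old range, so they can be removed once upstream packages update, and after `yarn install` confirm in `yarn.lock` that no json5 entry below 2.2.2, no minimatch below 3.1.2 under mocha, and no flat below 5.0.1 remains.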
t1m0thyj (Member) commented Feb 23, 2023:

Curious about these since I think we were trying to remove as many resolutions as possible 🙂

Do we want to hold off on updating Mocha to a newer version because it would introduce major changes that break our tests?

phaumer (Member, author):

Yes, I was just a bit lazy as I have forgotten how to run the integration tests. :-)

json5 seems to be all over the place and could not find a more scoped solution.

t1m0thyj (Member):

The local integration tests are currently broken until we fix #2103. The Theia integration tests that run on every PR build are using Mocha, so I think we could try updating Mocha and if those tests still pass then it should be good to update 🙂

Regarding json5 being all over the place, I believe it's a fairly new vulnerability so probably not all our dependencies have addressed it yet. I agree keeping the resolution makes sense in that case.
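To check whether the floors set by the resolutions discussed above actually hold in the installed tree, here is an added example; it is not code from the Zowe Explorer repository or from any participant in this thread. It is a small Node.js script that parses a Yarn v1 lockfile, lists every resolved version of json5, minimatch and flat that is below the floor the PR's resolutions establish (2.2.2, 3.1.2 and 5.0.1), and reports packages still present in more than one version, which is the same signal the "deduping" remark earlier in the thread refers to. The lockfile excerpt embedded in it is constructed for the example with a fictitious registry host, and the script applies all three floors tree-wide, which is stricter than the `mocha/**` scoping used in the PR.

```javascript
// Added example: audit a Yarn v1 lockfile against version floors such as the
// ones the PR's "resolutions" block establishes. Not part of Zowe Explorer.
// Usage: node lock-audit.js [path/to/yarn.lock]
// Without a path it audits the constructed sample below.

// Floors mirrored from the PR's resolutions: "**/json5": "^2.2.2",
// "mocha/**/minimatch": "^3.1.2", "mocha/**/flat": "^5.0.1".
const MINIMUMS = { json5: "2.2.2", minimatch: "3.1.2", flat: "5.0.1" };

// Constructed lockfile excerpt (not from the Zowe repository); the registry
// host is fictitious. It models a tree where the json5 resolution has not yet
// taken effect: one dependency still resolves json5 to the 1.x line.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@scope/pkg@^1.0.0":
  version "1.4.0"
  resolved "https://registry.example.invalid/@scope/pkg/-/pkg-1.4.0.tgz#deadbeef"

flat@^5.0.2:
  version "5.0.2"
  resolved "https://registry.example.invalid/flat/-/flat-5.0.2.tgz#deadbeef"

json5@^1.0.1:
  version "1.0.1"
  resolved "https://registry.example.invalid/json5/-/json5-1.0.1.tgz#deadbeef"

"json5@^2.1.2", json5@^2.2.2:
  version "2.2.3"
  resolved "https://registry.example.invalid/json5/-/json5-2.2.3.tgz#deadbeef"

minimatch@^3.0.4:
  version "3.1.2"
  resolved "https://registry.example.invalid/minimatch/-/minimatch-3.1.2.tgz#deadbeef"
`;

// Parse the lockfile into { name, ranges, version } records. A header line is
// unindented and ends with ":"; its comma-separated keys are "name@range",
// optionally double-quoted. The package name is everything before the last
// "@", which keeps scoped names such as "@scope/pkg" intact.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const keys = line.slice(0, -1).split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      const ranges = keys.map((k) => k.slice(k.lastIndexOf("@") + 1));
      current = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), ranges, version: null };
      entries.push(current);
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Numeric major.minor.patch comparison; a pre-release suffix is ignored,
// which is sufficient for floors expressed as plain release versions.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Entries whose resolved version is below the floor set for that package.
function findBelowMinimum(entries, minimums) {
  return entries
    .filter((e) => minimums[e.name] && e.version && compareVersions(e.version, minimums[e.name]) < 0)
    .map((e) => ({ ...e, minimum: minimums[e.name] }));
}

// Packages still resolved to more than one version (not deduplicated).
function findDuplicates(entries) {
  const seen = {};
  for (const e of entries) {
    if (!e.version) continue;
    (seen[e.name] = seen[e.name] || new Set()).add(e.version);
  }
  const dupes = {};
  for (const [name, versions] of Object.entries(seen)) {
    if (versions.size > 1) dupes[name] = [...versions].sort(compareVersions);
  }
  return dupes;
}

function auditLock(text, minimums) {
  const entries = parseYarnLock(text);
  return { below: findBelowMinimum(entries, minimums), duplicates: findDuplicates(entries) };
}

const lockText = process.argv[2] ? require("fs").readFileSync(process.argv[2], "utf8") : SAMPLE_LOCK;
const report = auditLock(lockText, MINIMUMS);
for (const e of report.below) {
  console.log(`BELOW FLOOR ${e.name}@${e.version} (floor ${e.minimum}; requested ${e.ranges.join(", ")})`);
}
for (const [name, versions] of Object.entries(report.duplicates)) {
  console.log(`DUPLICATE ${name}: ${versions.join(", ")}`);
}
if (report.below.length === 0) console.log("all floors satisfied");
```

On the sample the script flags `json5@1.0.1` as below the 2.2.2 floor and reports json5 as present in two versions; on a real `yarn.lock` produced after the resolutions are applied, both lists should be empty for the three packages. Because a `**/` resolution overrides whatever range the dependent declared, a clean result only shows the floor is met, not that a package which asked for json5 1.x still works with 2.x, so the integration tests remain the check for that.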

@JillieBeanSim (Contributor) commented:

The changes work well for me.
If we wanted to release a 2.6.2 this should be rebased against maintenance to avoid publishing 2.7.0 work already on main.

@JillieBeanSim (Contributor) commented:

Thanks for these updates @phaumer
Closing this PR in favor of #2156 against maintenance for a 2.6.2 release. Commits here are cherry-picked into 2156.

@phaumer phaumer deleted the dependency-updates branch February 24, 2023 16:57