(security): update webpack-dev-server to address cves

[d-buckner]

Description

This addresses 11 CVEs associated with webpack-dev-server v3.

Resolved CVE	Vulnerable Library
CVE-2024-37890	ws-6.2.2
CVE-2024-43796	express-4.19.2
CVE-2024-45590	body-parser-1.20.2
CVE-2024-21536	http-proxy-middleware-0.19.1
CVE-2024-47764	cookie-0.6.0
CVE-2024-29415	ip-1.1.9
CVE-2024-29180	webpack-dev-middleware-3.7.2
CVE-2024-52798	path-to-regexp-0.1.7
CVE-2024-45296	path-to-regexp-0.1.7
CVE-2024-43800	serve-static-1.15.0
CVE-2024-43799	send-0.18.0

Issues Resolved

fixes #389

Verification

I was able to diff the dist artifacts with and without these changes. The only change across all of the generated artifacts is in the charts_theme module.

/******/ 	// Load entry module and return exports
- /******/ 	return __webpack_require__(__webpack_require__.s = "./themes/charts/themes.ts");
+ /******/ 	return __webpack_require__(__webpack_require__.s = 0);
/******/ })

I've validated that the imported chart theme object is identical as is the type definition file.

I've also manually validated the docs pages.

Check List

• New functionality includes testing.
• New functionality has been documented.
• All tests pass
  • yarn lint
  • yarn test-unit
• Update CHANGELOG.md
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[virajsanghvi]

How have we tested the impact of this change? Can we validate it doesn't have impact on generated artifacts?

[virajsanghvi]

We'd want to to move the existing unreleased items to 1.18 and then add this to the unreleased section

[d-buckner]

Makes sense, I'll update this

[d-buckner]

How have we tested the impact of this change? Can we validate it doesn't have impact on generated artifacts?

I've done cursory testing with the integration tests and by running the dev server. I'm planning on also doing the following

1. update webpack-cli since I realize it's mismatched with webpack itself. One breaking change I know I'll have to address is the deprecation of the --output-library-target override we use to compile the charts to commonjs.
2. diff the dist folder with a build with and without this change.

@virajsanghvi Let me know if this doesn't properly address your comment.

[d-buckner]

I've updated with the webpack-cli update and I've added the verification process in the PR description.

[d-buckner]

These are no longer directly configurable from the cli after the update. I've updated these to get passed into the webpack config.

[AMoo-Miki]

nit: Anything you see around /* OUI -> EUI Aliases */ was semi-automatically added when we were adding aliases and are meant to be semi-automatically removable. Pulling this into a util function, while the originals code blocks will be removed with the next major release, the util will be left over.

PS: noticed that it would still be used by the OUI version after the next major version.

[d-buckner]

Gotcha. The util is also used for the non-aliased build.