TEZ-4422 : [CVE-2021-43138] Upgrade async from 2.3.0 to 2.6.4

[amanraj2520]

Upgrade async from 2.3.0 to 2.6.4 to fix the vulnerability. Also an upgrade of yarn version to 1.6.0 and frontend maven plugin to 1.8.0 was done along with this change. Link to JIRA : https://issues.apache.org/jira/browse/TEZ-4422

Link to parent JIRA : https://issues.apache.org/jira/browse/TEZ-4419

RFC documentation : https://github.com/yarnpkg/rfcs/blob/master/implemented/0000-selective-versions-resolutions.md

[amanraj2520]

@abstractdog Can you please review this PR. As suggested by you, I am raising individual PR's for the TEZ-4419 parent issue.

[tez-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	13m 49s	Docker mode activated.
		_ Prechecks _
+1 💚	dupname	0m 0s	No case conflicting files found.
+1 💚	@author	0m 0s	The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s	The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
		_ master Compile Tests _
+0 🆗	mvndep	6m 49s	Maven dependency ordering for branch
+1 💚	mvninstall	11m 8s	master passed
+1 💚	compile	3m 44s	master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚	compile	3m 21s	master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚	javadoc	2m 52s	master passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚	javadoc	2m 13s	master passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
		_ Patch Compile Tests _
+0 🆗	mvndep	0m 17s	Maven dependency ordering for patch
+1 💚	mvninstall	6m 33s	the patch passed
+1 💚	compile	3m 34s	the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚	javac	3m 34s	the patch passed
+1 💚	compile	3m 19s	the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
+1 💚	javac	3m 19s	the patch passed
+1 💚	whitespace	0m 0s	The patch has no whitespace issues.
+1 💚	xml	0m 3s	The patch has no ill-formed XML file.
+1 💚	javadoc	2m 38s	the patch passed with JDK Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1
+1 💚	javadoc	2m 11s	the patch passed with JDK Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
		_ Other Tests _
+1 💚	unit	2m 17s	tez-ui in the patch passed.
+1 💚	unit	70m 6s	root in the patch passed.
+1 💚	asflicense	1m 9s	The patch does not generate ASF License warnings.
		137m 18s

Subsystem	Report/Notes
Docker	ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-217/1/artifact/out/Dockerfile
GITHUB PR	#217
Optional Tests	dupname asflicense javac javadoc unit xml compile
uname	Linux 95e936e1f84c 4.15.0-169-generic #177-Ubuntu SMP Thu Feb 3 10:50:38 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	personality/tez.sh
git revision	master / e5a5578
Default Java	Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Private Build-11.0.15+10-Ubuntu-0ubuntu0.20.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_312-8u312-b07-0ubuntu1~20.04-b07
Test Results	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-217/1/testReport/
Max. process+thread count	1484 (vs. ulimit of 5500)
modules	C: tez-ui . U: .
Console output	https://ci-hadoop.apache.org/job/tez-multibranch/job/PR-217/1/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

[abstractdog]

is this related to async upgrade?

[abstractdog]

please confirm this one

[amanraj2520]

@abstractdog I confirm this change

[abstractdog]

is this related to async upgrade?

[abstractdog]

please confirm this one

[amanraj2520]

@abstractdog I confirm this change

[abstractdog]

I mean, this looks like a major version change of yarn, can you please let me know how is this related to the CVE patch (or is it necessary)?
I prefer doing version changes in separate patches if they're not closely related

[amanraj2520]

@abstractdog The yarnVersion was changed since the selective dependency feature is only supported in yarn 1.0 and above. And yarnVersion of 1.6.0 is compatible with frontend maven plugin 1.8.0. That's why I did this change.

[abstractdog]

cool, thanks for clarifying @amanraj2520 !

[abstractdog]

is this related to async upgrade?

[amanraj2520]

@abstractdog Yes these are related to async upgrade. The yark.lock file is automatically updated based on package.json.

[abstractdog]

left minor comments
I'm fine with upgrading single dependencies separately until Ember3 upgrade is not finished (it looks like a huge PR) if they don't clash with each other

[amanraj2520]

@abstractdog @guptanikhil007 Should we first merge the Ember3 upgrade or push these vulnerability fixes first?

[abstractdog]

I don't think it's a problem to merge these version bumps first, and then do Ember3 update later when @jteagles has the bandwidth for it, please let me know @jteagles if have any objections with this

[amanraj2520]

Yes I think we are good with these changes from our side. I have run tests locally as well with this PR. According to me we can go ahead with this merge @abstractdog

[abstractdog]

+1 LGTM

I'm merging in 12 hours if there are no further comments

[amanraj2520]

@abstractdog Can we please merge this PR. I will raise PR's for remaining vulnerabilities as well after this.

[amanraj2520]

@abstractdog Just a gentle reminder, can you please merge this PR

[abstractdog]

merged, sorry for the delay!