chore(dependencies): Update lodash to 4.17.21 and patch jshs2 package; upgrade OpenJDK to 21 in Dockerfile

Update debian base image in jdk Dockerfile

Author: gjav92

package.json

@@ -67,7 +67,11 @@
   },
   "resolutions": {
     "es5-ext": "0.10.53",
-    "lodash": "^4.17.0",
+    "lodash": "4.17.21",
+    "**/lodash": "4.17.21",
+    "jshs2/**/lodash": "4.17.21",
+    "**/jshs2/lodash": "4.17.21",
+    "**/form-data": "^2.5.4",
     "@types/node": "^20",
     "@types/ramda": "0.27.40",
     "thrift": "0.20.0"

packages/cubejs-docker/latest-debian-jdk.Dockerfile

@@ -1,5 +1,5 @@
 # syntax=docker/dockerfile-upstream:master-experimental
-FROM node:22.18.0-bookworm-slim AS builder
+FROM node:22-trixie-slim AS builder
 
 WORKDIR /cube
 COPY . .
@@ -12,17 +12,33 @@ RUN yarn config set network-timeout 120000 -g
 RUN apt-get update \
     # python3 package is necessary to install `python3` executable for node-gyp
     # libpython3-dev is needed to trigger post-installer to download native with python
-    && apt-get install -y python3 python3.11 libpython3.11-dev gcc g++ make cmake openjdk-17-jdk-headless \
+    && apt-get install -y python3 python3-dev gcc g++ make cmake openjdk-21-jdk-headless wget \
     && rm -rf /var/lib/apt/lists/*
 
 # We are copying root yarn.lock file to the context folder during the Publish GH
 # action. So, a process will use the root lock file here.
 RUN yarn install --prod \
     # Remove DuckDB sources to reduce image size
     && rm -rf /cube/node_modules/duckdb/src \
-    && yarn cache clean
-
-FROM node:22.18.0-bookworm-slim
+    && yarn cache clean \
+    # FIX CVE-2019-10744: Patch lodash in unmaintained jshs2 package
+    # jshs2 hasn't been updated since 2017 and bundles lodash 3.10.1 with critical vulnerabilities
+    # This is a temporary fix until migration to hive-driver is completed
+    && if [ -d /cube/node_modules/jshs2/node_modules/lodash ]; then \
+        echo "Patching lodash in jshs2 from 3.10.1 to 4.17.21 (CVE-2019-10744 fix)" && \
+        rm -rf /cube/node_modules/jshs2/node_modules/lodash && \
+        cp -r /cube/node_modules/lodash /cube/node_modules/jshs2/node_modules/; \
+    fi
+
+# FIX CVE-2022-41853: Update hsqldb from 2.3.2 to 2.7.1
+# Note: This is a JAR file that cannot be fixed via npm/yarn resolutions
+RUN wget -O /tmp/hsqldb-2.7.1.jar https://repo1.maven.org/maven2/org/hsqldb/hsqldb/2.7.1/hsqldb-2.7.1.jar \
+    && if [ -f /cube/node_modules/@cubejs-backend/jdbc/drivers-10.17/hsqldb.jar ]; then \
+        mv /tmp/hsqldb-2.7.1.jar /cube/node_modules/@cubejs-backend/jdbc/drivers-10.17/hsqldb.jar; \
+    fi \
+    && rm -f /tmp/hsqldb-2.7.1.jar
+
+FROM node:22-trixie-slim
 
 ARG IMAGE_VERSION=unknown
 
@@ -32,7 +48,7 @@ ENV CUBEJS_DOCKER_IMAGE_TAG=latest
 RUN groupadd cube && useradd -ms /bin/bash -g cube cube \
     && DEBIAN_FRONTEND=noninteractive \
     && apt-get update \
-    && apt-get install -y --no-install-recommends libssl3 openjdk-17-jre-headless python3.11 libpython3.11-dev \
+    && apt-get install -y --no-install-recommends libssl3 openjdk-21-jre-headless python3 python3-dev \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir cube \
     && chown -R cube:cube /tmp /cube /usr