
#2052: update vulnerable npm dependencies (npm audit fix) #2087

Open. Wants to merge 11 commits into base: master.

Conversation

@kcaran commented May 21, 2024

Hi. In this branch I updated all the node packages to the very latest versions that I could. Now the Trivy scans pass and GitHub Actions no longer warns about using Node 16.

The biggest issue I had was stylelint, which checks the default Sass files. It changed significantly, but older versions rely on postcss, and that had a vulnerability in the older versions.

I didn't touch Docker but I think everything else is working fine.

@nodiscc (Member) commented May 22, 2024

Thanks!

How did you manage? I was stuck with npm audit fix errors in #2052

Your patch seems to break Docker builds though https://github.com/shaarli/Shaarli/actions/runs/9180779024/job/25245995113?pr=2087

#25 [node 3/3] RUN cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules
#25 0.222 yarn install v1.22.18
#25 0.319 [1/4] Resolving packages...
#25 0.538 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.1.2"
#25 0.541 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.0.1"
#25 0.651 [2/4] Fetching packages...
#25 7.997 error babel-loader@9.1.3: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
#25 8.004 error Found incompatible module.
#25 8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
#25 ERROR: process "/bin/sh -c cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules" did not complete successfully: exit code: 1
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
Dockerfile:21
--------------------
  20 |     COPY --from=composer /app/shaarli shaarli
  21 | >>> RUN cd shaarli \
  22 | >>>     && yarnpkg install \
  23 | >>>     && yarnpkg run build \
  24 | >>>     && rm -rf node_modules
  25 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules" did not complete successfully: exit code: 1
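The log above fails on two distinct checks: a dependency whose `engines.node` range the Node 12 build image cannot satisfy, and a `resolutions` pin that does not satisfy the ranges other packages requested. The following is an added example, not Shaarli's code or part of this PR: a small pre-flight script that reproduces both checks before a Docker build is attempted. The semver matching is a minimal hand-rolled subset (`>=`, `>`, `^`, `~`, exact, and `||` alternatives), and the input is constructed from the values in the log rather than read from `node_modules` or `yarn.lock`.

```javascript
// Added example (not Shaarli code): pre-flight check for the two failures the yarn log shows.
// In a real run, collect engines.node from node_modules/*/package.json and requested ranges from yarn.lock.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(String(v).trim());
  if (!m) throw new Error(`not a version: ${v}`);
  return [m[1], m[2], m[3]].map((x) => Number(x || 0)); // missing minor/patch default to 0
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// One clause such as ">= 14.15.0", "^5.1.2", "~1.2.3" or "1.2.3"; hyphen and "a b" ranges are not supported.
function satisfiesClause(version, clause) {
  const m = /^(>=|>|\^|~|=)?\s*(v?\d[\d.]*)$/.exec(clause.trim());
  if (!m) throw new Error(`unsupported range: ${clause}`);
  const v = parseVersion(version), r = parseVersion(m[2]);
  switch (m[1] || '=') {
    case '>=': return cmp(v, r) >= 0;
    case '>': return cmp(v, r) > 0;
    case '~': return cmp(v, r) >= 0 && v[0] === r[0] && v[1] === r[1];
    case '^': // same major line; for 0.x releases the minor is the compatibility line
      return cmp(v, r) >= 0 && (r[0] > 0 ? v[0] === r[0] : v[0] === 0 && v[1] === r[1]);
    default: return cmp(v, r) === 0;
  }
}
// engines fields often list alternatives: ">=14.15.0 || >=16".
function satisfies(version, range) {
  return range.split('||').some((c) => satisfiesClause(version, c));
}
// Dependencies whose engines.node range the build image's Node cannot satisfy (the babel-loader error).
function incompatibleEngines(nodeVersion, depEngines) {
  return Object.entries(depEngines)
    .filter(([, range]) => !satisfies(nodeVersion, range))
    .map(([dep, range]) => `${dep}: engine "node" expected "${range}", got "${nodeVersion}"`);
}
// Resolution pins that fail a range some dependency requested (the string-width warnings).
function badResolutions(resolutions, requested) {
  const out = [];
  for (const [pkg, pinned] of Object.entries(resolutions))
    for (const range of requested[pkg] || [])
      if (!satisfies(pinned, range)) out.push(`${pkg}@${pinned} does not satisfy ${pkg}@${range}`);
  return out;
}
// Constructed from the failing build: Node 12.22.12 image, babel-loader 9.1.3's engine range,
// and the string-width 4.2.3 pin versus the two ^5 ranges that were requested.
const DEP_ENGINES = { 'babel-loader@9.1.3': '>= 14.15.0' };
const RESOLUTIONS = { 'string-width': '4.2.3' };
const REQUESTED = { 'string-width': ['^5.1.2', '^5.0.1'] };
for (const line of incompatibleEngines('12.22.12', DEP_ENGINES)) console.log('error', line);
for (const line of badResolutions(RESOLUTIONS, REQUESTED)) console.log('warning', line);
```

Running the same checks with `process.version` on the Node 18 image the author later switched to reports no engine error, while the resolution warnings remain until the pin is raised or dropped.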

@nodiscc nodiscc added security dependencies Pull requests that update a dependency file labels May 22, 2024
@nodiscc nodiscc added this to the 0.14.0 milestone May 22, 2024
@kcaran (Author) commented May 22, 2024

Hi. I think I fixed the Docker builds by upgrading Node (and Alpine, which I saw you did in another branch).

For the dependencies, I upgraded everything manually. First I edited package.json with all asterisks to get the latest versions of everything. Then I downgraded anything that was broken (and I couldn't fix). Then I put the versions that worked back into package.json.

I used Node 18 because that is what I'm using on my servers, but I'm pretty sure everything would work with Node 20.

@nodiscc (Member) commented May 23, 2024

👍

I think your last changes broke the PR: there are now 35 commits in this PR, some from 2020... https://github.com/shaarli/Shaarli/pull/2087/commits. Can you please check and/or rebase on master?

@kcaran (Author) commented May 27, 2024

Sorry about that. I did a rebase and I think it looks ok now.
