#2052: update vulnerable npm dependencies (npm audit fix) #2087
base: master
Thanks! How did you manage? I was stuck with

Your patch seems to break Docker builds though: https://github.com/shaarli/Shaarli/actions/runs/9180779024/job/25245995113?pr=2087

#25 [node 3/3] RUN cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules
#25 0.222 yarn install v1.22.18
#25 0.319 [1/4] Resolving packages...
#25 0.538 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.1.2"
#25 0.541 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.0.1"
#25 0.651 [2/4] Fetching packages...
#25 7.997 error babel-loader@9.1.3: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
#25 8.004 error Found incompatible module.
#25 8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
#25 ERROR: process "/bin/sh -c cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules" did not complete successfully: exit code: 1
------
> [node 3/3] RUN cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules:
0.222 yarn install v1.22.18
0.319 [1/4] Resolving packages...
0.538 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.1.2"
0.541 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.0.1"
0.651 [2/4] Fetching packages...
7.997 error babel-loader@9.1.3: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
8.004 error Found incompatible module.
8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
Dockerfile:21
--------------------
20 | COPY --from=composer /app/shaarli shaarli
21 | >>> RUN cd shaarli \
22 | >>> && yarnpkg install \
23 | >>> && yarnpkg run build \
24 | >>> && rm -rf node_modules
25 |
--------------------
ERROR: failed to solve: process "/bin/sh -c cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules" did not complete successfully: exit code: 1
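The build log above fails on yarn's engine check: babel-loader@9.1.3 declares `engines.node >= 14.15.0` and the image ships Node 12.22.12. The following is an added example, not code from the Shaarli project or from either commenter, showing how a maintainer can reproduce that check locally before a Docker build runs. It implements a minimal node-style semver range matcher (`>=`, `>`, `<=`, `<`, `=`, `^`, `~`, and `||` alternatives, which is more general than the single `>=` range in the log) and applies it to a constructed table of module-to-range entries; the module names and ranges other than babel-loader's are made up for illustration.

```python
"""Minimal 'engines.node' compatibility check (added example, not Shaarli code).

Mirrors the kind of check yarn performs when it reports
'The engine "node" is incompatible with this module', so that a maintainer
can predict such failures before a Docker build runs.
"""
import re

# Constructed sample of what a manifest/lockfile scan might yield:
# module name -> engines.node range (None when the package declares none).
# Only the babel-loader entry comes from the build log on this page.
SAMPLE_ENGINES = {
    "babel-loader@9.1.3": ">= 14.15.0",
    "some-old-lib@1.0.0": None,
    "modern-tool@2.0.0": "^18.0.0 || >=20.0.0",
    "legacy-tool@0.9.0": "~12.22.0",
}


def parse_version(text):
    """'12.22.12' or 'v18' -> (12, 22, 12) / (18, 0, 0); missing parts default to 0."""
    parts = text.strip().lstrip("v").split(".")
    nums = [int(re.match(r"\d+", p).group()) for p in parts[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


# One comparator: optional operator, optional 'v', then 1 to 3 numeric parts.
_COMPARATOR = re.compile(r"(>=|<=|>|<|=|\^|~)?\s*v?(\d+(?:\.\d+){0,2})")


def _satisfies_comparator(version, op, target_text):
    """Evaluate a single comparator such as ('>=', '14.15.0') against version."""
    target = parse_version(target_text)
    if op in ("", "="):
        return version == target
    if op == ">=":
        return version >= target
    if op == ">":
        return version > target
    if op == "<=":
        return version <= target
    if op == "<":
        return version < target
    if op == "^":
        # Caret: anything from target up to (not including) the next major
        # (next minor when major is 0, as in npm's semver rules).
        upper = (target[0] + 1, 0, 0) if target[0] > 0 else (0, target[1] + 1, 0)
        return target <= version < upper
    if op == "~":
        # Tilde: anything from target up to (not including) the next minor.
        upper = (target[0], target[1] + 1, 0)
        return target <= version < upper
    raise ValueError(f"unsupported operator {op!r}")


def satisfies(version_text, range_text):
    """True if version_text satisfies a node-style semver range.

    Comparators separated by whitespace are ANDed; '||' separates
    alternatives that are ORed. A missing or '*' range accepts any version.
    """
    if range_text is None or range_text.strip() in ("", "*"):
        return True
    version = parse_version(version_text)
    for alternative in range_text.split("||"):
        comparators = _COMPARATOR.findall(alternative)
        if comparators and all(
            _satisfies_comparator(version, op, tgt) for op, tgt in comparators
        ):
            return True
    return False


def incompatible_modules(node_version, engines=SAMPLE_ENGINES):
    """Return {module: range} for every module whose engines.node rejects node_version."""
    return {name: rng for name, rng in engines.items() if not satisfies(node_version, rng)}


if __name__ == "__main__":
    # Node 12.22.12 is the version from the failing build; 18.20.0 is an
    # assumed target after the base image upgrade discussed in this PR.
    for node in ("12.22.12", "18.20.0"):
        bad = incompatible_modules(node)
        print(f"node {node}: {len(bad)} incompatible module(s)")
        for name, rng in bad.items():
            print(f'  error {name}: expected "{rng}", got "{node}"')
```

Run against the table as constructed, Node 12.22.12 is rejected by babel-loader and the made-up `modern-tool`, while Node 18.20.0 is rejected only by the made-up `legacy-tool` pinned to `~12.22.0`; that second case is the kind of regression to look for after bumping the base image, since a package that only supports an old Node line will fail the same engine check in the other direction.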
Hi. I think I fixed the Docker builds by upgrading Node (and Alpine, which I saw you did in another branch). For the dependencies, I upgraded everything manually. First I edited package.json with all asterisks to get the latest versions of everything. Then I downgraded anything that was broken (and I couldn't fix). Then I put the versions that worked back into package.json. I used Node 18 because that is what I'm using on my servers, but I'm pretty sure everything would work with Node 20.
👍 I think your last changes broke the PR: there are now 35 commits in this PR, some from 2020... https://github.com/shaarli/Shaarli/pull/2087/commits. Can you please check and/or rebase on master?
Sorry about that. I did a rebase and I think it looks ok now.
Hi. In this branch I updated all the Node packages to the very latest versions that I could. Now the Trivy scans pass and GitHub Actions no longer warn about using Node 16.
The biggest issue I had was stylelint, which checks the default Sass files. It changed significantly, but older versions rely on postcss, and that had a vulnerability in the older versions.
I didn't touch Docker, but I think everything else is working fine.