
Determine how to handle CVEs on transitive dependencies in release branches blocking create-gui-pr workflow #2498

Open
kleinfreund opened this issue Apr 25, 2024 · 1 comment
Labels
kind/cleanup Cleanup/refactor an existing component/code triage/accepted The issue was reviewed and is complete enough to start working on it

Comments

@kleinfreund (Contributor)

Description

The create-gui-pr workflow fails if there are any critical vulnerabilities in our dependencies. This blocks changes from release branches making their way into Kuma.

We need to determine how to update vulnerable transitive dependencies in our lock file so we can merge changes in the release branch and have them land in Kuma.

Notes:

  • We want something like npm audit fix but working. Last time I checked, npm audit fix is unreliable at best and flat out not working at worst. But the principle of "update the vulnerable dependency in our lock file to the earliest non-vulnerable version" is what we’re looking for.

  • A hacky way to update vulnerable transitive dependencies would look something like this:

    # Create the right lock file entry
    npm install --save-dev package@$NonVulnerableVersion
    # Consolidate the duplicated lock file entries (leaving the newly added one in general)
    npm dedupe
    # Remove the package again (we don’t actually need it, we just install it to generate the right lock file entry)
    npm remove package
@kleinfreund kleinfreund added triage/pending This issue will be looked at on the next triage meeting kind/cleanup Cleanup/refactor an existing component/code labels Apr 25, 2024
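An added example, not code from the kuma-gui project or from this issue: a small Python check that lists every copy of a package in package-lock.json, including nested transitive copies under node_modules/<parent>/node_modules/<package>, that is still below the first non-vulnerable version. It is the verification step a practitioner would run before and after the install/dedupe/remove technique above; the sample lock file and package names are constructed.

```python
"""List lock-file copies of a package still below a known fixed version.

Added example (not from the kuma-gui project): reads an npm package-lock.json
(lockfileVersion 2/3 "packages" map, where transitive dependencies appear as
nested node_modules paths) and reports every installed copy of a package whose
version is lower than the earliest non-vulnerable version.
"""
import json
import re

# Constructed sample lock file: the top-level copy is already fixed, but a
# nested transitive copy pulled in by "some-tool" is still on 2.2.0.
SAMPLE_LOCK = json.dumps({
    "name": "gui", "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {"example-lib": "^2.0.0"}},
        "node_modules/example-lib": {"version": "2.3.1"},
        "node_modules/some-tool": {"version": "1.0.0",
                                   "dependencies": {"example-lib": "^2.2.0"}},
        "node_modules/some-tool/node_modules/example-lib": {"version": "2.2.0"},
    },
})

_SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(v):
    """Return (major, minor, patch) for a semver string; raise on anything else."""
    m = _SEMVER.match(v)
    if not m:
        raise ValueError(f"not a semver version: {v!r}")
    return tuple(int(x) for x in m.groups())


def vulnerable_entries(lock_json, package, fixed_version):
    """Sorted (path, version) pairs for copies of `package` below `fixed_version`.

    Every path ending in node_modules/<package> is an installed copy, so nested
    transitive copies are covered, not only the top-level one. Entries without
    a version (e.g. workspace links) are skipped.
    """
    lock = json.loads(lock_json)
    fixed = parse_version(fixed_version)
    suffix = f"node_modules/{package}"
    hits = []
    for path, entry in lock.get("packages", {}).items():
        version = entry.get("version")
        if version and (path == suffix or path.endswith("/" + suffix)):
            if parse_version(version) < fixed:
                hits.append((path, version))
    return sorted(hits)


if __name__ == "__main__":
    for path, version in vulnerable_entries(SAMPLE_LOCK, "example-lib", "2.3.0"):
        print(f"{path} still at {version} (< 2.3.0)")
```

Point it at the real lock file with `vulnerable_entries(open("package-lock.json").read(), name, fixed)`; an empty result after `npm dedupe` confirms the technique removed the vulnerable copy.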
@kleinfreund (Contributor, Author)

kleinfreund commented Apr 29, 2024

  1. As a temporary solution, we want to make the create-gui-pr workflow not fail on any reported CVEs (while still generating the report) on release branches.

  2. Add a nightly workflow that runs a grype scan and updates vulnerable dependencies in the lock file to a known fixed version (e.g. using the technique showcased in #2498 (comment) or a dedicated tool for this; e.g. something like npm audit fix but working).

  3. Maybe ignore current CVEs via a grype configuration file.

@jakubdyszkiewicz jakubdyszkiewicz added triage/accepted The issue was reviewed and is complete enough to start working on it and removed triage/pending This issue will be looked at on the next triage meeting labels Apr 29, 2024