lightswitch05 · lightswitch05 · Feb 22, 2023 · Feb 22, 2023
diff --git a/.github/bot-scripts/index.js b/.github/bot-scripts/index.js
@@ -7,5 +7,6 @@ module.exports = {
 		require("./renameCommitGetPRInfo")(...args),
 	renameCommitCheck: (...args) => require("./renameCommitCheck")(...args),
 	renameCommitFeedback: (...args) =>
-		require("./renameCommitFeedback")(...args)
+		require("./renameCommitFeedback")(...args),
+	nodeVersionAudit: () => require("./nodeVersionAudit")(),
 };
diff --git a/.github/bot-scripts/nodeVersionAudit.js b/.github/bot-scripts/nodeVersionAudit.js
@@ -0,0 +1,59 @@
+/// <reference path="types.d.ts" />
+// @ts-check
+const fs = require('fs');
+const childProcess = require('child_process');
+
+const baseNodeTagMatch = new RegExp(/^FROM node:(\S+)/);
+
+/**
+ * @param {[string]} dockerfilePaths
+ * @returns {Promise<Set<string>>}
+ */
+async function getNodeTagsFromDockerfile(dockerfilePaths) {
+	const tags = new Set();
+	try {
+		for (const dockerfilePath of dockerfilePaths) {
+			const dockerfile = fs.readFileSync(dockerfilePath, {encoding: 'utf8'});
+			for (const line of dockerfile.split('\n')) {
+				const matches = baseNodeTagMatch.exec(line);
+				if (matches && matches.length === 2) {
+					tags.add(matches[1])
+				}
+			}
+		}
+	} catch (err) {
+		const errorMessage = `Unable to parse dockerfiles: ${dockerfilePaths}`
+		console.error(errorMessage, err);
+		throw new Error(errorMessage)
+	}
+	return tags;
+}
+
+/**
+ * @param {Set<string>} tags
+ * @returns {Promise<void>}
+ */
+async function runNodeVersionAuditForDockerTags(tags) {
+	const options = {
+		timeout: 600000 // 10 minutes
+	}
+	for (const tag of tags) {
+		let out;
+		try {
+			out = childProcess.execFileSync('docker', ['run', '--rm', `node:${tag}`, 'npx', '--no-update-notifier', '--yes', 'node-version-audit@latest', '--fail-security'], options);
+		} catch (error) {
+			// non-zero exit code means either `--fail-security` failed, or something unknown happened
+			console.error(error.stdout.toString());
+			process.exit(error.status);
+		}
+		console.info(out.toString());
+	}
+}
+
+async function main() {
+	const dockerTags = await getNodeTagsFromDockerfile(['./docker/Dockerfile', './docker/Dockerfile.contrib',]);
+	await runNodeVersionAuditForDockerTags(dockerTags);
+	process.exit(0); // success - all secure
+}
+
+module.exports = main;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,7 +16,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [14.x, 16.x, 18.x]
+        node-version: [14.x, 16.x, 18.x, 19.x]
 
     steps:
       - name: Checkout Z-Wave JS UI

diff --git a/.github/workflows/node-version-audit.yml b/.github/workflows/node-version-audit.yml
@@ -0,0 +1,19 @@
+name: Node Version Audit
+
+on:
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+  schedule:
+    - cron: '0 0 16 * *' # run arbitrarily once a month
+  workflow_dispatch:
+
+jobs:
+  node-version-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/github-script@v5
+        with:
+          script: |
+            const bot = require(`${process.env.GITHUB_WORKSPACE}/.github/bot-scripts/index.js`);
+            return bot.nodeVersionAudit();
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-18.10.0
+18.14.1
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,15 +1,15 @@
 ARG image=zwave-js-ui
 
 # STEP: 1 build
-FROM node:18.10.0-alpine3.16 AS build-zui
+FROM node:18.14.1-alpine3.16 AS build-zui
 
 WORKDIR /usr/src/app
 
 RUN apk --no-cache add \
-    coreutils \	
+    coreutils \
     jq \
     linux-headers \
-    alpine-sdk \	
+    alpine-sdk \
     python3
 
 COPY package.json yarn.lock .yarnrc.yml ./
@@ -54,18 +54,18 @@ RUN if [ ! -z "$updateDevices"  ]; \
     fi
 
 # STEP: 2 (runtime)
-FROM node:18.10.0-alpine3.16
+FROM node:18.14.1-alpine3.16
 
-RUN apk add --no-cache \	
+RUN apk add --no-cache \
     libstdc++ \
     openssl \
-    libgcc \	
-    libusb \	
-    tzdata \	
-    eudev	
+    libgcc \
+    libusb \
+    tzdata \
+    eudev
 
 
-# Copy files from previous build stage	
+# Copy files from previous build stage
 COPY --from=build-zui /usr/src/app /usr/src/app
 
 ENV ZWAVEJS_EXTERNAL_CONFIG=/usr/src/app/store/.config-db

diff --git a/docker/Dockerfile.contrib b/docker/Dockerfile.contrib
@@ -8,7 +8,7 @@ ARG SRC=git-clone-src
 #####################
 
 # Option 1 (default): Clone from git
-FROM node:18.10.0-bullseye AS git-clone-src
+FROM node:18.14.1-bullseye AS git-clone-src
 ARG ZWJ_BRANCH=master
 ARG ZWJ_REPOSITORY=https://github.com/zwave-js/node-zwave-js
 ARG ZUI_BRANCH=master
@@ -20,7 +20,7 @@ RUN git clone -b ${ZWJ_BRANCH} ${ZWJ_REPOSITORY}
 RUN git clone -b ${ZUI_BRANCH} --depth 1 ${ZUI_REPOSITORY}
 
 # Option 2: Copy from local sources
-FROM node:18.10.0-bullseye AS local-copy-src
+FROM node:18.14.1-bullseye AS local-copy-src
 COPY --chown=node node-zwave-js /home/node/node-zwave-js
 COPY --chown=node zwave-js-ui /home/node/zwave-js-ui
 
@@ -91,7 +91,7 @@ RUN mkdir my_dist \
 #####################
 # Setup Final Image #
 #####################
-FROM node:18.10.0-bullseye
+FROM node:18.14.1-bullseye
 LABEL maintainer="robertsLando"
 
 ENV ZWAVEJS_EXTERNAL_CONFIG=/usr/src/app/store/.config-db