#2052: update vulnerable npm dependencies (npm audit fix) #2087
Conversation
|
Thanks! How did you manage? I was stuck with Your patch seems to break Docker builds though https://github.com/shaarli/Shaarli/actions/runs/9180779024/job/25245995113?pr=2087 #25 [node 3/3] RUN cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules
#25 0.222 yarn install v1.22.18
#25 0.319 [1/4] Resolving packages...
#25 0.538 warning Resolution field "[email protected]" is incompatible with requested version "string-width@^5.1.2"
#25 0.541 warning Resolution field "[email protected]" is incompatible with requested version "string-width@^5.0.1"
#25 0.651 [2/4] Fetching packages...
#25 7.997 error [email protected]: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
#25 8.004 error Found incompatible module.
#25 8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
#25 ERROR: process "/bin/sh -c cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules" did not complete successfully: exit code: 1
------
> [node 3/3] RUN cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules:
0.222 yarn install v1.22.18
0.319 [1/4] Resolving packages...
0.538 warning Resolution field "[email protected]" is incompatible with requested version "string-width@^5.1.2"
0.541 warning Resolution field "[email protected]" is incompatible with requested version "string-width@^5.0.1"
0.651 [2/4] Fetching packages...
7.997 error [email protected]: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
8.004 error Found incompatible module.
8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
Dockerfile:21
--------------------
20 | COPY --from=composer /app/shaarli shaarli
21 | >>> RUN cd shaarli \
22 | >>> && yarnpkg install \
23 | >>> && yarnpkg run build \
24 | >>> && rm -rf node_modules
25 |
--------------------
ERROR: failed to solve: process "/bin/sh -c cd shaarli && yarnpkg install && yarnpkg run build && rm -rf node_modules" did not complete successfully: exit code: 1 |
|
Hi. I think I fixed the docker builds by upgrading node (and alpine which I saw you did in another branch). For the dependencies, I upgraded everything manually. First I edited package.json with all asterisks to get the latest versions of everything. Then I downgraded anything that was broken (and I couldn't fix). Then I put the versions that worked back into package.json. I used Node 18 because that is what I'm using on my servers, but I'm pretty sure everything would work with Node 20. |
|
👍 I think your last changes broke the PR, there are now 35 commits in this PR, some from 2020... https://github.com/shaarli/Shaarli/pull/2087/commits. Can you please check and/or rebase on master? |
|
Sorry about that. I did a rebase and I think it looks ok now. |
|
I just tried building and running the Docker image, it seems there is something wrong with icon fonts, they are missing from the image: ~/GIT/Shaarli (npm-audit-fix =)$ docker build -t shaarli:npm-audit-fix .
...
Successfully tagged localhost/shaarli:npm-audit-fix
~/GIT/Shaarli (npm-audit-fix =)$ docker run --name shaarli --publish 8000:80 localhost/shaarli:npm-audit-fix
~/GIT/Shaarli (npm-audit-fix =)$ docker exec -it shaarli sh
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
/var/www # ls shaarli/tpl/default/css/
markdown.min.css shaarli.min.cssEdit: can confirm that icons are properly displayed when building from master |
|
I updated webpack.config.js, which I think broke with version 5. I was able to run the default and vintage themes both locally and through docker. I'll try to run a docker instance next time: it helps ensure that the environment is completely clean. |
Hi. In this branch I updated all the node packages to the very latest versions that I could. Now the trivy scans pass and github actions no longer warn about using node 16.
The biggest issue I had was stylelint, which checks the default Sass files. It changed significantly, but older versions rely on postcss, and that had a vulnerability in the older versions.
I didn't touch Docker but I think everything else is working fine.