
build: upgrade dependencies #866

Merged

Conversation

@masontikhonov masontikhonov (Contributor) commented Nov 17, 2024

What

This upgrades a number of dependencies in order to address known CVEs.

@masontikhonov masontikhonov self-assigned this Nov 17, 2024
@masontikhonov masontikhonov changed the title CR-25970--security-fix-critical-and-high-in-codefresh-cli build: upgrade dependencies Nov 20, 2024
@masontikhonov masontikhonov marked this pull request as ready for review November 20, 2024 14:10
@masontikhonov masontikhonov merged commit a8af20c into master Nov 21, 2024
1 check passed
@masontikhonov masontikhonov deleted the CR-25970--security-fix-critical-and-high-in-codefresh-cli branch November 21, 2024 10:00
masontikhonov added a commit that referenced this pull request Nov 21, 2024
masontikhonov added a commit that referenced this pull request Nov 27, 2024
## What

This PR reapplies #866 that was previously reverted in #869.

It contains upgrades for multiple dependencies to address critical- and
high-level CVEs.

In addition to #866, it:

* upgrades `npm` to address
[CVE-2024-21538](https://scout.docker.com/vulnerabilities/id/CVE-2024-21538?s=github&n=cross-spawn&t=npm&vr=%3E%3D7.0.0%2C%3C7.0.5&utm_source=desktop&utm_medium=ExternalLink).
* sets the `NODE_NO_WARNINGS=1` env in the Dockerfile
([ref](https://nodejs.org/api/cli.html#node_no_warnings1)) in order to
suppress Node.js deprecation warnings that may interrupt end-user
automations that rely on exact CLI output.
* migrates from `pkg`, which is no longer maintained, to its fork
`@yao-pkg/pkg`.
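A defender's lockfile check, added here as an example and not part of this PR or the project: using the `cross-spawn` range the PR cites for CVE-2024-21538 (>=7.0.0, <7.0.5), it walks a `package-lock.json` in either the v1 (nested `dependencies`) or v2/v3 (flat `packages`) layout and reports every copy still inside that range, including copies nested under a bundled `npm`. The lockfile content and version numbers are constructed.

```python
import json

# Vulnerable cross-spawn range for CVE-2024-21538 as cited in the PR: >=7.0.0, <7.0.5
VULN_MIN = (7, 0, 0)
VULN_MAX_EXCLUSIVE = (7, 0, 5)

def parse_version(version):
    """Turn '7.0.3' (or '7.0.3-beta.1') into a comparable (major, minor, patch) tuple."""
    core = version.split("-", 1)[0].split("+", 1)[0]  # drop prerelease/build tags
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def is_vulnerable(version):
    return bool(version) and VULN_MIN <= parse_version(version) < VULN_MAX_EXCLUSIVE

def iter_installs(lock, name="cross-spawn"):
    """Yield (install path, version) for every copy of `name`, including nested ones."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path.endswith("node_modules/" + name):
                yield path, meta.get("version", "")
        return

    def walk(deps, prefix):  # lockfileVersion 1: nested 'dependencies' tree
        for dep, meta in deps.items():
            path = prefix + "node_modules/" + dep
            if dep == name:
                yield path, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")

def find_vulnerable(lock):
    """Return every install path of cross-spawn still inside the vulnerable range."""
    return [(path, ver) for path, ver in iter_installs(lock) if is_vulnerable(ver)]

# Constructed sample lockfile (v3): the top-level copy is already patched, but the copy
# nested under a bundled npm is still in range, which is the case a plain top-level check misses.
SAMPLE_LOCK_V3 = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo", "version": "1.0.0"},
    "node_modules/cross-spawn": {"version": "7.0.6"},
    "node_modules/npm": {"version": "10.8.3"},
    "node_modules/npm/node_modules/cross-spawn": {"version": "7.0.3"}
  }
}""")

print(find_vulnerable(SAMPLE_LOCK_V3))  # [('node_modules/npm/node_modules/cross-spawn', '7.0.3')]
```

Run it against a real lockfile with `find_vulnerable(json.load(open("package-lock.json")))`; an empty list means no copy of `cross-spawn` in the cited range remains anywhere in the tree.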