Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce vuln and changed docker images #4590

Closed
wants to merge 9 commits into from
Closed

Reduce vuln and changed docker images #4590

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
2f7e059
Bump jsonata from 2.0.3 to 2.0.4
dependabot[bot] Mar 17, 2024
6fa7d75
Bump nodemailer from 6.6.5 to 6.9.9
dependabot[bot] Mar 17, 2024
c99f3ea
Bump ip from 2.0.0 to 2.0.1
dependabot[bot] Mar 17, 2024
af9b6cc
Bump follow-redirects from 1.15.5 to 1.15.6
dependabot[bot] Mar 17, 2024
a622da8
Bump jose from 4.15.4 to 4.15.5
dependabot[bot] Mar 17, 2024
4e2e6ea
Bump undici from 5.28.2 to 5.28.3
dependabot[bot] Mar 17, 2024
39d74b4
Update builder-go.dockerfile
bruhwhyamisobad Mar 17, 2024
66ea72f
Update debian-base.dockerfile
bruhwhyamisobad Mar 17, 2024
7d08dad
fix: package.json to reduce vulnerabilities
snyk-bot Mar 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docker/builder-go.dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
# Build in Golang
# Run npm run build-healthcheck-armv7 in the host first, another it will be super slow where it is building the armv7 healthcheck
############################################
FROM golang:1.19-buster
FROM golang:bookworm
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't remove the go version.
Updating the go version should be fine as by their stability guarantee, but don't remove it

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can updated to 1.21.x

WORKDIR /app
ARG TARGETPLATFORM
COPY ./extra/ ./extra/
Expand Down
2 changes: 1 addition & 1 deletion docker/debian-base.dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# If the image changed, the second stage image should be changed too
FROM node:20-bookworm-slim AS base2-slim
FROM node:bookworm-slim AS base2-slim
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

don't remove the node version here. It is here for a reason

ARG TARGETPLATFORM

# Specify --no-install-recommends to skip unused dependencies, make the base much smaller!
Expand Down
40 changes: 20 additions & 20 deletions package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

12 changes: 6 additions & 6 deletions package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,8 +79,8 @@
"@louislam/sqlite3": "15.1.6",
"@vvo/tzdb": "^6.125.0",
"args-parser": "~1.3.0",
"axios": "~0.28.0",
"axios-ntlm": "1.3.0",
"axios": "~1.6.4",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Until axios provides a migration guide or documents what (breaking) changes have been made, just bumping the version is too risky for us.

They litterally only state the folling in their changelog:

There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.

"axios-ntlm": "1.3.1",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at said changelog, bumping to 1.3.2 should be fine too

"badge-maker": "~3.3.1",
"bcryptjs": "~2.4.3",
"chardet": "~1.4.0",
Expand All @@ -106,7 +106,7 @@
"iconv-lite": "~0.6.3",
"isomorphic-ws": "^5.0.0",
"jsesc": "~3.0.2",
"jsonata": "^2.0.3",
"jsonata": "^2.0.4",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

changelog looks fine for this one

"jsonwebtoken": "~9.0.0",
"jwt-decode": "~3.1.2",
"kafkajs": "^2.2.4",
Expand All @@ -115,13 +115,13 @@
"liquidjs": "^10.7.0",
"mitt": "~3.0.1",
"mongodb": "~4.17.1",
"mqtt": "~4.3.7",
"mqtt": "~5.3.5",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are doing a major version bump here with a lot of intermediate versions.

Have you carefully read through the changelog? Have you tested that this feature still works?

"mssql": "~8.1.4",
"mysql2": "~3.6.2",
"nanoid": "~3.3.4",
"node-cloudflared-tunnel": "~1.0.9",
"node-radius-client": "~1.0.0",
"nodemailer": "~6.6.5",
"nodemailer": "~6.9.9",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changelog looks fine for this one

"nostr-tools": "^1.13.1",
"notp": "~2.0.3",
"openid-client": "^5.4.2",
Expand Down Expand Up @@ -186,7 +186,7 @@
"qrcode": "~1.5.0",
"rollup-plugin-visualizer": "^5.6.0",
"sass": "~1.42.1",
"stylelint": "^15.10.1",
"stylelint": "^16.1.0",
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a Breaking change!

See https://stylelint.io/changelog/#1600

Removed: Node.js less than 18.12.0 support

There are also some deprecation warnings in the current stle configuration => these need to be migrated first, as they are removed in v16

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yea and check the check-linter run it going crazy

"stylelint-config-standard": "~25.0.0",
"terser": "~5.15.0",
"test": "~3.3.0",
Expand Down
Loading