build: upgrade dependencies (#870)

masontikhonov · web-flow · commit f0a514cdadc6 · 2024-11-27T12:01:42.000+04:00
## What This PR reapplies #866 that was previously reverted in #869. It contains upgrade for multiple dependencies to address critical- and high-level CVE. In addition to #866, it: * upgrades `npm` to address [CVE-2024-21538](https://scout.docker.com/vulnerabilities/id/CVE-2024-21538?s=github&n=cross-spawn&t=npm&vr=%3E%3D7.0.0%2C%3C7.0.5&utm_source=desktop&utm_medium=ExternalLink). * Sets `NODE_NO_WARNINGS=1` env in Dockerfile ([ref](https://nodejs.org/api/cli.html#node_no_warnings1)) in order to suppress Node.js deprecation warnings, that may interrupt end-user automations, that rely on exact CLi output. * Migrates from `pkg`, which is no longer maintained, to its fork `@yao-pkg/pkg`.
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-v18.17.1
+v22.11.0
diff --git a/Dockerfile b/Dockerfile
@@ -1,44 +1,39 @@
 # go hub binary
-FROM golang:alpine as go
+FROM golang:alpine AS go
 RUN apk --update add ca-certificates git
 RUN go install github.com/github/hub@latest
 
 # python yq binary
-FROM six8/pyinstaller-alpine:alpine-3.6-pyinstaller-v3.4 as yq
+FROM six8/pyinstaller-alpine:alpine-3.6-pyinstaller-v3.4 AS yq
 ARG YQ_VERSION=2.10.0
 ENV PATH="/pyinstaller:$PATH"
 RUN pip install yq==${YQ_VERSION}
 RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)
 
 # kubectl binary
-FROM bitnami/kubectl:1.27.4 as kubectl
+FROM bitnami/kubectl:1.30.6 AS kubectl
 
 # Main
-FROM node:18.17.1-alpine3.18
-
+FROM node:22.11.0-alpine3.20
 RUN apk --update add --no-cache \
     bash \
     ca-certificates \
     curl \
     git \
     jq
-
+RUN npm upgrade -g npm
 COPY --from=go /go/bin/hub /usr/local/bin/hub
 COPY --from=yq /tmp/yq /usr/local/bin/yq
 COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/
-
 WORKDIR /cf-cli
-
 COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/
-
 RUN yarn install --prod --frozen-lockfile && \
     yarn cache clean
-
 COPY . /cf-cli
-
 RUN yarn generate-completion
-
 RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh
-
 RUN codefresh components update --location components
+
+# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
+ENV NODE_NO_WARNINGS=1
 ENTRYPOINT ["codefresh"]
diff --git a/Dockerfile-debian b/Dockerfile-debian
@@ -11,11 +11,10 @@ RUN pip install yq==${YQ_VERSION}
 RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)
 
 # kubectl binary
-FROM bitnami/kubectl:1.27.4 as kubectl
+FROM bitnami/kubectl:1.30.6 as kubectl
 
 # Main
-FROM node:18.17.1-bullseye-slim
-
+FROM node:22.11.0-bullseye-slim
 RUN apt update \
     && apt -y install \
     apt-transport-https \
@@ -26,24 +25,19 @@ RUN apt update \
     git \
     jq \
     && ln -s /bin/busybox /usr/bin/[[
-
+RUN npm upgrade -g npm
 COPY --from=go /go/bin/hub /usr/local/bin/hub
 COPY --from=yq /tmp/yq /usr/local/bin/yq
 COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/
-
 WORKDIR /cf-cli
-
 COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/
-
 RUN yarn install --prod --frozen-lockfile && \
     yarn cache clean
-
 COPY . /cf-cli
-
 RUN yarn generate-completion
-
 RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh
-
 RUN codefresh components update --location components
 
+# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
+ENV NODE_NO_WARNINGS=1
 ENTRYPOINT ["codefresh"]
diff --git a/Dockerfile-debian-rootless b/Dockerfile-debian-rootless
@@ -11,11 +11,10 @@ RUN pip install yq==${YQ_VERSION}
 RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)
 
 # kubectl binary
-FROM bitnami/kubectl:1.27.4 as kubectl
+FROM bitnami/kubectl:1.30.6 as kubectl
 
 # Main
-FROM node:18.17.1-bullseye-slim
-
+FROM node:22.11.0-bullseye-slim
 RUN apt update \
     && apt -y install \
     bash \
@@ -25,26 +24,18 @@ RUN apt update \
     git \
     jq \
     && ln -s /bin/busybox /usr/bin/[[
-
+RUN npm upgrade -g npm
 COPY --from=go /go/bin/hub /usr/local/bin/hub
 COPY --from=yq /tmp/yq /usr/local/bin/yq
 COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/
-
 WORKDIR /cf-cli
-
 COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/
-
 RUN yarn install --prod --frozen-lockfile && \
     yarn cache clean
-
 COPY . /cf-cli
-
 RUN yarn generate-completion
-
 RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh
-
 RUN codefresh components update --location components
-
 # we keep /root as home directory because cli by default looks for $HOME/.cfconfig
 # and we do not want to break user automation if they used to bind their .cfconfig
 # to the /root/.cfconfig
@@ -53,6 +44,7 @@ RUN useradd -m -d /root -s /bin/sh cfu \
    && chgrp -R $(id -g cfu) /root /cf-cli \
    && chmod -R g+rwX /root
 
+# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
+ENV NODE_NO_WARNINGS=1
 USER cfu
-
 ENTRYPOINT ["codefresh"]
diff --git a/Dockerfile-rootless b/Dockerfile-rootless
@@ -11,37 +11,28 @@ RUN pip install yq==${YQ_VERSION}
 RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)
 
 # kubectl binary
-FROM bitnami/kubectl:1.27.4 as kubectl
+FROM bitnami/kubectl:1.30.6 as kubectl
 
 # Main
-FROM node:18.17.1-alpine3.18
-
+FROM node:22.11.0-alpine3.20
 RUN apk --update add --no-cache \
     bash \
     ca-certificates \
     curl \
     git \
     jq
-
+RUN npm upgrade -g npm
 COPY --from=go /go/bin/hub /usr/local/bin/hub
 COPY --from=yq /tmp/yq /usr/local/bin/yq
 COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/
-
 WORKDIR /cf-cli
-
 COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/
-
 RUN yarn install --prod --frozen-lockfile && \
     yarn cache clean
-
 COPY . /cf-cli
-
 RUN yarn generate-completion
-
 RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh
-
 RUN codefresh components update --location components
-
 # we keep /root as home directory because cli by default looks for $HOME/.cfconfig
 # and we do not want to break user automation if they used to bind their .cfconfig
 # to the /root/.cfconfig
@@ -50,6 +41,7 @@ RUN adduser -D -h /root -s /bin/sh cfu \
    && chgrp -R $(id -g cfu) /root /cf-cli \
    && chmod -R g+rwX /root
 
+# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
+ENV NODE_NO_WARNINGS=1
 USER cfu
-
 ENTRYPOINT ["codefresh"]
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codefresh",
-  "version": "0.88.2",
+  "version": "0.88.3",
   "description": "Codefresh command line utility",
   "main": "index.js",
   "preferGlobal": true,
@@ -9,7 +9,7 @@
     "test": "jest .spec.js --coverage",
     "e2e": "bash e2e/e2e.spec.sh",
     "eslint": "eslint --fix lib/logic/**",
-    "pkg": "pkg . -t node16-alpine-x64,node16-alpine-arm64,node16-macos-x64,node16-linux-x64,node16-win-x64,node16-linux-arm64 --out-path ./dist",
+    "pkg": "npx pkg . -t node22-alpine-x64,node22-alpine-arm64,node22-macos-x64,node22-linux-x64,node22-win-x64,node22-linux-arm64 --out-path ./dist",
     "serve-docs": "yarn build-local-docs && cd temp && hugo server -D",
     "serve-docs-beta": "ALLOW_BETA_COMMANDS=true yarn build-local-docs && cd temp && hugo server -D",
     "build-local-docs": "node ./docs/index.js",
@@ -32,17 +32,10 @@
     "assets": "lib/**/*.hbs"
   },
   "resolutions": {
-    "websocket-extensions": "^0.1.4",
-    "lodash": "^4.17.21",
     "json-schema": "^0.4.0",
-    "ajv": "^6.12.6",
-    "normalize-url": "^4.5.1",
     "ansi-regex": "^5.0.1",
-    "y18n": "^4.0.1",
-    "shelljs": "^0.8.5",
-    "codefresh-sdk/swagger-client/qs": "6.9.7",
-    "kubernetes-client/qs": "6.9.7",
-    "**/request/qs": "6.5.3"
+    "kubernetes-client/@kubernetes/client-node": ">=0.22.2",
+    "tough-cookie": "^4.1.3"
   },
   "dependencies": {
     "@codefresh-io/docker-reference": "^0.0.5",
@@ -64,7 +57,7 @@
     "figlet": "^1.4.0",
     "filesize": "^3.5.11",
     "firebase": "git+https://github.com/codefresh-io/firebase.git#80b2ed883ff281cd67b53bd0f6a0bbd6f330fed5",
-    "flat": "^4.1.1",
+    "flat": "^5.0.2",
     "inquirer": "^7.1.0",
     "js-yaml": "^3.10.0",
     "kefir": "^3.8.1",
@@ -79,7 +72,7 @@
     "promise-retry": "^2.0.1",
     "recursive-readdir": "^2.2.3",
     "request": "^2.88.0",
-    "request-promise": "^4.2.2",
+    "request-promise": "^4.2.6",
     "requestretry": "^7.0.2",
     "rimraf": "^2.6.2",
     "semver": "^7.5.4",
@@ -92,13 +85,13 @@
   },
   "devDependencies": {
     "@types/node-forge": "^1.0.1",
+    "@yao-pkg/pkg": "^6.1.1",
     "eslint": "^7.32.0",
     "eslint-config-airbnb-base": "^15.0.0",
     "eslint-plugin-import": "^2.25.4",
     "eslint-plugin-jest": "^27.6.3",
     "hugo-cli": "^0.5.4",
-    "jest": "^29.7.0",
-    "pkg": "5.5.2"
+    "jest": "^29.7.0"
   },
   "bugs": {
     "url": "https://github.com/codefresh-io/cli/issues"
@@ -114,5 +107,6 @@
     "setupFiles": [
       "./test-setup.js"
     ]
-  }
+  },
+  "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }
diff --git a/yarn.lock b/yarn.lock
