build: upgrade dependencies (#870)
## What

This PR reapplies #866 that was previously reverted in #869.

It contains upgrades for multiple dependencies to address critical- and
high-severity CVEs.

In addition to #866, it:

* upgrades `npm` to address
[CVE-2024-21538](https://scout.docker.com/vulnerabilities/id/CVE-2024-21538?s=github&n=cross-spawn&t=npm&vr=%3E%3D7.0.0%2C%3C7.0.5&utm_source=desktop&utm_medium=ExternalLink).
* Sets `NODE_NO_WARNINGS=1` env in Dockerfile
([ref](https://nodejs.org/api/cli.html#node_no_warnings1)) in order to
suppress Node.js deprecation warnings, that may interrupt end-user
automations, that rely on exact CLi output.
* Migrates from `pkg`, which is no longer maintained, to its fork
`@yao-pkg/pkg`.
masontikhonov authored Nov 27, 2024
1 parent 7e49659 commit f0a514c
Showing 7 changed files with 2,782 additions and 2,529 deletions.
2 changes: 1 addition & 1 deletion .nvmrc
@@ -1 +1 @@
v18.17.1
v22.11.0
21 changes: 8 additions & 13 deletions Dockerfile
@@ -1,44 +1,39 @@
# go hub binary
FROM golang:alpine as go
FROM golang:alpine AS go
RUN apk --update add ca-certificates git
RUN go install github.com/github/hub@latest

# python yq binary
FROM six8/pyinstaller-alpine:alpine-3.6-pyinstaller-v3.4 as yq
FROM six8/pyinstaller-alpine:alpine-3.6-pyinstaller-v3.4 AS yq
ARG YQ_VERSION=2.10.0
ENV PATH="/pyinstaller:$PATH"
RUN pip install yq==${YQ_VERSION}
RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)

# kubectl binary
FROM bitnami/kubectl:1.27.4 as kubectl
FROM bitnami/kubectl:1.30.6 AS kubectl

# Main
FROM node:18.17.1-alpine3.18

FROM node:22.11.0-alpine3.20
RUN apk --update add --no-cache \
bash \
ca-certificates \
curl \
git \
jq

RUN npm upgrade -g npm
COPY --from=go /go/bin/hub /usr/local/bin/hub
COPY --from=yq /tmp/yq /usr/local/bin/yq
COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/

WORKDIR /cf-cli

COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/

RUN yarn install --prod --frozen-lockfile && \
yarn cache clean

COPY . /cf-cli

RUN yarn generate-completion

RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh

RUN codefresh components update --location components

# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
ENV NODE_NO_WARNINGS=1
ENTRYPOINT ["codefresh"]
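Review bot: `RUN npm upgrade -g npm` on the new side installs whatever npm is current on the registry at build time, so the npm version shipped in the image is unpinned, non-reproducible, and recorded nowhere in the repository, which makes it hard to verify that the cross-spawn fix for CVE-2024-21538 (cross-spawn >= 7.0.5) named in the description is actually present in a given build. Pin it explicitly, e.g. `RUN npm install -g npm@<version verified to bundle cross-spawn>=7.0.5> && npm cache clean --force`, and bump that version deliberately alongside the base-image tag rather than floating it. The same unpinned step appears in the other three Dockerfiles in this commit.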
16 changes: 5 additions & 11 deletions Dockerfile-debian
Expand Up @@ -11,11 +11,10 @@ RUN pip install yq==${YQ_VERSION}
RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)

# kubectl binary
FROM bitnami/kubectl:1.27.4 as kubectl
FROM bitnami/kubectl:1.30.6 as kubectl

# Main
FROM node:18.17.1-bullseye-slim

FROM node:22.11.0-bullseye-slim
RUN apt update \
&& apt -y install \
apt-transport-https \
Expand All @@ -26,24 +25,19 @@ RUN apt update \
git \
jq \
&& ln -s /bin/busybox /usr/bin/[[

RUN npm upgrade -g npm
COPY --from=go /go/bin/hub /usr/local/bin/hub
COPY --from=yq /tmp/yq /usr/local/bin/yq
COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/

WORKDIR /cf-cli

COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/

RUN yarn install --prod --frozen-lockfile && \
yarn cache clean

COPY . /cf-cli

RUN yarn generate-completion

RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh

RUN codefresh components update --location components

# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
ENV NODE_NO_WARNINGS=1
ENTRYPOINT ["codefresh"]
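Review bot: `ENV NODE_NO_WARNINGS=1` silences every process warning Node emits, not only the deprecation notices the comment above it refers to; that presumably includes the warning Node prints when `NODE_TLS_REJECT_UNAUTHORIZED=0` disables certificate verification, so a user who sets that in a pipeline will no longer be told the CLI is talking to the API insecurely. If the warnings that were breaking automations are DeprecationWarnings, Node 22 should accept the narrower `ENV NODE_OPTIONS="--disable-warning=DeprecationWarning"` (verify it is honoured in NODE_OPTIONS for this Node release), and the comment should then name the warning class being suppressed. Node writes warnings to stderr, so it is also worth confirming the affected automations really capture stderr; if they only parse stdout, the blanket suppression may not be needed at all.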
18 changes: 5 additions & 13 deletions Dockerfile-debian-rootless
Expand Up @@ -11,11 +11,10 @@ RUN pip install yq==${YQ_VERSION}
RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)

# kubectl binary
FROM bitnami/kubectl:1.27.4 as kubectl
FROM bitnami/kubectl:1.30.6 as kubectl

# Main
FROM node:18.17.1-bullseye-slim

FROM node:22.11.0-bullseye-slim
RUN apt update \
&& apt -y install \
bash \
Expand All @@ -25,26 +24,18 @@ RUN apt update \
git \
jq \
&& ln -s /bin/busybox /usr/bin/[[

RUN npm upgrade -g npm
COPY --from=go /go/bin/hub /usr/local/bin/hub
COPY --from=yq /tmp/yq /usr/local/bin/yq
COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/

WORKDIR /cf-cli

COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/

RUN yarn install --prod --frozen-lockfile && \
yarn cache clean

COPY . /cf-cli

RUN yarn generate-completion

RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh

RUN codefresh components update --location components

# we keep /root as home directory because cli by default looks for $HOME/.cfconfig
# and we do not want to break user automation if they used to bind their .cfconfig
# to the /root/.cfconfig
Expand All @@ -53,6 +44,7 @@ RUN useradd -m -d /root -s /bin/sh cfu \
&& chgrp -R $(id -g cfu) /root /cf-cli \
&& chmod -R g+rwX /root

# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
ENV NODE_NO_WARNINGS=1
USER cfu

ENTRYPOINT ["codefresh"]
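Review bot: The new `RUN npm upgrade -g npm` runs as root with `HOME=/root`, so whatever npm leaves in `/root/.npm` (its download cache, presumably) stays in that layer and is then swept up by the later `chgrp -R $(id -g cfu) /root` / `chmod -R g+rwX /root`, making it group-writable for the `cfu` user; a writable package cache owned by the runtime user is not what the rootless variant is trying to achieve. Clean it in the same layer, `RUN npm install -g npm@<pinned version> && npm cache clean --force`, which also fixes the unpinned version. The `useradd` RUN that the second hunk sits in starts outside the hunk.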
18 changes: 5 additions & 13 deletions Dockerfile-rootless
Expand Up @@ -11,37 +11,28 @@ RUN pip install yq==${YQ_VERSION}
RUN pyinstaller --noconfirm --onefile --log-level DEBUG --clean --distpath /tmp/ $(which yq)

# kubectl binary
FROM bitnami/kubectl:1.27.4 as kubectl
FROM bitnami/kubectl:1.30.6 as kubectl

# Main
FROM node:18.17.1-alpine3.18

FROM node:22.11.0-alpine3.20
RUN apk --update add --no-cache \
bash \
ca-certificates \
curl \
git \
jq

RUN npm upgrade -g npm
COPY --from=go /go/bin/hub /usr/local/bin/hub
COPY --from=yq /tmp/yq /usr/local/bin/yq
COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/

WORKDIR /cf-cli

COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/

RUN yarn install --prod --frozen-lockfile && \
yarn cache clean

COPY . /cf-cli

RUN yarn generate-completion

RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh

RUN codefresh components update --location components

# we keep /root as home directory because cli by default looks for $HOME/.cfconfig
# and we do not want to break user automation if they used to bind their .cfconfig
# to the /root/.cfconfig
Expand All @@ -50,6 +41,7 @@ RUN adduser -D -h /root -s /bin/sh cfu \
&& chgrp -R $(id -g cfu) /root /cf-cli \
&& chmod -R g+rwX /root

# Node.js warnings must be suppressed to ensure that automations relying on exact output are not disrupted
ENV NODE_NO_WARNINGS=1
USER cfu

ENTRYPOINT ["codefresh"]
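Review bot: The base images bumped here (`bitnami/kubectl:1.30.6`, `node:22.11.0-alpine3.20`) are pinned by tag only, and tags are mutable, so a CVE-driven upgrade like this one cannot guarantee that a later rebuild pulls the same remediated image. For a hardening change, pin each `FROM` by digest as well, e.g. `FROM node:22.11.0-alpine3.20@sha256:<digest> AS ...`, and note in a comment which scan the digest was verified against. The `golang:alpine` and `six8/pyinstaller-alpine:alpine-3.6-...` stages are untouched by this commit but share the same problem and the latter is a very old Alpine base for a binary that is copied into the final image.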
26 changes: 10 additions & 16 deletions package.json
@@ -1,6 +1,6 @@
{
"name": "codefresh",
"version": "0.88.2",
"version": "0.88.3",
"description": "Codefresh command line utility",
"main": "index.js",
"preferGlobal": true,
Expand All @@ -9,7 +9,7 @@
"test": "jest .spec.js --coverage",
"e2e": "bash e2e/e2e.spec.sh",
"eslint": "eslint --fix lib/logic/**",
"pkg": "pkg . -t node16-alpine-x64,node16-alpine-arm64,node16-macos-x64,node16-linux-x64,node16-win-x64,node16-linux-arm64 --out-path ./dist",
"pkg": "npx pkg . -t node22-alpine-x64,node22-alpine-arm64,node22-macos-x64,node22-linux-x64,node22-win-x64,node22-linux-arm64 --out-path ./dist",
"serve-docs": "yarn build-local-docs && cd temp && hugo server -D",
"serve-docs-beta": "ALLOW_BETA_COMMANDS=true yarn build-local-docs && cd temp && hugo server -D",
"build-local-docs": "node ./docs/index.js",
Expand All @@ -32,17 +32,10 @@
"assets": "lib/**/*.hbs"
},
"resolutions": {
"websocket-extensions": "^0.1.4",
"lodash": "^4.17.21",
"json-schema": "^0.4.0",
"ajv": "^6.12.6",
"normalize-url": "^4.5.1",
"ansi-regex": "^5.0.1",
"y18n": "^4.0.1",
"shelljs": "^0.8.5",
"codefresh-sdk/swagger-client/qs": "6.9.7",
"kubernetes-client/qs": "6.9.7",
"**/request/qs": "6.5.3"
"kubernetes-client/@kubernetes/client-node": ">=0.22.2",
"tough-cookie": "^4.1.3"
},
"dependencies": {
"@codefresh-io/docker-reference": "^0.0.5",
Expand All @@ -64,7 +57,7 @@
"figlet": "^1.4.0",
"filesize": "^3.5.11",
"firebase": "git+https://github.com/codefresh-io/firebase.git#80b2ed883ff281cd67b53bd0f6a0bbd6f330fed5",
"flat": "^4.1.1",
"flat": "^5.0.2",
"inquirer": "^7.1.0",
"js-yaml": "^3.10.0",
"kefir": "^3.8.1",
Expand All @@ -79,7 +72,7 @@
"promise-retry": "^2.0.1",
"recursive-readdir": "^2.2.3",
"request": "^2.88.0",
"request-promise": "^4.2.2",
"request-promise": "^4.2.6",
"requestretry": "^7.0.2",
"rimraf": "^2.6.2",
"semver": "^7.5.4",
Expand All @@ -92,13 +85,13 @@
},
"devDependencies": {
"@types/node-forge": "^1.0.1",
"@yao-pkg/pkg": "^6.1.1",
"eslint": "^7.32.0",
"eslint-config-airbnb-base": "^15.0.0",
"eslint-plugin-import": "^2.25.4",
"eslint-plugin-jest": "^27.6.3",
"hugo-cli": "^0.5.4",
"jest": "^29.7.0",
"pkg": "5.5.2"
"jest": "^29.7.0"
},
"bugs": {
"url": "https://github.com/codefresh-io/cli/issues"
Expand All @@ -114,5 +107,6 @@
"setupFiles": [
"./test-setup.js"
]
}
},
"packageManager": "[email protected]+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
}
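Review bot: The `pkg` script now runs `npx pkg ...` while the `pkg` devDependency is removed and replaced by `@yao-pkg/pkg`; that only resolves to the fork's `pkg` bin when dev dependencies are installed, and in any environment where `node_modules/.bin/pkg` is missing `npx` may fall back to fetching the package literally named `pkg` (the unmaintained upstream this PR is moving away from) from the registry, depending on npm's prompt behaviour in a non-TTY. Since npm run scripts already put `node_modules/.bin` on PATH, drop the `npx` so a missing bin fails loudly instead: `"pkg": "pkg . -t node22-alpine-x64,... --out-path ./dist"`. It is also worth recording in the script name or a `// comment`-free place such as README why `@yao-pkg/pkg` is the chosen fork, since the package name no longer says so.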