chore: fix vulnerabilities #3087

Merged
merged 4 commits into from
Nov 6, 2024

Conversation

@mkurapov mkurapov commented Nov 6, 2024

Changes proposed in this pull request

  • Forces dset to be at least 3.1.4
  • Update koa/router to resolve path-to-regexp vulnerability
  • Fix trivy scan failures with fallback registry
  • Update remix-run packages to resolve path-to-regexp vulnerability

Context

Fixes #3082

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Make sure that all checks pass
  • Bruno collection updated (if necessary)
  • Documentation issue created with user-docs label (if necessary)
  • OpenAPI specs updated (if necessary)
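A way to confirm that an override like `dset@<3.1.4` actually reached every resolved copy, including nested duplicates, added here as an example and not part of this PR: it walks the `packages` map of an npm v2/v3 `package-lock.json`. The inline lockfile and the package `some-lib` are constructed for illustration; a pnpm YAML lockfile would need a different walk.

```javascript
// Added example (not part of this PR): check that an override such as
// "dset@<3.1.4": ">=3.1.4" reached every resolved copy of the package,
// including nested ones, by walking the "packages" map of an npm v2/v3
// package-lock.json. The lockfile below is constructed for illustration.

function parseSemver(v) {
  // Returns [major, minor, patch]; prerelease and build tags are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns every install path of `name` whose resolved version is below
// `minVersion`. An empty array means the override took effect everywhere.
function findBelowMinimum(lockfile, name, minVersion) {
  const offenders = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    if (path === '' || !path.endsWith(`node_modules/${name}`)) continue;
    if (compareVersions(info.version, minVersion) < 0) {
      offenders.push({ path, version: info.version });
    }
  }
  return offenders;
}

// Constructed lockfile: the hoisted dset is fixed, but a nested copy under
// the hypothetical package some-lib still resolves to 3.1.3.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-workspace' },
    'node_modules/dset': { version: '3.1.4' },
    'node_modules/some-lib': { version: '1.0.0' },
    'node_modules/some-lib/node_modules/dset': { version: '3.1.3' },
  },
};

const stale = findBelowMinimum(SAMPLE_LOCKFILE, 'dset', '3.1.4');
console.log(stale.length ? 'still vulnerable copies:' : 'all copies >= 3.1.4', stale);
```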


netlify bot commented Nov 6, 2024

Deploy Preview for brilliant-pasca-3e80ec canceled.

🔨 Latest commit: dc90a6a
🔍 Latest deploy log: https://app.netlify.com/sites/brilliant-pasca-3e80ec/deploys/672b6785b0b7bd000812db5c

@github-actions github-actions bot added pkg: backend Changes in the backend package. pkg: auth Changes in the GNAP auth package. pkg: frontend Changes in the frontend package. labels Nov 6, 2024
@mkurapov mkurapov closed this Nov 6, 2024
@mkurapov mkurapov reopened this Nov 6, 2024
@github-actions github-actions bot added the type: ci Changes to the CI label Nov 6, 2024
@@ -338,7 +338,7 @@ jobs:
- name: Scan docker image
run: |
docker images
/tmp/trivy image --ignore-unfixed --format table --vuln-type os,library --exit-code 1 --severity HIGH --input /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
/tmp/trivy image --db-repository ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db --java-db-repository ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db --ignore-unfixed --format table --vuln-type os,library --exit-code 1 --severity HIGH --input /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
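Review bot: the added `--db-repository` and `--java-db-repository` fallback lists carry no explanation in the workflow itself, so a later maintainer will not know they are a temporary workaround; add a YAML comment above the `Scan docker image` step pointing at aquasecurity/trivy#7679 (as the PR discussion does) so the extra registries can be dropped once that change lands. Since each flag now receives a comma-separated list, also confirm that the Trivy binary installed at /tmp/trivy is pinned to a release that accepts multiple repositories, rather than one that would read the whole string as a single reference.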
Contributor Author

Trivy scan kept failing because of

added fix from here until aquasecurity/trivy#7679 is merged

@@ -77,7 +77,8 @@
"undici@<=5.28.2": ">=5.28.3",
"tar@<6.2.1": ">=6.2.1",
"braces@<3.0.3": ">=3.0.3",
"@grpc/grpc-js@>=1.10.0 <1.10.9": ">=1.10.9"
"@grpc/grpc-js@>=1.10.0 <1.10.9": ">=1.10.9",
"dset@<3.1.4": ">=3.1.4"
Contributor Author

[email protected] was present in a lot of packages; make sure we take 3.1.4 only.

@mkurapov mkurapov marked this pull request as ready for review November 6, 2024 12:53
@mkurapov mkurapov merged commit b3c7fa7 into main Nov 6, 2024
42 checks passed
@mkurapov mkurapov deleted the 3082/mk/fix-vulnerabilities branch November 6, 2024 14:03
Successfully merging this pull request may close these issues.

Fix package vulnerabilities (Docker Grype & Trivy Scans)