Feature/213 fix security issues

CHANGELOG.md

@@ -8,9 +8,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Changed
 - [#211] Target javascript version to es6
+- Update used version of nodejs to 18.7.0
+- Update used version of yarn to 1.22.19
+- Update java base image to v17.0.9-1
 
 ### Fixed
 - [#211] Fix integration tests after upgrading CAS
+- [#213] Eliminate CVEs by switching from the deprecated lib momentjs to dayjs
 
 ## [v1.7.1-1] - 2023-03-31
 ### Fixed

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:17.0.6_10-jdk as builder
+FROM eclipse-temurin:17.0.9_9-jdk as builder
 
 ENV SMEAGOL_DIR=/usr/src/smeagol
 COPY mvnw pom.xml package.json yarn.lock .prettierrc ${SMEAGOL_DIR}/
@@ -16,7 +16,7 @@ RUN set -x \
 
 
 
-FROM registry.cloudogu.com/official/java:17.0.6-1
+FROM registry.cloudogu.com/official/java:17.0.9-1
 LABEL NAME="official/smeagol" \
       VERSION="1.7.1-1" \
       maintainer="hello@cloudogu.com"

docs/development/Setup_Integrationtest_de.md

@@ -10,12 +10,13 @@ In diesem Abschnitt werden die benötigten Schritte beschrieben um die Integrati
 
 Damit alle Integrationstests auch einwandfrei funktionieren, müssen vorher einige Daten konfiguriert werden.
 
-**integrationTests/cypress.json** [[Link zur Datei](https://github.com/cloudogu/smeagol/blob/develop/integrationTests/cypress.json)]
+<!-- markdown-link-check-disable-next-line -->
+**integrationTests/cypress.config.json** [[Link zur Datei](../../integrationTests/cypress.config.js)]
 
 1) Es muss die base-URL auf das Hostsystem angepasst werden.
    Dafür muss das Feld `baseUrl` auf die Host-FQDN angepasst werden (`https://local.cloudogu.com`)
 2) Es müssen noch weitere Aspekte konfiguriert werden.
-   Diese werdeb als Umgebungsvariablen in der `cypress.json` gesetzt:
+   Diese werden als Umgebungsvariablen in der `cypress.config.json` gesetzt:
 - `DoguName` - Bestimmt den Namen des jetzigen Dogus und wir beim Routing benutzt.
 - `MaxLoginRetries` - Bestimmt die Anzahl der Loginversuche, bevor ein Test fehlschlägt.
 - `AdminUsername` - Der Benutzername des CES-Admins.

docs/development/Setup_Integrationtest_en.md

@@ -10,12 +10,13 @@ This section describes the steps required to properly run the integration tests.
 
 In order for all integration tests to work properly, some data must be configured beforehand.
 
-**integrationTests/cypress.json** [[Link to file](https://github.com/cloudogu/smeagol/blob/develop/integrationTests/cypress.json)]
+<!-- markdown-link-check-disable-next-line -->
+**integrationTests/cypress.config.json** [[Link to file](../../integrationTests/cypress.config.js)]
 
 1) The base URL must be adapted to the host system.
    For this the field `baseUrl` has to be adjusted to the host FQDN (`https://local.cloudogu.com`).
 2) Other aspects must be configured.
-   These are set as environment variables in the `cypress.json`:
+   These are set as environment variables in the `cypress.config.json`:
 - `DoguName` - Determines the name of the current dogu and will be used in routing.
 - `MaxLoginRetries` - Determines the number of login attempts before a test fails.
 - `AdminUsername` - The username of the CES admin.

package.json

@@ -3,15 +3,15 @@
   "version": "1.7.1-1",
   "private": true,
   "dependencies": {
-    "ces-theme": "https://github.com/cloudogu/ces-theme.git#39ad0799afc9e3f4a888192c6cd27b16f7161a84",
+    "ces-theme": "https://github.com/cloudogu/ces-theme.git#v0.7.2",
     "classnames": "^2.2.5",
     "highlight.js": "^10.4.1",
     "history": "^4.7.2",
     "i18next": "^10.3.0",
     "i18next-browser-languagedetector": "^2.1.0",
     "i18next-fetch-backend": "^0.1.0",
     "i18next-resource-store-loader": "^0.1.2",
-    "moment": "^2.20.1",
+    "dayjs": "^1.11.10",
     "object-assign": "4.1.1",
     "promise": "8.0.1",
     "query-string": "^5.0.1",

pom.xml

@@ -269,11 +269,11 @@
                 <version>2.5.0</version>
                 <configuration>
                     <node>
-                        <version>10.23.0</version>
+                        <version>18.7.0</version>
                     </node>
                     <pkgManager>
                         <type>YARN</type>
-                        <version>1.22.5</version>
+                        <version>1.22.19</version>
                     </pkgManager>
                     <pkg/>
                     <script/>

src/main/config/webpack.config.dev.js

@@ -239,12 +239,6 @@ module.exports = {
     // makes the discovery automatic so you don't have to restart.
     // See https://github.com/facebookincubator/create-react-app/issues/186
     new WatchMissingNodeModulesPlugin(paths.appNodeModules),
-    // Moment.js is an extremely popular library that bundles large locale files
-    // by default due to how Webpack interprets its code. This is a practical
-    // solution that requires the user to opt into importing specific locales.
-    // https://github.com/jmblog/how-to-optimize-momentjs-with-webpack
-    // You can remove this if you don't use Moment.js:
-    new webpack.IgnorePlugin(/^\.\/locale$/, /moment$/),
   ],
   // Some libraries import Node modules but don't use them in the browser.
   // Tell Webpack to provide empty mocks for them so importing them works.

src/main/config/webpack.config.prod.js

@@ -312,12 +312,6 @@ module.exports = {
       // Don't precache html files, because we have strange issues in production
       staticFileGlobsIgnorePatterns: [/\.map$/, /asset-manifest\.json$/, /\.html$/],
     }),
-    // Moment.js is an extremely popular library that bundles large locale files
-    // by default due to how Webpack interprets its code. This is a practical
-    // solution that requires the user to opt into importing specific locales.
-    // https://github.com/jmblog/how-to-optimize-momentjs-with-webpack
-    // You can remove this if you don't use Moment.js:
-    new webpack.IgnorePlugin(/^\.\/locale$/, /moment$/),
   ],
   // Some libraries import Node modules but don't use them in the browser.
   // Tell Webpack to provide empty mocks for them so importing them works.

src/main/js/DateFromNow.tsx

@@ -1,16 +1,19 @@
 import React from "react";
-import moment from "moment";
+import dayjs from "dayjs";
+import relativeTime from "dayjs/plugin/relativeTime";
 import { translate } from "react-i18next";
 
 type Props = {
   date?: string;
 };
 
+dayjs.extend(relativeTime);
+
 class DateFromNow extends React.Component<Props> {
   static format(locale: string, date?: string) {
     let fromNow = "";
     if (date) {
-      fromNow = moment(date).locale(locale).fromNow();
+      fromNow = dayjs(date).locale(locale).fromNow();
     }
     return fromNow;
   }

src/main/js/i18n.ts

@@ -2,7 +2,7 @@ import i18n from "i18next";
 import LanguageDetector from "i18next-browser-languagedetector";
 import { reactI18nextModule } from "react-i18next";
 
-import "moment/locale/de";
+import "dayjs/locale/de.js";
 
 // The import is essential for webpack to detect the translations and to pack them together with the bundle.js
 import resBundle from "i18next-resource-store-loader!./assets/locales/DoNotDelete";