#2052: update vulnerable npm dependencies (npm audit fix)

[kcaran]

Hi. In this branch I updated all the node packages to the very latest versions that I could. Now the trivy scans pass and github actions no longer warn about using node 16.

The biggest issue I had was stylelint, which checks the default Sass files. It changed significantly, but older versions rely on postcss, and that had a vulnerability in the older versions.

I didn't touch Docker but I think everything else is working fine.

[nodiscc]

Thanks!

How did you manage? I was stuck with npm audit fix errors in #2052

Your patch seems to break Docker builds though https://github.com/shaarli/Shaarli/actions/runs/9180779024/job/25245995113?pr=2087

#25 [node 3/3] RUN cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules
#25 0.222 yarn install v1.22.18
#25 0.319 [1/4] Resolving packages...
#25 0.538 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.1.2"
#25 0.541 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.0.1"
#25 0.651 [2/4] Fetching packages...
#25 7.997 error babel-loader@9.1.3: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
#25 8.004 error Found incompatible module.
#25 8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
#25 ERROR: process "/bin/sh -c cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules" did not complete successfully: exit code: 1
------
 > [node 3/3] RUN cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules:
0.222 yarn install v1.22.18
0.319 [1/4] Resolving packages...
0.538 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.1.2"
0.541 warning Resolution field "string-width@4.2.3" is incompatible with requested version "string-width@^5.0.1"
0.651 [2/4] Fetching packages...
7.997 error babel-loader@9.1.3: The engine "node" is incompatible with this module. Expected version ">= 14.15.0". Got "12.22.12"
8.004 error Found incompatible module.
8.004 info Visit https://yarnpkg.com/en/docs/cli/install for documentation about this command.
------
WARNING: No output specified with docker-container driver. Build result will only remain in the build cache. To push result image into registry use --push or to load image into docker use --load
Dockerfile:21
--------------------
  20 |     COPY --from=composer /app/shaarli shaarli
  21 | >>> RUN cd shaarli \
  22 | >>>     && yarnpkg install \
  23 | >>>     && yarnpkg run build \
  24 | >>>     && rm -rf node_modules
  25 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c cd shaarli     && yarnpkg install     && yarnpkg run build     && rm -rf node_modules" did not complete successfully: exit code: 1

[kcaran]

Hi. I think I fixed the docker builds by upgrading node (and alpine which I saw you did in another branch).

For the dependencies, I upgraded everything manually. First I edited package.json with all asterisks to get the latest versions of everything. Then I downgraded anything that was broken (and I couldn't fix). Then I put the versions that worked back into package.json.

I used Node 18 because that is what I'm using on my servers, but I'm pretty sure everything would work with Node 20.

[nodiscc]

👍

I think your last changes broke the PR, there are now 35 commits in this PR, some from 2020... https://github.com/shaarli/Shaarli/pull/2087/commits. Can you please check and/or rebase on master?

[kcaran]

Sorry about that. I did a rebase and I think it looks ok now.

something wrong with fonts

[nodiscc]

I just tried building and running the Docker image, it seems there is something wrong with icon fonts, they are missing from the image:

~/GIT/Shaarli (npm-audit-fix =)$ docker build -t shaarli:npm-audit-fix .
...
Successfully tagged localhost/shaarli:npm-audit-fix
~/GIT/Shaarli (npm-audit-fix =)$ docker run --name shaarli --publish 8000:80 localhost/shaarli:npm-audit-fix

• Access http://localhost:8000 in a browser
• Fill in the setup page
• All font-based icons/glyphs are missing

~/GIT/Shaarli (npm-audit-fix =)$ docker exec -it shaarli sh
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
/var/www # ls shaarli/tpl/default/css/
markdown.min.css  shaarli.min.css

Edit: can confirm that icons are properly displayed when building from master

[nodiscc]

^ see comment above

[kcaran]

I updated webpack.config.js, which I think broke with version 5. I was able to run the default and vintage themes both locally and through docker. I'll try to run a docker instance next time: it helps ensure that the environment is completely clean.

[nodiscc]

successfully tested (installed from scratch, tested, imported data from another shaarli instance, tested most features)

[nodiscc]

There are two unrelated commits in this PR

@kcaran Is it ok to rebase this branch and drop them?

[kcaran]

Of course, it's your show. Those changes are from an early pull request:

#2086