[fix] fix all cve warnings #138
Conversation
allansson
requested review from
going-confetti,
2Steaks and
w1kman
and removed request for
a team and
going-confetti
There was a problem hiding this comment.
CR: I'm a bit sceptical against installing "D".
FYI: Since we are pushing a docker image on build (which is scanned by Grafana using trivy). I ran trivy image har-to-k6:local, which resulted in Total: 57 (UNKNOWN: 0, LOW: 50, MEDIUM: 5, HIGH: 1, CRITICAL: 1)
Not asking you to fix the image vulnerabilities, just pointing out that they are subjected to show up when grafana scans the docker image.
package.json
Outdated
| @@ -29,6 +29,7 @@ | |||
| "bundle-collapser": "^1.3.0", | |||
| "caporal": "1.0.0", | |||
| "chalk": "^2.4.2", | |||
| "D": "^1.0.0", | |||
There was a problem hiding this comment.
Why?
This package has been deprecated
There was a problem hiding this comment.
A guess: npm install D 😅
There was a problem hiding this comment.
I've updated the Dockerfile to use node:20-alpine to minimize the CVEs to 2 medium ones. It also shrinks the image by 60 MB.
D has been removed.
I also noticed a warning that babel-eslint was no longer updated, so I switched to @babel/eslint-parser to make any future updates easier.
This PR fixes all the CVE warnings when running ´trivy
andnpm audit` on the repo.The critical CVE was easy to fix. We just needed to upgrade babel to the latest version and it went away.
The other warnings were caused by an old version of ava, and that proved to be trickier to fix. The old version had support for mixing ESM and CJS, but that was dropped in favor of native esm support in node. But that has some problems:
typeproperty in package.json: iftypeis"module"CJS modules need to have the extension.cjsand vice versa.In the end, the simplest solution was to just convert all the
importstatements in the test suite torequirestatements.How to test
trivy fs . --include-dev-depsin the repositorynpm auditin the reposityExpected result
There should be no CVEs.