Merge pull request #488 from snyk/fix/IM-132-vuln-fixes

fix: vulnerable packages, Node version, packaging
snyk · Jun 26, 2024 · 32a27c1 · 32a27c1
2 parents de985c1 + bcff763
commit 32a27c1
Show file tree

Hide file tree

Showing 18 changed files with 261 additions and 268 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -15,7 +15,7 @@ main_only: &main_only
 defaults: &defaults
   resource_class: small
   docker:
-    - image: circleci/node:12
+    - image: cimg/node:20.11.1
 
 jobs:
   security-scans:
@@ -27,7 +27,6 @@ jobs:
           mode: auto
           release-branch: master # TODO: remove when master branch is renamed
           iac-scan: disabled
-          open-source-scan: critical # TODO: remove this once Axios vulns are fixed
           open-source-additional-arguments: --exclude=test
 
   build-test-monitor:
@@ -44,8 +43,7 @@ jobs:
       - checkout
       - run: npm install
       - run: npm test
-      - run: npx tsc
-      - run: npm run pkg-binaries-linux
+      - run: npm run pkg-binaries:linux
       - run: ./snyk-api-import-linux help
 
   build-test-from-fork:
@@ -54,7 +52,6 @@ jobs:
       - checkout
       - run: npm install
       - run: npm test
-      - run: npx tsc
 
 workflows:
   version: 2

diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-12
+20
diff --git a/.releaserc b/.releaserc
@@ -9,22 +9,22 @@
     {
       "//": "build the macos",
       "path": "@semantic-release/exec",
-      "cmd": "npx [email protected] dist/index.js  -r './dist/**/*.js' -t mac-x64-12.18.2 -o snyk-api-import-macos"
+      "cmd": "npm run pkg-binaries:macos"
     },
     {
       "//": "build the linux",
       "path": "@semantic-release/exec",
-      "cmd": "npx [email protected] dist/index.js  -r './dist/**/*.js' -t linux-x64-12.16.2 -o snyk-api-import-linux"
+      "cmd": "npm run pkg-binaries:linux"
     },
     {
       "//": "build the alpine",
       "path": "@semantic-release/exec",
-      "cmd": "npx [email protected] dist/index.js  -r './dist/**/*.js' -t alpine-x64-12.9.1 -o snyk-api-import-alpine"
+      "cmd": "npm run pkg-binaries:alpine"
     },
     {
       "//": "build the windows binaries",
       "path": "@semantic-release/exec",
-      "cmd": "npx [email protected] dist/index.js  -r './dist/**/*.js' -t windows-x64-12.18.2 -o snyk-api-import-win.exe"
+      "cmd": "npm run pkg-binaries:windows"
     },
     {
       "//": "shasum all binaries",

diff --git a/.snyk b/.snyk
@@ -7,14 +7,4 @@ ignore:
         reason: there is no fix available
         expires: 2023-12-30T17:38:57.751Z
         created: 2023-11-30T17:38:57.755Z
-  SNYK-JS-AXIOS-6032459O:
-    - '*':
-        reason: vuln fix broke binary packaging
-        expires: 2024-04-05T16:28:10.379Z
-        created: 2024-03-06T16:28:10.387Z
-  SNYK-JS-AXIOS-6144788O:
-    - '*':
-        reason: vuln fix broke binary packaging
-        expires: 2024-04-05T16:28:56.455Z
-        created: 2024-03-06T16:28:56.463Z
 patch: {}
diff --git a/.tool-versions b/.tool-versions
@@ -1 +1 @@
-nodejs 12.22.12
+nodejs 20.11.1
diff --git a/package.json b/package.json
@@ -19,8 +19,11 @@
     "build-watch": "tsc -w",
     "prepare": "npm run build",
     "snyk-test": "snyk test",
-    "pkg-binaries-linux": "npx [email protected] dist/index.js  -r './dist/**/*.js' -t linux-x64-12.16.2 -o snyk-api-import-linux",
-    "pkg-binaries": "npx [email protected] dist/index.js -r './dist/**/*.js' -t mac-x64-12.18.2 -o snyk-api-import-macos"
+    "pkg-binaries:macos": "npx @yao-pkg/pkg . -t node20-macos-x64 -o snyk-api-import-macos",
+    "pkg-binaries:macos-arm": "npx @yao-pkg/pkg . -t node20-macos-arm64 -o snyk-api-import-macos-arm",
+    "pkg-binaries:linux": "npx @yao-pkg/pkg . -t node20-linux-x64 -o snyk-api-import-linux",
+    "pkg-binaries:alpine": "npx @yao-pkg/pkg . -t node20-alpine-x64 -o snyk-api-import-alpine",
+    "pkg-binaries:windows": "npx @yao-pkg/pkg . -t node20-win-x64 -o snyk-api-import-win.exe"
   },
   "types": "./dist/index.d.ts",
   "repository": {
@@ -30,7 +33,7 @@
   "author": "Snyk Tech Services",
   "license": "Apache-2.0",
   "engines": {
-    "node": ">=12"
+    "node": ">=20"
   },
   "files": [
     "bin",
@@ -42,34 +45,34 @@
     "@gitbeaker/node": "35.7.0",
     "@octokit/plugin-retry": "4.0.3",
     "@octokit/rest": "19.0.5",
-    "@types/base-64": "^1.0.0",
     "base-64": "^1.0.0",
     "bottleneck": "2.19.5",
     "bunyan": "1.8.15",
     "debug": "4.3.4",
     "lodash": "4.17.21",
-    "micromatch": "4.0.5",
+    "micromatch": "4.0.6",
     "needle": "2.9.1",
     "p-map": "4.0.0",
     "parse-link-header": "2.0.0",
     "rimraf": "3.0.2",
     "simple-git": "3.16.0",
     "sleep-promise": "8.0.1",
-    "snyk-request-manager": "1.8.3",
+    "snyk-request-manager": "1.8.4",
     "source-map-support": "^0.5.16",
     "split": "1.0.1",
     "yargs": "16.2.0"
   },
   "devDependencies": {
     "@octokit/types": "6.14.2",
     "@semantic-release/exec": "5.0.0",
+    "@types/base-64": "^1.0.0",
     "@types/bunyan": "1.8.6",
     "@types/debug": "4.1.5",
-    "@types/jest": "^25.1.1",
+    "@types/jest": "^29.5.12",
     "@types/lodash": "^4.14.149",
-    "@types/micromatch": "4.0.2",
+    "@types/micromatch": "4.0.6",
     "@types/needle": "2.0.4",
-    "@types/node": "14.14.45",
+    "@types/node": "^20.11.1",
     "@types/parse-link-header": "1.0.0",
     "@types/rimraf": "3.0.2",
     "@types/split": "1.0.0",
@@ -78,18 +81,21 @@
     "eslint": "7.30.0",
     "eslint-config-prettier": "^6.10.0",
     "eslint-plugin-check-file": "1.2.3",
-    "jest": "27.0.6",
+    "jest": "^29.7.0",
     "nock": "^13.2.1",
     "prettier": "2.7.1",
     "semantic-release": "17.3.0",
-    "ts-jest": "27.0.3",
+    "ts-jest": "^29.1.5",
     "tsc-watch": "^4.1.0",
-    "typescript": "4.3.5",
+    "typescript": "4.5",
     "uuid": "9.0.0"
   },
   "pkg": {
     "scripts": [
       "dist/**/*.js"
+    ],
+    "assets": [
+      "./node_modules/axios/dist/node/axios.cjs"
     ]
   }
-}
+}
diff --git a/src/lib/delete-directory.ts b/src/lib/delete-directory.ts
@@ -3,7 +3,7 @@ import * as fs from 'fs';
 
 export async function deleteDirectory(dir: string): Promise<void> {
   try {
-    fs.rmdirSync(dir, { recursive: true, maxRetries: 3 });
+    fs.rmSync(dir, { recursive: true, force: true, maxRetries: 3 });
   } catch (e) {
     await new Promise<void>((resolve, reject) =>
       rmrf(dir, (err) => (err ? reject(err) : resolve())),

diff --git a/src/lib/source-handlers/github/get-repo-metadata.ts b/src/lib/source-handlers/github/get-repo-metadata.ts
@@ -5,7 +5,7 @@ import type { RepoMetaData, Target } from '../../types';
 import { getGithubToken } from './get-github-token';
 import { getGithubBaseUrl } from './github-base-url';
 
-const githubClient = Octokit.plugin(retry);
+const githubClient = Octokit.plugin(retry as any);
 const debug = debugLib('snyk:get-github-defaultBranch-script');
 
 export async function getGithubRepoMetaData(

diff --git a/src/lib/source-handlers/github/list-repos.ts b/src/lib/source-handlers/github/list-repos.ts
@@ -6,7 +6,7 @@ import { getGithubBaseUrl } from './github-base-url';
 import type { GithubRepoData } from './types';
 
 const debug = debugLib('snyk:list-repos-script');
-const githubClient = Octokit.plugin(retry);
+const githubClient = Octokit.plugin(retry as any);
 
 export async function fetchReposForPage(
   octokit: Octokit,

diff --git a/src/lib/source-handlers/github/organization-is-empty.ts b/src/lib/source-handlers/github/organization-is-empty.ts
@@ -7,7 +7,7 @@ import { fetchReposForPage } from './list-repos';
 import { getGithubToken } from './get-github-token';
 
 const debug = debugLib('snyk:github');
-const githubClient = Octokit.plugin(retry);
+const githubClient = Octokit.plugin(retry as any);
 
 export async function githubOrganizationIsEmpty(
   orgName: string,