Description of problem:
Despite fixing CVEs and pinning deps to resolve old reqs on express 4.1z to 4.21, we still have 4.18 in the distgit/containers/rhdh-hub/dynamic-plugins-imports-peer-dependencies yarn lock, which is confusing to customers because we are still shipping vulnerable node_modules content.
Steps to Reproduce:
- look in the latest 1.3 container for old node_modules folders, e.g. for express 4.18. They should be removed/replaced with 4.21.
Definition of Done:
- fix sync-midstream.sh to use the root yarn lock as input to the peer deps caching folder; this should allow the pinned versions to be used instead of the default resolutions
- respin container
- script some sort of checker like https://gitlab.cee.redhat.com/rhidp/rhdh/-/blob/rhdh-1-rhel-9/build/scripts/listPluginVersions.sh to scrape a container and pull the versions of all the deps in package.json / yarn.lock
- enhance that script to support filtering/checking against a list of CVEs and fixed-in-version values so we can verify if we contain any bad packages
- apply same fix in 1.4 and 1.3 builds
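The checker described in the Definition of Done needs two pieces: a reader for yarn.lock v1 entries (package name plus the resolved `version`) and a numeric version comparison against a list of CVE fixed-in versions. The block below is an added example of that logic, not the project's listPluginVersions.sh or any code from the ticket. It assumes a yarn.lock v1 file already extracted from the container; the lock content, the advisory list and its CVE id are constructed here for illustration (the id is a placeholder, and the 4.21.0 fixed-in threshold only mirrors the ticket's "pin to 4.21" statement). The sample lock deliberately contains both an express 4.18.x and a 4.21.x entry, which is the situation the ticket reports.

```javascript
// Added example: scan a yarn.lock (v1 format) for packages whose resolved
// version is below the fixed-in version listed for a known CVE.

// Constructed sample yarn.lock content (not from the real rhdh-hub container).
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


express@^4.17.1, express@^4.18.2:
  version "4.18.2"
  resolved "https://registry.yarnpkg.com/express/-/express-4.18.2.tgz"
  integrity sha512-placeholder

"express@^4.21.0":
  version "4.21.1"
  resolved "https://registry.yarnpkg.com/express/-/express-4.21.1.tgz"

"@types/express@^4.17.0":
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/@types/express/-/express-4.17.21.tgz"
`;

// Constructed advisory list: CVE id is a placeholder, fixedIn is illustrative.
const ADVISORIES = [
  { id: "CVE-XXXX-XXXXX (placeholder)", package: "express", fixedIn: "4.21.0" },
];

// Parse yarn.lock v1: an unindented line ending in ":" lists the requested
// specifiers (optionally quoted); the indented `version "..."` line that
// follows is the version actually resolved into node_modules.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specifiers = line
        .slice(0, -1)
        .split(", ")
        .map((s) => s.replace(/^"|"$/g, ""));
      // Package name is everything before the last "@" (scoped names start with "@").
      const at = specifiers[0].lastIndexOf("@");
      const name = at > 0 ? specifiers[0].slice(0, at) : specifiers[0];
      current = { name, specifiers, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries.filter((e) => e.version !== null);
}

// Numeric major.minor.patch comparison. Plain string comparison would rank
// "4.9.0" above "4.18.0", which is exactly the mistake a checker must avoid.
// Pre-release/build suffixes are ignored here; a production checker should
// use a full semver implementation.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every lock entry whose resolved version is older than an advisory's
// fixed-in version for the same package.
function checkYarnLock(text, advisories) {
  const findings = [];
  for (const entry of parseYarnLock(text)) {
    for (const adv of advisories) {
      if (adv.package === entry.name && compareVersions(entry.version, adv.fixedIn) < 0) {
        findings.push({
          id: adv.id,
          package: entry.name,
          version: entry.version,
          fixedIn: adv.fixedIn,
          specifiers: entry.specifiers,
        });
      }
    }
  }
  return findings;
}

// Report on the constructed sample: only express 4.18.2 is flagged.
for (const f of checkYarnLock(SAMPLE_YARN_LOCK, ADVISORIES)) {
  console.log(`${f.package}@${f.version} (requested as ${f.specifiers.join(", ")}) is below fixed-in ${f.fixedIn} for ${f.id}`);
}
```

The specifiers are kept in each finding because they answer the follow-up question the ticket raises: which requested ranges (here `^4.17.1` and `^4.18.2`) caused the old resolution to survive, and therefore which pins the root yarn.lock must carry so that sync-midstream.sh no longer produces a second copy.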
Related issues:
- is duplicated by RHIDP-4492 Spike: investigate how to have fewer yarn.lock dependencies cached / keep things up to date (Closed)