update dashboard dependencies to remove npm libs with security issues
Is your task related to a problem? Please describe
As reported in https://issues.redhat.com/browse/CRW-2385 and https://bugzilla.redhat.com/show_bug.cgi?id=2007557, we have a dependency on a nodejs library which is potentially risky.
The dashboard image (as built in CRW 2.13) contains the following 4 versions of ansi-regex:
$➔ podman run -it --rm --entrypoint /bin/bash quay.io/crw/dashboard-rhel8:2.13 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do cat \$p/package.json | grep _resolved; done" | sort -uV
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz",
For Che 7.40.0, we have 3 versions included:
$➔ podman run -it --rm --entrypoint /bin/sh quay.io/eclipse/che-dashboard:7.40.0 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do cat \$p/package.json | grep _resolved; done" | sort -uV
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-2.1.1.tgz",
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz",
"_resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz",
Describe the solution you'd like
Can we update to only depend on 5.0.1 or 6.0.1 or newer?
Describe alternatives you've considered
No response
Additional context
No response
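The one-liner above answers the question for a single image by hand. The script below is an added example (not part of the issue or the che-dashboard project) that generalises the same check to any directory tree, such as an image root filesystem exposed with `podman mount`, and flags every nested copy of a package whose version is below a fixed floor (5.0.1, as requested in the issue). The sample tree it builds is constructed to mirror the layouts shown in the thread.

```shell
#!/bin/sh
# Added example (not from the issue): list every nested copy of an npm package
# under a root directory and flag versions below a floor. Assumes paths contain
# no whitespace; pre-release suffixes (e.g. 6.0.0-beta) are compared as 6.0.0.

# Print "path version" for each <root>/**/node_modules/<pkg>/package.json.
list_copies() {  # $1=root dir  $2=package name
  find "$1" -path "*/node_modules/$2/package.json" 2>/dev/null | sort |
  while read -r f; do
    v=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
    printf '%s %s\n' "$f" "$v"
  done
}

# Exit 0 when dotted version $1 >= $2 (component-wise numeric compare, no GNU sort -V needed).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0; if (p < q) exit 1
    }
    exit 0 }'
}

# Print only the copies whose version is below the floor $3.
report_below() {  # $1=root  $2=package  $3=minimum acceptable version
  list_copies "$1" "$2" | while read -r f v; do
    version_ge "$v" "$3" || printf '%s %s\n' "$f" "$v"
  done
}
# Number of copies below the floor (0 means the tree is clean for this package).
count_below() { report_below "$1" "$2" "$3" | wc -l | tr -d ' '; }

# Constructed tree modelled on the 7.50.0 output in the issue; prints its root.
make_sample_tree() {
  root=$(mktemp -d)
  for spec in "npm/node_modules/ansi-regex:2.1.1" \
              "npm/node_modules/string-width/node_modules/ansi-regex:3.0.0" \
              "npm/node_modules/cli-table3/node_modules/ansi-regex:5.0.0" \
              "npm/node_modules/gauge/node_modules/ansi-regex:5.0.1"; do
    dir="$root/${spec%%:*}"; mkdir -p "$dir"
    printf '{\n  "name": "ansi-regex",\n  "version": "%s"\n}\n' "${spec##*:}" > "$dir/package.json"
  done
  printf '%s\n' "$root"
}

# Usage: ./audit.sh <root> <package> [floor]   e.g. ./audit.sh /mnt/rootfs ansi-regex 5.0.1
if [ "$#" -ge 2 ]; then report_below "$1" "$2" "${3:-5.0.1}"; fi
```

Run it against a mounted image root to get the same per-copy listing the podman one-liner prints, with the offending copies already filtered out for you.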
Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.
Mark the issue as fresh with /remove-lifecycle stale in a new comment.
If this issue is safe to close now please do so.
Moderators: Add lifecycle/frozen label to avoid stale mode.
Situation has improved, but looks like we need to purge some older deps that rely on 2.1.1 and 3.0.0 and 5.0.0.
$➔ podman run -it --rm --entrypoint /bin/sh quay.io/eclipse/che-dashboard:7.50.0 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do echo; echo \$p/package.json:; cat \$p/package.json | grep version; done"
/usr/local/lib/node_modules/npm/node_modules/cli-columns/node_modules/ansi-regex/package.json:
"version": "5.0.1",
/usr/local/lib/node_modules/npm/node_modules/ansi-regex/package.json:
"version": "2.1.1",
/usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json:
"version": "3.0.0",
/usr/local/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json:
"version": "5.0.0",
/usr/local/lib/node_modules/npm/node_modules/gauge/node_modules/ansi-regex/package.json:
"version": "5.0.1",
and
$➔ podman run -it --rm --entrypoint /bin/bash quay.io/devspaces/dashboard-rhel8:3.1 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do echo; echo \$p/package.json:; cat \$p/package.json | grep version; done"
/usr/lib/node_modules/nodemon/node_modules/ansi-regex/package.json:
"version": "5.0.1",
/usr/lib/node_modules/npm/node_modules/cli-columns/node_modules/ansi-regex/package.json:
"version": "5.0.1",
/usr/lib/node_modules/npm/node_modules/ansi-regex/package.json:
"version": "2.1.1",
/usr/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json:
"version": "3.0.0",
/usr/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json:
"version": "5.0.0",
/usr/lib/node_modules/npm/node_modules/gauge/node_modules/ansi-regex/package.json:
"version": "5.0.1",
Not better than last update: still depend on 2.1.1 and 3.0.0 and 5.0.0 in favour of 5.0.1:
$ podman run -it --rm --entrypoint /bin/sh quay.io/eclipse/che-dashboard:7.55.0 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do echo; echo \$p/package.json:; cat \$p/package.json | grep version; done"
/usr/local/lib/node_modules/npm/node_modules/ansi-regex/package.json:
"version": "2.1.1",
/usr/local/lib/node_modules/npm/node_modules/cli-columns/node_modules/ansi-regex/package.json:
"version": "5.0.1",
/usr/local/lib/node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex/package.json:
"version": "5.0.0",
/usr/local/lib/node_modules/npm/node_modules/gauge/node_modules/ansi-regex/package.json:
"version": "5.0.1",
/usr/local/lib/node_modules/npm/node_modules/string-width/node_modules/ansi-regex/package.json:
"version": "3.0.0",
But downstream we're much better as of 3.2 (https://issues.redhat.com/browse/CRW-2384 resolved!):
$➔ podman run -it --rm --entrypoint /bin/bash quay.io/devspaces/dashboard-rhel8:3.2 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do echo; echo \$p/package.json:; cat \$p/package.json | grep version; done"
/usr/lib/node_modules/npm/node_modules/ansi-regex/package.json:
"version": "5.0.1",
Solution is to update to a newer base image upstream:
docker.io/node:16.14.0-alpine3.15 (upstream)
registry.access.redhat.com/ubi8/nodejs-16:1-58.1665590963 == node.js v16.16.0
PR: https://github.com/eclipse-che/che-dashboard/pull/656 (use docker.io/node:16.16.0-alpine3.15 )
Closing
As of 7.57:
podman run -it --rm --entrypoint /bin/sh quay.io/eclipse/che-dashboard:7.57.0 -c "for p in \$(find /usr -name ansi-regex -type d 2>/dev/null); do echo; echo \$p/package.json:; cat \$p/package.json | grep version; done"
/usr/local/lib/node_modules/npm/node_modules/ansi-regex/package.json:
"version": "5.0.1",