From 3d44bec665d2a731ba0186cbfb8b3e5eea85e3c3 Mon Sep 17 00:00:00 2001
From: zondervancalvez
Date: Mon, 20 Nov 2023 15:09:42 +0800
Subject: [PATCH] tools(cmd-api-server): address CVE: CVE-2022-25881

Primary Changes:
Updated the https-cache-semantics to latest version inside the cmd-api-server package

Fixes: hyperledger#2862

Signed-off-by: zondervancalvez
---
 packages/cactus-cmd-api-server/Dockerfile | 18 ++++++++----------
 packages/cactus-cmd-api-server/package.json | 2 ++
 yarn.lock | 9 +++++++++
 3 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/packages/cactus-cmd-api-server/Dockerfile b/packages/cactus-cmd-api-server/Dockerfile
index e84eade18b1..569c1084842 100644
--- a/packages/cactus-cmd-api-server/Dockerfile
+++ b/packages/cactus-cmd-api-server/Dockerfile
@@ -50,17 +50,15 @@ ENV NODE_VERSION 20.9.0
 ENV NODE_PATH $NVM_DIR/v$NODE_VERSION/lib/node_modules
 ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH
 
-# Install nvm with node and npm
+# Install nvm with node and yarn
 RUN mkdir -p ${NVM_DIR}
-RUN curl https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash \
- && source $NVM_DIR/nvm.sh \
- && nvm install $NODE_VERSION \
- && nvm alias default $NODE_VERSION \
- && nvm use default \
- && npm install -g npm@10.2.4
-
-ARG NPM_PKG_VERSION=latest
-RUN npm install @hyperledger/cactus-cmd-api-server@${NPM_PKG_VERSION}
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
+RUN source ~/.bashrc && \
+ nvm install 20.11.1 && \
+ npm install --location=global yarn && \
+ yarn config set nodeLinker node-modules && \
+ yarn set version 4.1.0 && \
+ yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2
 
 COPY ./packages/cactus-cmd-api-server/docker-entrypoint.sh /usr/local/bin/
 HEALTHCHECK --interval=5s --timeout=5s --start-period=1s --retries=30 CMD /healthcheck.sh 
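Review bot: The last line of the new RUN block, `yarn add @hyperledger/cactus-example-carbon-accounting-backend@2.0.0-alpha.2`, installs the carbon-accounting example backend into an image whose Dockerfile, entrypoint and healthcheck belong to cactus-cmd-api-server, in place of the removed `npm install @hyperledger/cactus-cmd-api-server@${NPM_PKG_VERSION}`; unless the entrypoint outside this hunk was changed too, the image no longer ships the package it is named for, and the removed `ARG NPM_PKG_VERSION=latest` takes away the only way a build could pin that package's version. `nvm install 20.11.1` also hard-codes a release that disagrees with `ENV NODE_VERSION 20.9.0` and with the `ENV PATH $NVM_DIR/versions/node/v$NODE_VERSION/bin:$PATH` line just above, so later layers that rely on PATH rather than `source ~/.bashrc` may not find the node that was actually installed. None of this is connected to CVE-2022-25881 from the subject line, so I would either drop the Dockerfile from this patch or restore `ARG NPM_PKG_VERSION=latest`, `nvm install $NODE_VERSION` and `yarn add @hyperledger/cactus-cmd-api-server@${NPM_PKG_VERSION}`. The `curl ... | bash` fetch of the nvm installer was already unverified before this change, so that is not new, but a checksum comparison of the downloaded script before running it would fit naturally into the split `RUN curl -o- ...` line.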
diff --git a/packages/cactus-cmd-api-server/package.json b/packages/cactus-cmd-api-server/package.json
index 7b7c9b6305f..45f6cc4008d 100644
--- a/packages/cactus-cmd-api-server/package.json
+++ b/packages/cactus-cmd-api-server/package.json
@@ -114,6 +114,7 @@
 "@types/express": "4.17.21",
 "@types/express-http-proxy": "1.6.2",
 "@types/google-protobuf": "3.15.5",
+ "@types/http-cache-semantics": "4.0.4",
 "@types/json-stable-stringify": "1.0.34",
 "@types/jsonwebtoken": "8.5.4",
 "@types/multer": "1.4.7",
@@ -129,6 +130,7 @@
 "google-protobuf": "3.18.0-rc.2",
 "grpc-tools": "1.12.4",
 "grpc_tools_node_protoc_ts": "5.3.3",
+ "http-cache-semantics": "4.1.1",
 "http-status-codes": "2.1.4",
 "protobufjs": "7.2.5",
 "tsx": "4.7.0"
diff --git a/yarn.lock b/yarn.lock
index 3c96fadfce6..99cbf93c0bb 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7641,6 +7641,7 @@ __metadata:
 "@types/express": "npm:4.17.21"
 "@types/express-http-proxy": "npm:1.6.2"
 "@types/google-protobuf": "npm:3.15.5"
+ "@types/http-cache-semantics": "npm:4.0.4"
 "@types/json-stable-stringify": "npm:1.0.34"
 "@types/jsonwebtoken": "npm:8.5.4"
 "@types/multer": "npm:1.4.7"
@@ -7671,6 +7672,7 @@ __metadata:
 google-protobuf: "npm:3.18.0-rc.2"
 grpc-tools: "npm:1.12.4"
 grpc_tools_node_protoc_ts: "npm:5.3.3"
+ http-cache-semantics: "npm:4.1.1"
 http-status-codes: "npm:2.1.4"
 jose: "npm:4.15.5"
 json-stable-stringify: "npm:1.0.2"
@@ -14907,6 +14909,13 @@ __metadata:
 languageName: node
 linkType: hard
 
+"@types/http-cache-semantics@npm:4.0.4":
+ version: 4.0.4
+ resolution: "@types/http-cache-semantics@npm:4.0.4"
+ checksum: 10/a59566cff646025a5de396d6b3f44a39ab6a74f2ed8150692e0f31cc52f3661a68b04afe3166ebe0d566bd3259cb18522f46e949576d5204781cd6452b7fe0c5
+ languageName: node
+ linkType: hard
+
 "@types/http-cache-semantics@npm:^4.0.1":
 version: 4.0.1
 resolution: "@types/http-cache-semantics@npm:4.0.1"
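Review bot: Adding `"http-cache-semantics": "4.1.1"` as a direct dependency in the second package.json hunk does not on its own displace the transitive copy that CVE-2022-25881 concerns: whatever already pulls http-cache-semantics into this workspace keeps resolving its own range independently, and the yarn.lock hunks add only the `@types` resolution block plus the two workspace descriptor lines, with no new or changed resolution entry for `http-cache-semantics@npm:4.1.1`. The diffstat's 9 insertions and 0 deletions for yarn.lock account for exactly those lines, so either an existing lock entry already carried the 4.1.1 descriptor (in which case the fixed version was already what resolved here and the new dependency adds nothing) or the lockfile was not regenerated after the package.json edit and an immutable install would likely reject it; worth checking which before merging. If the intent is to force every consumer onto the fixed release, a `"resolutions": { "http-cache-semantics": "4.1.1" }` entry in the root package.json is the mechanism that actually pins the transitive resolution, and if cmd-api-server does not import http-cache-semantics itself the new dependency and its `@types/http-cache-semantics` companion should be dropped rather than kept as dead weight. The commit message also misspells the package as `https-cache-semantics`.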