packages updated

[rv0lt]

Read this before submitting the PR

1. Always create a Draft PR first
2. Go through sections 1-5 below, fill them in and check all the boxes
3. Make sure that the branch is updated; if there's an "Update branch" button at the bottom of the PR, rebase or update branch.
4. When all boxes are checked, information is filled in, and the branch is updated: mark as Ready For Review and tag reviewers (top right)
5. Once there is a submitted review, implement the suggestions (if reasonable, otherwise discuss) and request an new review.

If there is a field which you are unsure about, enter the edit mode of this description or go to the PR template; There are invisible comments providing descriptions which may be of help.

1. Description / Summary

Updating vulnerable node packages

---

The vulnerabilities identified by Trivy are:

• minimatch: 3.04 → 3.0.5
• request: 2.88.2 → No fixed version
• semver: 7.0.0 → 7.5.2
• tough-cookie: 2.5.0 → 4.1.3

To solve the dependencies, running

npm audit --fix

Gives the packages that are needed to update to solve the vulnerabilities:

• minimatch is fixed by updating serve
  • 13.0.4 → 14.2.1
• semver is fixed by updating nodemon
  • 2.0.22 → 3.0.1
• tough cookie is fixed by updating node-sass
  • 7.0.3 → 9.0.0

Perfrom update:

npm install [email protected] [email protected] [email protected] --save-dev

Check for breaking changes:

1. Re-build the image and execute the suite of tests to check no breaking tests.

2. Read the changelogs

• Serve
  • Release notes
  • The breaking change is rewritting the module in TypeScript, serve is used to serve the web. Test manually web functions
• nodemon
  • Release notes
  • The breaking change is dropping support for node 8 (we use 18 currently)
• node-sass
  • Release notes
  • Breaking changes are dropping support for node 17 or previous.

3. Run Trivy scanner again to check that node vuln are fixed

2. Jira task / GitHub issue

https://scilifelab.atlassian.net/jira/software/projects/DDS/boards/13?selectedIssue=DDS-1837

3. Type of change

What type of change(s) does the PR contain?

Check the relevant boxes below. For an explanation of the different sections, enter edit mode of this PR description template.

• New feature
  • Breaking: Why / How? Add info here.
  • Non-breaking
• Database change: Remember the to include a new migration version, or explain here why it's not needed.
• Bug fix
• Security Alert fix
  • Package update
    • Major version update
• Documentation
• Workflow
• Tests only

4. Additional information

• Sprintlog
• Blocking PRs
  • Merged
• PR to master branch: _If checked, read the release instructions
  • I have followed steps 1-8.

5. Actions / Scans

Check the boxes when the specified checks have passed.

For information on what the different checks do and how to fix it if they're failing, enter edit mode of this description or go to the PR template.

• Black

• Prettier

• Yamllint

• Tests

• CodeQL

• Trivy

• Snyk

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (9d337f6) 91.48% compared to head (be6d35f) 91.48%.

Additional details and impacted files

@@           Coverage Diff           @@
##              dev    #1492   +/-   ##
=======================================
  Coverage   91.48%   91.48%           
=======================================
  Files          29       29           
  Lines        4617     4617           
=======================================
  Hits         4224     4224           
  Misses        393      393           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[i-oden]

I'm a little confused. Why can't we update the packages that are pop up in the vulnerabilities?
minimatch: 3.04 → 3.0.5
semver: 7.0.0 → 7.5.2
tough-cookie: 2.5.0 → 4.1.3

These package versions aren't changed, only the ones that they depend on? Feels like it should be both in that case? Updating minimatch etc and also serve etc?

[rv0lt]

I'm a little confused. Why can't we update the packages that are pop up in the vulnerabilities? minimatch: 3.04 → 3.0.5 semver: 7.0.0 → 7.5.2 tough-cookie: 2.5.0 → 4.1.3

These package versions aren't changed, only the ones that they depend on? Feels like it should be both in that case? Updating minimatch etc and also serve etc?

Because we don't use them directly. They are, instead, used by the other libraries we need.

Packages.json defines the libraries we need for the application to work. Node automatically updates packages-dev which the dependencies for that libraries.

Is the same issue with the pyhton packages and the dependency tree, but in this case node automatically resolves the conflict and tells you what you need to update.
https://umarfarooquekhan.medium.com/difference-between-package-json-and-package-lock-json-6225f83f247c

Example of the output of audit for minimatch

[i-oden]

I'm a little confused. Why can't we update the packages that are pop up in the vulnerabilities? minimatch: 3.04 → 3.0.5 semver: 7.0.0 → 7.5.2 tough-cookie: 2.5.0 → 4.1.3
These package versions aren't changed, only the ones that they depend on? Feels like it should be both in that case? Updating minimatch etc and also serve etc?

Because we don't use them directly. They are, instead, used by the other libraries we need.

Packages.json defines the libraries we need for the application to work. Node automatically updates packages-dev which the dependencies for that libraries.

Is the same issue with the pyhton packages and the dependency tree, but in this case node automatically resolves the conflict and tells you what you need to update. https://umarfarooquekhan.medium.com/difference-between-package-json-and-package-lock-json-6225f83f247c

Example of the output of audit for minimatch

Ah ok!

[i-oden]

I've tested manually and from what I can tell there should be no issues.