uber/cadence-web

Upgrade to Node 16 or 17, and Debian Bullseye to Resolve Security Issues

Closed this issue · 6 comments

WToma commented

Our vulnerability scanner found several issues in the latest cadence-web docker image. In order to resolve them, we should upgrade to a currently supported version of Node. The active LTS version is 16 (Gallium), and the current version is 17.

While we're at that, we should update the Debian base image too, because stretch is also out of support. I recommend updating to gallium-bullseye for the builder image, and gallium-bullseye-slim for the runtime image. However, at this point (probably) because of the outdated required versions, the highest we can upgrade to is Node 14 (Fermium).

Trying to build on Gallium:

#11 1.647 npm WARN old lockfile
#11 1.648 npm WARN old lockfile The package-lock.json file was created with an old version of npm,
#11 1.649 npm WARN old lockfile so supplemental metadata must be fetched from the registry.
#11 1.649 npm WARN old lockfile
#11 1.650 npm WARN old lockfile This is a one-time fix-up, please be patient...
#11 1.650 npm WARN old lockfile
#11 10.16 npm WARN EBADENGINE Unsupported engine {
#11 10.16 npm WARN EBADENGINE   package: 'cadence-web@3.29.6',
#11 10.16 npm WARN EBADENGINE   required: { node: '10.22.1', npm: '6.14.4' },
#11 10.16 npm WARN EBADENGINE   current: { node: 'v16.14.0', npm: '8.3.1' }
#11 10.16 npm WARN EBADENGINE }
#11 34.19 npm notice
#11 34.19 npm notice New minor version of npm available! 8.3.1 -> 8.5.0
#11 34.19 npm notice Changelog: <https://github.com/npm/cli/releases/tag/v8.5.0>
#11 34.19 npm notice Run `npm install -g npm@8.5.0` to update!
#11 34.19 npm notice
#11 34.19 npm ERR! code E401
#11 34.20 npm ERR! Incorrect or missing password.
#11 34.20 npm ERR! If you were trying to login, change your password, create an
#11 34.20 npm ERR! authentication token or enable two-factor authentication then
#11 34.20 npm ERR! that means you likely typed your password in incorrectly.
#11 34.20 npm ERR! Please try again, or recover your password at:
#11 34.20 npm ERR!     https://www.npmjs.com/forgot
#11 34.20 npm ERR!
#11 34.20 npm ERR! If you were doing some other operation then your saved credentials are
#11 34.20 npm ERR! probably out of date. To correct this please try logging in again with:
#11 34.20 npm ERR!     npm login

Updating to Node 14 (Fermium) works, and is as simple as:

diff --git a/Dockerfile b/Dockerfile
index 699760b..3dba8eb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1 +1 @@
-FROM node:dubnium-stretch AS BUILD_IMAGE
+FROM node:fermium-bullseye AS BUILD_IMAGE
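Review bot: the builder moves to Node 14 while package.json still declares `"node": "10.22.1"` (the `required` field in the EBADENGINE warning above), so every `npm install` in this image keeps emitting that warning and the declared engine no longer describes what actually runs the build; update the `engines` block in the same change.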
@@ -16 +16 @@ RUN npm run build-production
-FROM node:dubnium-slim
+FROM node:fermium-bullseye-slim
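Review bot: the Node release is now spelled out twice (`fermium-bullseye` for the build stage, `fermium-bullseye-slim` for the runtime), so a later bump can leave the two stages on different majors; consider a single `ARG NODE_TAG=fermium-bullseye` above the first FROM and `FROM node:${NODE_TAG}` / `FROM node:${NODE_TAG}-slim` so both stages move together.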

Feel free to open a PR with the changes and we can take a look at the review. Thanks!

WToma commented

@just-at-uber thanks! Unfortunately I'm running into some issues and I'm hitting the limits of my NPM knowledge.

The following kinda works:

diff --git a/Dockerfile b/Dockerfile
index 699760b..d6ed93f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1 +1 @@
-FROM node:dubnium-stretch AS BUILD_IMAGE
+FROM node:gallium-bullseye AS BUILD_IMAGE
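Review bot: `gallium-bullseye` is a floating tag, so the image the vulnerability scanner rates today is not necessarily the image a rebuild pulls tomorrow; since a clean scan is the point of this change, pin the tag to a digest (`node:gallium-bullseye@sha256:<digest>`) and bump it deliberately, or at least record the digest the scan was run against.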
@@ -16 +16 @@ RUN npm run build-production
-FROM node:dubnium-slim
+FROM node:gallium-bullseye-slim
diff --git a/package.json b/package.json
index 5243165..42fafa2 100644
--- a/package.json
+++ b/package.json
@@ -31,2 +31,2 @@
-    "node": "10.22.1",
-    "npm": "6.14.4"
+    "node": "16.14.0",
+    "npm": "8.3.1"
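Review bot: the exact pins `"node": "16.14.0"` and `"npm": "8.3.1"` only match the single patch release in the image today (the `current` values in the EBADENGINE output above), so the next rebuild of the floating `gallium-bullseye` tag, or the `npm install -g npm@8.5.0` the log itself suggests, brings the EBADENGINE warning straight back; use ranges such as `"node": ">=16.14.0 <17"` and `"npm": ">=8.3.1"`.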

There seem to be 2 issues:

Issue 1: code E401

If I leave package-lock.yaml in place, I get:

#11 31.95 npm ERR! code E401
#11 31.95 npm ERR! Incorrect or missing password.
#11 31.95 npm ERR! If you were trying to login, change your password, create an
#11 31.95 npm ERR! authentication token or enable two-factor authentication then
#11 31.95 npm ERR! that means you likely typed your password in incorrectly.
#11 31.96 npm ERR! Please try again, or recover your password at:
#11 31.96 npm ERR!     https://www.npmjs.com/forgot
#11 31.96 npm ERR!
#11 31.96 npm ERR! If you were doing some other operation then your saved credentials are
#11 31.96 npm ERR! probably out of date. To correct this please try logging in again with:
#11 31.96 npm ERR!     npm login

I'm not quite sure what's trying to login and what kind of credentials should be provided, but per this StackOverflow answer this is expected after a Node version upgrade, and should be resolved by deleting package-lock.yaml. However, if I do that...

Issue 2: ESLint dependencies

... I get the following error:

#11 4.438 npm ERR! code ERESOLVE
#11 4.441 npm ERR! ERESOLVE unable to resolve dependency tree
#11 4.441 npm ERR!
#11 4.441 npm ERR! While resolving: cadence-web@3.29.6
#11 4.441 npm ERR! Found: eslint-plugin-react-hooks@2.5.1
#11 4.441 npm ERR! node_modules/eslint-plugin-react-hooks
#11 4.441 npm ERR!   dev eslint-plugin-react-hooks@"^2.3.0" from the root project
#11 4.441 npm ERR!
#11 4.441 npm ERR! Could not resolve dependency:
#11 4.441 npm ERR! peer eslint-plugin-react-hooks@"^4.1.0" from eslint-config-fusion@6.2.5
#11 4.441 npm ERR! node_modules/eslint-config-fusion
#11 4.441 npm ERR!   dev eslint-config-fusion@"^6.1.0" from the root project
#11 4.441 npm ERR!
#11 4.441 npm ERR! Fix the upstream dependency conflict, or retry
#11 4.441 npm ERR! this command with --force, or --legacy-peer-deps
#11 4.441 npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
#11 4.441 npm ERR!

It seems like there is an issue with the various ESLint dependencies, which gets surfaced when NPM tries to resolve the packages from scratch.

I can get around that and make the build work by removing all the ESLint dependencies, but I presume that's not the right way to solve this :D

Question 3

Once we manage to figure this out, the new package-lock.json seems to get created inside the container. How do we commit that back to the repo? Just copy it out of the image?

Deleting package-lock is fine, it will regenerate once you npm install again.
I'm not sure how you are running the project but I would advise to git clone the repository and then delete the package-lock and then make the changes you want for node versions etc.
Then "npm install".
Then commit the package-lock generated.
Just make sure to try running "npm run dev" locally to make sure the cadence-web project builds and starts up locally.
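Before committing the regenerated lockfile, it is worth checking that the Dockerfile FROM tags and the package.json "engines" field tell the same story, since the original scanner finding came from an out-of-support base image and the EBADENGINE warning in the issue came from an engines field that no longer matched the image. The script below is an added example, not code from the cadence-web repository or its maintainers: a POSIX shell audit that flags FROM images on end-of-life Node majors or Debian codenames and reports any image whose Node major disagrees with engines.node. The codename-to-major mapping follows the Node release schedule; the two EOL lists and the sample Dockerfile/package.json pairs are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the cadence-web repository): audit a Dockerfile's FROM
# lines and package.json "engines" before committing a Node upgrade, so EOL base
# tags and engine/image mismatches (the EBADENGINE warning) are caught early.

# Node.js LTS codename -> major follows the published Node release schedule. The
# two EOL lists are a constructed snapshot for this example; check
# https://nodejs.org/about/releases and https://wiki.debian.org/LTS before relying on them.
NODE_CODENAMES="dubnium=10 erbium=12 fermium=14 gallium=16 hydrogen=18"
EOL_NODE_MAJORS="8 10 12"
EOL_DEBIAN="jessie stretch"

# Print the major version for a Node codename (gallium -> 16); fail if unknown.
codename_major() {
    for pair in $NODE_CODENAMES; do
        [ "${pair%%=*}" = "$1" ] && { printf '%s\n' "${pair#*=}"; return 0; }
    done
    return 1
}

# Print the Node major selected by an image reference such as node:dubnium-stretch,
# node:16.14.0-bullseye-slim or node:fermium-bullseye@sha256:<digest>.
# Fails when the tag carries no Node version (e.g. an untagged "node").
image_node_major() {
    ref=${1%%@*}                       # drop any @sha256:<digest> suffix
    case $ref in
        *:*) tag=${ref##*:} ;;
        *)   return 1 ;;
    esac
    for part in $(printf '%s' "$tag" | tr '-' ' '); do
        case $part in
            [0-9]*) printf '%s\n' "${part%%.*}"; return 0 ;;
        esac
        codename_major "$part" && return 0
    done
    return 1
}

# Succeed (exit 0) when the image uses an EOL Node major or an EOL Debian codename.
is_eol_image() {
    ref=${1%%@*}
    case $ref in *:*) tag=${ref##*:} ;; *) return 1 ;; esac
    major=$(image_node_major "$1" || true)
    for m in $EOL_NODE_MAJORS; do
        [ "$major" = "$m" ] && return 0
    done
    for part in $(printf '%s' "$tag" | tr '-' ' '); do
        for rel in $EOL_DEBIAN; do
            [ "$part" = "$rel" ] && return 0
        done
    done
    return 1
}

# Print the Node major required by package.json engines.node: "10.22.1" gives 10,
# ">=16.14.0 <17" gives 16. A narrow sed extraction, not a JSON parser.
engines_node_major() {
    sed -n 's/.*"node"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" \
        | head -n 1 | sed 's/^[^0-9]*//; s/[^0-9].*//'
}

# Audit one Dockerfile against one package.json. Prints a finding per line and
# returns non-zero if any FROM image is EOL or disagrees with engines.node.
audit_build() {
    dockerfile=$1; pkg=$2; status=0
    want=$(engines_node_major "$pkg")
    for img in $(awk 'toupper($1) == "FROM" { print $2 }' "$dockerfile"); do
        if is_eol_image "$img"; then
            printf 'EOL base image: %s\n' "$img"; status=1
        fi
        got=$(image_node_major "$img" || true)
        if [ -n "$got" ] && [ -n "$want" ] && [ "$got" != "$want" ]; then
            printf 'engines.node major %s does not match %s (Node %s)\n' "$want" "$img" "$got"
            status=1
        fi
    done
    return $status
}

# Constructed samples mirroring the thread: the pre-upgrade pair under $1/old
# and a ranged-engines upgrade under $1/new.
write_samples() {
    mkdir -p "$1/old" "$1/new"
    printf 'FROM node:dubnium-stretch AS BUILD_IMAGE\nRUN npm run build-production\nFROM node:dubnium-slim\n' > "$1/old/Dockerfile"
    printf '{ "engines": { "node": "10.22.1", "npm": "6.14.4" } }\n' > "$1/old/package.json"
    printf 'FROM node:gallium-bullseye AS BUILD_IMAGE\nRUN npm run build-production\nFROM node:gallium-bullseye-slim\n' > "$1/new/Dockerfile"
    printf '{ "engines": { "node": ">=16.14.0 <17", "npm": ">=8.3.1" } }\n' > "$1/new/package.json"
}

# Demo: the old pair reports two EOL images, the new pair is clean.
tmp=$(mktemp -d)
write_samples "$tmp"
echo "== old"; audit_build "$tmp/old/Dockerfile" "$tmp/old/package.json" || true
echo "== new"; audit_build "$tmp/new/Dockerfile" "$tmp/new/package.json" && echo "clean"
rm -rf "$tmp"
```

Run it as a pre-commit step or in CI next to `docker build`; a non-zero exit from `audit_build` is the signal to fix the Dockerfile or engines field before the lockfile is committed. The sed-based engines extraction is deliberately narrow, so a package.json with unusual formatting should be checked with a real JSON tool instead.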

WToma commented

Actually I'm just building using Docker, i.e. doing docker build . (both to make sure that I have the right dependencies and to avoid messing up my local setup). But maybe I can just grab the file from the builder image after the build somehow.

WToma commented

Hey @just-at-uber, I managed to get things working on my end, and created #452

@just-at-uber - will there be a new Ubercadence-Web docker image soon with these changes? https://hub.docker.com/r/ubercadence/web hasn't been updated in over 6 months.