metrico / qryn

⭐️ All-in-One Polyglot Observability with OLAP Storage for Logs, Metrics, Traces & Profiles. Drop-in Grafana Cloud replacement compatible with Loki, Prometheus, Tempo, Pyroscope, Opentelemetry, Datadog and beyond :rocket:
https://qryn.dev
GNU Affero General Public License v3.0
1.19k stars 67 forks

lock all packages versions, make docker_bun non root, add bunconfig.toml #432

Closed deathalt closed 8 months ago

deathalt commented 8 months ago

protobufjs = 7.2.6 has broken backward compatibility

also make bun non-root for extra security

avoid https://github.com/advisories/GHSA-h755-8qp9-cq85 CVE-2022-35177 for bun as well as for node

CLAassistant commented 8 months ago

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


Андрей Лалаев seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

socket-security[bot] commented 8 months ago

Updated dependencies detected.

| Packages | Version | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- | --- |
| node-fetch | 2.6.9...2.6.7 | None | +0/-0 | 152 kB | endless |
| glob | 7.2.0...7.1.2 | filesystem | +0/-0 | 55.5 kB | isaacs |
| ws | 8.4.0...8.0.0 | None | +0/-0 | 125 kB | lpinca |
| fast-querystring | 1.1.2...1.1.0 | None | +0/-0 | 780 kB | anonrig |
| @opentelemetry/api | 1.2.0...1.0.2 | None | +0/-0 | 369 kB | dyladan |
| @elastic/elasticsearch | 8.6.0...8.5.0 | None | +4/-4 | 3.88 MB | sethmlarson |

lmangani commented 8 months ago

Tests failing, needs a deeper review

lmangani commented 8 months ago

Closing as discussed on matrix, locking protobufjs to 7.2.5