toptal / haste-server

open source pastebin written in node.js
https://www.toptal.com/developers/hastebin/about

Resolve a bunch of snyk vulnerabilities #427

Closed markjm closed 1 year ago

markjm commented 1 year ago

Update the base image and some of the add-on dependencies to resolve a bunch of CVEs identified by Snyk. I have tested AWS and file storage types with node16, and don't see anything that would prohibit using node 16 for the other storage types (though I did not test myself).

markjm commented 1 year ago

Hi @alexmcode - to answer your questions:

  1. Was it necessary to update to node:16? Yes, but in a roundabout way. Essentially, there were a bunch of deb vulnerabilities in the underlying alpine image. Since node@14 is out of support, the base images are not updated to pull in those patched underlying changes. Since 16 is LTS and is being built more regularly, the underlying alpine vulnerabilities are getting patched out in the base image. If, for example, we could just update the underlying alpine image backing node@14, that would work too, but requires much more to do.
  2. My place of employment had a bunch of monitoring and whatnot with partners like Snyk - unfortunately no valuable knowledge or tools I can share out here :/. Just figured I'd do my part to lift up the ecosystem tools we use instead of just patching internally :)
alexmcode commented 1 year ago

> Hi @alexmcode - to answer your questions:
>
>   1. Was it necessary to update to node:16? Yes, but in a roundabout way. Essentially, there were a bunch of deb vulnerabilities in the underlying alpine image. Since node@14 is out of support, the base images are not updated to pull in those patched underlying changes. Since 16 is LTS and is being built more regularly, the underlying alpine vulnerabilities are getting patched out in the base image. If, for example, we could just update the underlying alpine image backing node@14, that would work too, but requires much more to do.
>   2. My place of employment had a bunch of monitoring and whatnot with partners like Snyk - unfortunately no valuable knowledge or tools I can share out here :/. Just figured I'd do my part to lift up the ecosystem tools we use instead of just patching internally :)

Thanks for the clarifications and thanks again for taking the time to contribute!

alexmcode commented 1 year ago

Also, @markjm, although the code looks good, we are checking/testing the other file storage types to make sure everything is working. If all is good we can merge this.