Merge pull request #456 from DigitalSlideArchive/node-lts-girder-5

manthey · web-flow · commit b619248d7f8d · 2025-11-21T08:50:37.000-05:00
Switch to node lts for Girder 5
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -468,7 +468,7 @@ jobs:
             curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
       - run:
           name: Scan the local image with trivy; fail on high or critical vulnerabilities
-          command: trivy image --scanners vuln --input /tmp/workspace/dsa_common.tar --exit-code 1 --severity HIGH,CRITICAL --no-progress
+          command: trivy image --scanners vuln --input /tmp/workspace/dsa_common.tar --exit-code 1 --severity HIGH,CRITICAL --no-progress --format json
       - run:
           name: Scan the local image with trivy; report low and medium vulnerabilities, but don't fail
           command: trivy image --scanners vuln image --input /tmp/workspace/dsa_common.tar --exit-code 0 --severity LOW,MEDIUM,UNKNOWN --no-progress
diff --git a/.trivyignore b/.trivyignore
@@ -3,12 +3,13 @@
 # In bioformats_package.jar: this shouldn't be an issue because of how xml is
 # used and because we don't pass urls to bioformats
 
-# In ubuntu, these are probably not reachable based on how we deploy
+# In node-pkg, this is not reachable based on how we deploy
 
-New ignore file:
 # HIGH: jar - okhttp: information disclosure via improperly used cryptogra
 CVE-2021-0341
 # HIGH: jar - apache-commons-io: Possible denial of service attack on untr
 CVE-2024-47554
 # HIGH: jar - com.fasterxml.jackson.core/jackson-core: jackson-core Potent
 CVE-2025-52999
+# HIGH: node-pkg - glob CLI: Command injection via -c/--cmd executes matches wi
+CVE-2025-64756
diff --git a/dsa5.Dockerfile b/dsa5.Dockerfile
@@ -55,8 +55,8 @@ RUN python --version && \
     find / -xdev -name __pycache__ -type d -exec rm -rf {} \+
 
 RUN . ~/.bashrc && \
-    nvm install 22 && \
-    nvm alias default 22 && \
+    nvm install --lts && \
+    nvm alias default lts/* && \
     nvm use default && \
     rdfind -minsize 32768 -makehardlinks true -makeresultsfile false /root/.nvm && \
     nvm uninstall 14 && \
@@ -77,7 +77,7 @@ RUN cd /opt && \
     pip install --no-cache-dir -e .[mount] && \
     pip install --no-cache-dir -e clients/python && \
     cd girder/web && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     find /opt -xdev -name node_modules -exec rm -rf {} \+ && \
     rm -rf /root/.cache /root/.npm /tmp/* && \
@@ -90,57 +90,59 @@ RUN cd /opt/girder/worker && \
     cd /opt/girder/plugins/worker && \
     pip install --no-cache-dir -e .[girder,worker] && \
     cd girder_plugin_worker/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     find /opt -xdev -name node_modules -exec rm -rf {} \+ && \
     rm -rf /root/.cache /root/.npm /tmp/* && \
     find / -xdev -name __pycache__ -type d -exec rm -rf {} \+ && \
     true
 
-# Girder plugins
+# Girder plugins.  If we are installing from source, use npm install if npm ci
+# false, since npm ci can fail if the package-lock was generated with ai
+# different npm version.
 RUN true && \
     cd /opt/girder/plugins/hashsum_download && \
     pip install --no-cache-dir -e . && \
     cd girder_hashsum_download/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/girder/plugins/homepage && \
     pip install --no-cache-dir -e . && \
     cd girder_homepage/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/girder/plugins/jobs && \
     pip install --no-cache-dir -e . && \
     cd girder_jobs/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/girder/plugins/ldap && \
     pip install --no-cache-dir -e . && \
     cd girder_ldap/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/girder/plugins/oauth && \
     pip install --no-cache-dir -e . && \
     cd girder_oauth/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/girder/plugins/user_quota && \
     pip install --no-cache-dir -e . && \
     cd girder_user_quota/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/girder/plugins/import_tracker && \
     pip install --no-cache-dir -e . && \
     cd girder_import_tracker/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     # virtual_folders has no web_client \
     cd /opt/girder/plugins/virtual_folders && \
     pip install --no-cache-dir -e . && \
     cd /opt/girder/plugins/slicer_cli_web && \
     pip install --no-cache-dir -e . && \
     cd slicer_cli_web/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     find /opt -xdev -name node_modules -exec rm -rf {} \+ && \
     rm -rf /root/.cache /root/.npm /tmp/* && \
@@ -152,13 +154,13 @@ RUN cd /opt && \
     cd /opt/large_image && \
     pip install --no-cache-dir --find-links https://girder.github.io/large_image_wheels -e .[memcached] -rrequirements-dev.txt && \
     cd /opt/large_image/girder/girder_large_image/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/large_image/girder_annotation/girder_large_image_annotation/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     cd /opt/large_image/sources/dicom/large_image_source_dicom/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     rdfind -minsize 32768 -makehardlinks true -makeresultsfile false /opt/venv && \
     find /opt -xdev -name node_modules -exec rm -rf {} \+ && \
@@ -174,7 +176,7 @@ RUN cd /opt && \
     sed -i 's/==1\.3.*'\''/'\''/g' setup.py && \
     pip install --no-cache-dir -e .[analysis] && \
     cd /opt/HistomicsUI/histomicsui/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     # This builds both the app and the plugin \
     npm run build && \
     rdfind -minsize 32768 -makehardlinks true -makeresultsfile false /opt/venv && \
@@ -189,7 +191,7 @@ RUN cd /opt && \
     cd /opt/girder_assetstore && \
     pip install --no-cache-dir -e . && \
     cd /opt/girder_assetstore/girder_assetstore/web_client && \
-    npm ci && \
+    npm ci || npm install && \
     npm run build && \
     find /opt -xdev -name node_modules -exec rm -rf {} \+ && \
     rm -rf /root/.cache /root/.npm /tmp/* && \
