Conversation

@shinsenter
Contributor

This pull request fixes a total of 7 vulnerabilities in current dependencies, including 3 critical and 4 high-severity CVEs found in the latest Docker image (1.5.0).
https://codeberg.org/devthefuture/dockerfile-x/issues/29

It’s a messy set of 2,981 changed files (mostly Go and NodeJS dependencies), but this action is needed to mitigate these security risks.

Additionally, this pull request cleans up the Dockerfile and Makefile used to build Docker images. It also adds a GitHub Action to run tests when a pull request is updated or code is pushed to the master branch.

@shinsenter
Contributor Author

I built the Docker image, scanned it with Scout, and the vulnerabilities are gone.

[Screenshot: Docker Scout scan results, 2025-08-30 20:37]

The GitHub Action also ran successfully as expected.
Run tests / test (pull_request)

@devthejo
Contributor

We don't want to ignore vendor (Go dependencies; this protects us against references disappearing from the repo of a library we rely on, and it is an idiomatic practice in Go), nor the yarn cache (we use the zero-install pattern with Yarn Berry). Also, not having them in the cache doesn't mean they won't be downloaded in exactly the same way. To upgrade yarn dependencies, you can force it using the resolutions field in package.json, then run yarn to upgrade the yarn.lock, or upgrade yarn.lock directly using an adapted CLI; that is the approach used by dependabot.

@devthejo
Contributor

I think your scan missed something. In the latest stage of the image (the only one that is used when deployed), there are only binaries, so it can't detect it, but it's actually embedding the same yarn packages, just not as plain files as in the intermediate layer.

@shinsenter
Contributor Author

shinsenter commented Aug 30, 2025

@devthejo
My bad for not confirming. I’ve put back vendor, .yarn/cache, and .gitignore.
Files in vendor and .yarn/cache have all been updated.

@shinsenter
Contributor Author

I think your scan missed something

It’s hard to explain why Scout could scan it, but it even listed the exact package versions, so I don’t think it scanned incorrectly.

@devthejo
Contributor

It’s hard to explain why Scout could scan it, but it even listed the exact package versions, so I don’t think it scanned incorrectly.
My point is that, in the case you thought was fixed, it just didn't detect it anymore.

We should not modify the cache packages without modifying the yarn.lock.
One other option is to put the minimal version that you want in package.json, "my-dep": "^1.2.3", then rerun yarn.
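The check devthejo is describing, stated as a script: confirm the upgrade in yarn.lock itself rather than trusting a scanner that can no longer see packages once they are compiled into the final-stage binaries. This is an added example, not code from the PR or the project; it assumes the Yarn Berry lockfile layout and GNU coreutils `sort -V`, and the sample lockfile it writes is constructed.

```shell
# Added example (not from the PR): confirm a fix at the lockfile level,
# because the scanner cannot see packages once bundled into a binary.
# Assumes the Yarn Berry lockfile layout and GNU coreutils `sort -V`.

# Print every version a package resolves to in a Yarn Berry lockfile.
# Entry headers look like:  "left-pad@npm:^1.2.0, left-pad@npm:^1.3.0":
# followed by an indented   version: 1.3.0
lockfile_versions() {
  lockfile=$1 pkg=$2
  awk -v pkg="$pkg" '
    /^[^ ]/ { h = $0; sub(/^"/, "", h)              # new top-level entry
              inblock = (index(h, pkg "@") == 1) }  # header names our package?
    inblock && /^  version: / { print $2 }
  ' "$lockfile" | sort -uV
}

# Succeed only if every resolution of pkg is at least min; status 2 if absent.
lockfile_meets_min() {
  lockfile=$1 pkg=$2 min=$3
  lowest=$(lockfile_versions "$lockfile" "$pkg" | head -n 1)
  [ -n "$lowest" ] || return 2
  [ "$(printf '%s\n%s\n' "$min" "$lowest" | sort -V | head -n 1)" = "$min" ]
}

# Constructed sample lockfile (not the project's real yarn.lock), written to $1.
write_sample_lock() {
  cat > "$1" <<'EOF'
__metadata:
  version: 6

"@scope/util@npm:^2.0.0":
  version: 2.0.5
  resolution: "@scope/util@npm:2.0.5"

"left-pad@npm:^1.2.0, left-pad@npm:^1.3.0":
  version: 1.3.0
  resolution: "left-pad@npm:1.3.0"

"left-pad@npm:0.0.3":
  version: 0.0.3
  resolution: "left-pad@npm:0.0.3"
EOF
}

# Usage: write_sample_lock /tmp/yarn.lock && lockfile_meets_min /tmp/yarn.lock left-pad 1.0.0
# (fails here: the 0.0.3 resolution is still present, so the upgrade is incomplete)
```

A second lockfile entry for an old version, as in the sample, is exactly the case where a scan of the final image stays silent while the dependency is still shipped.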

@shinsenter
Contributor Author

My point is that, in the case you thought was fixed, it just didn't detect it anymore.

You are right. I don’t have enough evidence to confirm the issues are fully fixed. They just no longer show up in the scan.

We should not modify the cache package without modifying the yarn.lock

I’ve fully updated package.json, yarn.lock, and the packages in .yarn/cache before commit.

@devthejo
Contributor

LGTM :-)
Thanks :-)

@devthejo devthejo merged commit 38e820d into devthefuture-org:master Aug 30, 2025
1 check passed
@shinsenter shinsenter deleted the fix/known_vulnerabilities branch August 30, 2025 12:23
@shinsenter
Contributor Author

shinsenter commented Aug 30, 2025

@devthejo
It seems a bit strange, as my commits have gone from the master branch.


devthejo pushed 38e820d to master
