Update dependencies (#87)

The version of `swagger-typescript-api` has been fixed to `13.0.16`
because newer versions have issues, and the fixes haven't been released
yet

Also added a Github Action that will build and scan the docker image to
ensure we don't ship vulnerable images ([commit
link](4352bc5))

Author: m-Bilal

.dockerignore

@@ -0,0 +1,7 @@
+./node_modules/**
+./dist/**
+
+# test files
+**/test-data/**
+./tests/**
+**/*.test.ts

.github/workflows/build.yaml

@@ -0,0 +1,106 @@
+name: Build and Scan Docker Image
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'Dockerfile'
+      - '.dockerignore'
+      - 'package.json'
+      - 'package-lock.json'
+      - 'tsconfig.json'
+      - '.github/workflows/build.yaml'
+
+jobs:
+  build-docker-image:
+    runs-on: ubuntu-24.04
+    outputs:
+      image_tag: ${{ steps.vars.outputs.commit_hash }}
+      tar_file: ${{ steps.vars.outputs.tar_file }}
+      image_name: ${{ steps.vars.outputs.image_name }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+    
+      - name: Get Commit Hash
+        id: vars
+        run: |
+          commit_hash=$(git rev-parse --short HEAD)
+          tar_file="ndc-openapi-${commit_hash}.tar"
+          image_name="ndc-openapi:${commit_hash}"
+
+          echo "commit_hash: $commit_hash"
+          echo "tar_file: $tar_file"
+          echo "image_name: $image_name"
+
+          echo "commit_hash=$commit_hash" >> $GITHUB_ENV
+          echo "tar_file=$tar_file" >> $GITHUB_ENV
+          echo "image_name=$image_name" >> $GITHUB_ENV
+          echo "::set-output name=commit_hash::$commit_hash"
+          echo "::set-output name=tar_file::$tar_file"
+          echo "::set-output name=image_name::$image_name"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        run: |
+          docker build -t $image_name .
+
+      - name: Save Docker image as artifact
+        run: |
+          docker save -o $tar_file $image_name
+
+      - name: Upload Docker image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.tar_file }}
+          path: ${{ env.tar_file }}
+          retention-days: 1
+
+  scan-docker-image-with-gokakashi:
+    needs: build-docker-image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build-docker-image.outputs.tar_file }}
+
+      - name: Load Docker image
+        run: |
+          docker load -i ${{ needs.build-docker-image.outputs.tar_file }}
+
+      - name: Scan docker image with gokakashi
+        uses: shinobistack/[email protected]
+        with:
+          image: '${{ needs.build-docker-image.outputs.image_name }}'
+          labels: agentKey=${{ github.run_id }}
+          policy: ci-platform
+          server: https://gokakashi-server.hasura-app.io
+          token: ${{ secrets.GOKAKASHI_API_TOKEN }}
+          cf_client_id: ${{ secrets.CF_ACCESS_CLIENT_ID }}
+          cf_client_secret: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
+          interval: 10
+          retries: 8
+
+  scan-docker-image-with-trivy:
+    needs: build-docker-image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.build-docker-image.outputs.tar_file }}
+
+      - name: Load Docker image
+        run: |
+          docker load -i ${{ needs.build-docker-image.outputs.tar_file }}
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ needs.build-docker-image.outputs.image_name }}'
+          format: 'table'
+          exit-code: 1
+          severity: 'CRITICAL,HIGH'

Dockerfile

@@ -1,10 +1,17 @@
-FROM node:20
+FROM node:20-alpine
+
+# we need to update npm to update cross-spawn to a version higher than or equal to 7.0.6 to avoid a critical vulnerability
+RUN npm update -g npm
 
 COPY ./ /app/
 WORKDIR /app/
 
 RUN npm install
-RUN npm run install-bin
+
+# we use unsafe install because we have ignored all the test files to keep the image size small
+# the test files are not needed in the production image
+# therefore, please ensure that the tests are green before building the image
+RUN npm run install-bin-unsafe
 
 RUN mkdir /etc/connector/
 WORKDIR /etc/connector/

changelog.md

@@ -2,6 +2,8 @@
 
 ## Unreleased
 
+- Update dependencies. Also update ndc-nodejs-lambda to `v1.12.0` ([#87](https://github.com/hasura/ndc-open-api-lambda/pull/87))
+
 ## [[1.5.1](https://github.com/hasura/ndc-open-api-lambda/releases/tag/v1.5.1)] 2025-03-10
 
 - Set `allowrelaxedtypes` annotation for every function (API) ([#85](https://github.com/hasura/ndc-open-api-lambda/pull/85)) 

connector-definition/.hasura-connector/Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/hasura/ndc-nodejs-lambda:v1.11.0
+FROM ghcr.io/hasura/ndc-nodejs-lambda:v1.12.0
 
 COPY package-lock.json package.json api.ts /functions/