Forum - Cannot publish new version of ‘Copy User Role’ app
Tagged: release audit
- This topic has 2 replies, 2 voices, and was last updated 9 months, 1 week ago by Systemlibarian University St.Gallen.
- June 10, 2022 at 1:41 pm #73212, Systemlibarian University St.Gallen (Participant)
I released a new version of the ‘Copy User Roles’ CloudApp (https://github.com/HSG-Library/alma-copy-user-roles), but it gets rejected with the following message:
> Your Cloud App submission from hsg-library/alma-copy-user-roles failed our security audit. ‘npm audit’ reported 2 critical vulnerabilities. Please resolve these vulnerabilities and resubmit your Cloud App. Thank you.
Since this app has no dependencies other than the ones generated at ‘eca init’, I’m not sure how I should resolve the vulnerabilities (see https://github.com/HSG-Library/alma-copy-user-roles/blob/main/package.json).
‘eca update’ tells me ‘Nothing to update’; I'm using v1.4.3.
Thank you for helping me with this.
Jonas
- June 10, 2022 at 1:44 pm #73302, Mark Gobat (Keymaster)
You can run an “npm audit” in your Cloud App development directory to see which critical vulnerabilities are preventing your Cloud App from being published.
We understand that updating our own dependencies in the Ex Libris Cloud App SDK is the best solution for these critical vulnerabilities, and we are investigating ways to improve our process for implementing such updates.
- June 15, 2022 at 6:55 pm #73337, Systemlibarian University St.Gallen (Participant)
Hi Mark, thank you for the help.
Just in case someone else encounters a similar issue: the reason the critical issues did not show up on my machine was that I was using node v16 with npm v8. When I switched to node v13 with npm v6, the mentioned 2 critical vulnerabilities showed up.
To prevent such issues in the future I added a GitHub Action which checks for critical vulnerabilities and performs an ‘eca build’ on push to GitHub (https://github.com/HSG-Library/alma-copy-user-roles/blob/develop/.github/workflows/check_and_build.yml).
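An added sketch of such a workflow, written for this thread and not the project's own check_and_build.yml: it pins the node 13 / npm 6 pair under which the critical findings reproduced, fails the job on any critical finding, and only then builds. It assumes the eca CLI is resolvable through the project's devDependencies (so `npx eca build` works) and uses `actions/checkout@v3` and `actions/setup-node@v3`.

```yaml
name: check_and_build

on:
  push:

jobs:
  audit-and-build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Pin the node/npm pair that reproduced the rejected audit (node 13
      # ships npm 6). A newer npm reported a clean audit for the same
      # lockfile, so the result must not depend on the runner's default.
      - uses: actions/setup-node@v3
        with:
          node-version: '13'

      # Install exactly what package-lock.json records; npm 6's audit
      # needs the lockfile to be present.
      - run: npm ci

      # npm audit exits non-zero when a finding at or above the given
      # level exists, which fails the job before anything is built.
      - run: npm audit --audit-level=critical

      # Assumption: eca is available via devDependencies. If it is
      # installed globally on developer machines, add an install step here.
      - run: npx eca build
```

Because the publisher's audit runs in its own environment, the audit level and node/npm versions in CI should be kept in step with whatever that environment reports, or the job can pass locally while the submission is still rejected.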