migrate tokens, npm audit fix (#9)

* migrate tokens, npm audit fix

* update cve exceptions

.drone-1.0.yml

@@ -6,41 +6,41 @@ steps:
   - name: install
     image: node:16
     environment:
-      NPM_AUTH_USERNAME:
-        from_secret: npm_auth_username
-      NPM_AUTH_TOKEN:
-        from_secret: npm_auth_token
+      ART_AUTH_TOKEN:
+        from_secret: art_auth_token
+      GITHUB_AUTH_TOKEN:
+        from_secret: github_token
     commands:
       - npm ci
   - name: test
     image: node:16
     environment:
-      NPM_AUTH_USERNAME:
-        from_secret: npm_auth_username
-      NPM_AUTH_TOKEN:
-        from_secret: npm_auth_token
+      ART_AUTH_TOKEN:
+        from_secret: art_auth_token
+      GITHUB_AUTH_TOKEN:
+        from_secret: github_token
     commands:
       - npm test
   - name: audit
     image: node:16
     environment:
-      NPM_AUTH_USERNAME:
-        from_secret: npm_auth_username
-      NPM_AUTH_TOKEN:
-        from_secret: npm_auth_token
+      ART_AUTH_TOKEN:
+        from_secret: art_auth_token
+      GITHUB_AUTH_TOKEN:
+        from_secret: github_token
     commands:
       - npm run test:audit
   - name: docker build
     image: docker:dind
     environment:
       DOCKER_HOST: tcp://docker:2375
       DOCKER_BUILDKIT: 1
-      NPM_AUTH_USERNAME:
-        from_secret: npm_auth_username
-      NPM_AUTH_TOKEN:
-        from_secret: npm_auth_token
+      ART_AUTH_TOKEN:
+        from_secret: art_auth_token
+      GITHUB_AUTH_TOKEN:
+        from_secret: github_token
     commands:
-      - docker build --secret id=username,env=NPM_AUTH_USERNAME --secret id=token,env=NPM_AUTH_TOKEN -t asl-attachments .
+      - docker build --secret id=github_token,env=GITHUB_AUTH_TOKEN --secret id=token,env=ART_AUTH_TOKEN -t asl-attachments .
   - name: scan-image
     image: 340268328991.dkr.ecr.eu-west-2.amazonaws.com/acp/anchore-submission:latest
     pull: always
@@ -52,10 +52,10 @@ steps:
     image: docker:dind
     environment:
       DOCKER_HOST: tcp://docker:2375
-      NPM_AUTH_USERNAME:
-        from_secret: npm_auth_username
-      NPM_AUTH_TOKEN:
-        from_secret: npm_auth_token
+      ART_AUTH_TOKEN:
+        from_secret: art_auth_token
+      GITHUB_AUTH_TOKEN:
+        from_secret: github_token
       DOCKER_PASSWORD:
         from_secret: docker_password
     commands:

.npmrc

@@ -1,4 +1,6 @@
-@asl:registry = https://artifactory.digital.homeoffice.gov.uk/artifactory/api/npm/npm-virtual/
+@ukhomeoffice:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${GITHUB_AUTH_TOKEN}
 
-//artifactory.digital.homeoffice.gov.uk/artifactory/api/npm/npm-virtual/:username=${NPM_AUTH_USERNAME}
-//artifactory.digital.homeoffice.gov.uk/artifactory/api/npm/npm-virtual/:_password=${NPM_AUTH_TOKEN}
+@asl:registry = https://artifactory.digital.homeoffice.gov.uk/artifactory/api/npm/npm-virtual/
+//artifactory.digital.homeoffice.gov.uk/artifactory/api/npm/npm-virtual/:_authToken=${ART_AUTH_TOKEN}
+//artifactory.digital.homeoffice.gov.uk/artifactory/api/npm/npm-virtual/:always-auth=true

Dockerfile

@@ -11,9 +11,9 @@ COPY package.json /app/package.json
 COPY package-lock.json /app/package-lock.json
 
 RUN --mount=type=secret,id=token,uid=999 \
-    --mount=type=secret,id=username,uid=999 \
-    NPM_AUTH_USERNAME=`cat /run/secrets/username` \
-    NPM_AUTH_TOKEN=`cat /run/secrets/token` \
+    --mount=type=secret,id=github_token,uid=999 \
+    GITHUB_AUTH_TOKEN=`cat /run/secrets/github_token` \
+    ART_AUTH_TOKEN=`cat /run/secrets/token` \
     npm ci --production --no-optional
 
 COPY . /app

cve-exceptions.txt

@@ -27,3 +27,5 @@ CVE-2021-27482
 CVE-2021-27498
 CVE-2022-0323
 GHSA-4jv9-3563-23j3
+GHSA-rc47-6667-2j5j
+CVE-2018-25076