feat: update nodejs and other packages (#1340)

* feat: migrate node

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* feat: update octokit

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: add defensive checks

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: use promise-based mkdirp directly without promisify due to changes in the latest mkdip version

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: remove old express-init

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: encode deflated data as base64 for Redis compatibility

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update ajv

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(routes): update route definitions for express v5 compatibility

- Added support for the /splash endpoint
- Updated optional route parameters to Express v5 syntax ({/:param})
- Adjusted root path and wildcards for routes like /definitions and /harvest

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update express

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update yaml

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update gitbeaker

- Removed defaultHeaders due to incompatibility with new version.
  See: jdalrymple/gitbeaker#3634

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* chore: improve winston config

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(harvest): instantiate with caching again

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update minimatch

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* chore: improve error handling

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* chore: push package updates

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(tests): update octokit calls, fix deep equalities, initialize logger

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* refactor(logging): replace winston-azure-application-insights with native AppInsights SDK

- Adds support for a new env variable  to control
  console logging output.
- The third-party  transport has been removed
in favor of a direct integration using the  SDK.

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: linting issues

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(redis): add type annotation to bypass TLS configuration type issue

- The Redis client accepts  as a valid runtime configuration, but the
  TypeScript definitions expect a different structure. Added @ts-ignore directive
  to bypass the type check.

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: add back comment

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update node version

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: eslint errors

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* chore: try and fix codeQL issues with ajv schema validation

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(harvest): return structured JSON error responses for validation and input size

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* test(harvest): fix tests

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* test: add extra check suggested by copilot

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* chore: log strict mode issues

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: escape regex and limit pattern length to prevent ReDoS

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* refactor(logging): improve error reporting and sanitize internal error responses

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: validate and limit patch inputs to prevent deep object traversal

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: add security limits to the ajv instance

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: escape HTML to prevent XSS and improve response format with res.json()

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* feat: add input prevalidation middleware to guard against large or deeply nested JSON bodies

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: escape user input in RegExp to prevent ReDoS and ensure safe coordinate queries

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: prettier

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: make allErrors dependent on config

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update test script to enable REST_DEBUG during test runs

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: update to node 24

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(redis): make tls optional and ensure socket options match RedisSocketOptions type

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(logging): replace placeholders with structured logging for better Winston compatibility and performance

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(redis): default redis port from config or fallback to 6379

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: format

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: log error

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: improve error logging

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: improve mapLevel with Map and update JSDoc types

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: remove node 18 backwards compatibility and downgrade mongodb

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: remove node 18 backwards compatibility and downgrade mongodb

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: replace deprecated LoggerInstance with Logger in factory declaration

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(startup): add app.init hook and execute before listening

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: decrease request body size limit

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* feat: remove deprecated useNewUrlParser and add startup log message

* feat: use appVersion from config

* fix: remove duplicated line

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: prevent double appInsights.start and simplify echo flag

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(originGitHub): update GitHub calls and add structured logging

- Replace deprecated gitdata.getTags and gitdata.getTag with the new rest.repos.listTags and the rest.git.getTag
- Replace console with structured logging
- Handle annotated and lightweight tags

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* test(originGitHub): add unit tests for GitHub origin routes

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: remove inputPreValidation

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* refactor(abstractFileStore): simplify query filtering with optional chaining

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* test(abstractFileStore): expand test coverage for find method

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: add back only necessary changes to curation route

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: add back only necessary changes to definitions route

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* text(mongoDB): add logger.info to tests

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* test(definitions): add extra params to tests

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: return all error messages with send instead of json

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* test(harvestRoute): remove json parsing

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: remove isTooDeepOrLarge function

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* feat(cache): add backward compatibility for legacy Redis cache data

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(tests): add appVersion back to the environment variable to prevent config from getting loaded during tests

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* feat: make ajv allErrors control variable more explicit

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(logging): change event listener from info to data on Winston logger to correctly pipe logs to appInsights

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: simplify cache item retrieval by removing fallback mechanism

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix(webhook): handle body parsing for body-parser 2.x compatibility

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

* fix: remove test case for unused cache fallback strategy

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>

---------

Signed-off-by: ElaineDeMattosSilvaB <elaine.de-mattos-silva-bezerra@deutschebahn.com>
Co-authored-by: Qing Tomlinson <qing.tomlinson@sap.com>
Co-authored-by: Jeff Mendoza <jlm@jlm.name>

Author: 3 people

.github/workflows/test.yml

@@ -23,7 +23,7 @@ jobs:
 
       - uses: actions/setup-node@v6
         with:
-          node-version: 18
+          node-version: 24
           cache: 'npm'
           registry-url: 'https://npm.pkg.github.com'
           scope: '@clearlydefined'

DevDockerfile

@@ -1,7 +1,7 @@
 # Copyright (c) Microsoft Corporation and others. Licensed under the MIT license.
 # SPDX-License-Identifier: MIT
 
-FROM docker.io/library/node:18
+FROM docker.io/library/node:24-bullseye
 ENV APPDIR=/opt/service
 
 ## get SSH server running

Dockerfile

@@ -1,7 +1,7 @@
 # Copyright (c) Microsoft Corporation and others. Licensed under the MIT license.
 # SPDX-License-Identifier: MIT
 
-FROM docker.io/library/node:18
+FROM docker.io/library/node:24-bullseye
 ENV APPDIR=/opt/service
 
 ## get SSH server running

app.js

@@ -28,13 +28,8 @@ function createApp(config) {
 
   const summaryService = require('./business/summarizer')(config.summary)
 
-  const cachingService = config.caching.service()
-  initializers.push(async () => cachingService.initialize())
-
   const harvestStore = config.harvest.store()
   initializers.push(async () => harvestStore.initialize())
-  const harvestService = config.harvest.service({ cachingService })
-  const harvestRoute = require('./routes/harvest')(harvestService, harvestStore, summaryService)
 
   const aggregatorService = require('./business/aggregator')(config.aggregator)
 
@@ -50,6 +45,12 @@ function createApp(config) {
   const searchService = config.search.service()
   initializers.push(async () => searchService.initialize())
 
+  const cachingService = config.caching.service()
+  initializers.push(async () => cachingService.initialize())
+
+  const harvestService = config.harvest.service({ cachingService })
+  const harvestRoute = require('./routes/harvest')(harvestService, harvestStore, summaryService)
+
   const curationService = config.curation.service(null, curationStore, config.endpoints, cachingService, harvestStore)
 
   const curationQueue = config.curation.queue()
@@ -109,9 +110,11 @@ function createApp(config) {
 
   const app = express()
   app.use(cors())
-  app.options('*', cors())
+  // new express v5 matching syntax: https://expressjs.com/en/guide/migrating-5.html#path-syntax
+  app.options('*splat', cors())
+  app.use(express.json({ limit: '100kb' }))
   app.use(cookieParser())
-  app.use(helmet())
+  app.use(helmet.default())
   app.use(requestId())
   app.use('/schemas', express.static('./schemas'))
 
@@ -199,7 +202,6 @@ function createApp(config) {
       url: req.url
     })
     const err = new Error('Not Found')
-    // @ts-ignore - Express error convention
     err.status = 404
     next(err)
   }
@@ -229,6 +231,8 @@ function createApp(config) {
     )
   }
 
+  app.init = requestHandler.init
+
   // error handler
   app.use((error, request, response, next) => {
     if (response.headersSent) return next(error)
@@ -250,7 +254,7 @@ function createApp(config) {
         error: {
           code: status.toString(),
           message: 'An error has occurred',
-          innererror: serializeError(response.locals.error)
+          innererror: serializeError.serializeError(response.locals.error)
         }
       })
   })

bin/config.js

@@ -32,7 +32,7 @@ function loadOne(spec, namespace) {
     if (!target) target = require(requirePath)
     return objectPath ? get(target, objectPath) : target
   } catch (e) {
-    throw new Error(`could not load provider for ${requirePath}`)
+    throw new Error(`could not load provider for ${requirePath}. Error ${e.message}`)
   }
 }
 

bin/www

@@ -6,7 +6,6 @@ const config = require('./config')
 const app = require('../app')(config)
 const debug = require('debug')('service:server')
 const http = require('http')
-const init = require('express-init')
 
 /**
  * Get port from environment and store in Express.
@@ -19,19 +18,30 @@ app.set('port', port)
  */
 const server = http.createServer(app)
 
+startServer()
+
 /**
  * Initialize the apps (if they have async init functions) and start listening
  */
-init(app, error => {
-  if (error) {
-    console.log('Error initializing the Express app: ' + error)
-    throw new Error(error)
+async function startServer() {
+  try {
+    if (typeof app.init === 'function') {
+      await new Promise((resolve, reject) => {
+        app.init(app, err => {
+          if (err) reject(err)
+          else resolve()
+        })
+      })
+    }
+    server.listen(port)
+    server.on('error', onError)
+    server.on('listening', onListening)
+    console.log(`Service listening on port: ${port}`)
+  } catch (error) {
+    console.error('Error initializing the Express app:', error)
+    process.exit(1)
   }
-  server.listen(port)
-  server.on('error', onError)
-  server.on('listening', onListening)
-  console.log(`Service listening on port: ${port}`)
-})
+}
 
 /**
  * Normalize a port into a number, string, or false.
@@ -56,11 +66,9 @@ function onError(error) {
     case 'EACCES':
       console.error(bind + ' requires elevated privileges')
       process.exit(1)
-      break
     case 'EADDRINUSE':
       console.error(bind + ' is already in use')
       process.exit(1)
-      break
     default:
       throw error
   }

business/definitionService.js

@@ -26,7 +26,7 @@ const {
   simplifyAttributions,
   updateSourceLocation
 } = require('../lib/utils')
-const minimatch = require('minimatch')
+const { minimatch } = require('minimatch')
 const extend = require('extend')
 const logger = require('../providers/logging/logger')
 const validator = require('../schemas/validator')
@@ -74,6 +74,7 @@ class DefinitionService {
       const curation = this.curationService.get(coordinates, pr)
       return this.compute(coordinates, curation)
     }
+
     const existing = await this._cacheExistingAside(coordinates, force)
     let result = await this.upgradeHandler.validate(existing)
     if (result) {
@@ -186,6 +187,9 @@ class DefinitionService {
         try {
           return await this.list(coordinates)
         } catch (error) {
+          this.logger.error('failed to list definitions', {
+            error: error.message
+          })
           return null
         }
       })
@@ -309,9 +313,10 @@ class DefinitionService {
       })
     }
   }
-
   async _store(definition) {
+    this.logger.debug('storing definition', { coordinates: definition.coordinates.toString() })
     await this.definitionStore.store(definition)
+    this.logger.debug('definition stored successfully', { coordinates: definition.coordinates.toString() })
     await this._setDefinitionInCache(this._getCacheKey(definition.coordinates), definition)
     await this.harvestService.done(definition.coordinates)
   }
@@ -458,12 +463,14 @@ class DefinitionService {
     if (!declared || !discovered) return 0
     return discovered.every(expression => SPDX.satisfies(expression, declared)) ? weights.consistency : 0
   }
-
   _computeSPDXScore(definition) {
     try {
       parse(get(definition, 'licensed.declared')) // use strict spdx-expression-parse
       return weights.spdx
     } catch (e) {
+      this.logger.debug('Could not parse declared license expression.', {
+        errorMessage: e.message
+      })
       return 0
     }
   }

full.env.json

@@ -51,5 +51,9 @@
 
   "========== Heapstats Logging settings (OPTIONAL) ==========": "",
   "LOG_NODE_HEAPSTATS": "<true|false>",
-  "LOG_NODE_HEAPSTATS_INTERVAL_MS": "<time_in_milliseconds (e.g. '30000')>"
+  "LOG_NODE_HEAPSTATS_INTERVAL_MS": "<time_in_milliseconds (e.g. '30000')>",
+
+  "========== Logging settings ==========": "",
+  "ENABLE_REST_VALIDATION_ERRORS": "<true|false>",
+  "LOGGER_LOG_TO_CONSOLE": "<true|false>"
 }

lib/curation.js

@@ -28,7 +28,7 @@ class Curation {
 
   load(content) {
     try {
-      return yaml.safeLoad(content)
+      return yaml.load(content)
     } catch (error) {
       this.errors.push({ message: 'Invalid yaml', error })
     }

lib/github.d.ts

@@ -5,7 +5,7 @@
  * GitHub API client instance from @octokit/rest package. This represents the authenticated GitHub client with all
  * available API methods.
  */
-export type GitHubClient = import('@octokit/rest')
+export type GitHubClient = import('@octokit/rest').Octokit
 
 /** Options for configuring GitHub client authentication. */
 export interface GitHubClientOptions {