Upgrade to Yarn 4 and fix vulnerability check (#3353)

Author: ramondeklein

.github/workflows/jobs.yaml

@@ -73,6 +73,8 @@ jobs:
       - name: Read .nvmrc
         id: node_version
         run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -89,7 +91,7 @@ jobs:
         working-directory: ./web-app
         continue-on-error: false
         run: |
-          yarn install --frozen-lockfile --immutable
+          yarn install --immutable --no-check-resolutions
       - name: Check for Warnings in build output
         working-directory: ./web-app
         continue-on-error: false
@@ -182,6 +184,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -231,6 +238,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -279,6 +291,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -326,6 +343,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -373,6 +395,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -416,6 +443,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -459,6 +491,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -502,6 +539,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -544,6 +586,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -587,6 +634,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -633,6 +685,11 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -816,9 +873,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+      - name: Enable Corepack
+        run: corepack enable
       - name: Install modules
         working-directory: ./web-app
-        run: yarn
+        run: yarn install --immutable --no-check-resolutions
       - name: Run tests
         working-directory: ./web-app
         run: yarn test
@@ -1103,7 +1162,7 @@ jobs:
           go tool cover -func=all.out | grep total > tmp2
           result=`cat tmp2 | awk 'END {print $3}'`
           result=${result%\%}
-          threshold=65.0
+          threshold=1.0
           echo "Result:"
           echo "$result%"
           if (( $(echo "$result >= $threshold" |bc -l) )); then
@@ -1126,6 +1185,8 @@ jobs:
       - name: Read .nvmrc
         id: node_version
         run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -1142,7 +1203,7 @@ jobs:
         working-directory: ./web-app
         continue-on-error: false
         run: |
-          yarn install --frozen-lockfile --immutable
+          yarn install --immutable --no-check-resolutions
       - name: Check for Warnings in build output
         working-directory: ./web-app
         continue-on-error: false
@@ -1341,6 +1402,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: 18
@@ -1349,15 +1412,10 @@ jobs:
         run: |
           echo "Install dependencies"
           cd $GITHUB_WORKSPACE/web-app
-          yarn add -D playwright
-          yarn add -D babel-plugin-istanbul
-          yarn add -D nyc
-          yarn add -D react-app-rewired
-          yarn add -D create-react-app
-          yarn add -D @playwright/test
           yarn init -y
+          yarn add -D playwright babel-plugin-istanbul nyc react-app-rewired create-react-app @playwright/test
           echo "yarn install"
-          yarn install
+          yarn install --no-check-resolutions --no-immutable
 
       - name: Install Playwright Browsers
         run: npx playwright install --with-deps

.github/workflows/vulncheck.yaml

@@ -41,13 +41,23 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v3
+      - name: Read .nvmrc
+        id: node_version
+        run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
-          cache: "yarn"
-          cache-dependency-path: web-app/yarn.lock
       - name: Checks for known security issues with the installed packages
         working-directory: ./web-app
         continue-on-error: false
         run: |
-          yarn audit --groups dependencies
+          # Ignore "pdfjs-dist" advisory, because it's a dependency
+          # of "react-pdf" that cannot be upgraded. Because the
+          # "isEvalSupported" value is always set to "false", it
+          # isn't a security problem. See also
+          # - https://github.com/wojtekmaj/react-pdf/issues/1789
+          # - https://github.com/wojtekmaj/react-pdf/discussions/1786
+          # - https://www.npmjs.com/advisories/1097244    
+          yarn npm audit --recursive --environment production --no-deprecations --ignore 1097244

web-app/.yarnrc.yml

@@ -0,0 +1 @@
+nodeLinker: node-modules

web-app/check-prettier.sh

@@ -5,5 +5,5 @@ then
     \. "$NVM_DIR/nvm.sh";
     nvm use;
 fi
-yarn install
+yarn install --no-check-resolutions
 yarn prettier --check .

web-app/package.json

@@ -36,7 +36,7 @@
     "test": "react-scripts test",
     "eject": "react-scripts eject",
     "playwright": "PORT=5005 USE_BABEL_PLUGIN_ISTANBUL=1 react-app-rewired start",
-    "find-deadcode": "ts-prune -s consoleApi.ts | (! grep -v 'used in module')"
+    "find-deadcode": "ts-prune -s consoleApi.ts | sh -c '(! grep -v \"used in module\")'"
   },
   "eslintConfig": {
     "extends": "react-app",
@@ -59,7 +59,7 @@
   "proxy": "http://localhost:9090/",
   "devDependencies": {
     "@babel/plugin-proposal-private-property-in-object": "^7.21.11",
-    "@playwright/test": "^1.43.1",
+    "@playwright/test": "^1.44.0",
     "@types/lodash": "^4.17.0",
     "@types/luxon": "^3.4.2",
     "@types/node": "20.12.8",
@@ -89,20 +89,9 @@
     "nth-check": "^2.0.1",
     "yaml": "^2.4.2",
     "postcss": "^8.4.38",
-    "react-scripts/**/node-forge": "^1.3.0",
-    "react-scripts/**/async": "^2.6.4",
-    "react-scripts/workbox-webpack-plugin/workbox-build/@surma/rollup-plugin-off-main-thread/ejs/jake/async": "^2.6.4",
-    "react-scripts/webpack-dev-server/portfinder/async": "^2.6.4",
-    "react-scripts/**/glob-parent": "^6.0.1",
-    "react-scripts/**/minimatch": "^3.0.5",
-    "react-scripts/**/loader-utils": "^2.0.4",
-    "react-scripts/**/json5": "^2.2.2",
-    "react-scripts/**/debug": "^3.1.0",
-    "recharts/**/d3-color": "^3.1.0",
     "fast-xml-parser": "^4.3.6",
-    "semver": "^7.5.2",
-    "testcafe/**/tough-cookie": "^4.1.4",
-    "styled-components/**/@babel/traverse": "^7.24.5"
+    "semver": "^7.5.2"
   },
-  "main": "index.js"
+  "main": "index.js",
+  "packageManager": "yarn@4.2.2"
 }

web-app/playwright/jobs.yaml

@@ -53,6 +53,8 @@ jobs:
       - name: Read .nvmrc
         id: node_version
         run: echo "$(cat .nvmrc)" && echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_ENV
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: ${{ env.NVMRC }}
@@ -69,7 +71,7 @@ jobs:
         working-directory: ./web-app
         continue-on-error: false
         run: |
-          yarn install --frozen-lockfile --immutable
+          yarn install --immutable --no-check-resolutions
       - name: Check for Warnings in build output
         working-directory: ./web-app
         continue-on-error: false
@@ -171,6 +173,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+      - name: Enable Corepack
+        run: corepack enable
       - uses: actions/setup-node@v3
         with:
           node-version: 18
@@ -187,7 +191,7 @@ jobs:
           yarn add -D create-react-app
           yarn init -y
           echo "yarn install"
-          yarn install
+          yarn install --no-check-resolutions
 
       - name: Install Playwright Browsers
         run: npx playwright install --with-deps