Remove vulnerable packages in net8.0 webassembly image#1291
Conversation
This matches what we do upstream in emsdk in net9.0+
ghost
added
| && cd ${EMSDK_PATH} \ | ||
| && git checkout ${EMSCRIPTEN_VERSION} \ | ||
| # patch node version in emsdk_manifest.json | ||
| && sed -i 's/14\.18\.2/15\.14\.0/g' emsdk_manifest.json \ |
There was a problem hiding this comment.
Can this be generalized so it doesn't need to maintained as versions get updated?
There was a problem hiding this comment.
you mean in a variable? we can't just pick any node version since it needs to be one that emsdk shipped.
There was a problem hiding this comment.
I mean use a regex to match on the existing version (not a hardcoded version but one that has a simple version pattern) defined in the JSON file and replace it with the new value, referencing an ENV value that could be defined.
There was a problem hiding this comment.
I'm not sure why that'd be necessary given that emsdk 3.1.34 will always ship with node 14.18.2 and as mentioned in #1281 we can't upgrade the emsdk version.
There was a problem hiding this comment.
or do you mean the replacement version?
There was a problem hiding this comment.
I'm referring to both versions so that neither have to be hardcoded on this line.
emsdk 3.1.34 will always ship with node 14.18.2
So when the emsdk version is updated, that requires knowing what the node version is and having to update this line with that value. My aim here is to reduce the amount of work needed to rev the versions.
There was a problem hiding this comment.
So when the emsdk version is updated, that requires knowing what the node version is and having to update this line with that value.
No, what I'm saying is the emsdk version is frozen for net8, we can't update it. And this logic is gone in net9+
4 participants
This matches what we do upstream in emsdk in net9.0+