Update to Node v18.x + security updates

.github/renovate.json

@@ -7,7 +7,7 @@
   "platformAutomerge": true,
   "branchPrefix": "fix/deps/",
   "addLabels": [
-    "deps",
+    "dependencies",
     "security"
   ],
   "assignees": [

.github/workflows/code-review.yml

@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -23,7 +23,7 @@ jobs:
             snyk.io:443
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Run ESLint
         uses: reviewdog/action-eslint@d3395027ea2cfc5cf8f460b1ea939b6c86fea656 # tag=v1.17.0
@@ -37,7 +37,7 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -47,9 +47,9 @@ jobs:
             raw.githubusercontent.com:443
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Run hadolint
-        uses: reviewdog/action-hadolint@55be5d2c4b0b80d439247b128a9ded3747f92a29 # tag=v1.33.0
+        uses: reviewdog/action-hadolint@141ffd8d2f0b75e6fc7c87341331985448b62aa4 # v1.34.1
         env:
           REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -32,27 +32,28 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
             github.com:443
+            objects.githubusercontent.com:443
 
       - name: Checkout repository
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@27ea8f8fe5977c00f5b37e076ab846c5bd783b96 # tag=v2.1.12
+        uses: github/codeql-action/init@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39
         # Override language selection by uncommenting this and choosing your languages
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@27ea8f8fe5977c00f5b37e076ab846c5bd783b96 # tag=v2.1.12
+        uses: github/codeql-action/autobuild@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -66,4 +67,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@27ea8f8fe5977c00f5b37e076ab846c5bd783b96 # tag=v2.1.12
+        uses: github/codeql-action/analyze@a34ca99b4610d924e04c68db79e503e1f79f9f02 # v2.1.39

.github/workflows/nodejs.yml

@@ -11,12 +11,12 @@ jobs:
 
     strategy:
       matrix:
-        node: ['16']
+        node: ['18']
         mongodb: ['5.0']
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
@@ -29,12 +29,15 @@ jobs:
             registry-1.docker.io:443
             registry.npmjs.org:443
             snyk.io:443
+            docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Setup Node.js ${{ matrix.node }}
-        uses: actions/setup-node@eeb10cff27034e7acf239c5d29f62154018672fd # tag=v3.3.0
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: ${{ matrix.node }}
           check-latest: true
@@ -52,7 +55,7 @@ jobs:
         run: npm run test:coverage
 
       - name: Save Code Coverage
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: code-coverage
           path: coverage
@@ -65,20 +68,21 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
             github.com:443
             pipelines.actions.githubusercontent.com:443
             sonarcloud.io:443
+            scanner.sonarcloud.io:443
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Download Code Coverage
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: code-coverage
           path: coverage
@@ -102,19 +106,25 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
             github.com:443
             api.github.com:443
             pipelines.actions.githubusercontent.com:443
             registry.npmjs.org:443
+            registry-1.docker.io:443
+            osv-vulnerabilities.storage.googleapis.com:443
+            nvd.nist.gov:443
             pypi.org:443
-
+            location.services.mozilla.com:443
+            docker.io:443
+            auth.docker.io:443
+            production.cloudflare.docker.com:443
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Perform Scan
         uses: ShiftLeftSecurity/scan-action@master
@@ -124,7 +134,7 @@ jobs:
           SCAN_ANNOTATE_PR: true
 
       - name: Save the SCAN reports
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: sast-reports
           path: reports
@@ -139,21 +149,24 @@ jobs:
 
     strategy:
       matrix:
-        node: ['16']
+        node: ['18']
         mongodb: ['5.0']
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@dd5681a7d0c66fb362664d618ef4a90d656f6516
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: block
           allowed-endpoints: >
             api.github.com:443
             auth.docker.io:443
             bit.ly:443
+            cfu.zaproxy.org:443
             content-signature-2.cdn.mozilla.net:443
+            docker.io:443
             firefox.settings.services.mozilla.com:443
             github.com:443
+            location.services.mozilla.com:443
             news.zaproxy.org:443
             objects.githubusercontent.com:443
             pipelines.actions.githubusercontent.com:443
@@ -167,10 +180,10 @@ jobs:
             tracking-protection.cdn.mozilla.net:443
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Setup Node.js ${{ matrix.node }}
-        uses: actions/setup-node@17f8bd926464a1afa4c6a11669539e9c1ba77048 # tag=v3.2.0
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: ${{ matrix.node }}
           check-latest: true
@@ -187,10 +200,11 @@ jobs:
       - name: Start the app
         run: npm start > /dev/null &
 
-      - name: Run ZAP Scan
-        uses: zaproxy/action-full-scan@v0.4.0
+      - name: Run ZAP API Scan
+        uses: zaproxy/action-api-scan@6c29b04d78969bf586f2d4ea15c613d2dfb49d07 # tag=v0.2.0
         with:
-          target: http://localhost:3000
+          target: http://localhost:3000/swagger/json
+          format: openapi
 
   # -- PRE-RELEASE ------------------------------------------------------------
   pre-release:
@@ -204,15 +218,15 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Semantic Release
-        uses: cycjimmy/semantic-release-action@v3
+        uses: cycjimmy/semantic-release-action@8f6ceb9d5aae5578b1dcda6af00008235204e7fa # v3.2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -225,16 +239,16 @@ jobs:
 
     steps:
       - name: Harden GitHub Actions Runner
-        uses: step-security/harden-runner@cdea734fa57747b9831aa9d6fcb274c5f9669557
+        uses: step-security/harden-runner@8f144f8401c4e3693085dff03603f617f566ec6b
         with:
           egress-policy: audit
 
       - name: Checkout
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1
+        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
         with:
           images: ${{ github.repository }}
           tags: |
@@ -248,19 +262,19 @@ jobs:
             type=raw,value=latest
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@8b122486cedac8393e77aa9734c3528886e4a1a8 # tag=v2.0.0
+        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # tag=v2.1.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2.0.0
+        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # tag=v2.2.1
 
       - name: Login to DockerHub
-        uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # tag=v2.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Build and push
-        uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0
+        uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
         with:
           context: .
           push: true

.nvmrc

@@ -1 +1 @@
-16
+18

CHANGELOG.md

@@ -1,3 +1,64 @@
+## [1.2.1](https://github.com/timoa/nodejs-encryption-api-example/compare/v1.2.0...v1.2.1) (2022-06-19)
+
+
+### Bug Fixes
+
+* **cicd:** add different names for the SAST and ZAP reports ([49be62f](https://github.com/timoa/nodejs-encryption-api-example/commit/49be62fc3e86167439eb1c0f6bbabd24456ae1c7))
+* **cicd:** add wait for the app to start ([d1613bb](https://github.com/timoa/nodejs-encryption-api-example/commit/d1613bb1c4430c6af3e1c9675bd0667349af0aaf))
+* **cicd:** run the app in the background ([345aa34](https://github.com/timoa/nodejs-encryption-api-example/commit/345aa34f95bfdfe78d0c53730a6dfbe517c6aa3f))
+* **cicd:** unblocked domains from Harden GitHub Actions ([8152e3d](https://github.com/timoa/nodejs-encryption-api-example/commit/8152e3d44194591ecd26e83e33e7544e92bb688e))
+* **deps:** update dependency @fastify/helmet to v8.0.1 ([3a397cd](https://github.com/timoa/nodejs-encryption-api-example/commit/3a397cd7cbe87e64c331086c40cd38855c5db9ef))
+* **deps:** update dependency @fastify/helmet to v8.1.0 ([074bcb7](https://github.com/timoa/nodejs-encryption-api-example/commit/074bcb7609548c653d2fcdcc6057eba4ded0c7d0))
+* **deps:** update dependency @snyk/protect to v1.915.0 ([013fc04](https://github.com/timoa/nodejs-encryption-api-example/commit/013fc04ab7c6ffd34fc9467159fb40a172910b19))
+* **deps:** update dependency @snyk/protect to v1.917.0 ([556d9db](https://github.com/timoa/nodejs-encryption-api-example/commit/556d9db3c869a1e025eaefc8d15bccf4b06a0b81))
+* **deps:** update dependency @snyk/protect to v1.918.0 ([653ad31](https://github.com/timoa/nodejs-encryption-api-example/commit/653ad311a9312a40cda110cf4b5bead7761eaf27))
+* **deps:** update dependency @snyk/protect to v1.919.0 ([429764a](https://github.com/timoa/nodejs-encryption-api-example/commit/429764a849994e7fce4336b7284c7984fb14f7da))
+* **deps:** update dependency @snyk/protect to v1.921.0 ([b98e794](https://github.com/timoa/nodejs-encryption-api-example/commit/b98e7942c82e08a4f46d566009a3c1e50aac5c6f))
+* **deps:** update dependency @snyk/protect to v1.922.0 ([10d64fc](https://github.com/timoa/nodejs-encryption-api-example/commit/10d64fc3e0cd82264d4071d5fc5cc02fd7d47f04))
+* **deps:** update dependency @snyk/protect to v1.924.0 ([343b91a](https://github.com/timoa/nodejs-encryption-api-example/commit/343b91a154396911074e8610abff1666d74f6a20))
+* **deps:** update dependency @snyk/protect to v1.925.0 ([43a35c3](https://github.com/timoa/nodejs-encryption-api-example/commit/43a35c364583d530b95a68c3a842b45ecef0e30e))
+* **deps:** update dependency @snyk/protect to v1.927.0 ([6c7c9af](https://github.com/timoa/nodejs-encryption-api-example/commit/6c7c9af3dad957b93849cf526d24f1b2737b0f03))
+* **deps:** update dependency @snyk/protect to v1.928.0 ([eed31d8](https://github.com/timoa/nodejs-encryption-api-example/commit/eed31d8136277b024f79d144430096cdfc0a2147))
+* **deps:** update dependency @snyk/protect to v1.929.0 ([4776543](https://github.com/timoa/nodejs-encryption-api-example/commit/4776543adcf17a42a3328072794e831cfa9d3448))
+* **deps:** update dependency @snyk/protect to v1.931.0 ([8a7e37d](https://github.com/timoa/nodejs-encryption-api-example/commit/8a7e37d1f13fd3262fda4caccee4dfc61d608778))
+* **deps:** update dependency @snyk/protect to v1.932.0 ([7879982](https://github.com/timoa/nodejs-encryption-api-example/commit/7879982e52c6ea81e20cde55783edb6a3a1c46cb))
+* **deps:** update dependency @snyk/protect to v1.933.0 ([3c4b86d](https://github.com/timoa/nodejs-encryption-api-example/commit/3c4b86d63e04ee040b266d2c1cfd185fe759c36a))
+* **deps:** update dependency @snyk/protect to v1.934.0 ([a4e81d0](https://github.com/timoa/nodejs-encryption-api-example/commit/a4e81d0a1dd674fc051311ba6de3c1581a7e1b35))
+* **deps:** update dependency @snyk/protect to v1.935.0 ([1de671a](https://github.com/timoa/nodejs-encryption-api-example/commit/1de671ae29b22de9768513a0fbf25d8ddc62971f))
+* **deps:** update dependency @snyk/protect to v1.936.0 ([4eb66c1](https://github.com/timoa/nodejs-encryption-api-example/commit/4eb66c1c40e3fd63a29a039d383f66d43add242c))
+* **deps:** update dependency @snyk/protect to v1.939.0 ([caeeec9](https://github.com/timoa/nodejs-encryption-api-example/commit/caeeec9b3a10b99cf749443818551c976e02cfe4))
+* **deps:** update dependency @snyk/protect to v1.940.0 ([9eb9994](https://github.com/timoa/nodejs-encryption-api-example/commit/9eb9994df02f6d8abf685d2daecf52a186d30058))
+* **deps:** update dependency @snyk/protect to v1.942.0 ([4f756e2](https://github.com/timoa/nodejs-encryption-api-example/commit/4f756e2c538e4f00b8f7caf2ddc28018fec50b9a))
+* **deps:** update dependency @snyk/protect to v1.945.0 ([fa99afd](https://github.com/timoa/nodejs-encryption-api-example/commit/fa99afda165c145f124c762f5d1b850c280f0faa))
+* **deps:** update dependency @snyk/protect to v1.946.0 ([4374b6a](https://github.com/timoa/nodejs-encryption-api-example/commit/4374b6a0000871ba5518fcd4ac103aad068b8f5c))
+* **swagger:** fix package name for Fastify Swagger ([626aeaa](https://github.com/timoa/nodejs-encryption-api-example/commit/626aeaa94872e378a8faf2ef9f3ea2905868171e))
+
+# [1.2.0](https://github.com/timoa/nodejs-encryption-api-example/compare/v1.1.0...v1.2.0) (2022-05-14)
+
+
+### Bug Fixes
+
+* **cicd:** fix nodejs pipeline ([2f35f57](https://github.com/timoa/nodejs-encryption-api-example/commit/2f35f571b2031eb98ed8ef881aff2a931112f921))
+* **deps:** update dependency @snyk/protect to v1.902.0 ([6512d31](https://github.com/timoa/nodejs-encryption-api-example/commit/6512d3110dac34b19378771332bbd3f65a76ad21))
+* **deps:** update dependency @snyk/protect to v1.903.0 ([f733361](https://github.com/timoa/nodejs-encryption-api-example/commit/f733361e61a68bb3927ba227491f7a3fae456961))
+* **deps:** update dependency @snyk/protect to v1.904.0 ([9c7bca8](https://github.com/timoa/nodejs-encryption-api-example/commit/9c7bca8b1f728f63374d69b2419ae9b6e2dab01c))
+* **deps:** update dependency @snyk/protect to v1.905.0 ([bbe125c](https://github.com/timoa/nodejs-encryption-api-example/commit/bbe125c7fe07ed42525789462ad637a364eb83a3))
+* **deps:** update dependency @snyk/protect to v1.906.0 ([eca8c04](https://github.com/timoa/nodejs-encryption-api-example/commit/eca8c04ecb1cf30ddead94e5fa5999118820a44e))
+* **deps:** update dependency @snyk/protect to v1.907.0 ([7681384](https://github.com/timoa/nodejs-encryption-api-example/commit/7681384bd4708a9966d974ede5aa5b8d2f589b2e))
+* **deps:** update dependency @snyk/protect to v1.908.0 ([1c48afa](https://github.com/timoa/nodejs-encryption-api-example/commit/1c48afa2a587fbefa4075a0f9932eaf974d3dc81))
+* **deps:** update dependency @snyk/protect to v1.910.0 ([d3f91c3](https://github.com/timoa/nodejs-encryption-api-example/commit/d3f91c392416d4fe5ef2ba673181b102bbac1615))
+* **deps:** update dependency @snyk/protect to v1.912.0 ([5c796e1](https://github.com/timoa/nodejs-encryption-api-example/commit/5c796e177038bd5682269642435d98e1b21ca1b2))
+* **deps:** update dependency @snyk/protect to v1.913.0 ([884c1a5](https://github.com/timoa/nodejs-encryption-api-example/commit/884c1a599ce473f381076ab98fb8c9e78f2ca39a))
+* **deps:** update dependency @snyk/protect to v1.914.0 ([fed6f25](https://github.com/timoa/nodejs-encryption-api-example/commit/fed6f25defa85af2d9ae6a3271d610c40a12d9e6))
+* **deps:** update dependency fastify to v3.29.0 ([f2ad318](https://github.com/timoa/nodejs-encryption-api-example/commit/f2ad318a20248abdb0592e096f3e516ead3d6a0d))
+* **deps:** update dependency fastify-swagger to v5.2.0 ([9ea4b34](https://github.com/timoa/nodejs-encryption-api-example/commit/9ea4b34c0fe5ff05d850c3d4ab9868484d796156))
+* **docs:** fix duplicated lines badge link ([4df3cf5](https://github.com/timoa/nodejs-encryption-api-example/commit/4df3cf5ee7413d6e088e257a2237c4635b613aa3))
+
+
+### Features
+
+* **helmet:** add Helmet support to secure HTTP headers ([89a7c41](https://github.com/timoa/nodejs-encryption-api-example/commit/89a7c411c63599b353990b9c09b2afb5086357f6))
+
 # [1.1.0](https://github.com/timoa/nodejs-encryption-api-example/compare/v1.0.0...v1.1.0) (2022-04-15)