build: upgrade dependencies (#913)

masontikhonov · web-flow · commit 260f11d5b1ab · 2026-05-06T18:10:46.000+04:00
## What This upgrades dependencies with security fixes. Relevant tickets: https://codefresh-io.atlassian.net/browse/CR-38262 https://codefresh-io.atlassian.net/browse/CR-39160 https://codefresh-io.atlassian.net/browse/CR-39186 https://codefresh-io.atlassian.net/browse/CR-39196 https://codefresh-io.atlassian.net/browse/CR-39198 https://codefresh-io.atlassian.net/browse/CR-39206 https://codefresh-io.atlassian.net/browse/CR-39209 https://codefresh-io.atlassian.net/browse/CR-39212 https://codefresh-io.atlassian.net/browse/CR-39424 https://codefresh-io.atlassian.net/browse/CR-39543 https://codefresh-io.atlassian.net/browse/CR-39664 https://codefresh-io.atlassian.net/browse/CR-39871  ## Security Report > [!NOTE] > Compared security scans: > > **Current image**: [quay.io/codefresh/cli:cr-39206@sha256:88e56764d203964c161809909dbb3da70790b7c84a44cf35bb7fc17aee44caa0](https://app.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search%3Dsha256%253A88e56764d203964c161809909dbb3da70790b7c84a44cf35bb7fc17aee44caa0) > > **Baseline**: [quay.io/codefresh/cli:master@sha256:466e9fe022b15f8cf9ef70facf79dd52d8c88e79cdc5ef1bfb14fd00249d2291](https://app.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search%3Dsha256%253A466e9fe022b15f8cf9ef70facf79dd52d8c88e79cdc5ef1bfb14fd00249d2291) > [!IMPORTANT] > Current summary is in beta mode. > Please analyze [the full scan report](https://app.prismacloud.io/compute?computeState=/monitor/vulnerabilities/images/ci?search%3Dsha256%253A88e56764d203964c161809909dbb3da70790b7c84a44cf35bb7fc17aee44caa0) for comprehensive details. ### Fixed CVEs: 22 #### 🟣 Critical: 1 - CVE-2026-31789 in `openssl@3.5.5-r0` at `unknown path` #### 🔴 High: 11 - CVE-2026-28387 in `openssl@3.5.5-r0` at `unknown path` - CVE-2026-31790 in `openssl@3.5.5-r0` at `unknown path` - CVE-2026-29181 in `go.opentelemetry.io/otel@v1.36.0` at `/usr/local/bin/kubectl` - CVE-2026-28390 in `openssl@3.5.5-r0` at `unknown path` - CVE-2026-28389 in `openssl@3.5.5-r0` at `unknown path` - CVE-2026-28388 in `openssl@3.5.5-r0` at `unknown path` - CVE-2026-27137 in `crypto/x509@1.26.0` at `/usr/local/bin/yq` - CVE-2026-2673 in `openssl@3.5.5-r0` at `unknown path` - CVE-2026-25679 in `net/url@1.25.7` at `/usr/local/bin/kubectl` - CVE-2026-25679 in `net/url@1.26.0` at `/usr/local/bin/yq` - CVE-2026-35469 in `github.com/moby/spdystream@v0.5.0` at `/usr/local/bin/kubectl` #### 🟠 Medium: 5 - CVE-2026-41650 in `fast-xml-parser@5.5.8` at `/cf-cli/node_modules/fast-xml-parser` - CVE-2026-27138 in `crypto/x509@1.26.0` at `/usr/local/bin/yq` - CVE-2026-32288 in `archive/tar@1.25.7` at `/usr/local/bin/kubectl` - CVE-2026-27171 in `zlib@1.3.1-r2` at `unknown path` - CVE-2026-42338 in `ip-address@9.0.5` at `/cf-cli/node_modules/ip-address` #### 🟡 Low: 5 - CVE-2026-27139 in `os@1.25.7` at `/usr/local/bin/kubectl` - CVE-2026-27139 in `os@1.26.0` at `/usr/local/bin/yq` - CVE-2026-6042 in `musl@1.2.5-r21` at `unknown path` - CVE-2026-40200 in `musl@1.2.5-r21` at `unknown path` - CVE-2026-27135 in `nghttp2@1.68.0-r0` at `unknown path` [🔗 View all related Jira tickets](https://codefresh-io.atlassian.net/jira/software/c/projects/CR/issues?jql=project%20%3D%20CR%20AND%20%22security%20image%5Bshort%20text%5D%22%20~%20%22cli%22%20AND%20(%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-31789%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-28387%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-31790%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-29181%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-28390%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-28389%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-28388%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-27137%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-2673%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-25679%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-25679%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-35469%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-41650%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-27138%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-32288%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-27171%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-42338%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-27139%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-27139%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-6042%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-40200%22%20OR%20%22security%20cve%5Bshort%20text%5D%22%20~%20%22CVE-2026-27135%22)%20ORDER%20BY%20created%20ASC)
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:24.13.0-alpine3.23
+FROM node:24.15.0-alpine3.23
 ARG TARGETPLATFORM
 RUN apk --update add --no-cache \
     bash \
@@ -7,17 +7,17 @@ RUN apk --update add --no-cache \
     git \
     jq
 RUN npm upgrade -g npm
-COPY --from=mikefarah/yq:4.52.4 /usr/bin/yq /usr/local/bin/yq
-ADD --chmod=775 https://dl.k8s.io/release/v1.35.3/bin/${TARGETPLATFORM}/kubectl /usr/local/bin/kubectl
+COPY --from=mikefarah/yq:4.53.2 /usr/bin/yq /usr/local/bin/yq
+ADD --chmod=775 https://dl.k8s.io/release/v1.36.0/bin/${TARGETPLATFORM}/kubectl /usr/local/bin/kubectl
 WORKDIR /cf-cli
 COPY package.json yarn.lock check-version.js run-check-version.js /cf-cli/
 RUN yarn install --prod --frozen-lockfile && \
     yarn cache clean
 COPY . /cf-cli
 RUN yarn generate-completion
 
-#purpose of security
-RUN npm -g uninstall npm
+# Purpose of security:
+RUN npm uninstall -g --logs-max=0 corepack npm
 
 RUN ln -s $(pwd)/lib/interface/cli/codefresh /usr/local/bin/codefresh
 RUN codefresh components update --location components
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codefresh",
-  "version": "1.1.3",
+  "version": "1.1.4",
   "description": "Codefresh command line utility",
   "main": "index.js",
   "preferGlobal": true,
@@ -41,14 +41,13 @@
   "resolutions": {
     "json-schema": "^0.4.0",
     "ansi-regex": "^5.0.1",
-    "kubernetes-client/@kubernetes/client-node": ">=0.22.2",
+    "kubernetes-client/@kubernetes/client-node": "^0.22.2",
     "tough-cookie": "^4.1.3",
     "openid-client": "^4.9.0",
     "**/request/form-data": "^2.5.5",
-    "**/request/qs": "6.14.2"
+    "**/request/qs": "^6.14.2"
   },
   "dependencies": {
-    "@codefresh-io/docker-reference": "^0.0.5",
     "adm-zip": "^0.5.5",
     "ajv": "^6.14.0",
     "bluebird": "^3.5.1",
@@ -73,21 +72,17 @@
     "kefir": "^3.8.1",
     "kubernetes-client": "^9.0.0",
     "lodash": "^4.17.23",
-    "mkdirp": "^0.5.1",
     "moment": "^2.29.4",
     "mongodb": "^4.17.2",
     "node-forge": "^1.3.0",
     "ora": "^5.4.1",
-    "prettyjson": "^1.2.5",
-    "promise-retry": "^2.0.1",
     "recursive-readdir": "^2.2.3",
     "request": "^2.88.0",
     "request-promise": "^4.2.6",
     "requestretry": "^7.0.2",
     "rimraf": "^2.6.2",
     "semver": "^7.5.4",
     "tar-stream": "^2.2.0",
-    "uuid": "^3.1.0",
     "yaml": "^1.10.0",
     "yargs": "^15.4.1",
     "yargs-parser": "^13.0.0",
diff --git a/yarn.lock b/yarn.lock
