Update vulnerable libraries and add build test for yarn audit

.dockerignore

@@ -9,3 +9,5 @@
 !tsconfig.json
 !vite.config.ts
 !yarn.lock
+!.yarnrc.yml
+!.yarn

.github/workflows/build-test.yml

@@ -14,3 +14,10 @@ jobs:
         uses: actions/checkout@v3
       - name: Build Docker Image
         run: make build
+  yarn-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Run yarn audit
+        run: yarn npm audit --severity high

.yarnrc.yml

@@ -0,0 +1,3 @@
+nodeLinker: node-modules
+
+yarnPath: .yarn/releases/yarn-4.1.1.cjs

Dockerfile

@@ -1,4 +1,6 @@
-FROM node:18-alpine3.17 as base
+ARG NODE_IMAGE_NAME=20-alpine3.18
+
+FROM node:${NODE_IMAGE_NAME} as base
 
 COPY . ./code
 WORKDIR /code
@@ -10,23 +12,25 @@ RUN yarn build
 # Set up database
 RUN yarn prisma generate
 
-FROM node:18-alpine3.17 as module-installation
+FROM node:${NODE_IMAGE_NAME} as module-installation
 
 COPY package.json ./code/package.json
 COPY yarn.lock ./code/yarn.lock
+COPY .yarnrc.yml ./code/.yarnrc.yml
+COPY .yarn ./code/.yarn
 WORKDIR /code
 
 # Install production dependencies
-RUN apk add --no-cache jq
+RUN apk add --no-cache jq 
 RUN jq 'del(.devDependencies)' package.json > package.json.temp && mv package.json.temp package.json
-RUN yarn install --production --no-optional
+RUN yarn install
 
 # Copy database client data
 COPY --from=base ./code/node_modules/@prisma ./node_modules/@prisma
 COPY --from=base ./code/node_modules/.prisma ./node_modules/.prisma
 COPY --from=base ./code/node_modules/prisma ./node_modules/prisma
 
-FROM node:18-alpine3.17 as final 
+FROM node:${NODE_IMAGE_NAME} as final 
 
 RUN apk add curl
 

Makefile

@@ -1,5 +1,5 @@
 fetch-dev-db:
-	docker pull postgres && docker tag postgres dev-db:latest
+	docker pull postgres:15 && docker tag postgres:15 dev-db:latest
 start-dev-db:
 	docker run --name dev-db -e POSTGRES_PASSWORD=password --hostname docker --network qwik-network -d  -v $(shell pwd)/database:/var/lib/postgresql/data dev-db
 remove-dev-db:

README.md

@@ -1,75 +1,35 @@
-# Qwik City App ⚡️
+# Qwik Webapp
 
-- [Qwik Docs](https://qwik.builder.io/)
-- [Discord](https://qwik.builder.io/chat)
-- [Qwik GitHub](https://github.com/BuilderIO/qwik)
-- [@QwikDev](https://twitter.com/QwikDev)
-- [Vite](https://vitejs.dev/)
+This webapp is designed as a web interface for a separate bot that connects to the twitch API as a chatbot.
 
----
+## Installation
 
-## Project Structure
+1. Ensure postgres, node 20+, and yarn are installed
+2. Create a `.env` file with the following data
 
-This project is using Qwik with [QwikCity](https://qwik.builder.io/qwikcity/overview/). QwikCity is just a extra set of tools on top of Qwik to make it easier to build a full site, including directory-based routing, layouts, and more.
+```env
+JWT_SECRET= <Random values for jwt encryption>
 
-Inside your project, you'll see the following directory structure:
+SENDGRID_API_KEY= <Sendgrid API Key (Only needed in production)>
 
-```
-├── public/
-│   └── ...
-└── src/
-    ├── components/
-    │   └── ...
-    └── routes/
-        └── ...
-```
-
-- `src/routes`: Provides the directory based routing, which can include a hierarchy of `layout.tsx` layout files, and an `index.tsx` file as the page. Additionally, `index.ts` files are endpoints. Please see the [routing docs](https://qwik.builder.io/qwikcity/routing/overview/) for more info.
-
-- `src/components`: Recommended directory for components.
-
-- `public`: Any static assets, like images, can be placed in the public directory. Please see the [Vite public directory](https://vitejs.dev/guide/assets.html#the-public-directory) for more info.
+SENDGRID_FROM_ADDRESS= <From email address>
 
-## Add Integrations and deployment
+DATABASE_URL= postgresql://<databasename>:[email protected]:PORT
 
-Use the `yarn qwik add` command to add additional integrations. Some examples of integrations include: Cloudflare, Netlify or Express server, and the [Static Site Generator (SSG)](https://qwik.builder.io/qwikcity/static-site-generation/static-site-config/).
+ADMIN_EMAIL= <your-email>
 
-```shell
-yarn qwik add # or `yarn qwik add`
-```
-
-## Development
-
-Development mode uses [Vite's development server](https://vitejs.dev/). During development, the `dev` command will server-side render (SSR) the output.
+ADMIN_PASSWORD= <your-password>
 
-```shell
-npm start # or `yarn start`
+ADMIN_NAME= <your-name>
 ```
 
-> Note: during dev mode, Vite may request a significant number of `.js` files. This does not represent a Qwik production build.
+3. Run `yarn install`
+4. Run `yarn prisma migrate dev` to populate your database with empty tables from the migration
+5. Run `node add-global-admin.js` to seed the data provided as admin env vars as a global admin in the db
+6. Run `yarn dev`
 
-## Preview
+## Helpful commands
 
-The preview command will create a production build of the client modules, a production build of `src/entry.preview.tsx`, and run a local server. The preview server is only for convenience to locally preview a production build, and it should not be used as a production server.
-
-```shell
-yarn preview # or `yarn preview`
-```
-
-## Production
-
-The production build will generate client and server modules by running both client and server build commands. Additionally, the build command will use Typescript to run a type check on the source code.
-
-```shell
-yarn build # or `yarn build`
-```
-
-## Express Server
-
-This app has a minimal [Express server](https://expressjs.com/) implementation. After running a full build, you can preview the build using the command:
-
-```
-yarn serve
-```
+The makefile contains a number of helpful commands for running in docker. Builds to this repo build the docker image and run an audit on npm package security vulnerabilities before being able to merge. To test this will pass locally you can run `npm run build` to build the app baremetal, or `make build` to build the docker image locally. Once built locally you can run either `yarn serve` to run baremetal, or `make run` to run in docker.
 
-Then visit [http://localhost:8080/](http://localhost:8080/)
+To inspect the database locally you can run `yarn prisma studio` to open an in browser edit tool

package.json

@@ -2,7 +2,7 @@
   "name": "webapp",
   "description": "Web interface for twitch chatbot",
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "private": true,
   "scripts": {
@@ -23,34 +23,35 @@
     "qwik": "qwik"
   },
   "devDependencies": {
-    "@builder.io/qwik": "^1.1.4",
-    "@builder.io/qwik-city": "^1.1.4",
+    "@builder.io/qwik": "^1.5.2",
+    "@builder.io/qwik-city": "^1.5.2",
     "@types/compression": "^1.7.2",
     "@types/eslint": "8.4.10",
     "@types/express": "4.17.17",
     "@types/node": "^18.11.16",
     "@types/node-fetch": "latest",
-    "@typescript-eslint/eslint-plugin": "5.46.1",
-    "@typescript-eslint/parser": "5.46.1",
+    "@typescript-eslint/eslint-plugin": "6.21.0",
+    "@typescript-eslint/parser": "6.21.0",
     "compression": "^1.7.4",
     "eslint": "8.30.0",
     "eslint-plugin-qwik": "0.16.1",
     "prettier": "2.8.1",
     "preview-email": "^3.0.7",
     "prisma": "^4.15.0",
-    "typescript": "4.9.4",
+    "typescript": "5.4.5",
     "util": "^0.12.5",
-    "vite": "4.0.1",
-    "vite-tsconfig-paths": "3.5.0"
+    "vite": "5.2.10",
+    "vite-tsconfig-paths": "4.3.2"
   },
   "dependencies": {
     "@prisma/client": "^4.15.0",
     "@sendgrid/mail": "^7.7.0",
     "@vanilla-extract/css": "^1.9.2",
     "@vanilla-extract/vite-plugin": "^3.7.0",
-    "crypto-js": "^4.1.1",
+    "crypto-js": "^4.2.0",
+    "express": "4.18.2",
     "jose": "^4.11.1",
-    "undici": "5.14.0",
-    "express": "4.18.2"
-  }
+    "undici": "5.19.1"
+  },
+  "packageManager": "[email protected]"
 }

tsconfig.json

@@ -14,6 +14,7 @@
     "skipLibCheck": true,
     "incremental": true,
     "isolatedModules": true,
+    "allowImportingTsExtensions": true,
     "outDir": "tmp",
     "noEmit": true,
     "types": ["node", "vite/client"],