chore(deps): upgrade PM2

[jamesgorrie]

What does this change?

Runs yarn add --force pm2 to reinstall [email protected] with their dependency vulnerabilities fixed.

pm2 don't bump their package but rather fix in place.

The snyk reports were generated locally by running snyk monitor dotcom-rendering hence they're in the guardian-people project.

Why?

To have no high vulnerabilities.

Screenshots

Before	After
Snyk report	Snyk report

[github-actions]

Size Change: 0 B 🆕

Total Size: 0 B

_{compressed-size-action}

[arelra]

Actually I think the pm2 version we use on our live instances is installed to /usr/local/node/pm2 as part of the AMI. Would that always be the latest (i.e fixed) version?

[jamesgorrie]

Actually I think the pm2 version we use on our live instances is installed to /usr/local/node/pm2 as part of the AMI. Would that always be the latest (i.e fixed) version?

@arelra I think it definitely is, so technically we don't actually have this vulnerability on the live instances.

Saying that, I do think we should remove that from those boxes as it's a very opaque dependency and could cause any number of hard-to-debug issues through being implicitly used there.

I think we would need to ensure we can the installed pm2 on those boxes before doing that though.

I am going to merge this as it remove our reported, if not real, vulnerabilities in Snyk.

[arelra]

@arelra I think it definitely is, so technically we don't actually have this vulnerability on the live instances.

Great thanks for confirming.

Saying that, I do think we should remove that from those boxes as it's a very opaque dependency and could cause any number of hard-to-debug issues through being implicitly used there.

Agreed we should be using the version that is in our dependencies.

I am going to merge this as it remove our reported, if not real, vulnerabilities in Snyk.

Thanks for sorting this!

[JamieB-gu]

@jamesgorrie I'm not sure I follow this change 🤔. It looks like the net effect would be to downgrade the version of semver to 6.3.0, which was originally upgraded away from in #8715?

[arelra]

Good catch @JamieB-gu yes @pm2/io@~5.0.0 is still using [email protected]. In which case we need to keep the resolution.

[arelra]

Interestingly [email protected]'s dependency @pm2/io@~5.0.0 has been updated to address the semver vulnerability and is now at @pm2/[email protected]:

keymetrics/pm2-io-apm@c5996e3

As pm2 accepts a patch this should mean we can specifically install/upgrade pm2/io@~5.0.2 to pick up this update?

[jamesgorrie]

I think there has been a few issues where yarn was following semver so not updating it's lockfile as it was technically backwards compatible.

So basically the same thing you're talking about @arelra.

I removed pm2 and re-added it which seems to have given us a more expected lockfile, but annoyingly we do still have high vulnerabilities, which I think are related to licensing.

[jamesgorrie]

As part of this we discovered we still have a .snyk file we should sort out #8924