EXUI-1108: Update to yarn v4.5.0 (#1782)

* Update to yarn v4.5.0

* add yarn 4.5.0.cjs

* Manually remove line from known issues to check that script exits when difference is detected

* update yarn audit, add pretty print to sh comparison file

* Update version number

* Update audit csript

* remove unused file

* update yarn audit

* Update to release version number

.github/workflows/npmpublish.yml

@@ -23,6 +23,7 @@ jobs:
           node-version: 18
       - run: corepack enable && yarn --version
       - run: yarn install
+      - run: yarn test:audit
       - run: yarn lint
       - run: yarn build
       - run: yarn test

.yarnrc.yml

@@ -2,6 +2,8 @@ compressionLevel: mixed
 
 enableGlobalCache: false
 
+enableStrictSsl: false
+
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-3.6.4.cjs
+yarnPath: .yarn/releases/yarn-4.5.0.cjs

RELEASE-NOTES.md

@@ -1,5 +1,8 @@
 ## RELEASE NOTES 
 
+### Version 7.0.73
+**EXUI-1108** Fix yarn npm audit in ccd-case-ui-toolkit
+
 ### Version 7.0.71
 **EXUI-EXUI-2227** error-handling-specific-access-request
 

bin/run-yarn-audit.sh

@@ -1,38 +1,28 @@
-#!/usr/bin/env bash
-set +e
-yarn audit
-result=$?
-set -e
+#!/bin/bash
 
-if [[ "$result" != 0 ]]; then
-  if [[ -f yarn-audit-known-issues ]]; then
-    set +e
-    yarn audit --json | grep auditAdvisory > yarn-audit-issues
-    set -e
-    new_vulnerabilities=false
-    while read -r line; do
-        url=$(node -pe 'JSON.parse(process.argv[1]).data.advisory.url' "$line")
-        if ! grep -q "$url" yarn-audit-known-issues; then
-          echo "unknown vulnerability:$url"
-          new_vulnerabilities=true
-        fi
-    done < yarn-audit-issues
+upToDateVulnerabilities=$(mktemp)
+vulnerabilitiesInRepo="./yarn-audit-known-issues"
 
-    if [[ "$new_vulnerabilities" = true ]] ; then
-      echo
-      echo Security vulnerabilities were found that were not ignored
-      echo
-      echo Check to see if these vulnerabilities apply to production
-      echo and/or if they have fixes available. If they do not have
-      echo fixes and they do not apply to production, you may ignore them
-      echo
-      echo To ignore these vulnerabilities, please add advisories urls
-      echo "to yarn-audit-known-issues (eg: https://npmjs.com/advisories/755)"
-      echo
-      echo and commit the yarn-audit-known-issues file.
+yarn npm audit --recursive --environment production --json > "$upToDateVulnerabilities"
 
-      exit "$result"
-    fi
+# Ensure both files exist
+if [[ ! -f "$upToDateVulnerabilities" || ! -f "$vulnerabilitiesInRepo" ]]; then
+  echo "Error: One or both required files do not exist."
+  rm -f "$upToDateVulnerabilities" 
+  exit 1
+fi
 
-    fi
+# Compare the files and act based on the result
+if diff_output=$(diff "$upToDateVulnerabilities" "$vulnerabilitiesInRepo"); then
+  echo "No differences found in vulnerabilities."
+else
+  echo
+  echo "Security vulnerability differences were found"
+  echo
+  echo "To ignore these vulnerabilities, run:"
+  echo 'yarn npm audit --recursive --environment production --json > yarn-audit-known-issues'
+  echo
+  exit 1
 fi
+
+rm -f "$upToDateVulnerabilities"

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/ccd-case-ui-toolkit",
-  "version": "7.0.71",
+  "version": "7.0.73",
   "engines": {
     "node": ">=18.19.0"
   },
@@ -237,5 +237,5 @@
     "sourceMap": false,
     "instrument": false
   },
-  "packageManager": "yarn@3.6.4"
+  "packageManager": "yarn@4.5.0"
 }

projects/ccd-case-ui-toolkit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hmcts/ccd-case-ui-toolkit",
-  "version": "7.0.71",
+  "version": "7.0.73",
   "engines": {
     "node": ">=18.19.0"
   },