Merge branch 'main' into 1.37-releases

Author: lerouxb

.depalignrc.json

@@ -10,7 +10,8 @@
       "^5.4.1",
       "^5.1.0",
       "^5.7.1",
-      "^7.3.5"
+      "^7.3.5",
+      "^7.6.0"
     ],
     "eslint-config-mongodb-js": [
       "^5.0.3",

.depcheckrc

@@ -1,5 +1,6 @@
 ignores:
   - '@mongodb-js/bump-monorepo-packages'
+  - '@mongodb-js/sbom-tools'
   # TODO: We keep webpack-cli/serve and testing-library/dom at the root to work
   # around weird npm workspace hoising issues caused by outdated transient
   # dependencies. This can go away when we update webpack and leafygreen to the

.evergreen/buildvariants.in.yml

@@ -1,4 +1,10 @@
 buildvariants:
+  - name: generate-vulnerability-report
+    display_name: Vulnerability Report
+    run_on: ubuntu2004-large
+    tasks:
+      - name: generate-vulnerability-report
+
   - name: coverage
     display_name: E2E Coverage
     run_on: ubuntu2004-large

.evergreen/buildvariants.yml

@@ -1,4 +1,10 @@
 buildvariants:
+  - name: generate-vulnerability-report
+    display_name: Vulnerability Report
+    run_on: ubuntu2004-large
+    tasks:
+      - name: generate-vulnerability-report
+
   - name: coverage
     display_name: E2E Coverage
     run_on: ubuntu2004-large

.evergreen/functions.yml

@@ -31,7 +31,7 @@ variables:
     EVERGREEN_VERSION_ID: ${version_id}
     EVERGREEN_WORKDIR: ${workdir}
     NODE_JS_VERSION: '16.17.0'
-    NPM_VERSION: '8.15.1'
+    NPM_VERSION: '8.19.4'
     # secrets
     HADRON_METRICS_INTERCOM_APP_ID: ${metrics_intercom_app_id}
     HADRON_METRICS_SEGMENT_API_KEY: ${metrics_segment_api_key}
@@ -424,7 +424,7 @@ functions:
           eval $(.evergreen/print-compass-env.sh)
           rm -rf mongodb-crypt && mkdir -p mongodb-crypt
           (cd mongodb-crypt && \
-            curl -sSfL $(npx -y mongodb-download-url --enterprise --crypt_shared --version '>= 6.0.0') | \
+            curl -sSfL $(npx -y mongodb-download-url --enterprise --crypt_shared --version '>= 7.0.0-rc0') | \
             tar -xvz)
           export COMPASS_CRYPT_LIBRARY_PATH=$(echo $PWD/mongodb-crypt/lib/mongo_*_v1.*)
           npm run test-csfle --workspace mongodb-data-service
@@ -546,3 +546,47 @@ functions:
             npm run publish-packages-next
           fi
 
+  generate-vulnerability-report:
+    - command: shell.exec
+      params:
+        working_dir: src
+        shell: bash
+        env:
+          <<: *compass-env
+          DEBUG: ${debug}
+          SNYK_TOKEN: ${snyk_token}
+        script: |
+          set -e
+          # Load environment variables
+          eval $(.evergreen/print-compass-env.sh)
+
+          # Can only fail if is not a patch:
+          npm run generate-vulnerability-report || { [ "$EVERGREEN_IS_PATCH" == "true" ] && exit 0; } || exit 1
+    - command: s3.put
+      params:
+        <<: *save-artifact-params
+        local_file: src/.sbom/dependencies.json
+        remote_file: ${project}/${revision}_${revision_order_id}/dependencies.json
+        content_type: application/json
+        optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params
+        local_file: src/.sbom/snyk-test-result.json
+        remote_file: ${project}/${revision}_${revision_order_id}/snyk-test-result.json
+        content_type: application/json
+        optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params
+        local_file: src/.sbom/snyk-test-result.html
+        remote_file: ${project}/${revision}_${revision_order_id}/snyk-test-result.html
+        content_type: text/html
+        optional: true
+    - command: s3.put
+      params:
+        <<: *save-artifact-params
+        local_file: src/.sbom/vulnerability-report.md
+        remote_file: ${project}/${revision}_${revision_order_id}/vulnerability-report.md
+        content_type: text/markdown
+        optional: true

.evergreen/tasks.in.yml

@@ -55,6 +55,16 @@ tasks:
         vars:
           debug: 'compass-e2e-tests*,electron*,hadron*,mongo*'
 
+  - name: generate-vulnerability-report
+    tags: ['required-for-publish', 'run-on-pr']
+    commands:
+      - func: prepare
+      - func: install
+      - func: bootstrap
+      - func: generate-vulnerability-report
+        vars:
+          debug: 'compass*,electron*,hadron*,mongo*'
+
   # Publish happens in one go to make sure we are not creating multiple github
   # releases in parallel
   - name: publish
@@ -72,7 +82,7 @@ tasks:
           scope: mongodb-compass
       - func: get-all-artifacts
       - func: publish
-  
+
   - name: publish-packages-next
     tags: []
     depends_on:

.evergreen/tasks.yml

@@ -55,6 +55,16 @@ tasks:
         vars:
           debug: 'compass-e2e-tests*,electron*,hadron*,mongo*'
 
+  - name: generate-vulnerability-report
+    tags: ['required-for-publish', 'run-on-pr']
+    commands:
+      - func: prepare
+      - func: install
+      - func: bootstrap
+      - func: generate-vulnerability-report
+        vars:
+          debug: 'compass*,electron*,hadron*,mongo*'
+
   # Publish happens in one go to make sure we are not creating multiple github
   # releases in parallel
   - name: publish
@@ -72,7 +82,7 @@ tasks:
           scope: mongodb-compass
       - func: get-all-artifacts
       - func: publish
-  
+
   - name: publish-packages-next
     tags: []
     depends_on:

.github/workflows/bump-packages.yaml

@@ -29,9 +29,9 @@ jobs:
           node-version: ^16.17.0
           cache: 'npm'
 
-      - name: Install npm@8.15.1
+      - name: Install npm@8.19.4
         run: |
-          npm install -g npm@8.15.1
+          npm install -g npm@8.19.4
 
       - name: Install Dependencies
         run: |

.github/workflows/update-electron.yaml

@@ -30,9 +30,9 @@ jobs:
           node-version: ^16.17.0
           cache: 'npm'
 
-      - name: Install npm@8.15.1
+      - name: Install npm@8.19.4
         run: |
-          npm install -g npm@8.15.1
+          npm install -g npm@8.19.4
 
       - name: Install Dependencies
         run: |

.gitignore

@@ -32,3 +32,4 @@ mongodb-crypt
 # npm doesn't support nested npmrc in the monorepo
 packages/*/.npmrc
 config/*/.npmrc
+.sbom