fix: jobs vulnerability

packages/cli/package.json

@@ -31,6 +31,7 @@
         "ajv-errors": "^3.0.0",
         "axios": "^1.2.0",
         "byots": "^5.0.0-dev.20221103.1.34",
+        "chalk": "^5.3.0",
         "chokidar": "^3.5.3",
         "commander": "^10.0.1",
         "conf": "12.0.0",

packages/jobs/lib/runner/render.api.ts

@@ -0,0 +1,37 @@
+import axios, { AxiosInstance, AxiosResponse } from 'axios';
+
+export class RenderAPI {
+    httpClient: AxiosInstance;
+    constructor(apiKey: string) {
+        this.httpClient = axios.create({
+            baseURL: 'https://api.render.com/v1',
+            headers: {
+                Authorization: `Bearer ${apiKey}`,
+                Accept: 'application/json'
+            }
+        });
+    }
+
+    async getServices(params: { name: string; type: string; limit: string }): Promise<AxiosResponse> {
+        return await this.httpClient.get('/services', { params });
+    }
+
+    async createService(data: {
+        type: string;
+        name: string;
+        ownerId: string;
+        image: { ownerId: string; imagePath: string };
+        serviceDetails: { env: string };
+        envVars: { key: string; value: string }[];
+    }): Promise<AxiosResponse> {
+        return await this.httpClient.post('/services', data);
+    }
+
+    async suspendService(params: { serviceId: string }): Promise<AxiosResponse> {
+        return await this.httpClient.post(`/services/${params.serviceId}/suspend`, {});
+    }
+
+    async resumeService(params: { serviceId: string }): Promise<AxiosResponse> {
+        return await this.httpClient.post(`/services/${params.serviceId}/resume`, {});
+    }
+}

packages/jobs/lib/runner/render.runner.ts

@@ -1,15 +1,14 @@
 import type { Runner } from './runner.js';
 import { RunnerType } from './runner.js';
 import { ProxyAppRouter, getRunnerClient } from '@nangohq/nango-runner';
-import { getEnv, getPersistAPIUrl } from '@nangohq/shared';
-import api from 'api';
+import { NodeEnv, getEnv, getPersistAPIUrl } from '@nangohq/shared';
+import { RenderAPI } from './render.api.js';
 import tracer from 'dd-trace';
 
-const render = api('@render-api/v1.0#aiie8wizhlp1is9bu');
-render.auth(process.env['RENDER_API_KEY']);
-
 const jobsServiceUrl = process.env['JOBS_SERVICE_URL'] || 'http://localhost:3005';
 
+const render: RenderAPI = new RenderAPI(process.env['RENDER_API_KEY'] || '');
+
 export class RenderRunner implements Runner {
     public client: ProxyAppRouter;
     public runnerType: RunnerType = RunnerType.Render;
@@ -68,17 +67,17 @@ export class RenderRunner implements Runner {
                     image: { ownerId: ownerId, imagePath: `nangohq/nango-runner:${imageTag}` },
                     serviceDetails: { env: 'image' },
                     envVars: [
-                        { key: 'NODE_ENV', value: process.env['NODE_ENV'] },
-                        { key: 'NANGO_CLOUD', value: process.env['NANGO_CLOUD'] },
+                        { key: 'NODE_ENV', value: process.env['NODE_ENV'] || NodeEnv.Dev },
+                        { key: 'NANGO_CLOUD', value: process.env['NANGO_CLOUD'] || 'true' },
                         { key: 'NODE_OPTIONS', value: '--max-old-space-size=384' },
                         { key: 'RUNNER_ID', value: runnerId },
                         { key: 'NOTIFY_IDLE_ENDPOINT', value: `${jobsServiceUrl}/idle` },
                         { key: 'IDLE_MAX_DURATION_MS', value: `${25 * 60 * 60 * 1000}` }, // 25 hours
                         { key: 'PERSIST_SERVICE_URL', value: getPersistAPIUrl() },
-                        { key: 'NANGO_TELEMETRY_SDK', value: process.env['NANGO_TELEMETRY_SDK'] },
-                        { key: 'DD_ENV', value: process.env['DD_ENV'] },
-                        { key: 'DD_SITE', value: process.env['DD_SITE'] },
-                        { key: 'DD_TRACE_AGENT_URL', value: process.env['DD_TRACE_AGENT_URL'] }
+                        { key: 'NANGO_TELEMETRY_SDK', value: process.env['NANGO_TELEMETRY_SDK'] || 'false' },
+                        { key: 'DD_ENV', value: process.env['DD_ENV'] || '' },
+                        { key: 'DD_SITE', value: process.env['DD_SITE'] || '' },
+                        { key: 'DD_TRACE_AGENT_URL', value: process.env['DD_TRACE_AGENT_URL'] || '' }
                     ]
                 });
                 svc = res.data.service;

packages/jobs/package.json

@@ -17,17 +17,14 @@
     "dependencies": {
         "@nangohq/nango-runner": "^1.0.0",
         "@nangohq/shared": "^0.38.5",
-        "@octokit/plugin-retry": "^6.0.0",
-        "@octokit/plugin-throttling": "^7.0.0",
-        "@octokit/rest": "^20.0.1",
         "@temporalio/activity": "^1.9.1",
         "@temporalio/client": "^1.9.1",
         "@temporalio/worker": "^1.9.1",
         "@temporalio/workflow": "^1.9.1",
         "@trpc/client": "^10.44.1",
         "@trpc/server": "^10.44.1",
         "@types/fs-extra": "^11.0.1",
-        "api": "^6.1.1",
+        "axios": "^1.3.4",
         "dd-trace": "5.2.0",
         "dotenv": "^16.0.3",
         "fs-extra": "^11.1.1",
@@ -47,4 +44,4 @@
         "nodemon": "^3.0.1",
         "typescript": "^5.3.3"
     }
-}
+}

packages/runner/package.json

@@ -21,17 +21,16 @@
         "@nangohq/shared": "^0.38.5",
         "@trpc/client": "^10.44.0",
         "@trpc/server": "^10.44.0",
-        "api": "^6.1.1",
         "connect-timeout": "^1.9.0",
         "dd-trace": "5.2.0",
         "express": "^4.18.2",
         "superjson": "^2.2.1",
-        "undici": "^6.6.1",
+        "undici": "6.6.2",
         "zod": "^3.22.4"
     },
     "devDependencies": {
         "@types/connect-timeout": "^0.0.39",
         "@types/node": "^18.7.6",
         "typescript": "^5.3.3"
     }
-}
+}

packages/server/package.json

@@ -23,7 +23,6 @@
     "dependencies": {
         "@hapi/boom": "^10.0.1",
         "@nangohq/shared": "^0.38.5",
-        "@sentry/node": "^7.37.2",
         "axios": "^1.3.4",
         "connect-session-knex": "^3.0.1",
         "cookie-parser": "^1.4.6",
@@ -34,7 +33,6 @@
         "express": "^4.18.2",
         "express-session": "^1.17.3",
         "form-data": "^4.0.0",
-        "ip": "^1.1.9",
         "js-yaml": "^4.1.0",
         "jsonwebtoken": "^9.0.2",
         "knex": "^2.3.0",
@@ -77,4 +75,4 @@
         "nodemon": "^3.0.1",
         "typescript": "^5.3.3"
     }
-}
+}

packages/shared/package.json

@@ -21,20 +21,21 @@
         "@datadog/datadog-api-client": "^1.16.0",
         "@hapi/boom": "^10.0.1",
         "@nangohq/node": "^0.38.5",
-        "@sentry/node": "^7.37.2",
+        "@sentry/node": "^7.105.0",
         "@temporalio/client": "^1.9.1",
         "amqplib": "^0.10.3",
         "archiver": "^6.0.1",
         "axios": "^1.3.4",
         "braintree": "^3.15.0",
+        "chalk": "^5.3.0",
         "cors": "^2.8.5",
         "dayjs": "^1.11.7",
         "dd-trace": "5.2.0",
         "ejs": "^3.1.5",
         "exponential-backoff": "^3.1.1",
         "fs-extra": "^11.1.1",
         "human-to-cron": "^0.3.1",
-        "ip": "^1.1.9",
+        "ip": "^2.0.1",
         "js-yaml": "^4.1.0",
         "jsonwebtoken": "^9.0.2",
         "knex": "^2.3.0",
@@ -72,4 +73,4 @@
         "@types/uuid": "^9.0.0",
         "typescript": "^5.3.3"
     }
-}
+}