Update Linter and Fix Vulnerable Dependency (#121)

It looks like `esbuild` 0.23.0 was flagged as containing vulnerabilities
when scanning with Grype. This PR updates the linting process to use a
different linter with additional security checks. It also pins esbuild
to a later version, fixing the flagged vulnerability.

.github/workflows/codeql-analysis.yml

@@ -10,17 +10,17 @@ on:
   schedule:
     - cron: '31 7 * * 3'
 
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
 
-    permissions:
-      actions: read
-      checks: write
-      contents: read
-      security-events: write
-
     strategy:
       fail-fast: false
       matrix:

.github/workflows/continuous-integration.yml

@@ -5,17 +5,17 @@ on:
     branches:
       - main
 
+permissions:
+  actions: read
+  checks: write
+  contents: read
+  statuses: write
+
 jobs:
   continuous-integration:
     name: Continuous Integration
     runs-on: ubuntu-latest
 
-    permissions:
-      actions: read
-      checks: write
-      contents: read
-      statuses: write
-
     steps:
       - name: Checkout
         id: checkout

.github/workflows/linter.yml

@@ -5,16 +5,18 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  issues: write
+  packages: read
+  pull-requests: write
+  statuses: write
+
 jobs:
   lint:
     name: Lint Codebase
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-      packages: read
-      statuses: write
-
     steps:
       - name: Checkout
         id: checkout
@@ -34,15 +36,8 @@ jobs:
         run: npm ci
 
       - name: Lint Codebase
-        id: super-linter
-        uses: super-linter/super-linter/slim@v7
+        id: lint-codebase
         env:
-          DEFAULT_BRANCH: main
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          JAVASCRIPT_DEFAULT_STYLE: prettier
-          LINTER_RULES_PATH: .
-          TYPESCRIPT_DEFAULT_STYLE: prettier
-          VALIDATE_ALL_CODEBASE: false
-          VALIDATE_JAVASCRIPT_STANDARD: false
-          VALIDATE_JSCPD: false
-          VALIDATE_TYPESCRIPT_STANDARD: false
+          DEFAULT_WORKSPACE: ${{ github.workspace }}
+          GITHUB_TOKEN: ${{ github.token }}
+        uses: oxsecurity/megalinter/flavors/cupcake@v8

.gitignore

@@ -1,6 +1,7 @@
 .env
 .DS_Store
 coverage
+megalinter-reports
 node_modules
 npm-debug.log*
 reports

.grype.yml

@@ -0,0 +1,151 @@
+# enable/disable checking for application updates on startup
+# same as GRYPE_CHECK_FOR_APP_UPDATE env var
+# check-for-app-update: true
+
+# allows users to specify which image source should be used to generate the sbom
+# valid values are: registry, docker, podman
+# same as GRYPE_DEFAULT_IMAGE_PULL_SOURCE env var
+# default-image-pull-source: ""
+
+# same as --name; set the name of the target being analyzed
+# name: ""
+
+# upon scanning, if a severity is found at or above the given severity then the return code will be 1
+# default is unset which will skip this validation (options: negligible, low, medium, high, critical)
+# same as --fail-on ; GRYPE_FAIL_ON_SEVERITY env var
+fail-on-severity: 'high'
+
+# the output format of the vulnerability report (options: table, json, cyclonedx)
+# same as -o ; GRYPE_OUTPUT env var
+# output: "table"
+
+# suppress all output (except for the vulnerability list)
+# same as -q ; GRYPE_QUIET env var
+quiet: true
+
+# write output report to a file (default is to write to stdout)
+# same as --file; GRYPE_FILE env var
+# file: ""
+
+# a list of globs to exclude from scanning, for example:
+exclude:
+  - '**/__fixtures__'
+  - '**/.git'
+  - '**/megalinter-reports'
+# same as --exclude ; GRYPE_EXCLUDE env var
+# exclude: []
+
+# os and/or architecture to use when referencing container images (e.g. "windows/armv6" or "arm64")
+# same as --platform; GRYPE_PLATFORM env var
+# platform: ""
+
+# If using SBOM input, automatically generate CPEs when packages have none
+# add-cpes-if-none: false
+
+# Explicitly specify a linux distribution to use as <distro>:<version> like alpine:3.10
+# distro:
+
+# external-sources:
+#   enable: false
+#   maven:
+#     search-upstream-by-sha1: true
+#     base-url: https://search.maven.org/solrsearch/select
+
+# db:
+# check for database updates on execution
+# same as GRYPE_DB_AUTO_UPDATE env var
+# auto-update: true
+
+# location to write the vulnerability database cache
+# same as GRYPE_DB_CACHE_DIR env var
+# cache-dir: "$XDG_CACHE_HOME/grype/db"
+
+# URL of the vulnerability database
+# same as GRYPE_DB_UPDATE_URL env var
+# update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
+
+# it ensures db build is no older than the max-allowed-built-age
+# set to false to disable check
+# validate-age: true
+
+# Max allowed age for vulnerability database,
+# age being the time since it was built
+# Default max age is 120h (or five days)
+# max-allowed-built-age: "120h"
+
+# search:
+# the search space to look for packages (options: all-layers, squashed)
+# same as -s ; GRYPE_SEARCH_SCOPE env var
+# scope: "squashed"
+
+# search within archives that do contain a file index to search against (zip)
+# note: for now this only applies to the java package cataloger
+# same as GRYPE_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
+# indexed-archives: true
+
+# search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+# note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+# note: for now this only applies to the java package cataloger
+# same as GRYPE_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
+# unindexed-archives: false
+
+# options when pulling directly from a registry via the "registry:" scheme
+# registry:
+# skip TLS verification when communicating with the registry
+# same as GRYPE_REGISTRY_INSECURE_SKIP_TLS_VERIFY env var
+# insecure-skip-tls-verify: false
+# use http instead of https when connecting to the registry
+# same as GRYPE_REGISTRY_INSECURE_USE_HTTP env var
+# insecure-use-http: false
+
+# credentials for specific registries
+# auth:
+# - # the URL to the registry (e.g. "docker.io", "localhost:5000", etc.)
+# same as GRYPE_REGISTRY_AUTH_AUTHORITY env var
+# authority: ""
+# same as GRYPE_REGISTRY_AUTH_USERNAME env var
+# username: ""
+# same as GRYPE_REGISTRY_AUTH_PASSWORD env var
+# password: ""
+# note: token and username/password are mutually exclusive
+# same as GRYPE_REGISTRY_AUTH_TOKEN env var
+# token: ""
+# - ... # note, more credentials can be provided via config file only
+
+# log:
+# use structured logging
+# same as GRYPE_LOG_STRUCTURED env var
+# structured: false
+
+# the log level; note: detailed logging suppress the ETUI
+# same as GRYPE_LOG_LEVEL env var
+# Uses logrus logging levels: https://github.com/sirupsen/logrus#level-logging
+# level: "error"
+
+# location to write the log file (default is not to have a log file)
+# same as GRYPE_LOG_FILE env var
+# file: ""
+
+# match:
+# sets the matchers below to use cpes when trying to find
+# vulnerability matches. The stock matcher is the default
+# when no primary matcher can be identified
+# java:
+#   using-cpes: true
+# python:
+#   using-cpes: true
+# javascript:
+#   using-cpes: true
+# ruby:
+#   using-cpes: true
+# dotnet:
+#   using-cpes: true
+# golang:
+#   using-cpes: true
+# stock:
+#   using-cpes: true
+
+# ignore:
+#   # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail
+#   # @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225
+#   - vulnerability: CVE-2018-20225