Skip to content

release: develop → main (dependency & security hardening)#135

Merged
dvcdsys merged 22 commits into
mainfrom
develop
Jul 2, 2026
Merged

release: develop → main (dependency & security hardening)#135
dvcdsys merged 22 commits into
mainfrom
develop

Conversation

@dvcdsys

@dvcdsys dvcdsys commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Promotes this session's dependency & security work to main. Pure deps/CI/config — no feature or source code changes. Merging clears all 6 open Dependabot alerts (5 by shipping the fixes, #21/x-net by triggering a go.mod rescan — it's already patched on main).

Security fixes (close Dependabot alerts)

Supply-chain hardening

  • All third-party GitHub Actions SHA-pinned with # vX.Y.Z comments (clears CodeQL actions/unpinned-tag, 11→0).
  • Dependabot ignore rules for deliberately-pinned images (llama.cpp, nvidia/cuda) + node/npm dashboard majors; npm group scoped to minor/patch.

Dependency bumps (all CI-green / build-validated)

node 20→24 (LTS), docker/build-push-action 6→7.3.0, docker/setup-buildx-action 3→4.2.0, aquasecurity/trivy-action 0.35→0.36, github/codeql-action 3→4, actions/checkout 4→7, andybalholm/brotli 1.2.1→1.2.2, dashboard npm minor/patch group (Radix, TanStack Query, lucide, tailwind-merge).

Deferred (deliberate, ignored in Dependabot)

Frontend majors — React 19, Tailwind 4, react-router 7, TS 6 — as separate migrations.

Notes

No deploy is triggered by merging to main (release images are cut by server/v* tags). Tag a release afterwards if you want the Docker images rebuilt.

🤖 Generated with Claude Code

dependabot Bot and others added 22 commits June 22, 2026 21:45
Bumps node from 20-alpine to 26-alpine.

---
updated-dependencies:
- dependency-name: node
  dependency-version: 26-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.19.2 to 7.3.0.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@10e90e3...53b7df9)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.35.0 to 0.36.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](aquasecurity/trivy-action@57a97c7...ed142fd)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Dependabot proposed node 20-alpine -> 26-alpine for the dashboard build
stage. node 20 is EOL (2026-04-30) so the bump is warranted, but 26 is the
Current line (LTS only from ~2026-10). Retarget to node 24, the active LTS,
for a stabler build base. Build-stage only; runtime images stay distroless.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…alpine

chore(deps): bump node from 20-alpine to 24-alpine (LTS) in /server
…/build-push-action-7

chore(deps): bump docker/build-push-action from 6.19.2 to 7.3.0
…curity/trivy-action-0.36.0

chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…/codeql-action-4

chore(deps): bump github/codeql-action from 3 to 4
…s/checkout-7

chore(deps): bump actions/checkout from 4 to 7
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.2.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...bb05f3f)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the go group with 1 update in the /server directory: [github.com/andybalholm/brotli](https://github.com/andybalholm/brotli).


Updates `github.com/andybalholm/brotli` from 1.2.1 to 1.2.2
- [Commits](andybalholm/brotli@v1.2.1...v1.2.2)

---
updated-dependencies:
- dependency-name: github.com/andybalholm/brotli
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
…elop/go-645632081e

chore(deps): bump github.com/andybalholm/brotli from 1.2.1 to 1.2.2 in /server in the go group across 1 directory
Clears the open dashboard npm advisories. All are dev-server / build-time
only — the shipped dashboard is pre-built static assets served by Go, so none
are reachable in production — but the upgrade removes the dev-time exposure and
modernises the toolchain:

- vite 5.4.14 -> 8.1.3: fixes GHSA-fx2h-pf6j-xcff (server.fs.deny bypass,
  Windows), GHSA-v6wh-96g9-6wx3 (launch-editor NTLM disclosure, Windows),
  GHSA-4w7w-66w2-5vf9 (optimized-deps .map path traversal). Vite 8 uses
  rolldown, which drops the standalone esbuild dependency entirely, so
  GHSA-67mh-4wv8-2f99 (esbuild dev-server SSRF) is resolved at the root.
- @vitejs/plugin-react 4.3.4 -> 6.0.3 (vite 8 compat; still supports React 18).
- js-yaml pinned >=4.2.0 via overrides to patch GHSA-h67p-54hq-rp68
  (quadratic-complexity DoS) inside openapi-typescript's redocly dependency.

Deliberately scoped to the security-relevant bumps: React 18, Tailwind 3,
react-router 6 and TypeScript 5 are unchanged (those majors are separate
migrations, deferred by the dependabot ignore rule). Validated locally:
`npm run gen:api`, `tsc -b`, and `vite build` are green; `npm audit` reports
0 vulnerabilities.

Supersedes the Dependabot security PRs #122 and #123.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore(deps): upgrade dashboard to vite 8 + plugin-react 6 (security)
…p/docker/setup-buildx-action-4.2.0

chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.2.0
Bumps the npm group with 15 updates in the /server/dashboard directory:

| Package | From | To |
| --- | --- | --- |
| [@radix-ui/react-dialog](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dialog) | `1.1.15` | `1.1.18` |
| [@radix-ui/react-dropdown-menu](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dropdown-menu) | `2.1.16` | `2.1.19` |
| [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.8` | `2.1.11` |
| [@radix-ui/react-radio-group](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radio-group) | `1.3.8` | `1.4.2` |
| [@radix-ui/react-scroll-area](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/scroll-area) | `1.2.10` | `1.2.13` |
| [@radix-ui/react-select](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/select) | `2.2.6` | `2.3.2` |
| [@radix-ui/react-slider](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slider) | `1.3.6` | `1.4.2` |
| [@radix-ui/react-switch](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/switch) | `1.2.6` | `1.3.2` |
| [@radix-ui/react-tabs](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tabs) | `1.1.13` | `1.1.16` |
| [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.8` | `1.2.11` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.8` | `5.101.2` |
| [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `0.475.0` | `0.577.0` |
| [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `22.19.17` | `22.20.0` |
| [autoprefixer](https://github.com/postcss/autoprefixer) | `10.5.0` | `10.5.2` |



Updates `@radix-ui/react-dialog` from 1.1.15 to 1.1.18
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dialog/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dialog)

Updates `@radix-ui/react-dropdown-menu` from 2.1.16 to 2.1.19
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dropdown-menu/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dropdown-menu)

Updates `@radix-ui/react-label` from 2.1.8 to 2.1.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label)

Updates `@radix-ui/react-radio-group` from 1.3.8 to 1.4.2
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radio-group/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radio-group)

Updates `@radix-ui/react-scroll-area` from 1.2.10 to 1.2.13
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/scroll-area/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/scroll-area)

Updates `@radix-ui/react-select` from 2.2.6 to 2.3.2
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/select/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/select)

Updates `@radix-ui/react-slider` from 1.3.6 to 1.4.2
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slider/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slider)

Updates `@radix-ui/react-slot` from 1.2.4 to 1.3.0
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot)

Updates `@radix-ui/react-switch` from 1.2.6 to 1.3.2
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/switch/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/switch)

Updates `@radix-ui/react-tabs` from 1.1.13 to 1.1.16
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tabs/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tabs)

Updates `@radix-ui/react-tooltip` from 1.2.8 to 1.2.11
- [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md)
- [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip)

Updates `@tanstack/react-query` from 5.100.8 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query)

Updates `lucide-react` from 0.475.0 to 0.577.0
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/0.577.0/packages/lucide-react)

Updates `tailwind-merge` from 3.5.0 to 3.6.0
- [Release notes](https://github.com/dcastil/tailwind-merge/releases)
- [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0)

Updates `@types/node` from 22.19.17 to 22.20.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `autoprefixer` from 10.5.0 to 10.5.2
- [Release notes](https://github.com/postcss/autoprefixer/releases)
- [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md)
- [Commits](postcss/autoprefixer@10.5.0...10.5.2)

---
updated-dependencies:
- dependency-name: "@radix-ui/react-dialog"
  dependency-version: 1.1.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@radix-ui/react-dropdown-menu"
  dependency-version: 2.1.19
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@radix-ui/react-label"
  dependency-version: 2.1.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@radix-ui/react-radio-group"
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@radix-ui/react-scroll-area"
  dependency-version: 1.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@radix-ui/react-select"
  dependency-version: 2.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@radix-ui/react-slider"
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@radix-ui/react-slot"
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@radix-ui/react-switch"
  dependency-version: 1.3.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@radix-ui/react-tabs"
  dependency-version: 1.1.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@radix-ui/react-tooltip"
  dependency-version: 1.2.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: npm
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: lucide-react
  dependency-version: 0.577.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: tailwind-merge
  dependency-version: 3.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: "@types/node"
  dependency-version: 22.20.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: npm
- dependency-name: autoprefixer
  dependency-version: 10.5.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: npm
...

Signed-off-by: dependabot[bot] <support@github.com>
…ashboard/develop/npm-ab8b99c157

chore(deps): bump the npm group across 1 directory with 16 updates
@dvcdsys dvcdsys merged commit bc4c9c2 into main Jul 2, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant