Conversation
Bumps node from 20-alpine to 26-alpine. --- updated-dependencies: - dependency-name: node dependency-version: 26-alpine dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v3...v4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6.19.2 to 7.3.0. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@10e90e3...53b7df9) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.35.0 to 0.36.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@57a97c7...ed142fd) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Dependabot proposed node 20-alpine -> 26-alpine for the dashboard build stage. node 20 is EOL (2026-04-30) so the bump is warranted, but 26 is the Current line (LTS only from ~2026-10). Retarget to node 24, the active LTS, for a stabler build base. Build-stage only; runtime images stay distroless. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…alpine chore(deps): bump node from 20-alpine to 24-alpine (LTS) in /server
…/build-push-action-7 chore(deps): bump docker/build-push-action from 6.19.2 to 7.3.0
…curity/trivy-action-0.36.0 chore(deps): bump aquasecurity/trivy-action from 0.35.0 to 0.36.0
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4...v7) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…/codeql-action-4 chore(deps): bump github/codeql-action from 3 to 4
…s/checkout-7 chore(deps): bump actions/checkout from 4 to 7
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.2.0. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@8d2750c...bb05f3f) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps the go group with 1 update in the /server directory: [github.com/andybalholm/brotli](https://github.com/andybalholm/brotli). Updates `github.com/andybalholm/brotli` from 1.2.1 to 1.2.2 - [Commits](andybalholm/brotli@v1.2.1...v1.2.2) --- updated-dependencies: - dependency-name: github.com/andybalholm/brotli dependency-version: 1.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: go ... Signed-off-by: dependabot[bot] <support@github.com>
…elop/go-645632081e chore(deps): bump github.com/andybalholm/brotli from 1.2.1 to 1.2.2 in /server in the go group across 1 directory
Clears the open dashboard npm advisories. All are dev-server / build-time only — the shipped dashboard is pre-built static assets served by Go, so none are reachable in production — but the upgrade removes the dev-time exposure and modernises the toolchain: - vite 5.4.14 -> 8.1.3: fixes GHSA-fx2h-pf6j-xcff (server.fs.deny bypass, Windows), GHSA-v6wh-96g9-6wx3 (launch-editor NTLM disclosure, Windows), GHSA-4w7w-66w2-5vf9 (optimized-deps .map path traversal). Vite 8 uses rolldown, which drops the standalone esbuild dependency entirely, so GHSA-67mh-4wv8-2f99 (esbuild dev-server SSRF) is resolved at the root. - @vitejs/plugin-react 4.3.4 -> 6.0.3 (vite 8 compat; still supports React 18). - js-yaml pinned >=4.2.0 via overrides to patch GHSA-h67p-54hq-rp68 (quadratic-complexity DoS) inside openapi-typescript's redocly dependency. Deliberately scoped to the security-relevant bumps: React 18, Tailwind 3, react-router 6 and TypeScript 5 are unchanged (those majors are separate migrations, deferred by the dependabot ignore rule). Validated locally: `npm run gen:api`, `tsc -b`, and `vite build` are green; `npm audit` reports 0 vulnerabilities. Supersedes the Dependabot security PRs #122 and #123. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
chore(deps): upgrade dashboard to vite 8 + plugin-react 6 (security)
…p/docker/setup-buildx-action-4.2.0 chore(deps): bump docker/setup-buildx-action from 3.12.0 to 4.2.0
Bumps the npm group with 15 updates in the /server/dashboard directory: | Package | From | To | | --- | --- | --- | | [@radix-ui/react-dialog](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dialog) | `1.1.15` | `1.1.18` | | [@radix-ui/react-dropdown-menu](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/dropdown-menu) | `2.1.16` | `2.1.19` | | [@radix-ui/react-label](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/label) | `2.1.8` | `2.1.11` | | [@radix-ui/react-radio-group](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/radio-group) | `1.3.8` | `1.4.2` | | [@radix-ui/react-scroll-area](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/scroll-area) | `1.2.10` | `1.2.13` | | [@radix-ui/react-select](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/select) | `2.2.6` | `2.3.2` | | [@radix-ui/react-slider](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/slider) | `1.3.6` | `1.4.2` | | [@radix-ui/react-switch](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/switch) | `1.2.6` | `1.3.2` | | [@radix-ui/react-tabs](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tabs) | `1.1.13` | `1.1.16` | | [@radix-ui/react-tooltip](https://github.com/radix-ui/primitives/tree/HEAD/packages/react/tooltip) | `1.2.8` | `1.2.11` | | [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.100.8` | `5.101.2` | | [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) | `0.475.0` | `0.577.0` | | [tailwind-merge](https://github.com/dcastil/tailwind-merge) | `3.5.0` | `3.6.0` | | [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `22.19.17` | `22.20.0` | | [autoprefixer](https://github.com/postcss/autoprefixer) | `10.5.0` | `10.5.2` | Updates `@radix-ui/react-dialog` from 1.1.15 to 1.1.18 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dialog/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dialog) Updates `@radix-ui/react-dropdown-menu` from 2.1.16 to 2.1.19 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/dropdown-menu/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/dropdown-menu) Updates `@radix-ui/react-label` from 2.1.8 to 2.1.11 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/label/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/label) Updates `@radix-ui/react-radio-group` from 1.3.8 to 1.4.2 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/radio-group/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/radio-group) Updates `@radix-ui/react-scroll-area` from 1.2.10 to 1.2.13 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/scroll-area/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/scroll-area) Updates `@radix-ui/react-select` from 2.2.6 to 2.3.2 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/select/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/select) Updates `@radix-ui/react-slider` from 1.3.6 to 1.4.2 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slider/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slider) Updates `@radix-ui/react-slot` from 1.2.4 to 1.3.0 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/slot/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/slot) Updates `@radix-ui/react-switch` from 1.2.6 to 1.3.2 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/switch/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/switch) Updates `@radix-ui/react-tabs` from 1.1.13 to 1.1.16 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tabs/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tabs) Updates `@radix-ui/react-tooltip` from 1.2.8 to 1.2.11 - [Changelog](https://github.com/radix-ui/primitives/blob/main/packages/react/tooltip/CHANGELOG.md) - [Commits](https://github.com/radix-ui/primitives/commits/HEAD/packages/react/tooltip) Updates `@tanstack/react-query` from 5.100.8 to 5.101.2 - [Release notes](https://github.com/TanStack/query/releases) - [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md) - [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query) Updates `lucide-react` from 0.475.0 to 0.577.0 - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/0.577.0/packages/lucide-react) Updates `tailwind-merge` from 3.5.0 to 3.6.0 - [Release notes](https://github.com/dcastil/tailwind-merge/releases) - [Commits](dcastil/tailwind-merge@v3.5.0...v3.6.0) Updates `@types/node` from 22.19.17 to 22.20.0 - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) Updates `autoprefixer` from 10.5.0 to 10.5.2 - [Release notes](https://github.com/postcss/autoprefixer/releases) - [Changelog](https://github.com/postcss/autoprefixer/blob/main/CHANGELOG.md) - [Commits](postcss/autoprefixer@10.5.0...10.5.2) --- updated-dependencies: - dependency-name: "@radix-ui/react-dialog" dependency-version: 1.1.18 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@radix-ui/react-dropdown-menu" dependency-version: 2.1.19 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@radix-ui/react-label" dependency-version: 2.1.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@radix-ui/react-radio-group" dependency-version: 1.4.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@radix-ui/react-scroll-area" dependency-version: 1.2.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@radix-ui/react-select" dependency-version: 2.3.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@radix-ui/react-slider" dependency-version: 1.4.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@radix-ui/react-slot" dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@radix-ui/react-switch" dependency-version: 1.3.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@radix-ui/react-tabs" dependency-version: 1.1.16 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@radix-ui/react-tooltip" dependency-version: 1.2.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: npm - dependency-name: "@tanstack/react-query" dependency-version: 5.101.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: lucide-react dependency-version: 0.577.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: tailwind-merge dependency-version: 3.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: npm - dependency-name: "@types/node" dependency-version: 22.20.0 dependency-type: direct:development update-type: version-update:semver-minor dependency-group: npm - dependency-name: autoprefixer dependency-version: 10.5.2 dependency-type: direct:development update-type: version-update:semver-patch dependency-group: npm ... Signed-off-by: dependabot[bot] <support@github.com>
…ashboard/develop/npm-ab8b99c157 chore(deps): bump the npm group across 1 directory with 16 updates
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes this session's dependency & security work to
main. Pure deps/CI/config — no feature or source code changes. Merging clears all 6 open Dependabot alerts (5 by shipping the fixes, #21/x-net by triggering ago.modrescan — it's already patched onmain).Security fixes (close Dependabot alerts)
server.fs.denybypass · fix(cli): config legacy key migration + watcher branch switch detection #19 vite launch-editor NTLM · Bump actions/setup-go from 5 to 6 #10 vite.mappath traversal (all fixed ≥ vite 6.4.3)overrides: js-yaml ^4.2.0npm ci && gen:api && tsc -b && vite build→npm audit0 vulns.Supply-chain hardening
# vX.Y.Zcomments (clears CodeQLactions/unpinned-tag, 11→0).ignorerules for deliberately-pinned images (llama.cpp, nvidia/cuda) + node/npm dashboard majors; npm group scoped to minor/patch.Dependency bumps (all CI-green / build-validated)
node 20→24 (LTS), docker/build-push-action 6→7.3.0, docker/setup-buildx-action 3→4.2.0, aquasecurity/trivy-action 0.35→0.36, github/codeql-action 3→4, actions/checkout 4→7, andybalholm/brotli 1.2.1→1.2.2, dashboard npm minor/patch group (Radix, TanStack Query, lucide, tailwind-merge).
Deferred (deliberate, ignored in Dependabot)
Frontend majors — React 19, Tailwind 4, react-router 7, TS 6 — as separate migrations.
Notes
No deploy is triggered by merging to
main(release images are cut byserver/v*tags). Tag a release afterwards if you want the Docker images rebuilt.🤖 Generated with Claude Code