From d25c41ee891215edae36179d0482401b810ae10e Mon Sep 17 00:00:00 2001 From: Huang Xin Date: Tue, 19 May 2026 15:01:07 +0800 Subject: [PATCH] chore(security): address code scanning findings (#4224) --- .github/workflows/codeql.yml | 8 ++- .github/workflows/pull-request.yml | 49 +++++++------- .github/workflows/release.yml | 33 +++++----- .github/workflows/retry-workflow.yml | 20 ------ .github/workflows/scorecard.yml | 2 +- .github/workflows/upload-to-r2.yml | 18 ++--- .github/workflows/vercel-merge.yml | 11 ++-- Dockerfile | 28 ++++++-- pnpm-lock.yaml | 99 ++++++++-------------------- pnpm-workspace.yaml | 4 +- 10 files changed, 112 insertions(+), 160 deletions(-) delete mode 100644 .github/workflows/retry-workflow.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ed155a5f..894f4e0c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,6 +19,8 @@ on: schedule: - cron: '38 20 * * 4' +permissions: read-all + jobs: analyze: name: Analyze (${{ matrix.language }}) @@ -59,7 +61,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` @@ -69,7 +71,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -98,6 +100,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4 with: category: '/language:${{matrix.language}}' diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 610426e4..51cd6ba6 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -5,8 +5,7 @@ on: pull_request: branches: [main] permissions: - contents: write - pull-requests: write + contents: read jobs: rust_lint: runs-on: ubuntu-latest @@ -15,19 +14,19 @@ jobs: SCCACHE_GHA_ENABLED: 'true' RUSTC_WRAPPER: sccache steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: 'true' - name: setup sccache - uses: mozilla-actions/sccache-action@v0.0.10 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: Install minimal stable with clippy and rustfmt - uses: actions-rust-lang/setup-rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1 with: toolchain: stable override: true components: rustfmt, clippy - name: Cache apt packages - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: /var/cache/apt/archives key: apt-rust-lint-${{ runner.os }} @@ -45,15 +44,15 @@ jobs: build_web_app: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: 'true' - name: setup pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 - name: setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm @@ -63,7 +62,7 @@ jobs: # entry — in practice the one `main` last saved, which is the only cache # sibling PRs can all see. - name: cache Turbopack build cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: apps/readest-app/.next/cache key: turbo-build-web-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }} @@ -94,7 +93,7 @@ jobs: - name: cache playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }} @@ -115,7 +114,7 @@ jobs: - name: upload e2e report if: ${{ failure() && steps.web_e2e.outcome == 'failure' }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: playwright-report path: apps/readest-app/playwright-report/ @@ -124,15 +123,15 @@ jobs: test_web_app: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: 'true' - name: setup pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 - name: setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm @@ -143,7 +142,7 @@ jobs: pnpm install && pnpm setup-vendors - name: cache apt packages - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: /var/cache/apt/archives key: apt-test-web-${{ runner.os }} @@ -163,7 +162,7 @@ jobs: - name: cache playwright browsers id: playwright-cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: ~/.cache/ms-playwright key: playwright-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }} @@ -191,15 +190,15 @@ jobs: SCCACHE_GHA_ENABLED: 'true' RUSTC_WRAPPER: sccache steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: 'true' - name: setup pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 - name: setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm @@ -207,7 +206,7 @@ jobs: # The tauri tests run `next dev`, whose Turbopack cache lives in # `.next/dev/cache` (a different path from the `next build` cache). - name: cache Turbopack dev cache - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: apps/readest-app/.next/dev/cache key: turbo-dev-tauri-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }} @@ -220,20 +219,20 @@ jobs: pnpm install && pnpm setup-vendors - name: setup sccache - uses: mozilla-actions/sccache-action@v0.0.10 + uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10 - name: install Rust toolchain - uses: actions-rust-lang/setup-rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@46268bd060767258de96ed93c1251119784f2ab6 # v1 with: toolchain: stable - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: key: tauri-cargo cache-all-crates: 'true' - name: Cache apt packages - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 with: path: /var/cache/apt/archives key: apt-tauri-${{ runner.os }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3533ea04..ce745010 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,10 +5,12 @@ on: release: types: [published] +permissions: read-all + jobs: get-release: permissions: - contents: write + contents: read runs-on: ubuntu-latest outputs: release_id: ${{ steps.get-release.outputs.release_id }} @@ -17,14 +19,14 @@ jobs: release_version: ${{ steps.get-release-notes.outputs.release_version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 - name: get version run: echo "PACKAGE_VERSION=$(node -p "require('./apps/readest-app/package.json').version")" >> $GITHUB_ENV - name: get release id: get-release - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const { data } = await github.rest.repos.getLatestRelease({ @@ -35,7 +37,7 @@ jobs: core.setOutput('release_tag', data.tag_name); - name: get release notes id: get-release-notes - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 with: script: | const fs = require('fs'); @@ -57,7 +59,7 @@ jobs: steps: - name: update release id: update-release - uses: actions/github-script@v9 + uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9 env: release_id: ${{ needs.get-release.outputs.release_id }} release_tag: ${{ needs.get-release.outputs.release_tag }} @@ -87,7 +89,7 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: create KOReader plugin zip env: @@ -154,30 +156,30 @@ jobs: runs-on: ${{ matrix.config.os }} timeout-minutes: 60 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: initialize git submodules run: git submodule update --init --recursive - name: setup pnpm - uses: pnpm/action-setup@v6 + uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 - name: setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 cache: pnpm - name: setup Java (for Android build only) if: matrix.config.release == 'android' - uses: actions/setup-java@v5 + uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5 with: distribution: 'zulu' java-version: '17' - name: setup Android SDK (for Android build only) if: matrix.config.release == 'android' - uses: android-actions/setup-android@v4 + uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4 - name: install NDK (for Android build only) if: matrix.config.release == 'android' @@ -190,11 +192,11 @@ jobs: run: pnpm --filter @readest/readest-app setup-vendors - name: install Rust stable - uses: dtolnay/rust-toolchain@stable + uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable with: targets: ${{ matrix.config.rust_target }} - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2 with: key: ${{ matrix.config.os }}-${{ matrix.config.release }}-${{ matrix.config.arch }}-cargo @@ -295,7 +297,7 @@ jobs: if: matrix.config.release == 'linux' run: cargo install tauri-cli --git https://github.com/tauri-apps/tauri --branch feat/truly-portable-appimage --force - - uses: tauri-apps/tauri-action@v0 + - uses: tauri-apps/tauri-action@84b9d35b5fc46c1e45415bdb6144030364f7ebc5 # v0 if: matrix.config.release != 'android' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -404,7 +406,6 @@ jobs: needs: [get-release, build-tauri] permissions: contents: read - actions: write uses: ./.github/workflows/upload-to-r2.yml with: tag: ${{ needs.get-release.outputs.release_tag }} diff --git a/.github/workflows/retry-workflow.yml b/.github/workflows/retry-workflow.yml deleted file mode 100644 index 7e0dd24c..00000000 --- a/.github/workflows/retry-workflow.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Retry workflow - -on: - workflow_dispatch: - inputs: - run_id: - required: true -jobs: - rerun: - runs-on: ubuntu-latest - permissions: - actions: write - steps: - - name: rerun ${{ inputs.run_id }} - env: - GH_REPO: ${{ github.repository }} - GH_TOKEN: ${{ github.token }} - run: | - gh run watch ${{ inputs.run_id }} > /dev/null 2>&1 - gh run rerun ${{ inputs.run_id }} --failed diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index be3a6ea6..58495b21 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3 with: sarif_file: results.sarif diff --git a/.github/workflows/upload-to-r2.yml b/.github/workflows/upload-to-r2.yml index c462893d..4425793e 100644 --- a/.github/workflows/upload-to-r2.yml +++ b/.github/workflows/upload-to-r2.yml @@ -14,6 +14,8 @@ on: required: true type: string +permissions: read-all + jobs: upload-to-r2: runs-on: ubuntu-latest @@ -36,7 +38,9 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Install rclone - run: curl https://rclone.org/install.sh | sudo bash + run: | + sudo apt-get update + sudo apt-get install -y rclone - name: Configure rclone run: | @@ -67,15 +71,3 @@ jobs: - name: Upload successful if: success() run: echo "Upload completed successfully" - - retry-on-failure: - if: failure() && fromJSON(github.run_attempt) < 3 - needs: [upload-to-r2] - runs-on: ubuntu-latest - permissions: - actions: write - steps: - - env: - GH_REPO: ${{ github.repository }} - GH_TOKEN: ${{ github.token }} - run: gh workflow run retry-workflow.yml -F run_id=${{ github.run_id }} diff --git a/.github/workflows/vercel-merge.yml b/.github/workflows/vercel-merge.yml index dd35a377..ef2ab59d 100644 --- a/.github/workflows/vercel-merge.yml +++ b/.github/workflows/vercel-merge.yml @@ -4,17 +4,18 @@ on: branches: - main permissions: - contents: write - deployments: write - pull-requests: write + contents: read jobs: build_and_deploy: runs-on: ubuntu-latest + permissions: + contents: read + deployments: write steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: submodules: 'true' - - uses: amondnet/vercel-action@v42 + - uses: amondnet/vercel-action@de09aeac2ace6599ec9b11ef87558759a496bac4 # v42 with: vercel-token: ${{ secrets.VERCEL_TOKEN }} github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/Dockerfile b/Dockerfile index 0a899b26..d473a79b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/node:22-slim AS base +FROM docker.io/library/node:24-slim@sha256:24dc26ef1e3c3690f27ebc4136c9c186c3133b25563ae4d7f0692e4d1fe5db0e AS dependencies ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" RUN corepack enable @@ -8,18 +8,27 @@ COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./ COPY apps/readest-app/package.json ./apps/readest-app/ COPY patches/ ./patches/ COPY packages/ ./packages/ - -FROM base AS dependencies RUN --mount=type=cache,id=pnpm,target=/pnpm/store pnpm install --frozen-lockfile RUN pnpm --filter @readest/readest-app setup-vendors -FROM dependencies AS development-stage +FROM docker.io/library/node:24-slim@sha256:24dc26ef1e3c3690f27ebc4136c9c186c3133b25563ae4d7f0692e4d1fe5db0e AS development-stage +ENV PNPM_HOME="/pnpm" +ENV PATH="$PNPM_HOME:$PATH" +RUN corepack enable +RUN corepack prepare pnpm@10.29.3 --activate +WORKDIR /app +COPY --from=dependencies /app /app COPY . . WORKDIR /app/apps/readest-app EXPOSE 3000 ENTRYPOINT ["pnpm", "dev-web", "-H", "0.0.0.0"] -FROM base AS build +FROM docker.io/library/node:24-slim@sha256:24dc26ef1e3c3690f27ebc4136c9c186c3133b25563ae4d7f0692e4d1fe5db0e AS build +ENV PNPM_HOME="/pnpm" +ENV PATH="$PNPM_HOME:$PATH" +RUN corepack enable +RUN corepack prepare pnpm@10.29.3 --activate +WORKDIR /app ARG NEXT_PUBLIC_SUPABASE_URL ARG NEXT_PUBLIC_SUPABASE_ANON_KEY ARG NEXT_PUBLIC_APP_PLATFORM @@ -35,6 +44,13 @@ COPY . . WORKDIR /app/apps/readest-app RUN pnpm build-web -FROM build as production-stage +FROM docker.io/library/node:24-slim@sha256:24dc26ef1e3c3690f27ebc4136c9c186c3133b25563ae4d7f0692e4d1fe5db0e AS production-stage +ENV PNPM_HOME="/pnpm" +ENV PATH="$PNPM_HOME:$PATH" +RUN corepack enable +RUN corepack prepare pnpm@10.29.3 --activate +WORKDIR /app +COPY --from=build /app /app +WORKDIR /app/apps/readest-app ENTRYPOINT ["pnpm", "start-web", "-H", "0.0.0.0"] EXPOSE 3000 diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 402e4729..449bc67b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -18,16 +18,18 @@ overrides: picomatch: '>=4.0.4' path-to-regexp: '>=8.4.0' protobufjs: '>=7.5.5' - serialize-javascript: '>=7.0.5' + serialize-javascript: 7.0.5 fast-xml-parser: '>=5.7.0' lodash: '>=4.18.0' lodash-es: '>=4.18.0' + postcss: 8.5.14 basic-ftp: '>=5.3.0' qs: '>=6.14.2' '@babel/runtime': '>=7.26.10' '@babel/helpers': '>=7.26.10' mdast-util-gfm-autolink-literal: 2.0.1 uuid: '>=14.0.0' + ws: 8.20.1 '@emnapi/core': 1.8.1 '@emnapi/runtime': 1.8.1 @@ -285,7 +287,7 @@ importers: version: 3.0.1 isomorphic-ws: specifier: ^5.0.0 - version: 5.0.0(ws@8.20.0) + version: 5.0.0(ws@8.20.1) jieba-wasm: specifier: ^2.4.0 version: 2.4.0 @@ -377,8 +379,8 @@ importers: specifier: '>=14.0.0' version: 14.0.0 ws: - specifier: ^8.18.3 - version: 8.20.0 + specifier: 8.20.1 + version: 8.20.1 zod: specifier: ^4.0.8 version: 4.4.3 @@ -516,7 +518,7 @@ importers: specifier: ^1.58.2 version: 1.60.0 postcss: - specifier: ^8.4.49 + specifier: 8.5.14 version: 8.5.14 postcss-cli: specifier: ^11.0.0 @@ -3179,6 +3181,7 @@ packages: '@smithy/core@3.24.1': resolution: {integrity: sha512-3mT7o4qQyUWttYnVK3A0Z/u3Xha3E81tXn32Tz6vjZiUXhBrkEivpw1hBYfh84iFF9CSzkBU9Y1DJ3Q6RQ231g==} engines: {node: '>=18.0.0'} + deprecated: Deprecated due to bug in browser bundling instructions https://github.com/smithy-lang/smithy-typescript/issues/2025 '@smithy/credential-provider-imds@4.3.1': resolution: {integrity: sha512-0S/acwHnqX4WrjXzhdiDRxsG2s9SC0cpPIK9nZ1R6UOHd+j7uL28+4bHu22urbLk2TVw3fkp6na/+fkUt/pLNQ==} @@ -4342,7 +4345,7 @@ packages: engines: {node: ^10 || ^12 || >=14} hasBin: true peerDependencies: - postcss: ^8.1.0 + postcss: 8.5.14 aws4fetch@1.0.20: resolution: {integrity: sha512-/djoAN709iY65ETD6LKCtyyEI04XIBP5xVvfmNxsEP0uJB5tyaGBztSryRr4HqMStr9R06PisQE7m9zDTXKu6g==} @@ -6016,7 +6019,7 @@ packages: isomorphic-ws@5.0.0: resolution: {integrity: sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw==} peerDependencies: - ws: '*' + ws: 8.20.1 istanbul-lib-coverage@3.2.2: resolution: {integrity: sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==} @@ -6972,26 +6975,26 @@ packages: engines: {node: '>=18'} hasBin: true peerDependencies: - postcss: ^8.0.0 + postcss: 8.5.14 postcss-import@15.1.0: resolution: {integrity: sha512-hpr+J05B2FVYUAXHeK1YyI267J/dDDhMU6B6civm8hSY1jYJnBXxzKDKDswzJmtLHryrjhnDjqqp/49t8FALew==} engines: {node: '>=14.0.0'} peerDependencies: - postcss: ^8.0.0 + postcss: 8.5.14 postcss-js@4.1.0: resolution: {integrity: sha512-oIAOTqgIo7q2EOwbhb8UalYePMvYoIeRY2YKntdpFQXNosSu3vLrniGgmH9OKs/qAkfoj5oB3le/7mINW1LCfw==} engines: {node: ^12 || ^14 || >= 16} peerDependencies: - postcss: ^8.4.21 + postcss: 8.5.14 postcss-load-config@5.1.0: resolution: {integrity: sha512-G5AJ+IX0aD0dygOE0yFZQ/huFFMSNneyfp0e3/bT05a8OfPC5FUoZRPfGijUdGOJNMewJiwzcHJXFafFzeKFVA==} engines: {node: '>= 18'} peerDependencies: jiti: '>=1.21.0' - postcss: '>=8.0.9' + postcss: 8.5.14 tsx: ^4.8.1 peerDependenciesMeta: jiti: @@ -7006,7 +7009,7 @@ packages: engines: {node: '>= 18'} peerDependencies: jiti: '>=1.21.0' - postcss: '>=8.0.9' + postcss: 8.5.14 tsx: ^4.8.1 yaml: ^2.4.2 peerDependenciesMeta: @@ -7023,19 +7026,19 @@ packages: resolution: {integrity: sha512-HQbt28KulC5AJzG+cZtj9kvKB93CFCdLvog1WFLf1D+xmMvPGlBstkpTEZfK5+AN9hfJocyBFCNiqyS48bpgzQ==} engines: {node: '>=12.0'} peerDependencies: - postcss: ^8.2.14 + postcss: 8.5.14 postcss-nested@7.0.2: resolution: {integrity: sha512-5osppouFc0VR9/VYzYxO03VaDa3e8F23Kfd6/9qcZTUI8P58GIYlArOET2Wq0ywSl2o2PjELhYOFI4W7l5QHKw==} engines: {node: '>=18.0'} peerDependencies: - postcss: ^8.2.14 + postcss: 8.5.14 postcss-reporter@7.1.0: resolution: {integrity: sha512-/eoEylGWyy6/DOiMP5lmFRdmDKThqgn7D6hP2dXKJI/0rJSO1ADFNngZfDzxL0YAxFvws+Rtpuji1YIHj4mySA==} engines: {node: '>=10'} peerDependencies: - postcss: ^8.1.0 + postcss: 8.5.14 postcss-selector-parser@6.0.10: resolution: {integrity: sha512-IQ7TZdoaqbT+LCpShg46jnZVlhWD2w6iQYAcYXfHARZ7X1t/UGhhceQDs5X0cGqKvYlHNOuv7Oa1xmb0oQuA3w==} @@ -7052,10 +7055,6 @@ packages: postcss-value-parser@4.2.0: resolution: {integrity: sha512-1NNCs6uurfkVbeXG4S8JFT9t19m45ICnif8zWLd5oPSZ50QnwMfK+H3jv408d4jw/7Bttv5axS5IiHoLaVNHeQ==} - postcss@8.4.31: - resolution: {integrity: sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==} - engines: {node: ^10 || ^12 || >=14} - postcss@8.5.14: resolution: {integrity: sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==} engines: {node: ^10 || ^12 || >=14} @@ -8085,10 +8084,6 @@ packages: undici-types@6.21.0: resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==} - undici@7.24.8: - resolution: {integrity: sha512-6KQ/+QxK49Z/p3HO6E5ZCZWNnCasyZLa5ExaVYyvPxUwKtbCPMKELJOqh7EqOle0t9cH/7d2TaaTRRa6Nhs4YQ==} - engines: {node: '>=20.18.1'} - undici@7.25.0: resolution: {integrity: sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==} engines: {node: '>=20.18.1'} @@ -8531,32 +8526,8 @@ packages: wrappy@1.0.2: resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==} - ws@7.5.10: - resolution: {integrity: sha512-+dbF1tHwZpXcbOJdVOkzLDxZP1ailvSxM6ZweXTegylPny803bFhA+vqBYw4s31NSAk4S2Qz+AKXK9a4wkdjcQ==} - engines: {node: '>=8.3.0'} - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: ^5.0.2 - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - - ws@8.18.0: - resolution: {integrity: sha512-8VbfWfHLbbwu3+N6OKsOMpBdT4kXPDDB9cJk2bJ6mh9ucxdlnNvH1e+roYkKmN9Nxw2yjz7VzeO9oOz2zJ04Pw==} - engines: {node: '>=10.0.0'} - peerDependencies: - bufferutil: ^4.0.1 - utf-8-validate: '>=5.0.2' - peerDependenciesMeta: - bufferutil: - optional: true - utf-8-validate: - optional: true - - ws@8.20.0: - resolution: {integrity: sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==} + ws@8.20.1: + resolution: {integrity: sha512-It4dO0K5v//JtTXuPkfEOaI3uUN87iYPnqo/ZzqCoG3g8uhA66QUMs/SrM0YK7/NAu+r4LMh/9dq2A7k+rHs+w==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -12317,7 +12288,7 @@ snapshots: sirv: 3.0.2 tinyrainbow: 3.1.0 vitest: 4.1.6(@opentelemetry/api@1.9.1)(@types/node@22.19.19)(@vitest/browser-playwright@4.1.6)(@vitest/browser-webdriverio@4.1.6)(@vitest/coverage-v8@4.1.6)(jsdom@28.1.0(@noble/hashes@1.8.0))(vite@7.3.3(@types/node@22.19.19)(jiti@1.21.7)(terser@5.47.1)(tsx@4.21.0)(yaml@2.9.0)) - ws: 8.20.0 + ws: 8.20.1 transitivePeerDependencies: - bufferutil - msw @@ -14740,9 +14711,9 @@ snapshots: isobject@3.0.1: {} - isomorphic-ws@5.0.0(ws@8.20.0): + isomorphic-ws@5.0.0(ws@8.20.1): dependencies: - ws: 8.20.0 + ws: 8.20.1 istanbul-lib-coverage@3.2.2: {} @@ -15539,9 +15510,9 @@ snapshots: dependencies: '@cspotcode/source-map-support': 0.8.1 sharp: 0.34.5 - undici: 7.24.8 + undici: 7.25.0 workerd: 1.20260507.1 - ws: 8.18.0 + ws: 8.20.1 youch: 4.1.0-beta.10 transitivePeerDependencies: - bufferutil @@ -15634,7 +15605,7 @@ snapshots: '@swc/helpers': 0.5.15 baseline-browser-mapping: 2.10.29 caniuse-lite: 1.0.30001792 - postcss: 8.4.31 + postcss: 8.5.14 react: 19.2.5 react-dom: 19.2.5(react@19.2.5) styled-jsx: 5.1.6(@babel/core@7.29.0)(react@19.2.5) @@ -16011,12 +15982,6 @@ snapshots: postcss-value-parser@4.2.0: {} - postcss@8.4.31: - dependencies: - nanoid: 3.3.12 - picocolors: 1.1.1 - source-map-js: 1.2.1 - postcss@8.5.14: dependencies: nanoid: 3.3.12 @@ -17212,8 +17177,6 @@ snapshots: undici-types@6.21.0: {} - undici@7.24.8: {} - undici@7.25.0: {} unenv@2.0.0-rc.24: @@ -17559,7 +17522,7 @@ snapshots: deepmerge-ts: 7.1.5 https-proxy-agent: 7.0.6 undici: 7.25.0 - ws: 8.20.0 + ws: 8.20.1 transitivePeerDependencies: - bare-abort-controller - bare-buffer @@ -17623,7 +17586,7 @@ snapshots: opener: 1.5.2 picocolors: 1.1.1 sirv: 2.0.4 - ws: 7.5.10 + ws: 8.20.1 transitivePeerDependencies: - bufferutil - utf-8-validate @@ -17764,11 +17727,7 @@ snapshots: wrappy@1.0.2: {} - ws@7.5.10: {} - - ws@8.18.0: {} - - ws@8.20.0: {} + ws@8.20.1: {} xml-name-validator@5.0.0: {} diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 9b237571..e147f8ef 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -33,15 +33,17 @@ overrides: picomatch: '>=4.0.4' path-to-regexp: '>=8.4.0' protobufjs: '>=7.5.5' - serialize-javascript: '>=7.0.5' + serialize-javascript: 7.0.5 fast-xml-parser: '>=5.7.0' lodash: '>=4.18.0' lodash-es: '>=4.18.0' + postcss: 8.5.14 basic-ftp: '>=5.3.0' qs: '>=6.14.2' '@babel/runtime': '>=7.26.10' '@babel/helpers': '>=7.26.10' mdast-util-gfm-autolink-literal: 2.0.1 uuid: '>=14.0.0' + ws: 8.20.1 '@emnapi/core': 1.8.1 '@emnapi/runtime': 1.8.1