chore(deps): update npm-non-major to ^10.5.0 (#1073)
Merged
Codecov Report: ✅ All modified and coverable lines are covered by tests.
…ntries Renovate's automated update removed top-level node_modules entries for eslint@10.5.0 (and transitive deps eslint-visitor-keys, ignore) from frontend/package-lock.json, causing all CI jobs to fail at npm ci.
Supply Chain Verification Results: ✅ PASSED (SBOM Summary, Vulnerability Scan, Artifacts; generated by the Supply Chain Verification workflow)
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request a rebase by checking the rebase/retry box above.
Wikid82 added a commit that referenced this pull request on Jun 15, 2026:
* chore(deps): update github-actions-non-major
* chore(deps): update go-non-major
* chore(deps): update npm-non-major
* fix: regenerate lockfile to restore missing eslint and vite package entries

  Renovate's automated update regenerated package-lock.json incorrectly, omitting top-level node_modules entries for eslint and vite. This caused npm ci to fail in CI during dependency installation. Regenerating with Node v22.22.1 and npm v11.16.0 restores the correct entries.

* fix(security): restore stale Grype code scanning pipeline

  The supply-chain Grype scan last ran on Feb 4, 2026 due to a cascade of compounding failures. This commit resolves all root causes:
  - Twelve .trivyignore CVE suppressions expired between Apr 30 and May 25, causing the Trivy PR gate to block all PR merges and starve the pipeline of push events. All entries extended 60–90 days with appropriate review comments; no entry exceeds Sep 1, 2026.
  - Ten .grype.yaml suppressions also expired in May, meaning Grype scans that did run would immediately fail on HIGH findings and produce no fresh SARIF. All entries extended with matching dates.
  - The supply-chain-pr.yml job condition had a dead workflow_run branch and was missing the push and schedule event names, silently skipping the verify-supply-chain job on every push to main. Added push and schedule to the condition.
  - Added a weekly schedule trigger (Mondays at 02:00 UTC) so scans run regardless of PR activity. Added development to push branches to match docker-build.yml scope.
  - Removed continue-on-error: true from the SARIF upload step so upload failures surface as visible workflow failures rather than silent no-ops.
  - Simplified concurrency.group to remove dead workflow_run expressions.

  Refs: GitHub Code Scanning "last scanned Feb 4, 2026" alert

* fix(deps): update Renovate configuration to correctly map gopkg.in/yaml.v3
* chore(deps): update go-non-major
* fix(deps): update Caddy version to 2.11.4 in Dockerfile
* fix(deps): update prometheus/common to v0.68.1
* fix(deps): update @tanstack/react-query to v5.101.0 and axios to v1.17.0
* fix(deps): update Go version to 1.26.4 in settings, Dockerfile, and module files
* fix(deps): update Syft version to v1.45.0 in multiple workflows and scripts
* fix(theme): prevent flash of unstyled content on page load

  Add anti-FOUC inline script to index.html that applies the stored theme class synchronously before React mounts. Switch ThemeContext to useLayoutEffect for synchronous class application, add explicit light-mode CSS overrides, update CSP to allowlist the inline script hash, and add a Playwright regression suite.

* fix(dep): update grype version to 0.113.0
* fix(go): align all workflow and VS Code go.goroot references to 1.26.4

  Update GO_VERSION from 1.26.3 to 1.26.4 in all 9 CI workflow files and fix go.goroot in .vscode/settings.json to point to /usr/local/go where 1.26.4 is installed, replacing the missing sdk/go1.26.4 path.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): update go-non-major to v1.75.0
* fix(ci): resolve Go toolchain mismatch in CodeQL and all CI workflows

  Switch setup-go from go-version env var to go-version-file: backend/go.mod so the action reads the required version directly from go.mod instead of relying on a cached toolchain version that may lag behind. Change GOTOOLCHAIN from auto to local across all workflows so Go uses exactly the version installed by setup-go without attempting auto-downloads that can silently fall back to an older release.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sec): patch CVE-2026-40898 in buger/jsonparser via crowdsec-builder

  Upgrades github.com/buger/jsonparser to v1.1.2 in the CrowdSec dependency patch block to fix a panic in Delete() caused by a negative slice index on malformed JSON input. Affects both the crowdsec and cscli binaries.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): update go-non-major
* chore(deps): update i18next version to 26.3.1
* chore(deps): update github-actions-non-major
* chore(deps): update go-non-major
* fix(deps): update npm-non-major to ^7.17.0
* fix(sec): patch CVE-2026-40898 in buger/jsonparser via caddy-builder

  Adds go get github.com/buger/jsonparser@v1.2.0 to the xcaddy build stage. The Caddy binary embeds buger/jsonparser transitively through caddy-crowdsec-bouncer -> crowdsec, which Trivy flags as a blocker. The crowdsec-builder stage already had this pin; this closes the gap in the caddy-builder stage.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sec): patch CVE-2026-40898 (quic-go QPACK) in crowdsec-builder

  CVE-2026-40898 / GHSA-vvgj-x9jq-8cj9 is a quic-go HTTP/3 QPACK Trailer Expansion Memory Exhaustion, fixed in github.com/quic-go/quic-go@v0.59.1. CrowdSec v1.7.8 embeds quic-go v0.57.0; this is what Trivy flags as 2 blockers (crowdsec + cscli binaries). Caddy already resolves v0.59.1 through its own module graph and is unaffected. Also corrects the caddy-builder comment for buger/jsonparser, which was incorrectly attributed to CVE-2026-40898 in the prior commit.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(sec): suppress GO-2024-2565, GO-2024-2557, GO-2026-4518 in grype/trivy

  Three new findings block CI on the development branch:
  - GO-2024-2565 / CVE-2024-21495 (CRITICAL): Insufficient randomness in caddy-security. FALSE POSITIVE — Go vulndb has no fixed version recorded, but per Snyk/NVD the fix shipped in v1.0.42; we run v1.1.62. Suppressed with documented rationale pending Go vulndb update.
  - GO-2024-2557 / CVE-2024-21492 (HIGH): Insufficient session expiration in caddy-security. No upstream fix; stateless JWT architecture means no server-side revocation. JWT TTL bounds exploitation window. Risk accepted.
  - GO-2026-4518 (HIGH): Go vulndb alias for the pgproto3/v2 DataRow negative field length panic already suppressed under GHSA-jqcq-xjh3-6g23 / CVE-2026-4427. Same EOL-module rationale applies.

  All entries include expiry dates (2026-09-05 for caddy-security, 2026-09-01 for pgproto3) and removal criteria. .trivyignore updated for the two CVE IDs.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(dep) update syft to v 1.45.1 in multiple workflows
* fix(dep): update knip to v 6.16.0
* fix(dep): update bytedance/sonic to v1.15.2 and mattn/go-sqlite3 to v1.14.45
* chore: add Claude Code configuration from .github copilot files

  Convert the project's GitHub Copilot configuration into native Claude Code equivalents so the same team conventions, agent roles, and slash commands work out-of-the-box in Claude Code sessions.
  - CLAUDE.md — project-wide instructions adapted from copilot-instructions.md; covers architecture rules, backend/frontend workflows, DoD checklist, and a quick-reference skills table
  - .claude/agents/ — nine specialized subagents (management, planning, supervisor, backend-dev, frontend-dev, qa-security, devops, docs-writer, playwright-dev) translated from .github/agents/*.agent.md, with VS Code-specific frontmatter removed and references updated to CLAUDE.md
  - .claude/commands/ — five slash commands translated from .github/prompts/: /create-implementation-plan, /debug-web-console-errors, /supply-chain-remediation, /playwright-generate-test, /fix-patch-coverage

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(frontend): remove deprecated Firefox CSS and add modern browserslist targets (#1060)

  Remove -moz-osx-font-smoothing (Firefox never supported it; -webkit-font-smoothing already handles Chrome/Safari). Add .browserslistrc targeting modern browsers so autoprefixer stops emitting legacy -moz- vendor prefixes eliminated from Firefox ESR+.

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: update ignore files
* fix(dep) update npm deps to latest versions
* chore(deps): update dependency anchore/syft to v1.45.1 (#1061)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): update dependency anchore/grype to v0.114.0 (#1062)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* fix(dep): update codecov action
* chore(docker): update GeoLite2-Country.mmdb checksum (#1064)

  Automated checksum update for GeoLite2-Country.mmdb database.
  Old: c77ac1d7e64b3fcd1447045615fc3aefb3ed886e176608c568b01f29f955e21a
  New: abce3a42f4f6bfb2c90cded582341da6764f5e152782ce6c832bc8fa1d873778
  Auto-generated by: .github/workflows/update-geolite2.yml

  Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>

* fix(assets): serve banner.webp and use picture element for optimized image delivery (#1063)
  * fix(assets): serve banner.webp and use picture element for optimized image delivery

    Register /banner.webp, /banner.svg, /logo.webp, and /logo.svg as static routes so browsers receive WebP variants with correct MIME types instead of falling through to index.html. Replace the bare <img src="/banner.png"> in the sidebar with a <picture> element that serves the 74%-smaller WebP to capable browsers and falls back to PNG, eliminating NS_BINDING_ABORTED caused by the 1.2 MB PNG stalling under load.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  * chore: remove tracked worktree gitlink and ignore .claude/worktrees/

    The .claude/worktrees/enumerated-snacking-parnas path was committed as a gitlink (unregistered submodule), causing `git submodule foreach` to exit with code 128 and failing Codecov upload steps in CI. Remove it from the index and add .claude/worktrees/ to .gitignore so future worktrees are never inadvertently staged.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore(deps): bump quic-go, maxminddb, and sqlite dependencies
* chore(deps): bump knip from 6.16.0 to 6.16.1
* docs: add no-worktrees instruction to CLAUDE.md
* chore(deps): bump react-hook-form and eslint-plugin-unicorn
* chore: ignore gorilla/websocket in renovate updates
* fix(deps): add Renovate sourceUrl overrides for gin packages (#1065)
  * chore(deps): bump quic-go, maxminddb, and sqlite dependencies
  * fix(deps): add sourceUrl overrides for gin packages in Renovate config

    Renovate fails to resolve github.com/gin-gonic/gin and its sibling packages gin-contrib/gzip and gin-contrib/sse with a "no-result" error. Adds three sourceUrl packageRules entries following the established pattern already present for google/uuid, gorm.io/gorm, and other Go packages in this repo.

    Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

  ---------

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

* chore: clean node_modules before npm install in update script
* chore(frontend): bump typescript-eslint to 8.61.0 and update deps
* chore: bump dev dependencies (obug, semver, tinyexec)
* chore(deps): bump golang.org/x/sys from v0.45.0 to v0.46.0
* chore(deps): bump golang.org/x and modernc.org dependencies
* fix(ci): pass pr_number when dispatching security-pr.yml from weekly promotion

  The trigger-required-checks job in weekly-nightly-promotion.yml dispatched security-pr.yml without providing the required pr_number input, causing HttpError: Required input 'pr_number' not provided. The fix resolves the PR number from the create-promotion-pr job output and passes it as an input when dispatching the security workflow.

  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fix(ci): extend no-cache-filters to caddy-builder and crowdsec-builder in e2e workflow

  Prevents stale GHA BuildKit layer cache from serving outdated caddy-builder and crowdsec-builder stage outputs in e2e-tests-split.yml, mirroring the same fix already applied to nightly-build.yml for CVE-2026-45135. Also corrects a stale fallback version comment in Dockerfile (v2.11.3 → v2.11.4) and updates SECURITY.md to mark CVE-2026-45135 as fully remediated across all affected build workflows.

* chore: bump prettier from 3.8.3 to 3.8.4
* chore(deps): bump eslint-plugin-unicorn to 65.0.1
* fix(dockerfile): gate Delve install on BUILD_DEBUG, pin x/sys for GO-2026-5024

  Production builds now install a harmless stub instead of Delve to avoid shipping golang.org/x/sys < v0.27.0 (GO-2026-5024). Debug builds pin golang.org/x/sys to v0.46.0 via a temporary module before installing dlv.

* fix(entrypoint): gracefully handle production dlv stub when CHARON_DEBUG=1

  The GO-2026-5024 fix replaced the Delve binary with a shell stub in production images. When CI integration tests run with CHARON_DEBUG=1, the entrypoint tried to launch `dlv exec /app/charon`, the stub exited immediately with code 1, APP_PID captured the dead stub PID, and the wait loop triggered container shutdown before Charon ever started. Guard the Delve path with `dlv version` — real Delve exits 0, the stub exits 1 — and fall back to direct execution when the stub is detected.

* chore(deps): update go-non-major (#1058)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: Jeremy <jhatfield82@gmail.com>

* chore(deps): update github-actions-non-major to v46.1.15 (#1067)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: Jeremy <jhatfield82@gmail.com>

* fix(deps): update go-non-major to v0.7.2 (#1068)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): update alpine docker tag to v3.24.0 (#1069)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore(deps): bump go-pkcs12 from v0.7.1 to v0.7.2
* chore: bump semver from 7.8.3 to 7.8.4
* chore(deps): bump frontend dev dependencies to latest patch versions
* chore: replace eslint-plugin-react-compiler with react-hooks built-in
* fix(frontend): unregister auth error handler on AuthProvider unmount (#1070)

  Issue #579 reported that page reload did not redirect to /login when the session expired. Root-cause tracing showed the reload guard already works on development (all 16 auth E2E tests pass), but the trace surfaced a real hazard: the axios 401 interceptor kept a stale handler closure after AuthProvider unmounted. setAuthErrorHandler now accepts null and the provider unregisters its handler on unmount. Adds regression tests for RequireAuth, AuthContext mount/unmount handler lifecycle, and the client interceptor null-handler path.

  Closes #579

  Co-authored-by: GitHub Actions <actions@github.com>
  Co-authored-by: Claude Fable 5 <noreply@anthropic.com>

* chore: bump golang.org/x/net from v0.55.0 to v0.56.0
* chore: bump @napi-rs/wasm-runtime from 1.1.4 to 1.1.5
* chore: bump frontend dev dependencies to latest versions
* chore: add Docker Scout CLI install script
* fix(docker): move frontend builder to node alpine3.24 base to clear critical/high base-image CVEs

  The pinned node:24.16.0-alpine (alpine 3.23) base was flagged with 1 critical and 8 high vulnerabilities. Repin to the freshly published alpine 3.24 variant, which also aligns the builder with the alpine 3.24 runtime base. Remaining openssl advisories (CVE-2026-45447) are patched in-stage by the existing apk upgrade step; the rebuilt stage scans clean for critical/high findings.

* chore: bump @types/node from 25.9.2 to 25.9.3
* chore: remove lint step from npm_update script
* chore: enhance go_update.sh with vuln checks and test runs
  - Auto-install govulncheck if missing
  - Update go/toolchain directives before deps
  - Include test dependencies with -t flag
  - Run tests and govulncheck after each module update
* fix(go_update): simplify PATH export and remove redundant list cmd
* chore(renovate): group Dockerfile ARG updates separately from Go/NPM
  - Replace Go github-tags Dockerfile fallback rule with a generic custom.regex + Dockerfile filename matcher
  - New group: dockerfile-non-major with "dockerfile" label
  - Preserves npm-non-major grouping rule unchanged
* chore(deps): update go-non-major to v0.56.0 (#1071)

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* chore: update acorn from 8.16.0 to 8.17.0
* chore: bump frontend deps (acorn, caniuse-lite, enhanced-resolve)
* chore: bump felixge/httpsnoop from v1.0.4 to v1.1.0
* chore: update frontend lock file dependencies
* fix(security): prepare for npm v12 breaking changes (#1072)
  * chore(ci): bump e2e workflow Node to 24.12.0 and track NODE_VERSION via Renovate

    Node 20 is EOL and will be unsupported by npm 12. Adds a Renovate custom manager so all workflow NODE_VERSION pins receive update PRs.

  * fix(security): disable dependency install scripts for all npm installs

    Adopts npm v12's secure default today: every npm ci/install call site (CI workflows, Dockerfile, Makefile, scripts, package.json pre-hooks) now passes --ignore-scripts, and unrs-resolver's postinstall is explicitly denied via allowScripts (it ships prebuilt binaries; the script is only a fallback build). Verified: clean installs, frontend build, type-check, and full unit suite all pass with scripts disabled.

  ---------

  Co-authored-by: GitHub Actions <actions@github.com>

* chore: bump eslint-plugin-security to 4.0.1
* chore: bump npm to 11.17.0
* chore(frontend): bump lucide-react, tailwindcss, and eslint deps
* chore: bump obug from 2.1.2 to 2.1.3
* chore(deps): bump modernc.org/libc from v1.73.0 to v1.73.1
* chore: fix renovate datasource config for expr-lang/expr
* chore(deps): bump react-hook-form from 7.78.0 to 7.79.0
* chore(deps): update npm-non-major to ^10.5.0 (#1073)
  * chore(deps): update npm-non-major to ^10.5.0
  * fix: regenerate frontend lock file to restore missing eslint@10.5.0 entries

    Renovate's automated update removed top-level node_modules entries for eslint@10.5.0 (and transitive deps eslint-visitor-keys, ignore) from frontend/package-lock.json, causing all CI jobs to fail at npm ci.

  ---------

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: GitHub Actions <actions@github.com>

* chore: bump regjsparser from 0.13.1 to 0.13.2
* chore: update go.work.sum with golang.org/x/term v0.44.0
* chore(deps): bump modernc.org/libc from v1.73.1 to v1.73.3
* chore: bump @csstools/css-color-parser to 4.1.4
* chore(deps): update eslint-plugin-unicorn to v66 and react-refresh to v0.5.3
* chore(docker): update GeoLite2-Country.mmdb checksum (#1074)

  Automated checksum update for GeoLite2-Country.mmdb database.
  Old: abce3a42f4f6bfb2c90cded582341da6764f5e152782ce6c832bc8fa1d873778
  New: 11b88595d026953920668d91f6d531057b397f05170237fc98a13a8b051ab861
  Auto-generated by: .github/workflows/update-geolite2.yml

  Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>

---------

Co-authored-by: Jeremy <jhatfield82@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Wikid82 <176516789+Wikid82@users.noreply.github.com>
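One way to implement the `dlv version` guard that the fix(entrypoint) commit above describes, as an added POSIX shell example that is not Charon's actual entrypoint. The /app/charon path and the CHARON_DEBUG=1 convention come from the commit; the stub and real-Delve stand-ins, and the function names, are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example (not Charon's entrypoint): pick the launch command for the app
# when debugging is requested, without trusting that "dlv" is a real Delve.
# A production image ships a stub in place of dlv that exits 1 immediately;
# exec'ing the app through it would leave the wait loop tracking a dead PID.

# choose_launcher DEBUG_FLAG DLV_PATH APP_PATH
# Prints the command line to exec. Probe: `dlv version` exits 0 for real
# Delve and 1 for the stub (as the commit describes), so only a passing probe
# routes the app through the debugger; anything else runs the app directly.
choose_launcher() {
  debug="$1"
  dlv_bin="$2"
  app="$3"
  if [ "$debug" = "1" ]; then
    if "$dlv_bin" version >/dev/null 2>&1; then
      echo "$dlv_bin exec $app"
      return 0
    fi
    echo "warning: $dlv_bin is a stub, running $app without a debugger" >&2
  fi
  echo "$app"
}

# make_fixtures: create constructed stand-ins in a temp dir and print its path.
make_fixtures() {
  dir=$(mktemp -d)
  # Constructed stand-in for the production stub: exits 1 on any invocation.
  printf '#!/bin/sh\nexit 1\n' > "$dir/dlv-stub"
  # Constructed stand-in for real Delve: `dlv version` exits 0, other
  # subcommands are not implemented here and exit 2.
  printf '#!/bin/sh\n[ "$1" = version ] && exit 0\nexit 2\n' > "$dir/dlv-real"
  chmod +x "$dir/dlv-stub" "$dir/dlv-real"
  echo "$dir"
}

# demo: exercise both images' dlv with debugging on, and the non-debug path.
demo() {
  fix=$(make_fixtures)
  echo "debug image: $(choose_launcher 1 "$fix/dlv-real" /app/charon)"
  echo "prod image:  $(choose_launcher 1 "$fix/dlv-stub" /app/charon)"
  echo "no debug:    $(choose_launcher 0 "$fix/dlv-real" /app/charon)"
  rm -rf "$fix"
}

demo
```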
This PR contains the following updates: ^10.4.1 → ^10.5.0

Configuration
- 📅 Schedule: (in timezone America/New_York)
- 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
- ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
- 🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.