@checkstack/gitops-backend 0.3.1 → 0.3.2

package/CHANGELOG.md

@@ -1,5 +1,48 @@
 # @checkstack/gitops-backend
 
+## 0.3.2
+
+### Patch Changes
+
+- b627562: Bump direct and transitive dependencies to clear MEDIUM-severity advisories
+  that Trivy now surfaces alongside CRITICAL/HIGH.
+
+  Direct version bumps in package.json:
+
+  - `@checkstack/catalog-backend`, `@checkstack/gitops-backend`,
+    `@checkstack/healthcheck-frontend`: `uuid` `^13.0.0` → `^14.0.0`
+    (GHSA-w5hq-g745-h8pq, missing buffer bounds check in v3/v5/v6). Also
+    dropped the now-redundant `@types/uuid` devDependency — uuid 14 ships
+    its own types and the npm `@types/uuid` package is a stub.
+  - `@checkstack/gitops-backend`: `yaml` `^2.7.0` → `^2.8.3`
+    (GHSA-48c2-rrv3-qjmp, stack overflow on deeply nested collections).
+  - `@checkstack/dev-server`: `vite` `^5.4.0` → `^8.0.12`
+    (GHSA-4w7w-66w2-5vf9, path traversal in optimized-deps `.map` handling)
+    and `@vitejs/plugin-react` `^4.3.4` → `^6.0.1` to stay inside the new
+    vite peer range.
+
+  Root `overrides` / `resolutions` to bypass transitive pins that block the
+  walk:
+
+  - `dompurify` `^3.4.3` — `monaco-editor@0.55.1` pins `dompurify@3.2.7`
+    exactly, so the only way to pick up the eight DOMPurify XSS / prototype
+    pollution advisories (GHSA-v2wj-7wpq-c8vv et al.) is an override.
+    Affects `@checkstack/ui`, which is the only consumer of monaco.
+  - `uuid` `^14.0.0` — also forces `bullmq`'s nested `uuid@11.1.0`
+    (vulnerable per GHSA-w5hq-g745-h8pq) to the patched line. Affects
+    `@checkstack/queue-bullmq-backend`.
+  - `yaml` `^2.9.0` — covers transitive resolutions that would otherwise
+    pin pre-2.8.3 yaml.
+
+  The CI image scan (`.github/workflows/pr-checks.yml`) and the local
+  `bun run audit:*` helper now include `MEDIUM` alongside `CRITICAL,HIGH`,
+  so future MEDIUM regressions fail the pipeline. The production Dockerfile
+  also strips vendored `test/`, `tests/`, `__tests__/`, `benchmark/`,
+  `benchmarks/`, `example/` and `examples/` folders from `node_modules`
+  before the runtime stage — those tarball artefacts ship their own
+  nested `package.json` (`benchmark`, `tedious-benchmarks`, etc.) which
+  Trivy was scanning as if they were real packages.
+
 ## 0.3.1
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/gitops-backend",
-  "version": "0.3.1",
+  "version": "0.3.2",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
@@ -14,25 +14,24 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/backend-api": "0.15.1",
-    "@checkstack/gitops-common": "0.3.0",
-    "@checkstack/common": "0.9.0",
-    "@checkstack/command-backend": "0.1.25",
-    "@checkstack/queue-api": "0.3.0",
+    "@checkstack/backend-api": "0.15.2",
+    "@checkstack/gitops-common": "0.4.0",
+    "@checkstack/common": "0.10.0",
+    "@checkstack/command-backend": "0.1.26",
+    "@checkstack/queue-api": "0.3.1",
     "@orpc/server": "^1.13.2",
     "drizzle-orm": "^0.45.0",
     "minimatch": "^10.0.0",
-    "uuid": "^13.0.0",
+    "uuid": "^14.0.0",
     "zod": "^4.2.1",
-    "yaml": "^2.7.0"
+    "yaml": "^2.8.3"
   },
   "devDependencies": {
     "@checkstack/drizzle-helper": "0.0.5",
-    "@checkstack/scripts": "0.3.1",
+    "@checkstack/scripts": "0.3.2",
     "@checkstack/tsconfig": "0.0.7",
     "@types/bun": "^1.3.5",
     "@types/node": "^20.0.0",
-    "@types/uuid": "^11.0.0",
     "drizzle-kit": "^0.31.10",
     "typescript": "^5.0.0"
   }