@checkstack/gitops-backend 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +76 -0
  2. package/package.json +9 -10
package/CHANGELOG.md CHANGED
@@ -1,5 +1,81 @@
1
1
  # @checkstack/gitops-backend
2
2
 
3
+ ## 0.3.3
4
+
5
+ ### Patch Changes
6
+
7
+ - b33fb4d: Refresh `bun.lock` to clear MEDIUM-severity Trivy advisories on transitive
8
+ runtime dependencies. No public API change — bumping every workspace
9
+ package that lists `@orpc/server` as a direct dep so consumers re-resolve
10
+ the optional `ws` peer to the patched release on their next install.
11
+
12
+ - `ws` `8.20.0` → `8.20.1` (CVE-2026-45736). Pulled into the install tree
13
+ as `@orpc/server`'s optional WebSocket peer; Bun auto-installs it into
14
+ every backend package that depends on `@orpc/server`, so a stale 8.20.0
15
+ ships in the consumer's `node_modules` until the parent package
16
+ re-resolves.
17
+ - `brace-expansion` `5.0.5` → `5.0.6` (CVE-2026-45149). Pulled in only
18
+ through dev tooling (`minimatch@10` via `@typescript-eslint` and
19
+ `storybook`'s `glob@13`), so it does not ship to consumers and no
20
+ workspace `package.json` lists it; the lockfile bump alone clears the
21
+ finding for the Docker image and the local dev tree. No version bump
22
+ is attributed to this advisory.
23
+
24
+ The fix lives entirely in `bun.lock` — no `package.json`, `overrides`, or
25
+ `resolutions` change is needed because both parent ranges (`minimatch@10
26
+ → brace-expansion@^5.0.5`, `@orpc/server / storybook / happy-dom →
27
+ ws@>=8.18.x`) already accept the patched releases, and `bun install`
28
+ keeps the resolved versions sticky after the initial `bun update`.
29
+
30
+ - Updated dependencies [1909a61]
31
+ - Updated dependencies [b33fb4d]
32
+ - @checkstack/backend-api@0.15.3
33
+ - @checkstack/command-backend@0.1.27
34
+ - @checkstack/queue-api@0.3.2
35
+
36
+ ## 0.3.2
37
+
38
+ ### Patch Changes
39
+
40
+ - b627562: Bump direct and transitive dependencies to clear MEDIUM-severity advisories
41
+ that Trivy now surfaces alongside CRITICAL/HIGH.
42
+
43
+ Direct version bumps in package.json:
44
+
45
+ - `@checkstack/catalog-backend`, `@checkstack/gitops-backend`,
46
+ `@checkstack/healthcheck-frontend`: `uuid` `^13.0.0` → `^14.0.0`
47
+ (GHSA-w5hq-g745-h8pq, missing buffer bounds check in v3/v5/v6). Also
48
+ dropped the now-redundant `@types/uuid` devDependency — uuid 14 ships
49
+ its own types and the npm `@types/uuid` package is a stub.
50
+ - `@checkstack/gitops-backend`: `yaml` `^2.7.0` → `^2.8.3`
51
+ (GHSA-48c2-rrv3-qjmp, stack overflow on deeply nested collections).
52
+ - `@checkstack/dev-server`: `vite` `^5.4.0` → `^8.0.12`
53
+ (GHSA-4w7w-66w2-5vf9, path traversal in optimized-deps `.map` handling)
54
+ and `@vitejs/plugin-react` `^4.3.4` → `^6.0.1` to stay inside the new
55
+ vite peer range.
56
+
57
+ Root `overrides` / `resolutions` to bypass transitive pins that block the
58
+ walk:
59
+
60
+ - `dompurify` `^3.4.3` — `monaco-editor@0.55.1` pins `dompurify@3.2.7`
61
+ exactly, so the only way to pick up the eight DOMPurify XSS / prototype
62
+ pollution advisories (GHSA-v2wj-7wpq-c8vv et al.) is an override.
63
+ Affects `@checkstack/ui`, which is the only consumer of monaco.
64
+ - `uuid` `^14.0.0` — also forces `bullmq`'s nested `uuid@11.1.0`
65
+ (vulnerable per GHSA-w5hq-g745-h8pq) to the patched line. Affects
66
+ `@checkstack/queue-bullmq-backend`.
67
+ - `yaml` `^2.9.0` — covers transitive resolutions that would otherwise
68
+ pin pre-2.8.3 yaml.
69
+
70
+ The CI image scan (`.github/workflows/pr-checks.yml`) and the local
71
+ `bun run audit:*` helper now include `MEDIUM` alongside `CRITICAL,HIGH`,
72
+ so future MEDIUM regressions fail the pipeline. The production Dockerfile
73
+ also strips vendored `test/`, `tests/`, `__tests__/`, `benchmark/`,
74
+ `benchmarks/`, `example/` and `examples/` folders from `node_modules`
75
+ before the runtime stage — those tarball artefacts ship their own
76
+ nested `package.json` (`benchmark`, `tedious-benchmarks`, etc.) which
77
+ Trivy was scanning as if they were real packages.
78
+
3
79
  ## 0.3.1
4
80
 
5
81
  ### Patch Changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@checkstack/gitops-backend",
3
- "version": "0.3.1",
3
+ "version": "0.3.3",
4
4
  "license": "Elastic-2.0",
5
5
  "type": "module",
6
6
  "main": "src/index.ts",
@@ -14,25 +14,24 @@
14
14
  "lint:code": "eslint . --max-warnings 0"
15
15
  },
16
16
  "dependencies": {
17
- "@checkstack/backend-api": "0.15.1",
18
- "@checkstack/gitops-common": "0.3.0",
19
- "@checkstack/common": "0.9.0",
20
- "@checkstack/command-backend": "0.1.25",
21
- "@checkstack/queue-api": "0.3.0",
17
+ "@checkstack/backend-api": "0.15.2",
18
+ "@checkstack/gitops-common": "0.4.0",
19
+ "@checkstack/common": "0.10.0",
20
+ "@checkstack/command-backend": "0.1.26",
21
+ "@checkstack/queue-api": "0.3.1",
22
22
  "@orpc/server": "^1.13.2",
23
23
  "drizzle-orm": "^0.45.0",
24
24
  "minimatch": "^10.0.0",
25
- "uuid": "^13.0.0",
25
+ "uuid": "^14.0.0",
26
26
  "zod": "^4.2.1",
27
- "yaml": "^2.7.0"
27
+ "yaml": "^2.8.3"
28
28
  },
29
29
  "devDependencies": {
30
30
  "@checkstack/drizzle-helper": "0.0.5",
31
- "@checkstack/scripts": "0.3.1",
31
+ "@checkstack/scripts": "0.3.2",
32
32
  "@checkstack/tsconfig": "0.0.7",
33
33
  "@types/bun": "^1.3.5",
34
34
  "@types/node": "^20.0.0",
35
- "@types/uuid": "^11.0.0",
36
35
  "drizzle-kit": "^0.31.10",
37
36
  "typescript": "^5.0.0"
38
37
  }