@networkpro/web 1.23.0 → 1.24.0

package/.github/workflows/build-and-publish.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: npm
           cache-dependency-path: package-lock.json
 
@@ -123,7 +123,7 @@ jobs:
       - name: Set up Node.js for npmjs
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://registry.npmjs.org/
           cache: npm
           cache-dependency-path: package-lock.json
@@ -184,7 +184,7 @@ jobs:
       - name: Set up Node.js for GPR
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://npm.pkg.github.com/
           cache: npm
           cache-dependency-path: package-lock.json

package/.github/workflows/lighthouse.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: npm
           cache-dependency-path: package-lock.json
 

package/.github/workflows/meta-check.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
 
       - name: Install dependencies
         run: npm ci

package/.github/workflows/publish-test.yml

@@ -36,7 +36,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: npm
           cache-dependency-path: package-lock.json
 
@@ -121,7 +121,7 @@ jobs:
       - name: Set up Node.js for npmjs
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://registry.npmjs.org/
           cache: npm
           cache-dependency-path: package-lock.json
@@ -182,7 +182,7 @@ jobs:
       - name: Set up Node.js for GPR
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://npm.pkg.github.com/
           cache: npm
           cache-dependency-path: package-lock.json

package/.github/workflows/secret-scan.yml

@@ -0,0 +1,105 @@
+# .github/workflows/secret-scan.yml
+#
+# Copyright © 2025 Network Pro Strategies (Network Pro™)
+# SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
+# This file is part of Network Pro
+
+name: Secret Scan (Gitleaks)
+
+on:
+  pull_request:
+  schedule:
+    - cron: '0 8 * * *' # nightly scan at 8 AM UTC
+  workflow_dispatch:
+
+jobs:
+  gitleaks-scan:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      # ---------------------------------------------------------------------
+      # Checkout the full repo history (needed for Gitleaks to scan all commits)
+      # ---------------------------------------------------------------------
+      - uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      # ---------------------------------------------------------------------
+      # Run Gitleaks scan
+      # Uses org license key (safe because GitHub never passes secrets to forks)
+      # ---------------------------------------------------------------------
+      - name: Run Gitleaks scan
+        id: gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
+          GITLEAKS_REPORT_PATH: gitleaks-report.json
+
+      # ---------------------------------------------------------------------
+      # LAYER 2: Secret-handling / fork guard
+      # Upload artifact only if workflow runs in trusted context
+      # (either not a PR, or a PR from the same repo)
+      # ---------------------------------------------------------------------
+      - name: Upload Gitleaks Report
+        if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        uses: actions/upload-artifact@v4
+        with:
+          name: gitleaks-report
+          path: gitleaks-report.json
+
+      # ---------------------------------------------------------------------
+      # LAYER 1: Output redaction
+      # Public-safe summary – shows only secret descriptions, hides file paths.
+      # ---------------------------------------------------------------------
+      - name: Post Gitleaks summary
+        if: always()
+        run: |
+          echo "### 🧩 Gitleaks Scan Summary" >> $GITHUB_STEP_SUMMARY
+          if [ -s gitleaks-report.json ]; then
+            count=$(jq '.findings | length' gitleaks-report.json)
+            if [ "$count" -gt 0 ]; then
+              echo "🚨 **$count potential secret$( [ "$count" -ne 1 ] && echo "s" ) detected!**" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+              # 🔒 Redacted output: no file paths or secret values
+              jq -r '.findings[] | "- \(.Description) (at undisclosed path)"' gitleaks-report.json | head -n 10 >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo "_Full report available in Artifacts section (maintainers only)._ " >> $GITHUB_STEP_SUMMARY
+            else
+              echo "✅ No secrets detected." >> $GITHUB_STEP_SUMMARY
+            fi
+          else
+            echo "⚠️ No report file found." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # ---------------------------------------------------------------------
+      # LAYER 2: Secret-handling / fork guard
+      # Create issue only in trusted repo context (avoids using tokens on forks)
+      # ---------------------------------------------------------------------
+      - name: Create issue for detected secrets
+        if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const issueTitle = `🚨 Secret(s) detected in ${context.repo.repo}`;
+            const issueBody = `Gitleaks found potential secrets in commit ${context.sha}.\n\nCheck workflow logs and artifacts for details.`;
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: issueTitle,
+              body: issueBody,
+              labels: ['security', 'gitleaks']
+            });
+
+      # ---------------------------------------------------------------------
+      # LAYER 2: Secret-handling / fork guard
+      # Send ntfy alert only for trusted repo context.
+      # ---------------------------------------------------------------------
+      - name: Send ntfy notification
+        if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        run: |
+          curl -d "🚨 Gitleaks found secrets in repo: $GITHUB_REPOSITORY on commit $GITHUB_SHA" \
+               https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}

package/.github/workflows/templates/publish.template.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: npm
           cache-dependency-path: package-lock.json
 
@@ -131,7 +131,7 @@ jobs:
       - name: Set up Node.js for npmjs
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://registry.npmjs.org/
           cache: npm
           cache-dependency-path: package-lock.json
@@ -192,7 +192,7 @@ jobs:
       - name: Set up Node.js for GPR
         uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://npm.pkg.github.com/
           cache: npm
           cache-dependency-path: package-lock.json

package/.node-version

@@ -1 +1 @@
-22.21.1
+24.11.0

package/.nvmrc

@@ -1 +1 @@
-22.21.1
+24.11.0

package/CHANGELOG.md

@@ -22,6 +22,47 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.24.0]
+
+### Added
+
+- Introduced [GitLeaks](https://github.com/gitleaks/gitleaks-action) secret scan CI action as `.github/workflows/secret-scan.yml`.
+- Introduced two-phase scan strategy:
+  - **Pull Request scans** to detect secrets before merge.
+  - **Nightly scheduled scans** (`cron: "0 4 * * *"`) for full-history coverage.
+- Added **artifact upload** for the `gitleaks-report.json` file, allowing maintainers to download complete results from the Actions UI.
+- Implemented **public-safe summary output** in `$GITHUB_STEP_SUMMARY`:
+  - Displays secret descriptions only.
+  - Redacts file paths and other sensitive details.
+  - Provides a concise, readable summary of findings.
+- Added **GitHub Issue creation step** to automatically open a security issue when leaks are detected.
+- Integrated optional **ntfy.sh notifications** for real-time alerting on secret leaks.
+- Implemented **fork-safety guards** to prevent workflows triggered from untrusted forks from:
+  - Accessing organization secrets (license keys, ntfy topic).
+  - Uploading artifacts or creating issues.
+- Added descriptive comments and logical layer separation:
+  - **Layer 1 – Output Redaction**
+  - **Layer 2 – Secret / Fork Handling**
+
+### Changed
+
+- Bumped project version to `v1.23.1`.
+- Updated `.node-version` and `.nvmrc` to utilize **Node.js** `24.11.0` (LTS).
+- Updated CI workflows to utilize `node-version: 24`:
+  - `build-and-publish.yml`
+  - `lighthouse.yml`
+  - `meta-check.yml`
+  - `playwright.yml`
+  - `publish-test.yml`
+  - `templates/publish.template.yml`
+- Updated dependencies:
+  - `@eslint/js` `^9.38.0` → `^9.39.0`
+  - `eslint` `^9.38.0` → `^9.39.0`
+  - `globals` `^16.4.0` → `^16.5.0`
+  - `posthog-js` `^1.282.0` → `^1.284.0`
+
+---
+
 ## [1.23.0] - 2025-10-30
 
 ### Documentation
@@ -1362,7 +1403,8 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.23.0...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.24.0...HEAD
+[1.24.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.24.0
 [1.23.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.23.0
 [1.22.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.22.2
 [1.22.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.22.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.23.0",
+  "version": "1.24.0",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -79,13 +79,13 @@
   },
   "dependencies": {
     "dompurify": "^3.3.0",
-    "posthog-js": "^1.282.0",
+    "posthog-js": "^1.284.0",
     "semver": "^7.7.3",
     "svelte": "5.43.2"
   },
   "devDependencies": {
     "@eslint/compat": "^1.4.1",
-    "@eslint/js": "^9.38.0",
+    "@eslint/js": "^9.39.0",
     "@lhci/cli": "^0.15.1",
     "@playwright/test": "^1.56.1",
     "@sveltejs/adapter-vercel": "^6.1.1",
@@ -96,11 +96,11 @@
     "@vitest/coverage-v8": "3.2.4",
     "autoprefixer": "^10.4.21",
     "browserslist": "^4.27.0",
-    "eslint": "^9.38.0",
+    "eslint": "^9.39.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-jsdoc": "^61.1.11",
     "eslint-plugin-svelte": "^3.13.0",
-    "globals": "^16.4.0",
+    "globals": "^16.5.0",
     "jsdom": "26.1.0",
     "lightningcss": "^1.30.2",
     "markdownlint": "^0.39.0",