npm - @networkpro/web - Versions diffs - 1.25.21 → 1.25.22 - Mend

@networkpro/web 1.25.21 → 1.25.22

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.github/workflows/secret-scan.yml +9 -5
package/CHANGELOG.md +35 -2
package/package.json +8 -6
package/src/routes/posts/+page.svelte +0 -7
package/static/sitemap.xml +2 -2
package/.svelte-kit/tsconfig.json +0 -52

package/.github/workflows/secret-scan.yml CHANGED Viewed

@@ -14,10 +14,10 @@ on:
 jobs:
   gitleaks-scan:
+    if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-24.04
     permissions:
       contents: read
-      security-events: write
       issues: write
     env:
       CODEQL_ACTION_ANALYSIS_KEY: gitleaks
@@ -49,7 +49,7 @@ jobs:
       # (either not a PR, or a PR from the same repo)
       # ---------------------------------------------------------------------
       - name: Upload Gitleaks Report
-        if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         uses: actions/upload-artifact@v6
         with:
           name: gitleaks-report
@@ -59,6 +59,10 @@ jobs:
       # LAYER 1: Output redaction
       # Public-safe summary – shows only secret descriptions, hides file paths.
       # ---------------------------------------------------------------------
+      - name: Ensure jq is installed
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        run: sudo apt-get update && sudo apt-get install -y jq
       - name: Post Gitleaks summary
         if: always()
         run: |
@@ -91,7 +95,7 @@ jobs:
       # Create issue only in trusted repo context (avoids using tokens on forks)
       # ---------------------------------------------------------------------
       - name: Create issue for detected secrets
-        if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -111,7 +115,7 @@ jobs:
       # Send ntfy alert only for trusted repo context.
       # ---------------------------------------------------------------------
       - name: Send ntfy notification
-        if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         run: |
           curl -d "🚨 Gitleaks found secrets in repo: $GITHUB_REPOSITORY on commit $GITHUB_SHA" \
-               https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}
+              https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}

package/CHANGELOG.md CHANGED Viewed

@@ -24,6 +24,37 @@ version increments reflecting both user-visible and operational impact.
 ---
+## [1.25.22] - 2026-01-01
+### Added
+- Conditional guards to ensure artifacts, issues, and external notifications are only created when workflows run in a trusted context (non-PR runs or PRs originating from the same repository).
+- Redacted, public-safe Gitleaks scan summaries in GitHub Actions step output to prevent accidental exposure of sensitive file paths or values.
+- Optional installation of `jq` gated to trusted execution contexts to support future structured output (e.g., SARIF) while preserving fork safety.
+### Changed
+- Updated the Gitleaks secret scanning workflow to explicitly exclude Dependabot pull requests, avoiding failures caused by unavailable organization secrets in bot-triggered PRs.
+- Refined workflow trust boundaries to distinguish between forked pull requests and trusted repository contexts.
+- Updated `.gitignore` to stop tracking generated `.svelte-kit` files.
+- Bumped project version to `v1.25.22`.
+- Updated dependencies:
+  - `stylelint-order` `^7.0.0` → `^7.0.1`
+  - `posthog-js` `^1.310.1` → `^1.313.0`
+  - `globals` `^16.5.0` → `^17.0.0`
+### Removed
+- Removed Mastodon verification in `src/routes/posts/+page.svelte`, as it was not functioning properly. This route will remain unverified.
+### Security
+- Hardened secret-handling logic in CI by preventing the use of organization-level secrets, write permissions, and external notifications in untrusted pull request contexts.
+- Ensured Gitleaks license usage is restricted to safe execution paths, eliminating false-negative or false-positive failures caused by GitHub Actions secret scoping rules.
+- Added transitive dependency override for `qs` to `^6.14.1`, in order to address CVE-2025-15284.
+---
 ## [1.25.21] - 2025-12-27
 ### Added
@@ -2090,7 +2121,7 @@ This enables analytics filtering and CSP hardening for the audit environment.
 ---
-## 1.12.0 – 2025-06-04
+## [1.12.0] – 2025-06-04
 ### Added
@@ -2118,7 +2149,8 @@ This enables analytics filtering and CSP hardening for the audit environment.
 <!-- Link references -->
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.21...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.22...HEAD
+[1.25.22]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.22
 [1.25.21]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.21
 [1.25.20]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.20
 [1.25.19]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.19
@@ -2190,5 +2222,6 @@ This enables analytics filtering and CSP hardening for the audit environment.
 [1.12.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.4
 [1.12.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.3
 [1.12.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.1
+[1.12.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.0
 <!-- cspell:ignore qrcode cryptom otphelp domcontentloaded -->

package/package.json CHANGED Viewed

@@ -1,12 +1,13 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.25.21",
+  "version": "1.25.22",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "consulting",
     "cybersecurity",
     "networking",
+    "policy",
     "privacy",
     "pwa",
     "security",
@@ -85,7 +86,7 @@
   },
   "dependencies": {
     "dompurify": "^3.3.1",
-    "posthog-js": "^1.310.1",
+    "posthog-js": "^1.313.0",
     "semver": "^7.7.3",
     "svelte": "5.46.1"
   },
@@ -107,7 +108,7 @@
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-jsdoc": "^61.5.0",
     "eslint-plugin-svelte": "^3.13.1",
-    "globals": "^16.5.0",
+    "globals": "^17.0.0",
     "globby": "^16.1.0",
     "jsdom": "27.4.0",
     "lightningcss": "^1.30.2",
@@ -122,7 +123,7 @@
     "stylelint": "^16.26.1",
     "stylelint-config-html": "^1.1.0",
     "stylelint-config-recommended": "^17.0.0",
-    "stylelint-order": "^7.0.0",
+    "stylelint-order": "^7.0.1",
     "svelte-check": "^4.3.5",
     "svelte-eslint-parser": "^1.4.1",
     "svelte-preprocess": "^6.0.3",
@@ -137,7 +138,8 @@
     "cookie": "^1.0.0",
     "glob": "^11.1.0",
     "js-yaml": "^4.1.1",
-    "tar": ">=7.5.2",
-    "tmp": ">=0.2.4"
+    "qs": "^6.14.1",
+    "tar": "^7.5.2",
+    "tmp": "^0.2.4"
   }
 }

package/src/routes/posts/+page.svelte CHANGED Viewed

@@ -45,13 +45,6 @@ This file is part of Network Pro.
   });
 </script>
-<svelte:head>
-  <a
-    rel="me"
-    href="https://noc.social/@neteng_pro"
-    aria-label="Mastodon profile"></a>
-</svelte:head>
 {#if show && target}
   <RedirectPage to={target} rel={PAGE.REL} />
 {:else}

package/static/sitemap.xml CHANGED Viewed

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Sitemap last updated 2025-12-27 -->
+<!-- Sitemap last updated 2026-01-01 -->
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
@@ -7,7 +7,7 @@
     <loc>https://netwk.pro</loc>
-    <lastmod>2025-12-25</lastmod>
+    <lastmod>2026-01-01</lastmod>
     <changefreq>weekly</changefreq>

package/.svelte-kit/tsconfig.json DELETED Viewed

@@ -1,52 +0,0 @@
-{
-	"compilerOptions": {
-		"paths": {
-			"$lib": [
-				"../src/lib"
-			],
-			"$lib/*": [
-				"../src/lib/*"
-			],
-			"$app/types": [
-				"./types/index.d.ts"
-			]
-		},
-		"rootDirs": [
-			"..",
-			"./types"
-		],
-		"verbatimModuleSyntax": true,
-		"isolatedModules": true,
-		"lib": [
-			"esnext",
-			"DOM",
-			"DOM.Iterable"
-		],
-		"moduleResolution": "bundler",
-		"module": "esnext",
-		"noEmit": true,
-		"target": "esnext"
-	},
-	"include": [
-		"ambient.d.ts",
-		"non-ambient.d.ts",
-		"./types/**/$types.d.ts",
-		"../vite.config.js",
-		"../vite.config.ts",
-		"../src/**/*.js",
-		"../src/**/*.ts",
-		"../src/**/*.svelte",
-		"../tests/**/*.js",
-		"../tests/**/*.ts",
-		"../tests/**/*.svelte"
-	],
-	"exclude": [
-		"../node_modules/**",
-		"../src/service-worker.js",
-		"../src/service-worker/**/*.js",
-		"../src/service-worker.ts",
-		"../src/service-worker/**/*.ts",
-		"../src/service-worker.d.ts",
-		"../src/service-worker/**/*.d.ts"
-	]
-}