@networkpro/web 1.25.21 → 1.25.23

package/.github/workflows/secret-scan.yml

@@ -14,10 +14,10 @@ on:
 
 jobs:
   gitleaks-scan:
+    if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-24.04
     permissions:
       contents: read
-      security-events: write
       issues: write
     env:
       CODEQL_ACTION_ANALYSIS_KEY: gitleaks
@@ -49,7 +49,7 @@ jobs:
       # (either not a PR, or a PR from the same repo)
       # ---------------------------------------------------------------------
       - name: Upload Gitleaks Report
-        if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         uses: actions/upload-artifact@v6
         with:
           name: gitleaks-report
@@ -59,6 +59,10 @@ jobs:
       # LAYER 1: Output redaction
       # Public-safe summary – shows only secret descriptions, hides file paths.
       # ---------------------------------------------------------------------
+      - name: Ensure jq is installed
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        run: sudo apt-get update && sudo apt-get install -y jq
+
       - name: Post Gitleaks summary
         if: always()
         run: |
@@ -91,7 +95,7 @@ jobs:
       # Create issue only in trusted repo context (avoids using tokens on forks)
       # ---------------------------------------------------------------------
       - name: Create issue for detected secrets
-        if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         uses: actions/github-script@v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -111,7 +115,7 @@ jobs:
       # Send ntfy alert only for trusted repo context.
       # ---------------------------------------------------------------------
       - name: Send ntfy notification
-        if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+        if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
         run: |
           curl -d "🚨 Gitleaks found secrets in repo: $GITHUB_REPOSITORY on commit $GITHUB_SHA" \
-               https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}
+              https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}

package/CHANGELOG.md

@@ -24,6 +24,47 @@ version increments reflecting both user-visible and operational impact.
 
 ---
 
+## [1.25.23] - 2026-01-04
+
+### Changed
+
+- Updated `README.md` to accurately reflect hosting.
+- Updated timestamp in `static/.well-known/security.txt` and created a new detached signature.
+- Bumped project version to `v1.25.23`.
+
+---
+
+## [1.25.22] - 2026-01-01
+
+### Added
+
+- Conditional guards to ensure artifacts, issues, and external notifications are only created when workflows run in a trusted context (non-PR runs or PRs originating from the same repository).
+- Redacted, public-safe Gitleaks scan summaries in GitHub Actions step output to prevent accidental exposure of sensitive file paths or values.
+- Optional installation of `jq` gated to trusted execution contexts to support future structured output (e.g., SARIF) while preserving fork safety.
+
+### Changed
+
+- Updated the Gitleaks secret scanning workflow to explicitly exclude Dependabot pull requests, avoiding failures caused by unavailable organization secrets in bot-triggered PRs.
+- Refined workflow trust boundaries to distinguish between forked pull requests and trusted repository contexts.
+- Updated `.gitignore` to stop tracking generated `.svelte-kit` files.
+- Bumped project version to `v1.25.22`.
+- Updated dependencies:
+  - `stylelint-order` `^7.0.0` → `^7.0.1`
+  - `posthog-js` `^1.310.1` → `^1.313.0`
+  - `globals` `^16.5.0` → `^17.0.0`
+
+### Removed
+
+- Removed Mastodon verification in `src/routes/posts/+page.svelte`, as it was not functioning properly. This route will remain unverified.
+
+### Security
+
+- Hardened secret-handling logic in CI by preventing the use of organization-level secrets, write permissions, and external notifications in untrusted pull request contexts.
+- Ensured Gitleaks license usage is restricted to safe execution paths, eliminating false-negative or false-positive failures caused by GitHub Actions secret scoping rules.
+- Added transitive dependency override for `qs` to `^6.14.1`, in order to address CVE-2025-15284.
+
+---
+
 ## [1.25.21] - 2025-12-27
 
 ### Added
@@ -2090,7 +2131,7 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 ---
 
-## 1.12.0 – 2025-06-04
+## [1.12.0] – 2025-06-04
 
 ### Added
 
@@ -2118,7 +2159,9 @@ This enables analytics filtering and CSP hardening for the audit environment.
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.21...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.23...HEAD
+[1.25.23]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.23
+[1.25.22]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.22
 [1.25.21]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.21
 [1.25.20]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.20
 [1.25.19]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.19
@@ -2190,5 +2233,6 @@ This enables analytics filtering and CSP hardening for the audit environment.
 [1.12.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.4
 [1.12.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.3
 [1.12.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.1
+[1.12.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.0
 
 <!-- cspell:ignore qrcode cryptom otphelp domcontentloaded -->

package/README.md

@@ -24,7 +24,7 @@ This file is part of Network Pro.
 This GitHub repository powers the official web presence of **[Network Pro Strategies](https://netwk.pro/about)** — a research- and infrastructure-focused technology initiative working across cybersecurity, digital systems, and privacy. Our work spans applied research and development, experimental infrastructure, educational tools and publications, and public advocacy for security- and privacy-respecting technology.
 
 Built with [SvelteKit](https://kit.svelte.dev/) and deployed via [Vercel](https://vercel.com/).  
-[Blog](https://github.com/netwk-pro/blog) and [documentation](https://github.com/netwk-pro/docs) subsites built with [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/) and deployed via [Vercel](https://vercel.com/) and [Netlify](https://netlify.com/).
+[Blog](https://github.com/netwk-pro/blog) and [documentation](https://github.com/netwk-pro/docs) subsites built with [Material for MkDocs](https://squidfunk.github.io/mkdocs-material/) and deployed via [Vercel](https://vercel.com/).
 
 All infrastructure and data flows are designed with **maximum transparency, self-hosting, and user privacy** in mind.
 

package/package.json

@@ -1,12 +1,15 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.25.21",
+  "version": "1.25.23",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
+    "advocacy",
     "consulting",
     "cybersecurity",
+    "education",
     "networking",
+    "policy",
     "privacy",
     "pwa",
     "security",
@@ -85,7 +88,7 @@
   },
   "dependencies": {
     "dompurify": "^3.3.1",
-    "posthog-js": "^1.310.1",
+    "posthog-js": "^1.313.0",
     "semver": "^7.7.3",
     "svelte": "5.46.1"
   },
@@ -107,7 +110,7 @@
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-jsdoc": "^61.5.0",
     "eslint-plugin-svelte": "^3.13.1",
-    "globals": "^16.5.0",
+    "globals": "^17.0.0",
     "globby": "^16.1.0",
     "jsdom": "27.4.0",
     "lightningcss": "^1.30.2",
@@ -122,7 +125,7 @@
     "stylelint": "^16.26.1",
     "stylelint-config-html": "^1.1.0",
     "stylelint-config-recommended": "^17.0.0",
-    "stylelint-order": "^7.0.0",
+    "stylelint-order": "^7.0.1",
     "svelte-check": "^4.3.5",
     "svelte-eslint-parser": "^1.4.1",
     "svelte-preprocess": "^6.0.3",
@@ -137,7 +140,8 @@
     "cookie": "^1.0.0",
     "glob": "^11.1.0",
     "js-yaml": "^4.1.1",
-    "tar": ">=7.5.2",
-    "tmp": ">=0.2.4"
+    "qs": "^6.14.1",
+    "tar": "^7.5.2",
+    "tmp": "^0.2.4"
   }
 }

package/src/routes/posts/+page.svelte

@@ -45,13 +45,6 @@ This file is part of Network Pro.
   });
 </script>
 
-<svelte:head>
-  <a
-    rel="me"
-    href="https://noc.social/@neteng_pro"
-    aria-label="Mastodon profile"></a>
-</svelte:head>
-
 {#if show && target}
   <RedirectPage to={target} rel={PAGE.REL} />
 {:else}

package/static/.well-known/security.txt

@@ -9,4 +9,4 @@ Canonical: https://netwk.pro/.well-known/security.txt
 Signature: https://netwk.pro/.well-known/security.txt.sig
 # This file is authenticated using a detached GPG signature:
 # https://netwk.pro/.well-known/security.txt.sig
-Expires: 2025-12-31T23:59:59Z
+Expires: 2026-12-31T23:59:59Z

package/static/.well-known/security.txt.asc

@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+
+iHUEARYKAB0WIQS3/h1ObKs+cUqf325Iy3KQwA0NpQUCaVpH3AAKCRBIy3KQwA0N
+paX5AQDUKoVbYdfuhOuE6d3f9LOzJaClIpLlit0fyWd1TKqNmAEAgRpH8Z22O4vf
+K6gOVLSo5QngPPXqN7kQCcN8oeydzg8=
+=WWvf
+-----END PGP SIGNATURE-----

package/static/sitemap.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Sitemap last updated 2025-12-27 -->
+<!-- Sitemap last updated 2026-01-01 -->
 
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 
@@ -7,7 +7,7 @@
 
     <loc>https://netwk.pro</loc>
 
-    <lastmod>2025-12-25</lastmod>
+    <lastmod>2026-01-01</lastmod>
 
     <changefreq>weekly</changefreq>
 

package/.svelte-kit/tsconfig.json

@@ -1,52 +0,0 @@
-{
-	"compilerOptions": {
-		"paths": {
-			"$lib": [
-				"../src/lib"
-			],
-			"$lib/*": [
-				"../src/lib/*"
-			],
-			"$app/types": [
-				"./types/index.d.ts"
-			]
-		},
-		"rootDirs": [
-			"..",
-			"./types"
-		],
-		"verbatimModuleSyntax": true,
-		"isolatedModules": true,
-		"lib": [
-			"esnext",
-			"DOM",
-			"DOM.Iterable"
-		],
-		"moduleResolution": "bundler",
-		"module": "esnext",
-		"noEmit": true,
-		"target": "esnext"
-	},
-	"include": [
-		"ambient.d.ts",
-		"non-ambient.d.ts",
-		"./types/**/$types.d.ts",
-		"../vite.config.js",
-		"../vite.config.ts",
-		"../src/**/*.js",
-		"../src/**/*.ts",
-		"../src/**/*.svelte",
-		"../tests/**/*.js",
-		"../tests/**/*.ts",
-		"../tests/**/*.svelte"
-	],
-	"exclude": [
-		"../node_modules/**",
-		"../src/service-worker.js",
-		"../src/service-worker/**/*.js",
-		"../src/service-worker.ts",
-		"../src/service-worker/**/*.ts",
-		"../src/service-worker.d.ts",
-		"../src/service-worker/**/*.d.ts"
-	]
-}

package/static/.well-known/security.txt.sig

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iIwEABYKADQWIQS3/h1ObKs+cUqf325Iy3KQwA0NpQUCaEyxUhYcc2VjdXJpdHlA
-cy5uZXRlbmcucHJvAAoJEEjLcpDADQ2lPAgA/0rNLm+HpBmlYn2ETD0jyX7jDdPB
-YSX2AifNCEV+AW63AQDTyKq0E0sw45eOjqZnLCxByuRWcNwj8wazWR1p+2ptDw==
-=ybGE
------END PGP SIGNATURE-----