Commit graph

22 commits

Author SHA1 Message Date
SamTV12345
0b0883c02b chore: allow installs on release 2026-05-06 23:19:07 +02:00
John McLear
958590d1c8
chore(docker): clear most CVEs in published image (npm/pnpm/uuid + drop curl) (#7674)
* chore(docker): clear most CVEs in published image — npm/pnpm/uuid + drop curl

Cuts published-image vulnerabilities from 18 (4H/13M/1L) across 8 packages
to 12 (2H/9M/1L) across 3 packages. The remaining three (curl/libcurl,
git, busybox) are all upstream Alpine 3.23 packages with "not fixed"
status — libcurl is pulled in transitively by git and cannot be
removed independently.

Changes:

- Provision pnpm via corepack instead of `npm install -g pnpm`, then
  remove the bundled npm. The base image's npm@10.9.7 ships old
  transitives (picomatch 4.0.3 → CVE-2026-33671/33672, brace-expansion
  2.0.2 → CVE-2026-33750) that we don't otherwise need at runtime;
  corepack handles pnpm directly without npm. Fixes 1H + 1M.

- Bump PnpmVersion 10.28.2 → 10.33.2 to align with the rest of the
  workflow and pull in pnpm's patched bundled brace-expansion (5.0.5
  vs 5.0.4). Fixes 1M.

- Add `uuid@<14.0.0` → `>=14.0.0` to pnpm.overrides
  (GHSA-w5hq-g745-h8pq). Fixes 1M.

- Drop `curl` from the runtime apk add list and switch HEALTHCHECK to
  wget (busybox built-in). curl was only invoked by the healthcheck and
  by dev/CI scripts that don't run in the container. Removes the curl
  CLI binary; libcurl remains as a git transitive dep, so the
  `apk/alpine/curl` advisories scout reports against libcurl persist
  but aren't reachable from any code we ship. As a side-effect this
  also clears nghttp2 (CVE-2026-27135) which was a curl-CLI dep.

- Switch HEALTHCHECK URL from `localhost` to `127.0.0.1` — alpine/musl
  resolves localhost to ::1 first and Etherpad only binds IPv4.

Verified locally: docker build → docker run → healthy → docker scout
cves shows 12 CVEs / 3 packages.

* fix(docker): refresh corepack before preparing pnpm (Qodo)

Node 22's bundled corepack ships a stale signing-key list and can reject
newer pnpm releases (nodejs/corepack#612), which would fail the image
build at `corepack prepare`. Mirror the snap/snapcraft.yaml workaround:
`npm install -g corepack@latest` before activating pnpm, in both
adminbuild and build stages. npm is still removed afterwards.

* docs(changelog): note docker image dropping curl/npm/npx (Qodo)

Address Qodo's "backwards-incompatible change without mitigation" rule
violations by documenting the removal in the 2.7.3 breaking-changes
section. Operators who exec into the container can apk add curl on
demand or use the busybox wget / pnpm already present.

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

* chore: pnpm

---------

Co-authored-by: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
2026-05-06 22:00:13 +02:00
SamTV12345
a05bb7d7b3
chore: added release notes for 2.7.1 (#7604)
* chore: added release notes for 2.7.1

* chore: don't cache node_modules due to cas
2026-04-26 11:30:43 +02:00
dependabot[bot]
00dc6dba89
build(deps): bump reitzig/actions-asciidoctor from 2.0.3 to 2.0.4 (#7370)
Bumps [reitzig/actions-asciidoctor](https://github.com/reitzig/actions-asciidoctor) from 2.0.3 to 2.0.4.
- [Release notes](https://github.com/reitzig/actions-asciidoctor/releases)
- [Changelog](https://github.com/reitzig/actions-asciidoctor/blob/master/CHANGELOG.md)
- [Commits](https://github.com/reitzig/actions-asciidoctor/compare/v2.0.3...v2.0.4)

---
updated-dependencies:
- dependency-name: reitzig/actions-asciidoctor
  dependency-version: 2.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-03-16 16:34:06 +00:00
dependabot[bot]
530987573f
build(deps): bump reitzig/actions-asciidoctor from 2.0.2 to 2.0.3 (#7319)
Bumps [reitzig/actions-asciidoctor](https://github.com/reitzig/actions-asciidoctor) from 2.0.2 to 2.0.3.
- [Release notes](https://github.com/reitzig/actions-asciidoctor/releases)
- [Changelog](https://github.com/reitzig/actions-asciidoctor/blob/master/CHANGELOG.md)
- [Commits](https://github.com/reitzig/actions-asciidoctor/compare/v2.0.2...v2.0.3)

---
updated-dependencies:
- dependency-name: reitzig/actions-asciidoctor
  dependency-version: 2.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-02-15 19:59:43 +01:00
dependabot[bot]
5306df6bae
build(deps): bump actions/cache from 4 to 5 (#7264)
Bumps [actions/cache](https://github.com/actions/cache) from 4 to 5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-19 21:24:15 +01:00
dependabot[bot]
4f469d666c
build(deps): bump actions/checkout from 5 to 6 (#7233)
Bumps [actions/checkout](https://github.com/actions/checkout) from 5 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-30 20:31:22 +01:00
SamTV12345
1268e9b352 chore: install deps for release 2025-10-08 22:55:53 +02:00
SamTV12345
d5a23d5347
chore: use gnpm (#7156)
* chore: use gnpm

* chore: fixed pnpm

* chore: fixed gnpm

* chore: fixed jq

* chore: use 0.0.7

* chore: use flag for building

* chore: fixed all backend tests

* chore: continue with porting things

* chore: fixed path

* chore: fixed backend tests

* chore: upgraded all to gnpm

* chore: updated to gnpm 0.0.9

* chore: echo current env with debug logs

* chore: install with frozen lockfile

* chore: use 0.0.10

* chore: use 0.0.11

* chore: use 0.0.12 globally

* chore: reworked handleRelease workflow to be up to date and depend on other workflows
2025-10-05 22:56:14 +02:00
dependabot[bot]
2da679a531
build(deps): bump actions/setup-node from 4 to 5 (#7114)
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 5.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-09-08 19:25:00 +02:00
SamTV12345
27e4f7290a
Potential fix for code scanning alert no. 107: Workflow does not contain permissions (#7091)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2025-08-24 23:24:20 +02:00
dependabot[bot]
c1d214300d
build(deps): bump actions/checkout from 4 to 5 (#7067)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-08-12 21:21:29 +02:00
SamTV12345
283bf8e407 chore: use asciidoctor 2025-08-02 13:45:17 +02:00
SamTV12345
71e2678a92 chore: set git config 2025-08-02 13:39:46 +02:00
SamTV12345
bf1792e441 chore: change working directory 2025-08-02 13:37:56 +02:00
SamTV12345
2bfcbca58c chore: disabled other actions 2025-08-02 13:37:12 +02:00
SamTV12345
a9b578e111 chore: check out every branch 2025-08-02 13:33:19 +02:00
SamTV12345
8c1e86321b chore: check out origin/master 2025-08-02 12:16:02 +02:00
SamTV12345
bb7c735956 chore: also check out master 2025-08-02 12:12:58 +02:00
SamTV12345
4e8bb72381 chore: fixed cd bin 2025-08-02 12:04:39 +02:00
SamTV12345
d831ab7d74 chore: use dispatch 2025-08-02 12:00:39 +02:00
SamTV12345
2d9a8914b9 chore: added release.yml 2025-08-02 11:58:32 +02:00