chore: security patch for the dependency chain v2026.1.0 (#5786)

Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
Mir Arif Hasan
2026-01-21 23:55:40 +06:00
committed by GitHub
parent 69c7c2d9ad
commit 4f13549ed2
18 changed files with 2779 additions and 1897 deletions


@@ -67,8 +67,8 @@ services:
target: app
env_file:
- ./.env
# depends_on:
# - hoppscotch-backend
depends_on:
- hoppscotch-backend
ports:
- "3080:80"
- "3000:3000"
@@ -86,8 +86,8 @@ services:
target: sh_admin
env_file:
- ./.env
# depends_on:
# - hoppscotch-backend
depends_on:
- hoppscotch-backend
ports:
- "3280:80"
- "3100:3100"
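Review bot: Re-enabling `depends_on: - hoppscotch-backend` in both service blocks changes start-up behaviour rather than a dependency version, so it deserves its own line in the commit description. In the short list form used here Compose only waits for the backend container to be started, not for it to accept connections. If the two frontends are meant to wait for a ready backend, the long form with `condition: service_healthy` plus a healthcheck on the backend service expresses that. Both service definitions start and end outside these hunks, so whether such a healthcheck already exists cannot be seen from here.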


@@ -5,7 +5,7 @@
"author": "Hoppscotch (support@hoppscotch.io)",
"private": true,
"license": "MIT",
"packageManager": "pnpm@10.23.0",
"packageManager": "pnpm@10.28.1",
"scripts": {
"preinstall": "npx only-allow pnpm",
"prepare": "husky",
@@ -25,7 +25,7 @@
],
"devDependencies": {
"@commitlint/cli": "20.2.0",
"@commitlint/config-conventional": "20.2.0",
"@commitlint/config-conventional": "20.3.1",
"@hoppscotch/ui": "0.2.5",
"@types/node": "24.10.1",
"cross-env": "10.1.0",
@@ -40,12 +40,14 @@
"body-parser": "2.2.1",
"cross-spawn": "7.0.6",
"execa@0.10.0": "2.0.0",
"jws@<3.2.3": "3.2.3",
"nodemailer@<7.0.11": "7.0.11",
"glob@<11.1.0": "11.1.0",
"subscriptions-transport-ws>ws": "7.5.10",
"vue": "3.5.26",
"form-data": "4.0.4",
"glob@<11.1.0": "11.1.0",
"hono@4.10.6": "4.11.4",
"jws@<3.2.3": "3.2.3",
"nodemailer@<7.0.12": "7.0.12",
"qs@6.14.0": "6.14.1",
"subscriptions-transport-ws>ws": "7.5.10",
"vue": "3.5.27",
"ws": "8.17.1"
},
"onlyBuiltDependencies": [
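Review bot: The two new override entries `"hono@4.10.6": "4.11.4"` and `"qs@6.14.0": "6.14.1"` each match one exact resolved version, unlike the neighbouring range selectors (`"jws@<3.2.3"`, `"nodemailer@<7.0.12"`), so any other affected hono or qs version in the tree stays where it is. One visible case is the package.json section that also bumps prettier and vitest: it moves `"qs"` to `"6.14.1"` in one hunk but keeps `"qs": "6.11.2"` in the next, and the exact selector does not cover that entry. If these overrides are the security fix, range selectors such as `"hono@<4.11.4": "4.11.4"` and `"qs@<6.14.1": "6.14.1"` would match the rest of the block, provided no dependent needs an older major. The key that encloses this block is outside the hunk, and the commit description does not name the advisory behind either new entry.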


@@ -25,7 +25,7 @@
"@lezer/generator": "1.8.0",
"@rollup/plugin-typescript": "12.1.4",
"mocha": "11.7.5",
"rollup": "4.53.5",
"rollup": "4.55.3",
"typescript": "5.9.3"
}
}


@@ -24,21 +24,21 @@
"axios": "1.13.2",
"fp-ts": "2.16.11",
"lodash-es": "4.17.22",
"vue": "3.5.26"
"vue": "3.5.27"
},
"devDependencies": {
"@iconify-json/lucide": "1.2.81",
"@iconify-json/lucide": "1.2.86",
"@tauri-apps/cli": "2.9.3",
"@types/lodash-es": "4.17.12",
"@types/node": "24.10.1",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"@vitejs/plugin-vue": "6.0.3",
"@vue/eslint-config-typescript": "14.6.0",
"autoprefixer": "10.4.23",
"cross-env": "10.1.0",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.6.2",
"globals": "16.5.0",
"postcss": "8.5.6",
@@ -46,7 +46,7 @@
"typescript": "5.9.3",
"unplugin-icons": "22.5.0",
"unplugin-vue-components": "30.0.0",
"vite": "7.3.0",
"vite": "7.3.1",
"vue-tsc": "2.2.0"
}
}


@@ -35,15 +35,15 @@
"@as-integrations/express5": "1.1.2",
"@nestjs-modules/mailer": "2.0.2",
"@nestjs/apollo": "13.2.3",
"@nestjs/common": "11.1.9",
"@nestjs/common": "11.1.12",
"@nestjs/config": "4.0.2",
"@nestjs/core": "11.1.9",
"@nestjs/core": "11.1.12",
"@nestjs/graphql": "13.2.3",
"@nestjs/jwt": "11.0.2",
"@nestjs/passport": "11.0.0",
"@nestjs/platform-express": "11.1.9",
"@nestjs/platform-express": "11.1.12",
"@nestjs/schedule": "6.1.0",
"@nestjs/swagger": "11.2.3",
"@nestjs/swagger": "11.2.5",
"@nestjs/terminus": "11.0.0",
"@nestjs/throttler": "6.5.0",
"@prisma/adapter-pg": "7.2.0",
@@ -65,15 +65,15 @@
"handlebars": "4.7.8",
"io-ts": "2.2.22",
"morgan": "1.10.1",
"nodemailer": "7.0.11",
"nodemailer": "7.0.12",
"passport": "0.7.0",
"passport-github2": "0.1.12",
"passport-google-oauth20": "2.0.0",
"passport-jwt": "4.0.1",
"passport-local": "1.0.0",
"passport-microsoft": "2.1.0",
"pg": "8.16.3",
"posthog-node": "5.17.4",
"pg": "8.17.1",
"posthog-node": "5.23.0",
"prisma": "7.2.0",
"reflect-metadata": "0.2.2",
"rimraf": "6.1.2",
@@ -82,34 +82,34 @@
"devDependencies": {
"@eslint/eslintrc": "3.3.3",
"@eslint/js": "9.39.2",
"@nestjs/cli": "11.0.14",
"@nestjs/cli": "11.0.16",
"@nestjs/schematics": "11.0.9",
"@nestjs/testing": "11.1.9",
"@nestjs/testing": "11.1.12",
"@relmify/jest-fp-ts": "2.1.1",
"@types/bcrypt": "6.0.0",
"@types/cookie-parser": "1.4.10",
"@types/express": "5.0.6",
"@types/jest": "30.0.0",
"@types/node": "25.0.3",
"@types/nodemailer": "7.0.4",
"@types/node": "25.0.9",
"@types/nodemailer": "7.0.5",
"@types/passport-github2": "1.2.9",
"@types/passport-google-oauth20": "2.0.17",
"@types/passport-jwt": "4.0.1",
"@types/passport-microsoft": "2.1.1",
"@types/pg": "8.16.0",
"@types/supertest": "6.0.3",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"cross-env": "10.1.0",
"eslint": "9.39.2",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.4",
"globals": "16.5.0",
"eslint-plugin-prettier": "5.5.5",
"globals": "17.0.0",
"jest": "30.2.0",
"jest-mock-extended": "4.0.0",
"prettier": "3.7.4",
"prettier": "3.8.0",
"source-map-support": "0.5.21",
"supertest": "7.1.4",
"supertest": "7.2.2",
"ts-jest": "29.4.6",
"ts-loader": "9.5.4",
"ts-node": "10.9.2",


@@ -51,7 +51,7 @@
"jsonc-parser": "3.3.1",
"lodash-es": "4.17.22",
"papaparse": "5.5.3",
"qs": "6.14.0",
"qs": "6.14.1",
"tough-cookie": "6.0.0",
"verzod": "0.4.0",
"xmlbuilder2": "4.0.3",
@@ -65,11 +65,11 @@
"@types/papaparse": "5.5.2",
"@types/qs": "6.14.0",
"fp-ts": "2.16.11",
"prettier": "3.7.4",
"prettier": "3.8.0",
"qs": "6.11.2",
"semver": "7.7.3",
"tsup": "8.5.1",
"typescript": "5.9.3",
"vitest": "4.0.16"
"vitest": "4.0.17"
}
}


@@ -52,7 +52,7 @@
"@types/hawk": "9.0.7",
"@types/markdown-it": "14.1.2",
"@types/node": "24.10.1",
"@unhead/vue": "2.0.19",
"@unhead/vue": "2.1.2",
"@urql/core": "6.0.1",
"@urql/devtools": "2.0.3",
"@urql/exchange-auth": "3.0.0",
@@ -90,9 +90,9 @@
"path": "0.12.7",
"postman-collection": "5.2.0",
"process": "0.11.10",
"qs": "6.14.0",
"qs": "6.14.1",
"quicktype-core": "23.2.6",
"rollup": "4.53.5",
"rollup": "4.55.3",
"rxjs": "7.8.2",
"set-cookie-parser": "2.7.2",
"set-cookie-parser-es": "1.0.5",
@@ -111,8 +111,8 @@
"util": "0.12.5",
"uuid": "13.0.0",
"verzod": "0.4.0",
"vue": "3.5.26",
"vue-i18n": "11.2.2",
"vue": "3.5.27",
"vue-i18n": "11.2.8",
"vue-json-pretty": "2.6.0",
"vue-pdf-embed": "2.1.3",
"vue-router": "4.6.4",
@@ -130,14 +130,14 @@
"@eslint/eslintrc": "3.3.3",
"@eslint/js": "9.39.2",
"@graphql-codegen/add": "6.0.0",
"@graphql-codegen/cli": "6.1.0",
"@graphql-codegen/cli": "6.1.1",
"@graphql-codegen/typed-document-node": "6.1.5",
"@graphql-codegen/typescript": "5.0.7",
"@graphql-codegen/typescript-operations": "5.0.7",
"@graphql-codegen/typescript-urql-graphcache": "3.1.1",
"@graphql-codegen/urql-introspection": "3.0.1",
"@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.81",
"@iconify-json/lucide": "1.2.86",
"@import-meta-env/cli": "0.7.4",
"@intlify/unplugin-vue-i18n": "11.0.3",
"@relmify/jest-fp-ts": "2.1.1",
@@ -151,35 +151,35 @@
"@types/qs": "6.14.0",
"@types/splitpanes": "2.2.6",
"@types/yargs-parser": "21.0.3",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"@vitejs/plugin-vue": "6.0.3",
"@vue/compiler-sfc": "3.5.26",
"@vue/compiler-sfc": "3.5.27",
"@vue/eslint-config-typescript": "14.6.0",
"@vue/runtime-core": "3.5.26",
"@vue/runtime-core": "3.5.27",
"autoprefixer": "10.4.23",
"cross-env": "10.1.0",
"dotenv": "17.2.3",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.6.2",
"glob": "13.0.0",
"globals": "16.5.0",
"jsdom": "27.3.0",
"jsdom": "27.4.0",
"npm-run-all": "4.1.5",
"openapi-types": "12.1.3",
"postcss": "8.5.6",
"prettier": "3.7.4",
"prettier": "3.8.0",
"prettier-plugin-tailwindcss": "0.7.1",
"rollup-plugin-polyfill-node": "0.13.0",
"sass": "1.97.0",
"sass": "1.97.2",
"tailwindcss": "3.4.16",
"tsup": "8.5.1",
"typescript": "5.9.3",
"unplugin-fonts": "1.4.0",
"unplugin-icons": "22.5.0",
"unplugin-vue-components": "30.0.0",
"vite": "7.3.0",
"vite": "7.3.1",
"vite-plugin-checker": "0.11.0",
"vite-plugin-fonts": "0.7.0",
"vite-plugin-html-config": "2.0.2",
@@ -187,7 +187,7 @@
"vite-plugin-pages-sitemap": "1.7.1",
"vite-plugin-pwa": "1.2.0",
"vite-plugin-vue-layouts": "0.11.0",
"vitest": "4.0.16",
"vitest": "4.0.17",
"vue-tsc": "1.8.8"
}
}


@@ -35,9 +35,9 @@
},
"homepage": "https://github.com/hoppscotch/hoppscotch#readme",
"devDependencies": {
"@types/lodash": "4.17.21",
"@types/lodash": "4.17.23",
"typescript": "5.9.3",
"vite": "7.3.0"
"vite": "7.3.1"
},
"dependencies": {
"fp-ts": "2.16.11",


@@ -23,7 +23,7 @@
},
"dependencies": {
"@fontsource-variable/inter": "5.2.8",
"@fontsource-variable/material-symbols-rounded": "5.2.30",
"@fontsource-variable/material-symbols-rounded": "5.2.32",
"@fontsource-variable/roboto-mono": "5.2.8",
"@hoppscotch/common": "workspace:^",
"@hoppscotch/kernel": "workspace:^",
@@ -37,7 +37,7 @@
"@tauri-apps/plugin-updater": "2.9.0",
"fp-ts": "2.16.11",
"rxjs": "7.8.2",
"vue": "3.5.26",
"vue": "3.5.27",
"vue-router": "4.6.4",
"vue-tippy": "6.7.1",
"zod": "3.25.32"
@@ -45,25 +45,25 @@
"devDependencies": {
"@eslint/eslintrc": "3.3.3",
"@eslint/js": "9.39.2",
"@iconify-json/lucide": "1.2.81",
"@iconify-json/lucide": "1.2.86",
"@rushstack/eslint-patch": "1.15.0",
"@tauri-apps/cli": "2.9.3",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"@vitejs/plugin-vue": "6.0.3",
"@vue/eslint-config-typescript": "14.6.0",
"autoprefixer": "10.4.23",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.6.2",
"globals": "16.5.0",
"postcss": "8.5.6",
"sass": "1.97.0",
"sass": "1.97.2",
"tailwindcss": "3.4.16",
"typescript": "5.9.3",
"unplugin-icons": "22.5.0",
"unplugin-vue-components": "30.0.0",
"vite": "7.3.0",
"vite": "7.3.1",
"vue-tsc": "2.2.0"
}
}


@@ -17,6 +17,6 @@
"@sveltejs/vite-plugin-svelte": "^1.0.1",
"@tauri-apps/cli": "^2.0.0-alpha.17",
"svelte": "^3.49.0",
"vite": "^7.3.0"
"vite": "^7.3.1"
}
}


@@ -26,7 +26,7 @@
},
"devDependencies": {
"@rollup/plugin-typescript": "^12.3.0",
"rollup": "^4.53.5",
"rollup": "^4.55.3",
"tslib": "^2.6.2",
"typescript": "5.9.3"
}


@@ -26,7 +26,7 @@
},
"devDependencies": {
"@rollup/plugin-typescript": "^12.3.0",
"rollup": "^4.53.5",
"rollup": "^4.55.3",
"tslib": "^2.6.2",
"typescript": "5.9.3"
}


@@ -52,7 +52,7 @@
"dependencies": {
"@hoppscotch/data": "workspace:^",
"@types/lodash-es": "4.17.12",
"chai": "6.2.1",
"chai": "6.2.2",
"faraday-cage": "0.1.0",
"fp-ts": "2.16.11",
"lodash": "4.17.21",
@@ -60,24 +60,24 @@
},
"devDependencies": {
"@digitak/esrun": "3.2.26",
"@eslint/eslintrc": "3.3.3",
"@eslint/js": "9.39.2",
"@relmify/jest-fp-ts": "2.1.1",
"@types/chai": "5.2.3",
"@types/jest": "30.0.0",
"@types/lodash": "4.17.21",
"@types/lodash": "4.17.23",
"@types/node": "24.10.1",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@eslint/eslintrc": "3.3.3",
"@eslint/js": "9.39.2",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"eslint": "9.39.2",
"globals": "16.5.0",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-prettier": "5.5.5",
"globals": "16.5.0",
"io-ts": "2.2.22",
"prettier": "3.7.4",
"prettier": "3.8.0",
"typescript": "5.9.3",
"vite": "7.3.0",
"vitest": "4.0.16"
"vite": "7.3.1",
"vitest": "4.0.17"
},
"peerDependencies": {
"isolated-vm": "6.0.2"


@@ -41,13 +41,13 @@
"devDependencies": {
"@eslint/js": "9.39.2",
"@types/node": "24.9.1",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-prettier": "5.5.5",
"globals": "16.5.0",
"typescript": "5.9.3",
"vite": "7.3.0"
"vite": "7.3.1"
},
"peerDependencies": {
"@tauri-apps/api": "2.1.1"


@@ -24,7 +24,7 @@
},
"dependencies": {
"@fontsource-variable/inter": "5.2.8",
"@fontsource-variable/material-symbols-rounded": "5.2.30",
"@fontsource-variable/material-symbols-rounded": "5.2.32",
"@fontsource-variable/roboto-mono": "5.2.8",
"@hoppscotch/common": "workspace:^",
"@hoppscotch/data": "workspace:^",
@@ -46,7 +46,7 @@
"stream-browserify": "3.0.0",
"util": "0.12.5",
"verzod": "0.4.0",
"vue": "3.5.26",
"vue": "3.5.27",
"workbox-window": "7.4.0",
"zod": "3.25.32"
},
@@ -54,18 +54,18 @@
"@eslint/eslintrc": "3.3.3",
"@eslint/js": "9.39.2",
"@graphql-codegen/add": "6.0.0",
"@graphql-codegen/cli": "6.1.0",
"@graphql-codegen/cli": "6.1.1",
"@graphql-codegen/typed-document-node": "6.1.5",
"@graphql-codegen/typescript": "5.0.7",
"@graphql-codegen/typescript-operations": "5.0.7",
"@graphql-codegen/typescript-urql-graphcache": "3.1.1",
"@graphql-codegen/urql-introspection": "3.0.1",
"@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.81",
"@iconify-json/lucide": "1.2.86",
"@intlify/unplugin-vue-i18n": "11.0.3",
"@rushstack/eslint-patch": "1.15.0",
"@typescript-eslint/eslint-plugin": "8.50.0",
"@typescript-eslint/parser": "8.50.0",
"@typescript-eslint/eslint-plugin": "8.53.1",
"@typescript-eslint/parser": "8.53.1",
"@vitejs/plugin-legacy": "7.2.1",
"@vitejs/plugin-vue": "6.0.3",
"@vue/eslint-config-typescript": "14.6.0",
@@ -73,7 +73,7 @@
"cross-env": "10.1.0",
"dotenv": "17.2.3",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.6.2",
"globals": "16.5.0",
"npm-run-all": "4.1.5",
@@ -84,14 +84,14 @@
"unplugin-fonts": "1.4.0",
"unplugin-icons": "22.5.0",
"unplugin-vue-components": "30.0.0",
"vite": "7.3.0",
"vite": "7.3.1",
"vite-plugin-fonts": "0.7.0",
"vite-plugin-html-config": "2.0.2",
"vite-plugin-inspect": "11.3.3",
"vite-plugin-pages": "0.33.2",
"vite-plugin-pages-sitemap": "1.7.1",
"vite-plugin-pwa": "1.2.0",
"vite-plugin-static-copy": "3.1.4",
"vite-plugin-static-copy": "3.1.5",
"vite-plugin-vue-layouts": "0.11.0",
"vue-tsc": "2.1.6"
}


@@ -14,7 +14,7 @@
},
"dependencies": {
"@fontsource-variable/inter": "5.2.8",
"@fontsource-variable/material-symbols-rounded": "5.2.30",
"@fontsource-variable/material-symbols-rounded": "5.2.32",
"@fontsource-variable/roboto-mono": "5.2.8",
"@graphql-typed-document-node/core": "3.2.0",
"@hoppscotch/ui": "0.2.5",
@@ -39,13 +39,13 @@
"ts-node-dev": "2.0.0",
"unplugin-icons": "22.5.0",
"unplugin-vue-components": "30.0.0",
"vue": "3.5.26",
"vue-i18n": "11.2.2",
"vue": "3.5.27",
"vue-i18n": "11.2.8",
"vue-router": "4.6.4",
"vue-tippy": "6.7.1"
},
"devDependencies": {
"@graphql-codegen/cli": "6.1.0",
"@graphql-codegen/cli": "6.1.1",
"@graphql-codegen/client-preset": "5.2.2",
"@graphql-codegen/introspection": "5.0.0",
"@graphql-codegen/typed-document-node": "6.1.5",
@@ -53,22 +53,22 @@
"@graphql-codegen/typescript-document-nodes": "5.0.7",
"@graphql-codegen/typescript-operations": "5.0.7",
"@graphql-codegen/urql-introspection": "3.0.1",
"@iconify-json/lucide": "1.2.81",
"@iconify-json/lucide": "1.2.86",
"@import-meta-env/cli": "0.7.4",
"@import-meta-env/unplugin": "0.6.3",
"@types/lodash-es": "4.17.12",
"@vitejs/plugin-vue": "6.0.3",
"@vue/compiler-sfc": "3.5.26",
"@vue/compiler-sfc": "3.5.27",
"autoprefixer": "10.4.23",
"dotenv": "17.2.3",
"graphql-tag": "2.12.6",
"hoppscotch-backend": "workspace:^",
"npm-run-all": "4.1.5",
"sass": "1.97.0",
"sass": "1.97.2",
"ts-node": "10.9.2",
"typescript": "5.9.3",
"unplugin-fonts": "1.4.0",
"vite": "7.3.0",
"vite": "7.3.1",
"vite-plugin-pages": "0.33.2",
"vite-plugin-vue-layouts": "0.11.0",
"vue-tsc": "2.1.6"

4441
pnpm-lock.yaml generated

File diff suppressed because it is too large Load Diff


@@ -1,7 +1,7 @@
# Base Go builder with Go lang installation
# This stage is used to build both Caddy and the webapp server,
# preventing vulnerable packages on the dependency chain
FROM alpine:3.23.0 AS go_builder
FROM alpine:3.23.2 AS go_builder
RUN apk add --no-cache curl git && \
mkdir -p /tmp/caddy-build && \
@@ -16,7 +16,7 @@ RUN expected="a9efa00c161922dd24650fd0bee2f4f8bb2fb69ff3e63dcc44f0694da64bb0cf"
# Install Go 1.25.4 from GitHub releases to fix CVE-2025-47907
ARG TARGETARCH
ENV GOLANG_VERSION=1.25.5
ENV GOLANG_VERSION=1.25.6
# Download and install Go from the official tarball
RUN case "${TARGETARCH}" in amd64) GOARCH=amd64 ;; arm64) GOARCH=arm64 ;; *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; esac && \
curl -fsSL "https://go.dev/dl/go${GOLANG_VERSION}.linux-${GOARCH}.tar.gz" -o go.tar.gz && \
@@ -61,16 +61,16 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o webapp-server .
# Shared Node.js base with optimized NPM installation
FROM alpine:3.23.0 AS node_base
FROM alpine:3.23.2 AS node_base
# Install dependencies
RUN apk add --no-cache nodejs curl bash tini ca-certificates
# Set working directory for NPM installation
RUN mkdir -p /tmp/npm-install
WORKDIR /tmp/npm-install
# Download NPM tarball
RUN curl -fsSL https://registry.npmjs.org/npm/-/npm-11.6.4.tgz -o npm.tgz
RUN curl -fsSL https://registry.npmjs.org/npm/-/npm-11.7.0.tgz -o npm.tgz
# Verify checksum
RUN expected="9c07edca12853cddbf4fed4e372485aa60c064f9bf3e4cd157a2db5518a1792b" \
RUN expected="292f142dc1a8c01199ba34a07e57cf016c260ea2c59b64f3eee8aaae7a2e7504" \
&& actual=$(sha256sum npm.tgz | cut -d' ' -f1) \
&& [ "$actual" = "$expected" ] \
&& echo "✅ NPM Tarball Checksum OK" \
@@ -78,15 +78,30 @@ RUN expected="9c07edca12853cddbf4fed4e372485aa60c064f9bf3e4cd157a2db5518a1792b"
# Install NPM from verified tarball and global packages
RUN tar -xzf npm.tgz && \
cd package && \
node bin/npm-cli.js install -g npm@11.6.4 && \
node bin/npm-cli.js install -g npm@11.7.0 && \
cd / && \
rm -rf /tmp/npm-install
RUN npm install -g pnpm@10.25.0 @import-meta-env/cli
RUN npm install -g pnpm@10.28.1 @import-meta-env/cli
# Fix CVE-2025-64756 by replacing vulnerable glob with patched version
RUN npm install -g glob@11.1.0 && \
# Fix CVE-2026-23745 by replacing vulnerable tar with patched version
# Fix GHSA-73rr-hh4g-fpgx replacing vulnerable diff with patched version
RUN npm install -g glob@11.1.0 tar@7.5.3 diff@8.0.3 && \
# Replace tar in npm's node_modules
rm -rf /usr/lib/node_modules/npm/node_modules/tar && \
cp -r /usr/lib/node_modules/tar /usr/lib/node_modules/npm/node_modules/ && \
# Replace tar in npm's node_modules
rm -rf /usr/lib/node_modules/npm/node_modules/diff && \
cp -r /usr/lib/node_modules/diff /usr/lib/node_modules/npm/node_modules/ && \
# Replace glob in @import-meta-env/cli's node_modules
rm -rf /usr/lib/node_modules/@import-meta-env/cli/node_modules/glob && \
cp -r /usr/lib/node_modules/glob /usr/lib/node_modules/@import-meta-env/cli/node_modules/
cp -r /usr/lib/node_modules/glob /usr/lib/node_modules/@import-meta-env/cli/node_modules/ && \
# Replace tar in @import-meta-env/cli's node_modules
rm -rf /usr/lib/node_modules/@import-meta-env/cli/node_modules/tar && \
cp -r /usr/lib/node_modules/tar /usr/lib/node_modules/@import-meta-env/cli/node_modules/ && \
# Replace diff in @import-meta-env/cli's node_modules
rm -rf /usr/lib/node_modules/@import-meta-env/cli/node_modules/diff && \
cp -r /usr/lib/node_modules/diff /usr/lib/node_modules/@import-meta-env/cli/node_modules/
FROM node_base AS base_builder
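Review bot: Nothing in the last hunk checks that the swapped-in glob, tar and diff copies are the versions that end up under npm and @import-meta-env/cli, or that npm still starts after its bundled tar and diff are replaced; a partial or failed swap would ship silently. A verification step after the replacements, sketched below, would make the build fail instead. The second `# Replace tar in npm's node_modules` comment sits above the diff commands and should read `# Replace diff in npm's node_modules`. On the line above, `@import-meta-env/cli` is still installed without a version while every other package in this hunk is pinned, and the three replacement packages are fetched without the checksum comparison the npm tarball gets. In the earlier Go hunk the comment still says `Install Go 1.25.4 from GitHub releases` although the version is now 1.25.6 and the download comes from go.dev.

```dockerfile
# … unchanged: npm install -g glob/tar/diff and the rm/cp replacements …

# Fail the build if a replacement did not land or npm no longer starts
RUN set -e; \
    for pkg in "glob 11.1.0" "tar 7.5.3" "diff 8.0.3"; do \
      set -- $pkg; \
      for root in /usr/lib/node_modules/npm /usr/lib/node_modules/@import-meta-env/cli; do \
        got=$(node -p "require('$root/node_modules/$1/package.json').version"); \
        [ "$got" = "$2" ] || { echo "$root: $1 is $got, expected $2"; exit 1; }; \
      done; \
    done; \
    npm --version
```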