
fix: pin fast-uri@3.1.2 to mitigate GHSA host-confusion/path-traversal#65

Open
luisdlopera wants to merge 18 commits into main from fix/fast-uri-3.1.2


Conversation

@luisdlopera (Owner)

This PR forces fast-uri@3.1.2 via package overrides and pins a devDependency to ensure transitive dependencies (ajv) use the patched version. This mitigates GHSA alerts for host confusion and path traversal caused by percent-encoded inputs.

Actions taken:
- Added overrides.fast-uri = "3.1.2" to back/package.json
- Added fast-uri@3.1.2 to back devDependencies (temporary pin to ensure lockfile reflects secure version)
- Ran npm install to regenerate lockfile and ensure fast-uri@3.1.2 is used (deduped)

Please run CI and verify tests. After PR merge we can remove the direct devDependency and keep the override if desired.

- JWT_SECRET now requires explicit configuration in .env
- Container will fail to start if JWT_SECRET is not set
- Prevents accidental use of predictable secrets in production

Made-with: Cursor
- STORAGE_ACCESS_KEY and STORAGE_SECRET_KEY no longer have default values
- Application will fail on startup if storage credentials are not configured
- Prevents accidental use of known credentials (minioadmin/minioadmin)

Made-with: Cursor
- Webhook signature verification is now always required
- Eliminates risk of processing unverified webhooks in production
- MP_WEBHOOK_SECRET must be properly configured

Made-with: Cursor
- Localhost fallback only applies in non-production environments
- Production requires explicit CORS_ORIGIN configuration
- Prevents potential CSRF attacks from local malicious apps

Made-with: Cursor
- TRUST_PROXY_ENABLED now defaults to false regardless of environment
- Prevents IP spoofing attacks when no trusted proxy is configured
- Must be explicitly enabled only when behind a trusted proxy

Made-with: Cursor
- Create shared auth.utils.ts with common functions:
  - normalizeEmail, hashValue, getFrontendBaseUrl
  - getPasswordResetTtlMs, getEmailVerificationTtlMs
  - getDisposableDomains
- Update RegisterUseCase to use shared utilities
- Eliminates code duplication between AuthService and RegisterUseCase

Made-with: Cursor
- Change frontend from tabs (width 4) to spaces (width 2)
- Matches backend configuration for consistency
- Keeps Tailwind-specific plugins for frontend

Made-with: Cursor
- Change backend from 'off' to 'warn' to match frontend
- Provides consistency across the monorepo
- Encourages gradual removal of explicit any types

Made-with: Cursor
- Add centralized constants in config/constants.ts
- Update products/create/page.tsx to use shared constants
- Eliminates duplication across admin pages
- Ensures consistent labels (Hombre vs Hombres)

Made-with: Cursor
- Remove duplicate eslint:format and prettier:format scripts
- Rename prettier:check to format:check for consistency
- Add lint:fix as clearer alternative to eslint:format
- Simplifies script names and removes confusion

Made-with: Cursor
- Create useAdminProducts hook for state management
- Create useProductMutations hook for data mutations
- Extract ProductFilters component
- Extract ProductFormModal component
- Reduce page.tsx from 1048 to ~200 lines
- Add barrel exports for hooks and components

Made-with: Cursor
- Add Express type extensions for requestId and user properties
- Replace any types in audit.interceptor with specific types
- Remove casting in http-exception.filter using extended types
- Remove casting in advanced-throttler.guard using extended types
- Add explicit types to inventory reduce/map operations

Made-with: Cursor
- Configure @/*, @shared/*, and @modules/* path aliases in tsconfig.json
- Install tsconfig-paths for development support
- Install tsc-alias for production build resolution
- Update build script to use tsc-alias for alias resolution

Made-with: Cursor
- Create barrel export for shared domain (errors, utils)
- Create main shared barrel export
- Create barrel export for auth module
- Simplifies imports across the codebase

Made-with: Cursor
- Remove AuthService (370 lines, 26 methods) and auth.service.spec.ts
- Create 9 new use-cases:
  * LogoutUseCase
  * VerifyEmailUseCase
  * ResendVerificationUseCase
  * ForgotPasswordUseCase
  * ResetPasswordUseCase
  * EnrollMfaUseCase
  * VerifyMfaUseCase
  * DisableMfaUseCase
  * GetMeUseCase
- Add barrel export for all use-cases (index.ts)
- Update AuthController to use use-cases directly (12 use-cases injected)
- Update AuthModule to provide use-cases instead of AuthService
- Update auth/index.ts barrel export

Now all auth operations follow the same pattern as other modules
(payments, products, inventory) with direct use-case usage.

Made-with: Cursor
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

…t modules, refactor DataTable, add warehouses & inventory transfer