From edf4900a6208ebb58a0c1d2a81e8e97eee848b6f Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sat, 28 Mar 2026 23:59:22 +0200 Subject: [PATCH 01/13] chore: switch CodeQL to advanced setup with path exclusions Exclude test fixtures (pre-built webpack bundles) and spec/dummy apps from CodeQL scanning. These generate false positive alerts for code that is not production source. Resolves 14 code scanning alerts. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/codeql/codeql-config.yml | 8 +++++++ .github/workflows/codeql.yml | 36 ++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 .github/codeql/codeql-config.yml create mode 100644 .github/workflows/codeql.yml diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml new file mode 100644 index 0000000000..730f80603a --- /dev/null +++ b/.github/codeql/codeql-config.yml @@ -0,0 +1,8 @@ +# Excludes directories that generate false positives: +# - tests/fixtures: pre-built webpack bundles checked in as test artifacts, not source code +# - spec/dummy: Rails test apps used for integration testing, not production code + +paths-ignore: + - 'packages/react-on-rails-pro-node-renderer/tests/fixtures/**' + - 'react_on_rails_pro/spec/dummy/**' + - 'react_on_rails/spec/dummy/**' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..e5a81e3420 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,36 @@ +name: CodeQL + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '0 6 * * 1' # Weekly Monday 6am UTC + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + strategy: + fail-fast: false + matrix: + language: ['javascript-typescript', 'ruby'] + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config.yml + + - name: Autobuild + uses: github/codeql-action/autobuild@v4 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 From 60cbb72716e2c5712ae3fcb7ca94a8e66d7b54af Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 00:02:15 +0200 Subject: [PATCH 02/13] chore: add workflow-level permissions to all CI workflows Add explicit permissions: { contents: read } to every workflow that lacked a top-level permissions block. Follows GitHub's principle of least privilege for GITHUB_TOKEN. Resolves 22 code scanning alerts. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/actionlint.yml | 3 +++ .github/workflows/bundle-size.yml | 3 +++ .github/workflows/check-markdown-links.yml | 3 +++ .github/workflows/examples.yml | 3 +++ .github/workflows/gem-tests.yml | 3 +++ .github/workflows/integration-tests.yml | 3 +++ .github/workflows/lint-js-and-ruby.yml | 3 +++ .github/workflows/package-js-tests.yml | 3 +++ .github/workflows/playwright.yml | 3 +++ .github/workflows/precompile-check.yml | 3 +++ .github/workflows/pro-integration-tests.yml | 3 +++ .github/workflows/pro-lint.yml | 3 +++ .github/workflows/pro-test-package-and-gem.yml | 3 +++ .github/workflows/trigger-docs-site.yml | 3 +++ 14 files changed, 42 insertions(+) diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml index c0a4b2c075..60cddc8916 100644 --- a/.github/workflows/actionlint.yml +++ b/.github/workflows/actionlint.yml @@ -1,5 +1,8 @@ name: Lint GitHub Actions +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml index 46b93f713f..8071fde6fc 100644 --- a/.github/workflows/bundle-size.yml +++ b/.github/workflows/bundle-size.yml @@ -1,5 +1,8 @@ name: Bundle Size +permissions: + contents: read + on: pull_request: paths: diff --git a/.github/workflows/check-markdown-links.yml b/.github/workflows/check-markdown-links.yml index 86005a3872..2589b7fc6b 100644 --- a/.github/workflows/check-markdown-links.yml +++ b/.github/workflows/check-markdown-links.yml @@ -1,5 +1,8 @@ name: Check Markdown Links +permissions: + contents: read + on: push: branches: [main] diff --git a/.github/workflows/examples.yml b/.github/workflows/examples.yml index 742ab51fe5..09417905af 100644 --- a/.github/workflows/examples.yml +++ b/.github/workflows/examples.yml @@ -1,5 +1,8 @@ name: Generator tests # TODO needs to be duplicated for RoR Pro +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/gem-tests.yml b/.github/workflows/gem-tests.yml index 13df8e868d..dedc1ecd9d 100644 --- a/.github/workflows/gem-tests.yml +++ b/.github/workflows/gem-tests.yml @@ -1,5 +1,8 @@ name: Rspec test for gem +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index aac8f805a0..aa81d2d1a7 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -1,5 +1,8 @@ name: Integration Tests +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/lint-js-and-ruby.yml b/.github/workflows/lint-js-and-ruby.yml index 72aa7a70eb..a1b7d1f56b 100644 --- a/.github/workflows/lint-js-and-ruby.yml +++ b/.github/workflows/lint-js-and-ruby.yml @@ -1,5 +1,8 @@ name: Lint JS and Ruby +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/package-js-tests.yml b/.github/workflows/package-js-tests.yml index 2df84b34db..727a8e31ee 100644 --- a/.github/workflows/package-js-tests.yml +++ b/.github/workflows/package-js-tests.yml @@ -1,5 +1,8 @@ name: JS unit tests for Renderer package +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml index dff395abe7..9ee48e077c 100644 --- a/.github/workflows/playwright.yml +++ b/.github/workflows/playwright.yml @@ -1,5 +1,8 @@ name: Playwright E2E Tests +permissions: + contents: read + on: push: branches: [main] diff --git a/.github/workflows/precompile-check.yml b/.github/workflows/precompile-check.yml index ad810f9156..d05edbeefd 100644 --- a/.github/workflows/precompile-check.yml +++ b/.github/workflows/precompile-check.yml @@ -1,5 +1,8 @@ name: Assets Precompile Check +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/pro-integration-tests.yml b/.github/workflows/pro-integration-tests.yml index b7fea2e918..4ea739f0e1 100644 --- a/.github/workflows/pro-integration-tests.yml +++ b/.github/workflows/pro-integration-tests.yml @@ -1,5 +1,8 @@ name: React on Rails Pro - Integration Tests +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/pro-lint.yml b/.github/workflows/pro-lint.yml index 5fc821437d..dab792eb13 100644 --- a/.github/workflows/pro-lint.yml +++ b/.github/workflows/pro-lint.yml @@ -1,5 +1,8 @@ name: React on Rails Pro - Lint +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/pro-test-package-and-gem.yml b/.github/workflows/pro-test-package-and-gem.yml index 44d273d445..a2fa0d1fbf 100644 --- a/.github/workflows/pro-test-package-and-gem.yml +++ b/.github/workflows/pro-test-package-and-gem.yml @@ -1,5 +1,8 @@ name: React on Rails Pro - Package Tests +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/trigger-docs-site.yml b/.github/workflows/trigger-docs-site.yml index 2dae4e9dd3..b2c1fed015 100644 --- a/.github/workflows/trigger-docs-site.yml +++ b/.github/workflows/trigger-docs-site.yml @@ -1,5 +1,8 @@ name: Trigger docs site rebuild +permissions: + contents: read + on: push: branches: [main] From 24fa422721cbd6c9f826336ff51a60a50ed08604 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 00:13:13 +0200 Subject: [PATCH 03/13] chore: add pnpm overrides for transitive dependency vulnerabilities Generated via `pnpm audit --fix`. Forces non-vulnerable versions of 28 transitive dependencies that cannot be fixed by bumping direct deps. Reduces npm audit vulnerabilities from 38 to 8. Remaining 8 are either unfixable (elliptic has no patched version) or edge cases with pnpm's range-based override resolution for deeply nested deps. These overrides should be removed when upstream packages update. --- package.json | 30 +++- pnpm-lock.yaml | 455 +++++++++++++++++++++---------------------------- 2 files changed, 227 insertions(+), 258 deletions(-) diff --git a/package.json b/package.json index 8efa4b0def..2f9fc6e70e 100644 --- a/package.json +++ b/package.json @@ -126,7 +126,35 @@ "app>react": "^18.3.1", "app>react-dom": "^18.3.1", "sentry-testkit>body-parser": "npm:empty-npm-package@1.0.0", - "sentry-testkit>express": "npm:empty-npm-package@1.0.0" + "sentry-testkit>express": "npm:empty-npm-package@1.0.0", + "lodash@>=4.0.0 <=4.17.22": ">=4.17.23", + "qs@>=6.7.0 <=6.14.1": ">=6.14.2", + "bn.js@>=5.0.0 <5.2.3": ">=5.2.3", + "bn.js@<4.12.3": ">=4.12.3", + "minimatch@<3.1.3": ">=3.1.3", + "minimatch@>=9.0.0 <9.0.6": ">=9.0.6", + "basic-ftp@<5.2.0": ">=5.2.0", + "minimatch@>=9.0.0 <9.0.7": ">=9.0.7", + "minimatch@<3.1.4": ">=3.1.4", + "serialize-javascript@<=7.0.2": ">=7.0.3", + "ajv@<6.14.0": ">=6.14.0", + "ajv@>=7.0.0-alpha.0 <8.18.0": ">=8.18.0", + "@tootallnate/once@<3.0.1": ">=3.0.1", + "svgo@=4.0.0": ">=4.0.1", + "svgo@>=2.1.0 <2.8.1": ">=2.8.1", + "immutable@>=5.0.0 <5.1.5": ">=5.1.5", + "flatted@<3.4.0": ">=3.4.0", + "flatted@<=3.4.1": ">=3.4.2", + "smol-toml@<1.6.1": ">=1.6.1", + "handlebars@>=4.0.0 <=4.7.8": ">=4.7.9", + "serialize-javascript@<7.0.5": ">=7.0.5", + "path-to-regexp@<0.1.13": ">=0.1.13", + "brace-expansion@<1.1.13": ">=1.1.13", + "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3", + "handlebars@>=4.0.0 <4.7.9": ">=4.7.9", + "picomatch@<2.3.2": ">=2.3.2", + "picomatch@>=4.0.0 <4.0.4": ">=4.0.4", + "yaml@>=1.0.0 <1.10.3": ">=1.10.3" } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 8482c7d1d1..e67c9d03f3 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -11,6 +11,34 @@ overrides: app>react-dom: ^18.3.1 sentry-testkit>body-parser: npm:empty-npm-package@1.0.0 sentry-testkit>express: npm:empty-npm-package@1.0.0 + lodash@>=4.0.0 <=4.17.22: '>=4.17.23' + qs@>=6.7.0 <=6.14.1: '>=6.14.2' + bn.js@>=5.0.0 <5.2.3: '>=5.2.3' + bn.js@<4.12.3: '>=4.12.3' + minimatch@<3.1.3: '>=3.1.3' + minimatch@>=9.0.0 <9.0.6: '>=9.0.6' + basic-ftp@<5.2.0: '>=5.2.0' + minimatch@>=9.0.0 <9.0.7: '>=9.0.7' + minimatch@<3.1.4: '>=3.1.4' + serialize-javascript@<=7.0.2: '>=7.0.3' + ajv@<6.14.0: '>=6.14.0' + ajv@>=7.0.0-alpha.0 <8.18.0: '>=8.18.0' + '@tootallnate/once@<3.0.1': '>=3.0.1' + svgo@=4.0.0: '>=4.0.1' + svgo@>=2.1.0 <2.8.1: '>=2.8.1' + immutable@>=5.0.0 <5.1.5: '>=5.1.5' + flatted@<3.4.0: '>=3.4.0' + flatted@<=3.4.1: '>=3.4.2' + smol-toml@<1.6.1: '>=1.6.1' + handlebars@>=4.0.0 <=4.7.8: '>=4.7.9' + serialize-javascript@<7.0.5: '>=7.0.5' + path-to-regexp@<0.1.13: '>=0.1.13' + brace-expansion@<1.1.13: '>=1.1.13' + brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3' + handlebars@>=4.0.0 <4.7.9: '>=4.7.9' + picomatch@<2.3.2: '>=2.3.2' + picomatch@>=4.0.0 <4.0.4: '>=4.0.4' + yaml@>=1.0.0 <1.10.3: '>=1.10.3' importers: @@ -694,7 +722,7 @@ importers: version: 3.3.4(webpack@5.104.1) tailwindcss: specifier: ^3.2.7 - version: 3.4.19 + version: 3.4.19(yaml@2.8.3) terser-webpack-plugin: specifier: '5' version: 5.3.1(@swc/core@1.15.3)(webpack@5.104.1) @@ -725,13 +753,13 @@ importers: version: 1.58.2 '@tailwindcss/aspect-ratio': specifier: ^0.4.2 - version: 0.4.2(tailwindcss@3.4.19) + version: 0.4.2(tailwindcss@3.4.19(yaml@2.8.3)) '@tailwindcss/forms': specifier: ^0.5.3 - version: 0.5.11(tailwindcss@3.4.19) + version: 0.5.11(tailwindcss@3.4.19(yaml@2.8.3)) '@tailwindcss/typography': specifier: ^0.5.9 - version: 0.5.19(tailwindcss@3.4.19) + version: 0.5.19(tailwindcss@3.4.19(yaml@2.8.3)) '@tsconfig/create-react-app': specifier: ^2.0.1 version: 2.0.11 @@ -2525,21 +2553,13 @@ packages: '@types/react-dom': optional: true - '@tootallnate/once@1.1.2': - resolution: {integrity: sha512-RbzJvlNzmRq5c3O09UipeuXno4tA1FE6ikOjxZK0tuxVv3412l64l5t1W5pj4+rJq9vpkm/kwiR07aZXnsKPxw==} - engines: {node: '>= 6'} - - '@tootallnate/once@2.0.0': - resolution: {integrity: sha512-XCuKFP5PS55gnMVu3dty8KPatLqUoy/ZYzDzAGCQ8JNFCkLXzmI7vNHCR+XpbZaMWQK/vQubr7PkYq8g470J/A==} + '@tootallnate/once@3.0.1': + resolution: {integrity: sha512-VyMVKRrpHTT8PnotUeV8L/mDaMwD5DaAKCFLP73zAqAtvF0FCqky+Ki7BYbFCYQmqFyTe9316Ed5zS70QUR9eg==} engines: {node: '>= 10'} '@tootallnate/quickjs-emscripten@0.23.0': resolution: {integrity: sha512-C5Mc6rdnsaJDjO3UpGW/CQTHtCKaYlScZTly4JIu97Jxo/odCiH0ITnDXSJPTOrEKk/ycSZ0AOgTmkDtkOsvIA==} - '@trysound/sax@0.2.0': - resolution: {integrity: sha512-L7z9BgrNEcYyUYtF+HaEfiS5ebkh9jXqbszz7pC0hRBPaatV0XjSD3+eHrpqFemQfgwiFF0QPIarnIihIDn7OA==} - engines: {node: '>=10.13.0'} - '@tsconfig/create-react-app@2.0.11': resolution: {integrity: sha512-vvIx+rDshVTVyA0l8OAjt8LCFUX0xhp6I5me1ggoQCg4Lny0xLG2Y1aXC7b76TCAq5hbUwTRhKF1RR33Yl7mkA==} @@ -3048,7 +3068,7 @@ packages: ajv-formats@2.1.1: resolution: {integrity: sha512-Wx0Kx52hxE7C18hkMEggYlEifqWZtYaRgouJor+WMdPnQyEK13vgEWyVNup7SoeeoLMsr4kf5h6dOW11I15MUA==} peerDependencies: - ajv: ^8.0.0 + ajv: '>=8.18.0' peerDependenciesMeta: ajv: optional: true @@ -3056,7 +3076,7 @@ packages: ajv-formats@3.0.1: resolution: {integrity: sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==} peerDependencies: - ajv: ^8.0.0 + ajv: '>=8.18.0' peerDependenciesMeta: ajv: optional: true @@ -3064,18 +3084,12 @@ packages: ajv-keywords@3.5.2: resolution: {integrity: sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==} peerDependencies: - ajv: ^6.9.1 + ajv: '>=6.14.0' ajv-keywords@5.1.0: resolution: {integrity: sha512-YCS/JNFAUyr5vAuhk1DWm1CBxRHW9LbJ2ozWeemrIqpbsqKjHVxYPyi5GC0rjZIT5JxJ3virVTS8wk4i/Z+krw==} peerDependencies: - ajv: ^8.8.2 - - ajv@6.12.6: - resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==} - - ajv@8.17.1: - resolution: {integrity: sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==} + ajv: '>=8.18.0' ajv@8.18.0: resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==} @@ -3326,12 +3340,13 @@ packages: peerDependencies: '@babel/core': ^7.0.0 - balanced-match@1.0.2: - resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} - balanced-match@2.0.0: resolution: {integrity: sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==} + balanced-match@4.0.4: + resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==} + engines: {node: 18 || 20 || >=22} + bare-events@2.8.2: resolution: {integrity: sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==} peerDependencies: @@ -3381,10 +3396,9 @@ packages: resolution: {integrity: sha512-ipDqC8FrAl/76p2SSWKSI+H9tFwm7vYqXQrItCuiVPt26Km0jS+NzSsBWAaBusvSbQcfJG+JitdMm+wZAgTYqg==} hasBin: true - basic-ftp@5.0.5: - resolution: {integrity: sha512-4Bcg1P8xhUuqcii/S0Z9wiHIrQVPMermM1any+MX5GeGD7faD3/msQUDGLol9wOcz4/jbg/WJnGqoJF6LiBdtg==} + basic-ftp@5.2.0: + resolution: {integrity: sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==} engines: {node: '>=10.0.0'} - deprecated: Security vulnerability fixed in 5.2.0, please upgrade batch@0.6.1: resolution: {integrity: sha512-x+VAiMRL6UPkx+kudNvxTl6hB2XNNCG2r+7wixVfIYwu/2HKRXimwQyaumLjMveWvT2Hkd/cAJw+QBMfJ/EKVw==} @@ -3396,12 +3410,12 @@ packages: resolution: {integrity: sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==} engines: {node: '>=8'} - bn.js@4.12.2: - resolution: {integrity: sha512-n4DSx829VRTRByMRGdjQ9iqsN0Bh4OolPsFnaZBLcbi8iXcB+kJ9s7EnRt4wILZNV3kPLHkRVfOc/HvhC3ovDw==} - bn.js@5.2.2: resolution: {integrity: sha512-v2YAxEmKaBLahNwE1mjp4WON6huMNeuDvagFZW+ASCuA/ku0bXR9hSMw0XpiqMoA3+rmnyck/tPRSFQkoC9Cuw==} + bn.js@5.2.3: + resolution: {integrity: sha512-EAcmnPkxpntVL+DS7bO1zhcZNvCkxqtkd0ZY53h06GNQ3DEkkGZ/gKgmDv6DdZQGj9BgfSPKtJJ7Dp1GPP8f7w==} + body-parser@1.20.4: resolution: {integrity: sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==} engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16} @@ -3412,11 +3426,9 @@ packages: boolbase@1.0.0: resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==} - brace-expansion@1.1.12: - resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==} - - brace-expansion@2.0.2: - resolution: {integrity: sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==} + brace-expansion@5.0.5: + resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} + engines: {node: 18 || 20 || >=22} braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} @@ -3674,10 +3686,6 @@ packages: resolution: {integrity: sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==} engines: {node: '>= 6'} - commander@7.2.0: - resolution: {integrity: sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==} - engines: {node: '>= 10'} - commander@8.3.0: resolution: {integrity: sha512-OkTL9umf+He2DZkUq8f8J9of7yL6RJKI24dVITBmNfZBmri9zYZQrKkuXiKhyfPSu8tUhnVBB1iKXevvnlR4Ww==} engines: {node: '>= 12'} @@ -3703,9 +3711,6 @@ packages: resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==} engines: {node: '>= 0.8.0'} - concat-map@0.0.1: - resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} - confusing-browser-globals@1.0.11: resolution: {integrity: sha512-JsPKdmh8ZkmnHxDk55FZ1TqVLvEQTvoByJZRN9jzI0UjxK/QgAmsphz7PGtqgPieQZ/CQcHWXCR7ATDNhGe+YA==} @@ -3896,10 +3901,6 @@ packages: css-select@5.2.2: resolution: {integrity: sha512-TizTzUddG/xYLA3NXodFM0fSbNizXjOKhqiQQwvhlspadZokn1KDy0NZFS0wuEubIYAV5/c1/lAr0TaaFXEXzw==} - css-tree@1.1.3: - resolution: {integrity: sha512-tRpdppF7TRazZrjJ6v3stzv93qxRcSsFmW6cX0Zm2NVKpxE1WV1HblnghVv9TreireHkqI/VDEsfolRF1p6y7Q==} - engines: {node: '>=8.0.0'} - css-tree@2.2.1: resolution: {integrity: sha512-OA0mILzGc1kCOCSJerOeqDxDQ4HOh+G8NbOJFOTgOCzpw7fCBubk0fEyxp8AgOL/jvLgYA/uV0cMbe43ElF1JA==} engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0, npm: '>=7.0.0'} @@ -3956,10 +3957,6 @@ packages: peerDependencies: postcss: ^8.4.32 - csso@4.2.0: - resolution: {integrity: sha512-wvlcdIbf6pwKEk7vHj8/Bkc0B4ylXZruLvOgs9doS5eOsOpuodOV2zJChSpkp+pRpYQLQMeF04nr3Z68Sta9jA==} - engines: {node: '>=8.0.0'} - csso@5.0.5: resolution: {integrity: sha512-0LrrStPOdJj+SPCCrGhzryycLjwcgUSHBtxNA8aIDxf0GLsRh1cKYhB00Gd1lDOS4yGH69+SNn13+TWbVHETFQ==} engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0, npm: '>=7.0.0'} @@ -4675,7 +4672,7 @@ packages: resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==} engines: {node: '>=12.0.0'} peerDependencies: - picomatch: ^3 || ^4 + picomatch: '>=4.0.4' peerDependenciesMeta: picomatch: optional: true @@ -4747,8 +4744,8 @@ packages: resolution: {integrity: sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ==} hasBin: true - flatted@3.3.3: - resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==} + flatted@3.4.2: + resolution: {integrity: sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==} follow-redirects@1.15.11: resolution: {integrity: sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==} @@ -4939,8 +4936,8 @@ packages: handle-thing@2.0.1: resolution: {integrity: sha512-9Qn4yBxelxoh2Ow62nP+Ka/kMnOXRi8BXnRaUwezLNhqelnN49xKz4F/dPP8OYLxLxq6JDtZb2i9XznUQbNPTg==} - handlebars@4.7.8: - resolution: {integrity: sha512-vafaFqs8MZkRrSX7sFVUdo3ap/eNiLnb4IakshzvP56X5Nr1iGKAIqdX6tMlm6HcNRIkr6AxO5jFEoJzzpT8aQ==} + handlebars@4.7.9: + resolution: {integrity: sha512-4E71E0rpOaQuJR2A3xDZ+GM1HyWYv1clR58tC8emQNeQe3RH7MAzSbat+V0wG78LQBo6m6bzSG/L4pBuCsgnUQ==} engines: {node: '>=0.4.7'} hasBin: true @@ -5139,8 +5136,8 @@ packages: immediate@3.0.6: resolution: {integrity: sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==} - immutable@5.1.4: - resolution: {integrity: sha512-p6u1bG3YSnINT5RQmx/yRZBpenIl30kVxkTLDyHLIMk0gict704Q9n+thfDI7lTRm9vXdDYutVzXhzcThxTnXA==} + immutable@5.1.5: + resolution: {integrity: sha512-t7xcm2siw+hlUM68I+UEOK+z84RzmN59as9DZ7P1l0994DKUWV7UXBMQZVxaoMSRQ+PBZbHCOoBt7a2wxOMt+A==} import-fresh@3.3.1: resolution: {integrity: sha512-TR3KfrTZTYLPB6jUjfx6MF9WcWrHL9su5TObK4ZkYgBdWKPOFoSoQIdEuTuR82pmtxH2spWG9h6etwfr1pLBqQ==} @@ -5645,9 +5642,6 @@ packages: json-schema-ref-resolver@3.0.0: resolution: {integrity: sha512-hOrZIVL5jyYFjzk7+y7n5JDzGlU8rfWDuYyHwGa2WA8/pcmMHezp2xsVwxrebD/Q9t8Nc5DboieySDpCp4WG4A==} - json-schema-traverse@0.4.1: - resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==} - json-schema-traverse@1.0.0: resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==} @@ -5823,9 +5817,6 @@ packages: lodash.uniq@4.5.0: resolution: {integrity: sha512-xfBaXQd9ryd9dlSDvnvI0lvxfLJlYAZzXomUYzLKtUeOQvOP5piqAWuGtrhWeqaXK9hhoM/iyJc5AV+XfsX3HQ==} - lodash@4.17.21: - resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==} - lodash@4.17.23: resolution: {integrity: sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==} @@ -5891,9 +5882,6 @@ packages: md5.js@1.3.5: resolution: {integrity: sha512-xitP+WxNPcTTOgnTJcrhM0xvdPepipPSf3I8EIpGKeFLjt3PlJLIDG3u8EX53ZIubkb+5U2+3rELYpEhHhzdkg==} - mdn-data@2.0.14: - resolution: {integrity: sha512-dn6wd0uw5GsdswPFfsgMp5NSB0/aDe6fK94YJV/AJDYXL6HVLWBsxeq7js7Ad+mU2K9LAlwpk6kN2D5mwCPVow==} - mdn-data@2.0.28: resolution: {integrity: sha512-aylIc7Z9y4yzHYAJNuESG3hfhC+0Ibp/MAMiaOZgNv4pmEdFyfZhhhny4MNiAfWdBQ1RQ2mfDWmM1x8SvGyp8g==} @@ -5983,8 +5971,9 @@ packages: minimalistic-crypto-utils@1.0.1: resolution: {integrity: sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg==} - minimatch@3.1.2: - resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==} + minimatch@10.2.4: + resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==} + engines: {node: 18 || 20 || >=22} minimatch@9.0.5: resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==} @@ -6317,8 +6306,8 @@ packages: path-parse@1.0.7: resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==} - path-to-regexp@0.1.12: - resolution: {integrity: sha512-RA1GjUVMnvYFxuqovrEqZoxxW5NUZqbwKtYz/Tt7nXerk0LbLblQmrsgdeOxV5SFHf0UDggjS/bSeOZwt1pmEQ==} + path-to-regexp@8.4.0: + resolution: {integrity: sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==} path-type@4.0.0: resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==} @@ -6337,14 +6326,14 @@ packages: picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@2.3.1: - resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==} - engines: {node: '>=8.6'} - picomatch@4.0.3: resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==} engines: {node: '>=12'} + picomatch@4.0.4: + resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} + engines: {node: '>=12'} + pify@2.3.0: resolution: {integrity: sha512-udgsAY+fTnvv7kI7aaxbqwWNb0AHiB0qBO89PZKPkoTmGOgdbrHDKD+0B2X4uTfJ/FT1R09r9gTsjUjNJotuog==} engines: {node: '>=0.10.0'} @@ -6936,8 +6925,8 @@ packages: resolution: {integrity: sha512-7gJ6mxcQb9vUBOtbKm5mDevbe2uRcOEVp1g4gb/Q+oLntB3HY8eBhOYRxFI2mlDFlY1e4DOSCptzxarXRvzxCA==} engines: {node: '>=20'} - qs@6.14.1: - resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==} + qs@6.15.0: + resolution: {integrity: sha512-mAZTtNCeetKMH+pSjrb76NAM8V9a05I9aBZOHztWy/UqcJdQYNsf59vrRKWnojAT9Y+GbIvoTBC++CPHqpDBhQ==} engines: {node: '>=0.6'} querystring-es3@0.2.1: @@ -7296,6 +7285,10 @@ packages: resolution: {integrity: sha512-1n3r/tGXO6b6VXMdFT54SHzT9ytu9yr7TaELowdYpMqY/Ao7EnlQGmAQ1+RatX7Tkkdm6hONI2owqNx2aZj5Sw==} engines: {node: '>=11.0.0'} + sax@1.6.0: + resolution: {integrity: sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA==} + engines: {node: '>=11.0.0'} + saxes@5.0.1: resolution: {integrity: sha512-5LBh1Tls8c9xgGjw3QrMwETmTMVk0oFgvrFSvWx62llR2hcEInrKNZ2GZCCuuy2lvWrdl5jhbpeqc5hRYKFOcw==} engines: {node: '>=10'} @@ -7353,8 +7346,9 @@ packages: sentry-testkit@5.0.10: resolution: {integrity: sha512-wpvt29IIK+L1Pe02uc0y7rJkXQcnIk46hvB02Zqd4UNgP2lIhzv80GjR2lu8RtsbAmf7LJnGz8zLuV3rVa69ew==} - serialize-javascript@6.0.2: - resolution: {integrity: sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==} + serialize-javascript@7.0.5: + resolution: {integrity: sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==} + engines: {node: '>=20.0.0'} seroval-plugins@1.5.0: resolution: {integrity: sha512-EAHqADIQondwRZIdeW2I636zgsODzoBDwb3PT/+7TLDWyw1Dy/Xv7iGUIEXXav7usHDE9HVhOU61irI3EnyyHA==} @@ -7555,8 +7549,8 @@ packages: resolution: {integrity: sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==} engines: {node: '>= 6.0.0', npm: '>= 3.0.0'} - smol-toml@1.5.2: - resolution: {integrity: sha512-QlaZEqcAH3/RtNyet1IPIYPsEWAaYyXXv1Krsi+1L/QHppjX4Ifm8MQsBISz9vE8cHicIq3clogsheili5vhaQ==} + smol-toml@1.6.1: + resolution: {integrity: sha512-dWUG8F5sIIARXih1DTaQAX4SsiTXhInKf1buxdY9DIg4ZYPZK5nGM1VRIYmEbDbsHt7USo99xSLFu5Q1IqTmsg==} engines: {node: '>= 18'} sockjs@0.3.24: @@ -7618,10 +7612,6 @@ packages: resolution: {integrity: sha512-o3yWv49B/o4QZk5ZcsALc6t0+eCelPc44zZsLtCQnZPDwFpDYSWcDnrv2TtMmMbQ7uKo3J0HTURCqckw23czNQ==} engines: {node: '>=12.0.0'} - stable@0.1.8: - resolution: {integrity: sha512-ji9qxRnOVfcuLDySj9qzhGSEFVobyt1kIOSkj1qZzYLzq7Tos/oUUWvotUPQLlrsidqsK6tBH89Bc9kL5zHA6w==} - deprecated: 'Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility' - stack-utils@2.0.6: resolution: {integrity: sha512-XlkWvfIm6RmsWtNJx+uqtKLS8eqFbxUg0ZzLXqY0caEy9l7hruX8IpiDnjsLavoBgqCCR71TqWO8MaXYheJ3RQ==} engines: {node: '>=10'} @@ -7832,16 +7822,16 @@ packages: svg-tags@1.0.0: resolution: {integrity: sha512-ovssysQTa+luh7A5Weu3Rta6FJlFBBbInjOh722LIt6klpU2/HtdUbszju/G4devcvk8PGt7FCLv5wftu3THUA==} - svgo@2.8.0: - resolution: {integrity: sha512-+N/Q9kV1+F+UeWYoSiULYo4xYSDQlTgb+ayMobAXPwMnLvop7oxKMo9OzIrX5x3eS4L4f2UHhc9axXwY8DpChg==} - engines: {node: '>=10.13.0'} - hasBin: true - svgo@4.0.0: resolution: {integrity: sha512-VvrHQ+9uniE+Mvx3+C9IEe/lWasXCU0nXMY2kZeLrHNICuRiC8uMPyM14UEaMOFA5mhyQqEkB02VoQ16n3DLaw==} engines: {node: '>=16'} hasBin: true + svgo@4.0.1: + resolution: {integrity: sha512-XDpWUOPC6FEibaLzjfe0ucaV0YrOjYotGJO1WpF0Zd+n6ZGEQUsSugaoLq9QkEZtAfQIxT42UChcssDVPP3+/w==} + engines: {node: '>=16'} + hasBin: true + swc-loader@0.2.6: resolution: {integrity: sha512-9Zi9UP2YmDpgmQVbyOPJClY0dwf58JDyDMQ7uRc4krmc72twNI2fvlBWHLqVekBpPc7h5NJkGVT1zNDxFrqhvg==} peerDependencies: @@ -8216,9 +8206,6 @@ packages: peerDependencies: browserslist: '>= 4.21.0' - uri-js@4.4.1: - resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==} - url-loader@4.1.1: resolution: {integrity: sha512-3BTV812+AVHHOJQO8O5MkWgZ5aosP7GnROJwvzLS9hWDj00lZ6Z0wNak423Lp9PBZN05N+Jk/N5Si8jRAlGyWA==} engines: {node: '>= 10.13.0'} @@ -8554,9 +8541,10 @@ packages: yallist@3.1.1: resolution: {integrity: sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==} - yaml@1.10.2: - resolution: {integrity: sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==} - engines: {node: '>= 6'} + yaml@2.8.3: + resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==} + engines: {node: '>= 14.6'} + hasBin: true yargs-parser@15.0.3: resolution: {integrity: sha512-/MVEVjTXy/cGAjdtQf8dW3V9b97bPN7rNn8ETj6BmAQL7ibC7O1Q9SPJbGjgh3SlwoBNXMzj/ZGIj8mBgl12YA==} @@ -9567,7 +9555,7 @@ snapshots: dependencies: '@eslint/object-schema': 2.1.7 debug: 4.4.3 - minimatch: 3.1.2 + minimatch: 9.0.5 transitivePeerDependencies: - supports-color @@ -9581,14 +9569,14 @@ snapshots: '@eslint/eslintrc@3.3.1': dependencies: - ajv: 6.12.6 + ajv: 8.18.0 debug: 4.4.3 espree: 10.4.0 globals: 14.0.0 ignore: 5.3.2 import-fresh: 3.3.1 js-yaml: 4.1.1 - minimatch: 3.1.2 + minimatch: 9.0.5 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -10199,7 +10187,7 @@ snapshots: detect-libc: 2.1.2 is-glob: 4.0.3 node-addon-api: 7.1.1 - picomatch: 4.0.3 + picomatch: 4.0.4 optionalDependencies: '@parcel/watcher-android-arm64': 2.5.6 '@parcel/watcher-darwin-arm64': 2.5.6 @@ -10540,19 +10528,19 @@ snapshots: dependencies: '@swc/counter': 0.1.3 - '@tailwindcss/aspect-ratio@0.4.2(tailwindcss@3.4.19)': + '@tailwindcss/aspect-ratio@0.4.2(tailwindcss@3.4.19(yaml@2.8.3))': dependencies: - tailwindcss: 3.4.19 + tailwindcss: 3.4.19(yaml@2.8.3) - '@tailwindcss/forms@0.5.11(tailwindcss@3.4.19)': + '@tailwindcss/forms@0.5.11(tailwindcss@3.4.19(yaml@2.8.3))': dependencies: mini-svg-data-uri: 1.4.4 - tailwindcss: 3.4.19 + tailwindcss: 3.4.19(yaml@2.8.3) - '@tailwindcss/typography@0.5.19(tailwindcss@3.4.19)': + '@tailwindcss/typography@0.5.19(tailwindcss@3.4.19(yaml@2.8.3))': dependencies: postcss-selector-parser: 6.0.10 - tailwindcss: 3.4.19 + tailwindcss: 3.4.19(yaml@2.8.3) '@tanstack/history@1.161.4': {} @@ -10634,14 +10622,10 @@ snapshots: '@types/react': 19.2.7 '@types/react-dom': 19.2.3(@types/react@19.2.7) - '@tootallnate/once@1.1.2': {} - - '@tootallnate/once@2.0.0': {} + '@tootallnate/once@3.0.1': {} '@tootallnate/quickjs-emscripten@0.23.0': {} - '@trysound/sax@0.2.0': {} - '@tsconfig/create-react-app@2.0.11': {} '@tsconfig/node14@14.1.8': {} @@ -10953,7 +10937,7 @@ snapshots: '@typescript-eslint/types': 8.48.0 '@typescript-eslint/visitor-keys': 8.48.0 debug: 4.4.3 - minimatch: 9.0.5 + minimatch: 10.2.4 semver: 7.7.4 tinyglobby: 0.2.15 ts-api-utils: 2.1.0(typescript@5.9.3) @@ -11219,36 +11203,22 @@ snapshots: agent-base@7.1.4: {} - ajv-formats@2.1.1(ajv@8.17.1): + ajv-formats@2.1.1(ajv@8.18.0): optionalDependencies: - ajv: 8.17.1 + ajv: 8.18.0 ajv-formats@3.0.1(ajv@8.18.0): optionalDependencies: ajv: 8.18.0 - ajv-keywords@3.5.2(ajv@6.12.6): + ajv-keywords@3.5.2(ajv@8.18.0): dependencies: - ajv: 6.12.6 - - ajv-keywords@5.1.0(ajv@8.17.1): - dependencies: - ajv: 8.17.1 - fast-deep-equal: 3.1.3 + ajv: 8.18.0 - ajv@6.12.6: + ajv-keywords@5.1.0(ajv@8.18.0): dependencies: + ajv: 8.18.0 fast-deep-equal: 3.1.3 - fast-json-stable-stringify: 2.1.0 - json-schema-traverse: 0.4.1 - uri-js: 4.4.1 - - ajv@8.17.1: - dependencies: - fast-deep-equal: 3.1.3 - fast-uri: 3.1.0 - json-schema-traverse: 1.0.0 - require-from-string: 2.0.2 ajv@8.18.0: dependencies: @@ -11290,7 +11260,7 @@ snapshots: anymatch@3.1.3: dependencies: normalize-path: 3.0.0 - picomatch: 2.3.1 + picomatch: 4.0.3 arg@5.0.2: {} @@ -11381,7 +11351,7 @@ snapshots: asn1.js@4.10.1: dependencies: - bn.js: 4.12.2 + bn.js: 5.2.2 inherits: 2.0.4 minimalistic-assert: 1.0.1 @@ -11573,10 +11543,10 @@ snapshots: babel-plugin-jest-hoist: 29.6.3 babel-preset-current-node-syntax: 1.2.0(@babel/core@7.28.5) - balanced-match@1.0.2: {} - balanced-match@2.0.0: {} + balanced-match@4.0.4: {} + bare-events@2.8.2: {} bare-fs@4.5.2: @@ -11620,7 +11590,7 @@ snapshots: baseline-browser-mapping@2.9.19: {} - basic-ftp@5.0.5: {} + basic-ftp@5.2.0: {} batch@0.6.1: {} @@ -11628,10 +11598,10 @@ snapshots: binary-extensions@2.3.0: {} - bn.js@4.12.2: {} - bn.js@5.2.2: {} + bn.js@5.2.3: {} + body-parser@1.20.4: dependencies: bytes: 3.1.2 @@ -11642,7 +11612,7 @@ snapshots: http-errors: 2.0.1 iconv-lite: 0.4.24 on-finished: 2.4.1 - qs: 6.14.1 + qs: 6.15.0 raw-body: 2.5.3 type-is: 1.6.18 unpipe: 1.0.0 @@ -11656,14 +11626,9 @@ snapshots: boolbase@1.0.0: {} - brace-expansion@1.1.12: - dependencies: - balanced-match: 1.0.2 - concat-map: 0.0.1 - - brace-expansion@2.0.2: + brace-expansion@5.0.5: dependencies: - balanced-match: 1.0.2 + balanced-match: 4.0.4 braces@3.0.3: dependencies: @@ -11697,13 +11662,13 @@ snapshots: browserify-rsa@4.1.1: dependencies: - bn.js: 5.2.2 + bn.js: 5.2.3 randombytes: 2.1.0 safe-buffer: 5.2.1 browserify-sign@4.2.5: dependencies: - bn.js: 5.2.2 + bn.js: 5.2.3 browserify-rsa: 4.1.1 create-hash: 1.2.0 create-hmac: 1.1.7 @@ -11948,8 +11913,6 @@ snapshots: commander@4.1.1: {} - commander@7.2.0: {} - commander@8.3.0: {} common-tags@1.8.2: {} @@ -11963,13 +11926,13 @@ snapshots: compression-webpack-plugin@9.2.0(webpack@5.104.1): dependencies: schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 webpack: 5.104.1(@swc/core@1.15.3)(webpack-cli@6.0.1) compression-webpack-plugin@9.2.0(webpack@5.105.2): dependencies: schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 webpack: 5.105.2(@swc/core@1.15.3)(webpack-cli@6.0.1) compression@1.8.1: @@ -11984,8 +11947,6 @@ snapshots: transitivePeerDependencies: - supports-color - concat-map@0.0.1: {} - confusing-browser-globals@1.0.11: {} connect-history-api-fallback@2.0.0: {} @@ -12026,7 +11987,7 @@ snapshots: import-fresh: 3.3.1 parse-json: 5.2.0 path-type: 4.0.0 - yaml: 1.10.2 + yaml: 2.8.3 cosmiconfig@8.3.6(typescript@5.9.3): dependencies: @@ -12048,7 +12009,7 @@ snapshots: create-ecdh@4.0.4: dependencies: - bn.js: 4.12.2 + bn.js: 5.2.2 elliptic: 6.6.1 create-hash@1.2.0: @@ -12170,7 +12131,7 @@ snapshots: jest-worker: 27.5.1 postcss: 8.5.6 schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 source-map: 0.6.1 webpack: 5.104.1(@swc/core@1.15.3)(webpack-cli@6.0.1) @@ -12181,7 +12142,7 @@ snapshots: jest-worker: 30.2.0 postcss: 8.5.6 schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 webpack: 5.104.1(@swc/core@1.15.3)(webpack-cli@6.0.1) css-select@4.3.0: @@ -12200,11 +12161,6 @@ snapshots: domutils: 3.2.2 nth-check: 2.1.1 - css-tree@1.1.3: - dependencies: - mdn-data: 2.0.14 - source-map: 0.6.1 - css-tree@2.2.1: dependencies: mdn-data: 2.0.28 @@ -12301,7 +12257,7 @@ snapshots: cssnano-preset-default: 5.2.14(postcss@8.5.6) lilconfig: 2.1.0 postcss: 8.5.6 - yaml: 1.10.2 + yaml: 2.8.3 cssnano@7.1.2(postcss@8.5.6): dependencies: @@ -12309,10 +12265,6 @@ snapshots: lilconfig: 3.1.3 postcss: 8.5.6 - csso@4.2.0: - dependencies: - css-tree: 1.1.3 - csso@5.0.5: dependencies: css-tree: 2.2.1 @@ -12456,7 +12408,7 @@ snapshots: diffie-hellman@5.0.3: dependencies: - bn.js: 4.12.2 + bn.js: 5.2.2 miller-rabin: 4.0.1 randombytes: 2.1.0 @@ -12551,7 +12503,7 @@ snapshots: elliptic@6.6.1: dependencies: - bn.js: 4.12.2 + bn.js: 5.2.2 brorand: 1.1.0 hash.js: 1.1.7 hmac-drbg: 1.0.1 @@ -12822,7 +12774,7 @@ snapshots: hasown: 2.0.2 is-core-module: 2.16.1 is-glob: 4.0.3 - minimatch: 3.1.2 + minimatch: 9.0.5 object.fromentries: 2.0.8 object.groupby: 1.0.3 object.values: 1.2.1 @@ -12861,7 +12813,7 @@ snapshots: hasown: 2.0.2 jsx-ast-utils: 3.3.5 language-tags: 1.0.9 - minimatch: 3.1.2 + minimatch: 9.0.5 object.fromentries: 2.0.8 safe-regex-test: 1.1.0 string.prototype.includes: 2.0.1 @@ -12892,7 +12844,7 @@ snapshots: estraverse: 5.3.0 hasown: 2.0.2 jsx-ast-utils: 3.3.5 - minimatch: 3.1.2 + minimatch: 9.0.5 object.entries: 1.1.9 object.fromentries: 2.0.8 object.values: 1.2.1 @@ -12941,7 +12893,7 @@ snapshots: '@humanwhocodes/module-importer': 1.0.1 '@humanwhocodes/retry': 0.4.3 '@types/estree': 1.0.8 - ajv: 6.12.6 + ajv: 8.18.0 chalk: 4.1.2 cross-spawn: 7.0.6 debug: 4.4.3 @@ -12960,7 +12912,7 @@ snapshots: is-glob: 4.0.3 json-stable-stringify-without-jsonify: 1.0.1 lodash.merge: 4.6.2 - minimatch: 3.1.2 + minimatch: 9.0.5 natural-compare: 1.4.0 optionator: 0.9.4 optionalDependencies: @@ -13087,9 +13039,9 @@ snapshots: methods: 1.1.2 on-finished: 2.4.1 parseurl: 1.3.3 - path-to-regexp: 0.1.12 + path-to-regexp: 8.4.0 proxy-addr: 2.0.7 - qs: 6.14.1 + qs: 6.15.0 range-parser: 1.2.1 safe-buffer: 5.2.1 send: 0.19.2 @@ -13197,9 +13149,9 @@ snapshots: dependencies: pend: 1.2.0 - fdir@6.5.0(picomatch@4.0.3): + fdir@6.5.0(picomatch@4.0.4): optionalDependencies: - picomatch: 4.0.3 + picomatch: 4.0.4 fflate@0.8.2: {} @@ -13285,18 +13237,18 @@ snapshots: flat-cache@4.0.1: dependencies: - flatted: 3.3.3 + flatted: 3.4.2 keyv: 4.5.4 flat-cache@6.1.19: dependencies: cacheable: 2.2.0 - flatted: 3.3.3 + flatted: 3.4.2 hookified: 1.13.0 flat@5.0.2: {} - flatted@3.3.3: {} + flatted@3.4.2: {} follow-redirects@1.15.11: {} @@ -13414,7 +13366,7 @@ snapshots: get-uri@6.0.5: dependencies: - basic-ftp: 5.0.5 + basic-ftp: 5.2.0 data-uri-to-buffer: 6.0.2 debug: 4.4.3 transitivePeerDependencies: @@ -13439,7 +13391,7 @@ snapshots: fs.realpath: 1.0.0 inflight: 1.0.6 inherits: 2.0.4 - minimatch: 3.1.2 + minimatch: 9.0.5 once: 1.4.0 path-is-absolute: 1.0.1 @@ -13488,7 +13440,7 @@ snapshots: handle-thing@2.0.1: {} - handlebars@4.7.8: + handlebars@4.7.9: dependencies: minimist: 1.2.8 neo-async: 2.6.2 @@ -13639,7 +13591,7 @@ snapshots: http-proxy-agent@4.0.1: dependencies: - '@tootallnate/once': 1.1.2 + '@tootallnate/once': 3.0.1 agent-base: 6.0.2 debug: 4.4.3 transitivePeerDependencies: @@ -13647,7 +13599,7 @@ snapshots: http-proxy-agent@5.0.0: dependencies: - '@tootallnate/once': 2.0.0 + '@tootallnate/once': 3.0.1 agent-base: 6.0.2 debug: 4.4.3 transitivePeerDependencies: @@ -13720,7 +13672,7 @@ snapshots: immediate@3.0.6: {} - immutable@5.1.4: {} + immutable@5.1.5: {} import-fresh@3.3.1: dependencies: @@ -14287,7 +14239,7 @@ snapshots: chalk: 4.1.2 ci-info: 3.9.0 graceful-fs: 4.2.11 - picomatch: 2.3.1 + picomatch: 4.0.3 jest-util@30.2.0: dependencies: @@ -14296,7 +14248,7 @@ snapshots: chalk: 4.1.2 ci-info: 4.4.0 graceful-fs: 4.2.11 - picomatch: 4.0.3 + picomatch: 4.0.4 jest-validate@29.7.0: dependencies: @@ -14483,8 +14435,6 @@ snapshots: dependencies: dequal: 2.0.3 - json-schema-traverse@0.4.1: {} - json-schema-traverse@1.0.0: {} json-stable-stringify-without-jsonify@1.0.1: {} @@ -14561,8 +14511,8 @@ snapshots: minimist: 1.2.8 oxc-resolver: 11.14.0 picocolors: 1.1.1 - picomatch: 4.0.3 - smol-toml: 1.5.2 + picomatch: 4.0.4 + smol-toml: 1.6.1 strip-json-comments: 5.0.3 typescript: 5.9.3 zod: 4.1.13 @@ -14667,8 +14617,6 @@ snapshots: lodash.uniq@4.5.0: {} - lodash@4.17.21: {} - lodash@4.17.23: {} loose-envify@1.4.0: @@ -14730,8 +14678,6 @@ snapshots: inherits: 2.0.4 safe-buffer: 5.2.1 - mdn-data@2.0.14: {} - mdn-data@2.0.28: {} mdn-data@2.12.2: {} @@ -14770,11 +14716,11 @@ snapshots: micromatch@4.0.8: dependencies: braces: 3.0.3 - picomatch: 2.3.1 + picomatch: 4.0.3 miller-rabin@4.0.1: dependencies: - bn.js: 4.12.2 + bn.js: 5.2.2 brorand: 1.1.0 mime-db@1.52.0: {} @@ -14813,13 +14759,13 @@ snapshots: minimalistic-crypto-utils@1.0.1: {} - minimatch@3.1.2: + minimatch@10.2.4: dependencies: - brace-expansion: 1.1.12 + brace-expansion: 5.0.5 minimatch@9.0.5: dependencies: - brace-expansion: 2.0.2 + brace-expansion: 5.0.5 minimist@1.2.8: {} @@ -14939,7 +14885,7 @@ snapshots: common-tags: 1.8.2 find-up: 2.1.0 js-yaml: 3.14.2 - lodash: 4.17.21 + lodash: 4.17.23 manage-path: 2.0.0 prefix-matches: 1.0.1 readline-sync: 1.4.10 @@ -15191,7 +15137,7 @@ snapshots: path-parse@1.0.7: {} - path-to-regexp@0.1.12: {} + path-to-regexp@8.4.0: {} path-type@4.0.0: {} @@ -15212,10 +15158,10 @@ snapshots: picocolors@1.1.1: {} - picomatch@2.3.1: {} - picomatch@4.0.3: {} + picomatch@4.0.4: {} + pify@2.3.0: {} pino-abstract-transport@2.0.0: @@ -15368,12 +15314,13 @@ snapshots: camelcase-css: 2.0.1 postcss: 8.5.6 - postcss-load-config@6.0.1(jiti@1.21.7)(postcss@8.5.6): + postcss-load-config@6.0.1(jiti@1.21.7)(postcss@8.5.6)(yaml@2.8.3): dependencies: lilconfig: 3.1.3 optionalDependencies: jiti: 1.21.7 postcss: 8.5.6 + yaml: 2.8.3 postcss-loader@7.3.4(postcss@8.5.6)(typescript@5.9.3)(webpack@5.104.1): dependencies: @@ -15644,13 +15591,13 @@ snapshots: dependencies: postcss: 8.5.6 postcss-value-parser: 4.2.0 - svgo: 2.8.0 + svgo: 4.0.0 postcss-svgo@7.1.0(postcss@8.5.6): dependencies: postcss: 8.5.6 postcss-value-parser: 4.2.0 - svgo: 4.0.0 + svgo: 4.0.1 postcss-unique-selectors@5.1.1(postcss@8.5.6): dependencies: @@ -15758,7 +15705,7 @@ snapshots: public-encrypt@4.0.3: dependencies: - bn.js: 4.12.2 + bn.js: 5.2.2 browserify-rsa: 4.1.1 create-hash: 1.2.0 parse-asn1: 5.1.9 @@ -15810,7 +15757,7 @@ snapshots: dependencies: hookified: 1.13.0 - qs@6.14.1: + qs@6.15.0: dependencies: side-channel: 1.1.0 @@ -15953,7 +15900,7 @@ snapshots: readdirp@3.6.0: dependencies: - picomatch: 2.3.1 + picomatch: 4.0.3 readdirp@4.1.2: {} @@ -16168,13 +16115,15 @@ snapshots: sass@1.97.3: dependencies: chokidar: 4.0.3 - immutable: 5.1.4 + immutable: 5.1.5 source-map-js: 1.2.1 optionalDependencies: '@parcel/watcher': 2.5.6 sax@1.4.4: {} + sax@1.6.0: {} + saxes@5.0.1: dependencies: xmlchars: 2.2.0 @@ -16192,21 +16141,21 @@ snapshots: schema-utils@2.7.1: dependencies: '@types/json-schema': 7.0.15 - ajv: 6.12.6 - ajv-keywords: 3.5.2(ajv@6.12.6) + ajv: 8.18.0 + ajv-keywords: 3.5.2(ajv@8.18.0) schema-utils@3.3.0: dependencies: '@types/json-schema': 7.0.15 - ajv: 6.12.6 - ajv-keywords: 3.5.2(ajv@6.12.6) + ajv: 8.18.0 + ajv-keywords: 3.5.2(ajv@8.18.0) schema-utils@4.3.3: dependencies: '@types/json-schema': 7.0.15 - ajv: 8.17.1 - ajv-formats: 2.1.1(ajv@8.17.1) - ajv-keywords: 5.1.0(ajv@8.17.1) + ajv: 8.18.0 + ajv-formats: 2.1.1(ajv@8.18.0) + ajv-keywords: 5.1.0(ajv@8.18.0) secure-json-parse@4.1.0: {} @@ -16246,9 +16195,7 @@ snapshots: body-parser: empty-npm-package@1.0.0 express: empty-npm-package@1.0.0 - serialize-javascript@6.0.2: - dependencies: - randombytes: 2.1.0 + serialize-javascript@7.0.5: {} seroval-plugins@1.5.0(seroval@1.5.0): dependencies: @@ -16463,7 +16410,7 @@ snapshots: smart-buffer@4.2.0: {} - smol-toml@1.5.2: {} + smol-toml@1.6.1: {} sockjs@0.3.24: dependencies: @@ -16542,8 +16489,6 @@ snapshots: stable-hash-x@0.2.0: {} - stable@0.1.8: {} - stack-utils@2.0.6: dependencies: escape-string-regexp: 2.0.0 @@ -16827,17 +16772,17 @@ snapshots: svg-tags@1.0.0: {} - svgo@2.8.0: + svgo@4.0.0: dependencies: - '@trysound/sax': 0.2.0 - commander: 7.2.0 - css-select: 4.3.0 - css-tree: 1.1.3 - csso: 4.2.0 + commander: 11.1.0 + css-select: 5.2.2 + css-tree: 3.1.0 + css-what: 6.2.2 + csso: 5.0.5 picocolors: 1.1.1 - stable: 0.1.8 + sax: 1.4.4 - svgo@4.0.0: + svgo@4.0.1: dependencies: commander: 11.1.0 css-select: 5.2.2 @@ -16845,7 +16790,7 @@ snapshots: css-what: 6.2.2 csso: 5.0.5 picocolors: 1.1.1 - sax: 1.4.4 + sax: 1.6.0 swc-loader@0.2.6(@swc/core@1.15.3)(webpack@5.104.1): dependencies: @@ -16876,13 +16821,13 @@ snapshots: table@6.9.0: dependencies: - ajv: 8.17.1 + ajv: 8.18.0 lodash.truncate: 4.4.2 slice-ansi: 4.0.0 string-width: 4.2.3 strip-ansi: 6.0.1 - tailwindcss@3.4.19: + tailwindcss@3.4.19(yaml@2.8.3): dependencies: '@alloc/quick-lru': 5.2.0 arg: 5.0.2 @@ -16901,7 +16846,7 @@ snapshots: postcss: 8.5.6 postcss-import: 15.1.0(postcss@8.5.6) postcss-js: 4.1.0(postcss@8.5.6) - postcss-load-config: 6.0.1(jiti@1.21.7)(postcss@8.5.6) + postcss-load-config: 6.0.1(jiti@1.21.7)(postcss@8.5.6)(yaml@2.8.3) postcss-nested: 6.2.0(postcss@8.5.6) postcss-selector-parser: 6.1.2 resolve: 1.22.11 @@ -16941,7 +16886,7 @@ snapshots: dependencies: jest-worker: 27.5.1 schema-utils: 3.3.0 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 source-map: 0.6.1 terser: 5.44.1 webpack: 5.104.1(@swc/core@1.15.3)(webpack-cli@6.0.1) @@ -16952,7 +16897,7 @@ snapshots: dependencies: jest-worker: 27.5.1 schema-utils: 3.3.0 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 source-map: 0.6.1 terser: 5.44.1 webpack: 5.105.2(@swc/core@1.15.3)(webpack-cli@6.0.1) @@ -16964,7 +16909,7 @@ snapshots: '@jridgewell/trace-mapping': 0.3.31 jest-worker: 27.5.1 schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 terser: 5.46.0 webpack: 5.104.1(@swc/core@1.15.3)(webpack-cli@6.0.1) optionalDependencies: @@ -16975,7 +16920,7 @@ snapshots: '@jridgewell/trace-mapping': 0.3.31 jest-worker: 27.5.1 schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 terser: 5.46.0 webpack: 5.105.2(@swc/core@1.15.3) optionalDependencies: @@ -16986,7 +16931,7 @@ snapshots: '@jridgewell/trace-mapping': 0.3.31 jest-worker: 27.5.1 schema-utils: 4.3.3 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 terser: 5.46.0 webpack: 5.105.2(@swc/core@1.15.3)(webpack-cli@6.0.1) optionalDependencies: @@ -17017,7 +16962,7 @@ snapshots: dependencies: '@istanbuljs/schema': 0.1.3 glob: 7.2.3 - minimatch: 3.1.2 + minimatch: 9.0.5 text-decoder@1.2.3: dependencies: @@ -17055,8 +17000,8 @@ snapshots: tinyglobby@0.2.15: dependencies: - fdir: 6.5.0(picomatch@4.0.3) - picomatch: 4.0.3 + fdir: 6.5.0(picomatch@4.0.4) + picomatch: 4.0.4 tmpl@1.0.5: {} @@ -17117,7 +17062,7 @@ snapshots: dependencies: bs-logger: 0.2.6 fast-json-stable-stringify: 2.1.0 - handlebars: 4.7.8 + handlebars: 4.7.9 jest: 29.7.0(@types/node@20.19.25)(babel-plugin-macros@3.1.0) json5: 2.2.3 lodash.memoize: 4.1.2 @@ -17292,10 +17237,6 @@ snapshots: escalade: 3.2.0 picocolors: 1.1.1 - uri-js@4.4.1: - dependencies: - punycode: 2.3.1 - url-loader@4.1.1(file-loader@6.2.0(webpack@5.104.1))(webpack@5.104.1): dependencies: loader-utils: 2.0.4 @@ -17322,7 +17263,7 @@ snapshots: url@0.11.4: dependencies: punycode: 1.4.1 - qs: 6.14.1 + qs: 6.15.0 use-sync-external-store@1.6.0(react@19.2.0): dependencies: @@ -17833,7 +17774,7 @@ snapshots: yallist@3.1.1: {} - yaml@1.10.2: {} + yaml@2.8.3: {} yargs-parser@15.0.3: dependencies: From f42b61ba61dcf2748a5e46f22e2018b057b7772c Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 00:16:29 +0200 Subject: [PATCH 04/13] chore: update loofah to 2.25.1 for URI detection fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses Dependabot advisory for improper detection of disallowed URIs via `allowed_uri?` in loofah 2.25.0. react_on_rails/spec/dummy/Gemfile.lock not updated due to a local bootsnap compilation issue — CI can handle this lockfile update. --- react_on_rails/Gemfile.lock | 4 ++-- react_on_rails_pro/Gemfile.lock | 8 ++++---- react_on_rails_pro/spec/dummy/Gemfile.lock | 20 +++++++++---------- .../spec/execjs-compatible-dummy/Gemfile.lock | 14 ++++++------- 4 files changed, 23 insertions(+), 23 deletions(-) diff --git a/react_on_rails/Gemfile.lock b/react_on_rails/Gemfile.lock index ea535ee717..7f24913ec8 100644 --- a/react_on_rails/Gemfile.lock +++ b/react_on_rails/Gemfile.lock @@ -175,7 +175,7 @@ GEM rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) logger (1.7.0) - loofah (2.25.0) + loofah (2.25.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) mail (2.9.0) @@ -204,7 +204,7 @@ GEM net-smtp (0.5.1) net-protocol nio4r (2.7.5) - nokogiri (1.19.1) + nokogiri (1.19.2) mini_portile2 (~> 2.8.2) racc (~> 1.4) ostruct (0.6.1) diff --git a/react_on_rails_pro/Gemfile.lock b/react_on_rails_pro/Gemfile.lock index 8cd0baf9a5..27b7305977 100644 --- a/react_on_rails_pro/Gemfile.lock +++ b/react_on_rails_pro/Gemfile.lock @@ -217,7 +217,7 @@ GEM rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) logger (1.7.0) - loofah (2.25.0) + loofah (2.25.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) mail (2.9.0) @@ -249,11 +249,11 @@ GEM net-smtp (0.5.1) net-protocol nio4r (2.7.5) - nokogiri (1.19.1-arm64-darwin) + nokogiri (1.19.2-arm64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-darwin) + nokogiri (1.19.2-x86_64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-linux-gnu) + nokogiri (1.19.2-x86_64-linux-gnu) racc (~> 1.4) package_json (0.2.0) parallel (1.27.0) diff --git a/react_on_rails_pro/spec/dummy/Gemfile.lock b/react_on_rails_pro/spec/dummy/Gemfile.lock index f79f8420f1..c560258581 100644 --- a/react_on_rails_pro/spec/dummy/Gemfile.lock +++ b/react_on_rails_pro/spec/dummy/Gemfile.lock @@ -227,7 +227,7 @@ GEM rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) logger (1.7.0) - loofah (2.25.0) + loofah (2.25.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) mail (2.9.0) @@ -260,24 +260,24 @@ GEM net-smtp (0.5.1) net-protocol nio4r (2.7.5) - nokogiri (1.19.1) + nokogiri (1.19.2) mini_portile2 (~> 2.8.2) racc (~> 1.4) - nokogiri (1.19.1-aarch64-linux-gnu) + nokogiri (1.19.2-aarch64-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-aarch64-linux-musl) + nokogiri (1.19.2-aarch64-linux-musl) racc (~> 1.4) - nokogiri (1.19.1-arm-linux-gnu) + nokogiri (1.19.2-arm-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-arm-linux-musl) + nokogiri (1.19.2-arm-linux-musl) racc (~> 1.4) - nokogiri (1.19.1-arm64-darwin) + nokogiri (1.19.2-arm64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-darwin) + nokogiri (1.19.2-x86_64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-linux-gnu) + nokogiri (1.19.2-x86_64-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-x86_64-linux-musl) + nokogiri (1.19.2-x86_64-linux-musl) racc (~> 1.4) package_json (0.2.0) parallel (1.27.0) diff --git a/react_on_rails_pro/spec/execjs-compatible-dummy/Gemfile.lock b/react_on_rails_pro/spec/execjs-compatible-dummy/Gemfile.lock index 18e9d9b1dc..569b67944a 100644 --- a/react_on_rails_pro/spec/execjs-compatible-dummy/Gemfile.lock +++ b/react_on_rails_pro/spec/execjs-compatible-dummy/Gemfile.lock @@ -165,7 +165,7 @@ GEM jwt (2.10.2) base64 logger (1.7.0) - loofah (2.25.0) + loofah (2.25.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) mail (2.9.0) @@ -194,18 +194,18 @@ GEM net-smtp (0.5.1) net-protocol nio4r (2.7.5) - nokogiri (1.19.1) + nokogiri (1.19.2) mini_portile2 (~> 2.8.2) racc (~> 1.4) - nokogiri (1.19.1-aarch64-linux-gnu) + nokogiri (1.19.2-aarch64-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-arm-linux-gnu) + nokogiri (1.19.2-arm-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-arm64-darwin) + nokogiri (1.19.2-arm64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-darwin) + nokogiri (1.19.2-x86_64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-linux-gnu) + nokogiri (1.19.2-x86_64-linux-gnu) racc (~> 1.4) package_json (0.2.0) pp (0.6.3) From 37354a9a695e3258eba6cae6ec0213467c22b93c Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 02:38:06 +0200 Subject: [PATCH 05/13] fix: remove ajv overrides that break webpack build pipeline MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The ajv overrides (v6→v6.14+ and v7→v8.18+) cause incompatibility with ajv-keywords used by schema-utils in terser-webpack-plugin. ajv v8 removed APIs that webpack's toolchain depends on. These two moderate-severity dev-only alerts are accepted as tolerable risk since fixing them requires a breaking API change. --- package.json | 2 -- pnpm-lock.yaml | 48 ++++++++++++++++++++++++++++++++++-------------- 2 files changed, 34 insertions(+), 16 deletions(-) diff --git a/package.json b/package.json index 2f9fc6e70e..716a5b2403 100644 --- a/package.json +++ b/package.json @@ -137,8 +137,6 @@ "minimatch@>=9.0.0 <9.0.7": ">=9.0.7", "minimatch@<3.1.4": ">=3.1.4", "serialize-javascript@<=7.0.2": ">=7.0.3", - "ajv@<6.14.0": ">=6.14.0", - "ajv@>=7.0.0-alpha.0 <8.18.0": ">=8.18.0", "@tootallnate/once@<3.0.1": ">=3.0.1", "svgo@=4.0.0": ">=4.0.1", "svgo@>=2.1.0 <2.8.1": ">=2.8.1", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index e67c9d03f3..394bd2d7df 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -21,8 +21,6 @@ overrides: minimatch@>=9.0.0 <9.0.7: '>=9.0.7' minimatch@<3.1.4: '>=3.1.4' serialize-javascript@<=7.0.2: '>=7.0.3' - ajv@<6.14.0: '>=6.14.0' - ajv@>=7.0.0-alpha.0 <8.18.0: '>=8.18.0' '@tootallnate/once@<3.0.1': '>=3.0.1' svgo@=4.0.0: '>=4.0.1' svgo@>=2.1.0 <2.8.1: '>=2.8.1' @@ -3068,7 +3066,7 @@ packages: ajv-formats@2.1.1: resolution: {integrity: sha512-Wx0Kx52hxE7C18hkMEggYlEifqWZtYaRgouJor+WMdPnQyEK13vgEWyVNup7SoeeoLMsr4kf5h6dOW11I15MUA==} peerDependencies: - ajv: '>=8.18.0' + ajv: ^8.0.0 peerDependenciesMeta: ajv: optional: true @@ -3076,7 +3074,7 @@ packages: ajv-formats@3.0.1: resolution: {integrity: sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==} peerDependencies: - ajv: '>=8.18.0' + ajv: ^8.0.0 peerDependenciesMeta: ajv: optional: true @@ -3084,12 +3082,15 @@ packages: ajv-keywords@3.5.2: resolution: {integrity: sha512-5p6WTN0DdTGVQk6VjcEju19IgaHudalcfabD7yhDGeA6bcQnmL+CpveLJq/3hvfwd1aof6L386Ougkx6RfyMIQ==} peerDependencies: - ajv: '>=6.14.0' + ajv: ^6.9.1 ajv-keywords@5.1.0: resolution: {integrity: sha512-YCS/JNFAUyr5vAuhk1DWm1CBxRHW9LbJ2ozWeemrIqpbsqKjHVxYPyi5GC0rjZIT5JxJ3virVTS8wk4i/Z+krw==} peerDependencies: - ajv: '>=8.18.0' + ajv: ^8.8.2 + + ajv@6.14.0: + resolution: {integrity: sha512-IWrosm/yrn43eiKqkfkHis7QioDleaXQHdDVPKg0FSwwd/DuvyX79TZnFOnYpB7dcsFAMmtFztZuXPDvSePkFw==} ajv@8.18.0: resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==} @@ -5642,6 +5643,9 @@ packages: json-schema-ref-resolver@3.0.0: resolution: {integrity: sha512-hOrZIVL5jyYFjzk7+y7n5JDzGlU8rfWDuYyHwGa2WA8/pcmMHezp2xsVwxrebD/Q9t8Nc5DboieySDpCp4WG4A==} + json-schema-traverse@0.4.1: + resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==} + json-schema-traverse@1.0.0: resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==} @@ -8206,6 +8210,9 @@ packages: peerDependencies: browserslist: '>= 4.21.0' + uri-js@4.4.1: + resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==} + url-loader@4.1.1: resolution: {integrity: sha512-3BTV812+AVHHOJQO8O5MkWgZ5aosP7GnROJwvzLS9hWDj00lZ6Z0wNak423Lp9PBZN05N+Jk/N5Si8jRAlGyWA==} engines: {node: '>= 10.13.0'} @@ -9569,7 +9576,7 @@ snapshots: '@eslint/eslintrc@3.3.1': dependencies: - ajv: 8.18.0 + ajv: 6.14.0 debug: 4.4.3 espree: 10.4.0 globals: 14.0.0 @@ -11211,15 +11218,22 @@ snapshots: optionalDependencies: ajv: 8.18.0 - ajv-keywords@3.5.2(ajv@8.18.0): + ajv-keywords@3.5.2(ajv@6.14.0): dependencies: - ajv: 8.18.0 + ajv: 6.14.0 ajv-keywords@5.1.0(ajv@8.18.0): dependencies: ajv: 8.18.0 fast-deep-equal: 3.1.3 + ajv@6.14.0: + dependencies: + fast-deep-equal: 3.1.3 + fast-json-stable-stringify: 2.1.0 + json-schema-traverse: 0.4.1 + uri-js: 4.4.1 + ajv@8.18.0: dependencies: fast-deep-equal: 3.1.3 @@ -12893,7 +12907,7 @@ snapshots: '@humanwhocodes/module-importer': 1.0.1 '@humanwhocodes/retry': 0.4.3 '@types/estree': 1.0.8 - ajv: 8.18.0 + ajv: 6.14.0 chalk: 4.1.2 cross-spawn: 7.0.6 debug: 4.4.3 @@ -14435,6 +14449,8 @@ snapshots: dependencies: dequal: 2.0.3 + json-schema-traverse@0.4.1: {} + json-schema-traverse@1.0.0: {} json-stable-stringify-without-jsonify@1.0.1: {} @@ -16141,14 +16157,14 @@ snapshots: schema-utils@2.7.1: dependencies: '@types/json-schema': 7.0.15 - ajv: 8.18.0 - ajv-keywords: 3.5.2(ajv@8.18.0) + ajv: 6.14.0 + ajv-keywords: 3.5.2(ajv@6.14.0) schema-utils@3.3.0: dependencies: '@types/json-schema': 7.0.15 - ajv: 8.18.0 - ajv-keywords: 3.5.2(ajv@8.18.0) + ajv: 6.14.0 + ajv-keywords: 3.5.2(ajv@6.14.0) schema-utils@4.3.3: dependencies: @@ -17237,6 +17253,10 @@ snapshots: escalade: 3.2.0 picocolors: 1.1.1 + uri-js@4.4.1: + dependencies: + punycode: 2.3.1 + url-loader@4.1.1(file-loader@6.2.0(webpack@5.104.1))(webpack@5.104.1): dependencies: loader-utils: 2.0.4 From 6c5017aec90681eb58fd89a89bfbf7e709c94bd3 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 02:46:02 +0200 Subject: [PATCH 06/13] docs: add CodeQL migration instructions for admin --- .github/CODEQL_MIGRATION.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/CODEQL_MIGRATION.md diff --git a/.github/CODEQL_MIGRATION.md b/.github/CODEQL_MIGRATION.md new file mode 100644 index 0000000000..95e80be118 --- /dev/null +++ b/.github/CODEQL_MIGRATION.md @@ -0,0 +1,25 @@ +# CodeQL: Disable Default Setup Before Merging PR #2884 + +PR #2884 adds a CodeQL advanced setup workflow that replaces the current default setup. GitHub does not allow both to run simultaneously — the advanced workflow will fail until the default is disabled. + +## Steps (requires admin access) + +1. Go to https://github.com/shakacode/react_on_rails/settings/security_analysis +2. Find the **"CodeQL analysis"** row +3. Click the **three-dot menu** (⋮) to the right +4. Click **"Disable CodeQL"** +5. Confirm in the popup +6. Merge PR #2884 + +## Or via CLI + +```bash +gh api --method PATCH repos/shakacode/react_on_rails/code-scanning/default-setup -f state=not-configured +``` + +## Notes + +- Existing alerts are NOT deleted — they remain visible until the advanced workflow produces new results. +- After merge, the advanced workflow runs on push/PR to `main` and weekly (Monday 6am UTC). +- The advanced workflow excludes `tests/fixtures/` and `spec/dummy/` from scanning to eliminate false positives from build artifacts and test apps. +- This file can be deleted after the migration is complete. From c1c03bd19465c00e83caeccf471338b716b6e542 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 02:47:09 +0200 Subject: [PATCH 07/13] Revert "docs: add CodeQL migration instructions for admin" This reverts commit 6c5017aec90681eb58fd89a89bfbf7e709c94bd3. --- .github/CODEQL_MIGRATION.md | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 .github/CODEQL_MIGRATION.md diff --git a/.github/CODEQL_MIGRATION.md b/.github/CODEQL_MIGRATION.md deleted file mode 100644 index 95e80be118..0000000000 --- a/.github/CODEQL_MIGRATION.md +++ /dev/null @@ -1,25 +0,0 @@ -# CodeQL: Disable Default Setup Before Merging PR #2884 - -PR #2884 adds a CodeQL advanced setup workflow that replaces the current default setup. GitHub does not allow both to run simultaneously — the advanced workflow will fail until the default is disabled. - -## Steps (requires admin access) - -1. Go to https://github.com/shakacode/react_on_rails/settings/security_analysis -2. Find the **"CodeQL analysis"** row -3. Click the **three-dot menu** (⋮) to the right -4. Click **"Disable CodeQL"** -5. Confirm in the popup -6. Merge PR #2884 - -## Or via CLI - -```bash -gh api --method PATCH repos/shakacode/react_on_rails/code-scanning/default-setup -f state=not-configured -``` - -## Notes - -- Existing alerts are NOT deleted — they remain visible until the advanced workflow produces new results. -- After merge, the advanced workflow runs on push/PR to `main` and weekly (Monday 6am UTC). -- The advanced workflow excludes `tests/fixtures/` and `spec/dummy/` from scanning to eliminate false positives from build artifacts and test apps. -- This file can be deleted after the migration is complete. From 8e911512efbf39793ddeb94c27763d9dc945e762 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 02:55:35 +0200 Subject: [PATCH 08/13] fix: cap pnpm overrides at major version boundaries pnpm audit --fix generates unbounded override ranges like "brace-expansion@<1.1.13": ">=1.1.13" which can resolve to v2.x where v1.x is expected, breaking API compatibility. Cap all overrides that could cross major versions: - brace-expansion: >=1.1.13 <2 - minimatch: >=3.1.4 <4 - picomatch: >=2.3.2 <3 - svgo: >=2.8.1 <3 - bn.js: >=4.12.3 <5 - path-to-regexp: >=0.1.13 <1 - yaml: >=1.10.3 <2 --- package.json | 16 ++--- pnpm-lock.yaml | 176 ++++++++++++++++++++++++++++++++----------------- 2 files changed, 122 insertions(+), 70 deletions(-) diff --git a/package.json b/package.json index 716a5b2403..b6fe237203 100644 --- a/package.json +++ b/package.json @@ -130,29 +130,29 @@ "lodash@>=4.0.0 <=4.17.22": ">=4.17.23", "qs@>=6.7.0 <=6.14.1": ">=6.14.2", "bn.js@>=5.0.0 <5.2.3": ">=5.2.3", - "bn.js@<4.12.3": ">=4.12.3", - "minimatch@<3.1.3": ">=3.1.3", + "bn.js@<4.12.3": ">=4.12.3 <5", + "minimatch@<3.1.3": ">=3.1.3 <4", "minimatch@>=9.0.0 <9.0.6": ">=9.0.6", "basic-ftp@<5.2.0": ">=5.2.0", "minimatch@>=9.0.0 <9.0.7": ">=9.0.7", - "minimatch@<3.1.4": ">=3.1.4", + "minimatch@<3.1.4": ">=3.1.4 <4", "serialize-javascript@<=7.0.2": ">=7.0.3", "@tootallnate/once@<3.0.1": ">=3.0.1", "svgo@=4.0.0": ">=4.0.1", - "svgo@>=2.1.0 <2.8.1": ">=2.8.1", + "svgo@>=2.1.0 <2.8.1": ">=2.8.1 <3", "immutable@>=5.0.0 <5.1.5": ">=5.1.5", "flatted@<3.4.0": ">=3.4.0", "flatted@<=3.4.1": ">=3.4.2", "smol-toml@<1.6.1": ">=1.6.1", "handlebars@>=4.0.0 <=4.7.8": ">=4.7.9", "serialize-javascript@<7.0.5": ">=7.0.5", - "path-to-regexp@<0.1.13": ">=0.1.13", - "brace-expansion@<1.1.13": ">=1.1.13", + "path-to-regexp@<0.1.13": ">=0.1.13 <1", + "brace-expansion@<1.1.13": ">=1.1.13 <2", "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3", "handlebars@>=4.0.0 <4.7.9": ">=4.7.9", - "picomatch@<2.3.2": ">=2.3.2", + "picomatch@<2.3.2": ">=2.3.2 <3", "picomatch@>=4.0.0 <4.0.4": ">=4.0.4", - "yaml@>=1.0.0 <1.10.3": ">=1.10.3" + "yaml@>=1.0.0 <1.10.3": ">=1.10.3 <2" } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 394bd2d7df..610ff09cc8 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -14,29 +14,29 @@ overrides: lodash@>=4.0.0 <=4.17.22: '>=4.17.23' qs@>=6.7.0 <=6.14.1: '>=6.14.2' bn.js@>=5.0.0 <5.2.3: '>=5.2.3' - bn.js@<4.12.3: '>=4.12.3' - minimatch@<3.1.3: '>=3.1.3' + bn.js@<4.12.3: '>=4.12.3 <5' + minimatch@<3.1.3: '>=3.1.3 <4' minimatch@>=9.0.0 <9.0.6: '>=9.0.6' basic-ftp@<5.2.0: '>=5.2.0' minimatch@>=9.0.0 <9.0.7: '>=9.0.7' - minimatch@<3.1.4: '>=3.1.4' + minimatch@<3.1.4: '>=3.1.4 <4' serialize-javascript@<=7.0.2: '>=7.0.3' '@tootallnate/once@<3.0.1': '>=3.0.1' svgo@=4.0.0: '>=4.0.1' - svgo@>=2.1.0 <2.8.1: '>=2.8.1' + svgo@>=2.1.0 <2.8.1: '>=2.8.1 <3' immutable@>=5.0.0 <5.1.5: '>=5.1.5' flatted@<3.4.0: '>=3.4.0' flatted@<=3.4.1: '>=3.4.2' smol-toml@<1.6.1: '>=1.6.1' handlebars@>=4.0.0 <=4.7.8: '>=4.7.9' serialize-javascript@<7.0.5: '>=7.0.5' - path-to-regexp@<0.1.13: '>=0.1.13' - brace-expansion@<1.1.13: '>=1.1.13' + path-to-regexp@<0.1.13: '>=0.1.13 <1' + brace-expansion@<1.1.13: '>=1.1.13 <2' brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3' handlebars@>=4.0.0 <4.7.9: '>=4.7.9' - picomatch@<2.3.2: '>=2.3.2' + picomatch@<2.3.2: '>=2.3.2 <3' picomatch@>=4.0.0 <4.0.4: '>=4.0.4' - yaml@>=1.0.0 <1.10.3: '>=1.10.3' + yaml@>=1.0.0 <1.10.3: '>=1.10.3 <2' importers: @@ -3341,6 +3341,9 @@ packages: peerDependencies: '@babel/core': ^7.0.0 + balanced-match@1.0.2: + resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==} + balanced-match@2.0.0: resolution: {integrity: sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==} @@ -3411,8 +3414,8 @@ packages: resolution: {integrity: sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==} engines: {node: '>=8'} - bn.js@5.2.2: - resolution: {integrity: sha512-v2YAxEmKaBLahNwE1mjp4WON6huMNeuDvagFZW+ASCuA/ku0bXR9hSMw0XpiqMoA3+rmnyck/tPRSFQkoC9Cuw==} + bn.js@4.12.3: + resolution: {integrity: sha512-fGTi3gxV/23FTYdAoUtLYp6qySe2KE3teyZitipKNRuVYcBkoP/bB3guXN/XVKUe9mxCHXnc9C4ocyz8OmgN0g==} bn.js@5.2.3: resolution: {integrity: sha512-EAcmnPkxpntVL+DS7bO1zhcZNvCkxqtkd0ZY53h06GNQ3DEkkGZ/gKgmDv6DdZQGj9BgfSPKtJJ7Dp1GPP8f7w==} @@ -3427,6 +3430,9 @@ packages: boolbase@1.0.0: resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==} + brace-expansion@1.1.13: + resolution: {integrity: sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==} + brace-expansion@5.0.5: resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} engines: {node: 18 || 20 || >=22} @@ -3687,6 +3693,10 @@ packages: resolution: {integrity: sha512-NOKm8xhkzAjzFx8B2v5OAHT+u5pRQc2UCa2Vq9jYL/31o2wi9mxBA7LIFs3sV5VSC49z6pEhfbMULvShKj26WA==} engines: {node: '>= 6'} + commander@7.2.0: + resolution: {integrity: sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==} + engines: {node: '>= 10'} + commander@8.3.0: resolution: {integrity: sha512-OkTL9umf+He2DZkUq8f8J9of7yL6RJKI24dVITBmNfZBmri9zYZQrKkuXiKhyfPSu8tUhnVBB1iKXevvnlR4Ww==} engines: {node: '>= 12'} @@ -3712,6 +3722,9 @@ packages: resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==} engines: {node: '>= 0.8.0'} + concat-map@0.0.1: + resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} + confusing-browser-globals@1.0.11: resolution: {integrity: sha512-JsPKdmh8ZkmnHxDk55FZ1TqVLvEQTvoByJZRN9jzI0UjxK/QgAmsphz7PGtqgPieQZ/CQcHWXCR7ATDNhGe+YA==} @@ -3902,6 +3915,10 @@ packages: css-select@5.2.2: resolution: {integrity: sha512-TizTzUddG/xYLA3NXodFM0fSbNizXjOKhqiQQwvhlspadZokn1KDy0NZFS0wuEubIYAV5/c1/lAr0TaaFXEXzw==} + css-tree@1.1.3: + resolution: {integrity: sha512-tRpdppF7TRazZrjJ6v3stzv93qxRcSsFmW6cX0Zm2NVKpxE1WV1HblnghVv9TreireHkqI/VDEsfolRF1p6y7Q==} + engines: {node: '>=8.0.0'} + css-tree@2.2.1: resolution: {integrity: sha512-OA0mILzGc1kCOCSJerOeqDxDQ4HOh+G8NbOJFOTgOCzpw7fCBubk0fEyxp8AgOL/jvLgYA/uV0cMbe43ElF1JA==} engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0, npm: '>=7.0.0'} @@ -3958,6 +3975,10 @@ packages: peerDependencies: postcss: ^8.4.32 + csso@4.2.0: + resolution: {integrity: sha512-wvlcdIbf6pwKEk7vHj8/Bkc0B4ylXZruLvOgs9doS5eOsOpuodOV2zJChSpkp+pRpYQLQMeF04nr3Z68Sta9jA==} + engines: {node: '>=8.0.0'} + csso@5.0.5: resolution: {integrity: sha512-0LrrStPOdJj+SPCCrGhzryycLjwcgUSHBtxNA8aIDxf0GLsRh1cKYhB00Gd1lDOS4yGH69+SNn13+TWbVHETFQ==} engines: {node: ^10 || ^12.20.0 || ^14.13.0 || >=15.0.0, npm: '>=7.0.0'} @@ -5886,6 +5907,9 @@ packages: md5.js@1.3.5: resolution: {integrity: sha512-xitP+WxNPcTTOgnTJcrhM0xvdPepipPSf3I8EIpGKeFLjt3PlJLIDG3u8EX53ZIubkb+5U2+3rELYpEhHhzdkg==} + mdn-data@2.0.14: + resolution: {integrity: sha512-dn6wd0uw5GsdswPFfsgMp5NSB0/aDe6fK94YJV/AJDYXL6HVLWBsxeq7js7Ad+mU2K9LAlwpk6kN2D5mwCPVow==} + mdn-data@2.0.28: resolution: {integrity: sha512-aylIc7Z9y4yzHYAJNuESG3hfhC+0Ibp/MAMiaOZgNv4pmEdFyfZhhhny4MNiAfWdBQ1RQ2mfDWmM1x8SvGyp8g==} @@ -5979,9 +6003,8 @@ packages: resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==} engines: {node: 18 || 20 || >=22} - minimatch@9.0.5: - resolution: {integrity: sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==} - engines: {node: '>=16 || 14 >=14.17'} + minimatch@3.1.5: + resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==} minimist@1.2.8: resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==} @@ -6310,8 +6333,8 @@ packages: path-parse@1.0.7: resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==} - path-to-regexp@8.4.0: - resolution: {integrity: sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==} + path-to-regexp@0.2.5: + resolution: {integrity: sha512-l6qtdDPIkmAmzEO6egquYDfqQGPMRNGjYtrU13HAXb3YSRrt7HSb1sJY0pKp6o2bAa86tSB6iwaW2JbthPKr7Q==} path-type@4.0.0: resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==} @@ -6330,9 +6353,9 @@ packages: picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@4.0.3: - resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==} - engines: {node: '>=12'} + picomatch@2.3.2: + resolution: {integrity: sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==} + engines: {node: '>=8.6'} picomatch@4.0.4: resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} @@ -7285,10 +7308,6 @@ packages: engines: {node: '>=14.0.0'} hasBin: true - sax@1.4.4: - resolution: {integrity: sha512-1n3r/tGXO6b6VXMdFT54SHzT9ytu9yr7TaELowdYpMqY/Ao7EnlQGmAQ1+RatX7Tkkdm6hONI2owqNx2aZj5Sw==} - engines: {node: '>=11.0.0'} - sax@1.6.0: resolution: {integrity: sha512-6R3J5M4AcbtLUdZmRv2SygeVaM7IhrLXu9BmnOGmmACak8fiUtOsYNWUS4uK7upbmHIBbLBeFeI//477BKLBzA==} engines: {node: '>=11.0.0'} @@ -7616,6 +7635,10 @@ packages: resolution: {integrity: sha512-o3yWv49B/o4QZk5ZcsALc6t0+eCelPc44zZsLtCQnZPDwFpDYSWcDnrv2TtMmMbQ7uKo3J0HTURCqckw23czNQ==} engines: {node: '>=12.0.0'} + stable@0.1.8: + resolution: {integrity: sha512-ji9qxRnOVfcuLDySj9qzhGSEFVobyt1kIOSkj1qZzYLzq7Tos/oUUWvotUPQLlrsidqsK6tBH89Bc9kL5zHA6w==} + deprecated: 'Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility' + stack-utils@2.0.6: resolution: {integrity: sha512-XlkWvfIm6RmsWtNJx+uqtKLS8eqFbxUg0ZzLXqY0caEy9l7hruX8IpiDnjsLavoBgqCCR71TqWO8MaXYheJ3RQ==} engines: {node: '>=10'} @@ -7826,9 +7849,9 @@ packages: svg-tags@1.0.0: resolution: {integrity: sha512-ovssysQTa+luh7A5Weu3Rta6FJlFBBbInjOh722LIt6klpU2/HtdUbszju/G4devcvk8PGt7FCLv5wftu3THUA==} - svgo@4.0.0: - resolution: {integrity: sha512-VvrHQ+9uniE+Mvx3+C9IEe/lWasXCU0nXMY2kZeLrHNICuRiC8uMPyM14UEaMOFA5mhyQqEkB02VoQ16n3DLaw==} - engines: {node: '>=16'} + svgo@2.8.2: + resolution: {integrity: sha512-TyzE4NVGLUFy+H/Uy4N6c3G0HEeprsVfge6Lmq+0FdQQ/zqoVYB62IsBZORsiL+o96s6ff/V6/3UQo/C0cgCAA==} + engines: {node: '>=10.13.0'} hasBin: true svgo@4.0.1: @@ -8548,6 +8571,10 @@ packages: yallist@3.1.1: resolution: {integrity: sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==} + yaml@1.10.3: + resolution: {integrity: sha512-vIYeF1u3CjlhAFekPPAk2h/Kv4T3mAkMox5OymRiJQB0spDP10LHvt+K7G9Ny6NuuMAb25/6n1qyUjAcGNf/AA==} + engines: {node: '>= 6'} + yaml@2.8.3: resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==} engines: {node: '>= 14.6'} @@ -9562,7 +9589,7 @@ snapshots: dependencies: '@eslint/object-schema': 2.1.7 debug: 4.4.3 - minimatch: 9.0.5 + minimatch: 3.1.5 transitivePeerDependencies: - supports-color @@ -9583,7 +9610,7 @@ snapshots: ignore: 5.3.2 import-fresh: 3.3.1 js-yaml: 4.1.1 - minimatch: 9.0.5 + minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: - supports-color @@ -11274,7 +11301,7 @@ snapshots: anymatch@3.1.3: dependencies: normalize-path: 3.0.0 - picomatch: 4.0.3 + picomatch: 2.3.2 arg@5.0.2: {} @@ -11365,7 +11392,7 @@ snapshots: asn1.js@4.10.1: dependencies: - bn.js: 5.2.2 + bn.js: 4.12.3 inherits: 2.0.4 minimalistic-assert: 1.0.1 @@ -11557,6 +11584,8 @@ snapshots: babel-plugin-jest-hoist: 29.6.3 babel-preset-current-node-syntax: 1.2.0(@babel/core@7.28.5) + balanced-match@1.0.2: {} + balanced-match@2.0.0: {} balanced-match@4.0.4: {} @@ -11612,7 +11641,7 @@ snapshots: binary-extensions@2.3.0: {} - bn.js@5.2.2: {} + bn.js@4.12.3: {} bn.js@5.2.3: {} @@ -11640,6 +11669,11 @@ snapshots: boolbase@1.0.0: {} + brace-expansion@1.1.13: + dependencies: + balanced-match: 1.0.2 + concat-map: 0.0.1 + brace-expansion@5.0.5: dependencies: balanced-match: 4.0.4 @@ -11927,6 +11961,8 @@ snapshots: commander@4.1.1: {} + commander@7.2.0: {} + commander@8.3.0: {} common-tags@1.8.2: {} @@ -11961,6 +11997,8 @@ snapshots: transitivePeerDependencies: - supports-color + concat-map@0.0.1: {} + confusing-browser-globals@1.0.11: {} connect-history-api-fallback@2.0.0: {} @@ -12001,7 +12039,7 @@ snapshots: import-fresh: 3.3.1 parse-json: 5.2.0 path-type: 4.0.0 - yaml: 2.8.3 + yaml: 1.10.3 cosmiconfig@8.3.6(typescript@5.9.3): dependencies: @@ -12023,7 +12061,7 @@ snapshots: create-ecdh@4.0.4: dependencies: - bn.js: 5.2.2 + bn.js: 4.12.3 elliptic: 6.6.1 create-hash@1.2.0: @@ -12175,6 +12213,11 @@ snapshots: domutils: 3.2.2 nth-check: 2.1.1 + css-tree@1.1.3: + dependencies: + mdn-data: 2.0.14 + source-map: 0.6.1 + css-tree@2.2.1: dependencies: mdn-data: 2.0.28 @@ -12271,7 +12314,7 @@ snapshots: cssnano-preset-default: 5.2.14(postcss@8.5.6) lilconfig: 2.1.0 postcss: 8.5.6 - yaml: 2.8.3 + yaml: 1.10.3 cssnano@7.1.2(postcss@8.5.6): dependencies: @@ -12279,6 +12322,10 @@ snapshots: lilconfig: 3.1.3 postcss: 8.5.6 + csso@4.2.0: + dependencies: + css-tree: 1.1.3 + csso@5.0.5: dependencies: css-tree: 2.2.1 @@ -12422,7 +12469,7 @@ snapshots: diffie-hellman@5.0.3: dependencies: - bn.js: 5.2.2 + bn.js: 4.12.3 miller-rabin: 4.0.1 randombytes: 2.1.0 @@ -12517,7 +12564,7 @@ snapshots: elliptic@6.6.1: dependencies: - bn.js: 5.2.2 + bn.js: 4.12.3 brorand: 1.1.0 hash.js: 1.1.7 hmac-drbg: 1.0.1 @@ -12788,7 +12835,7 @@ snapshots: hasown: 2.0.2 is-core-module: 2.16.1 is-glob: 4.0.3 - minimatch: 9.0.5 + minimatch: 3.1.5 object.fromentries: 2.0.8 object.groupby: 1.0.3 object.values: 1.2.1 @@ -12827,7 +12874,7 @@ snapshots: hasown: 2.0.2 jsx-ast-utils: 3.3.5 language-tags: 1.0.9 - minimatch: 9.0.5 + minimatch: 3.1.5 object.fromentries: 2.0.8 safe-regex-test: 1.1.0 string.prototype.includes: 2.0.1 @@ -12858,7 +12905,7 @@ snapshots: estraverse: 5.3.0 hasown: 2.0.2 jsx-ast-utils: 3.3.5 - minimatch: 9.0.5 + minimatch: 3.1.5 object.entries: 1.1.9 object.fromentries: 2.0.8 object.values: 1.2.1 @@ -12926,7 +12973,7 @@ snapshots: is-glob: 4.0.3 json-stable-stringify-without-jsonify: 1.0.1 lodash.merge: 4.6.2 - minimatch: 9.0.5 + minimatch: 3.1.5 natural-compare: 1.4.0 optionator: 0.9.4 optionalDependencies: @@ -13053,7 +13100,7 @@ snapshots: methods: 1.1.2 on-finished: 2.4.1 parseurl: 1.3.3 - path-to-regexp: 8.4.0 + path-to-regexp: 0.2.5 proxy-addr: 2.0.7 qs: 6.15.0 range-parser: 1.2.1 @@ -13405,7 +13452,7 @@ snapshots: fs.realpath: 1.0.0 inflight: 1.0.6 inherits: 2.0.4 - minimatch: 9.0.5 + minimatch: 3.1.5 once: 1.4.0 path-is-absolute: 1.0.1 @@ -14253,7 +14300,7 @@ snapshots: chalk: 4.1.2 ci-info: 3.9.0 graceful-fs: 4.2.11 - picomatch: 4.0.3 + picomatch: 2.3.2 jest-util@30.2.0: dependencies: @@ -14694,6 +14741,8 @@ snapshots: inherits: 2.0.4 safe-buffer: 5.2.1 + mdn-data@2.0.14: {} + mdn-data@2.0.28: {} mdn-data@2.12.2: {} @@ -14732,11 +14781,11 @@ snapshots: micromatch@4.0.8: dependencies: braces: 3.0.3 - picomatch: 4.0.3 + picomatch: 2.3.2 miller-rabin@4.0.1: dependencies: - bn.js: 5.2.2 + bn.js: 4.12.3 brorand: 1.1.0 mime-db@1.52.0: {} @@ -14779,9 +14828,9 @@ snapshots: dependencies: brace-expansion: 5.0.5 - minimatch@9.0.5: + minimatch@3.1.5: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 1.1.13 minimist@1.2.8: {} @@ -15153,7 +15202,7 @@ snapshots: path-parse@1.0.7: {} - path-to-regexp@8.4.0: {} + path-to-regexp@0.2.5: {} path-type@4.0.0: {} @@ -15174,7 +15223,7 @@ snapshots: picocolors@1.1.1: {} - picomatch@4.0.3: {} + picomatch@2.3.2: {} picomatch@4.0.4: {} @@ -15607,7 +15656,7 @@ snapshots: dependencies: postcss: 8.5.6 postcss-value-parser: 4.2.0 - svgo: 4.0.0 + svgo: 2.8.2 postcss-svgo@7.1.0(postcss@8.5.6): dependencies: @@ -15721,7 +15770,7 @@ snapshots: public-encrypt@4.0.3: dependencies: - bn.js: 5.2.2 + bn.js: 4.12.3 browserify-rsa: 4.1.1 create-hash: 1.2.0 parse-asn1: 5.1.9 @@ -15916,7 +15965,7 @@ snapshots: readdirp@3.6.0: dependencies: - picomatch: 4.0.3 + picomatch: 2.3.2 readdirp@4.1.2: {} @@ -16136,8 +16185,6 @@ snapshots: optionalDependencies: '@parcel/watcher': 2.5.6 - sax@1.4.4: {} - sax@1.6.0: {} saxes@5.0.1: @@ -16505,6 +16552,8 @@ snapshots: stable-hash-x@0.2.0: {} + stable@0.1.8: {} + stack-utils@2.0.6: dependencies: escape-string-regexp: 2.0.0 @@ -16788,15 +16837,15 @@ snapshots: svg-tags@1.0.0: {} - svgo@4.0.0: + svgo@2.8.2: dependencies: - commander: 11.1.0 - css-select: 5.2.2 - css-tree: 3.1.0 - css-what: 6.2.2 - csso: 5.0.5 + commander: 7.2.0 + css-select: 4.3.0 + css-tree: 1.1.3 + csso: 4.2.0 picocolors: 1.1.1 - sax: 1.4.4 + sax: 1.6.0 + stable: 0.1.8 svgo@4.0.1: dependencies: @@ -16978,7 +17027,7 @@ snapshots: dependencies: '@istanbuljs/schema': 0.1.3 glob: 7.2.3 - minimatch: 9.0.5 + minimatch: 3.1.5 text-decoder@1.2.3: dependencies: @@ -17794,7 +17843,10 @@ snapshots: yallist@3.1.1: {} - yaml@2.8.3: {} + yaml@1.10.3: {} + + yaml@2.8.3: + optional: true yargs-parser@15.0.3: dependencies: From 5fa898191a5671a79deea22ca646737cf8cd541d Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 03:25:16 +0200 Subject: [PATCH 09/13] chore: document pnpm overrides and ajv exclusion rationale --- package.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/package.json b/package.json index b6fe237203..d3a16a7ddd 100644 --- a/package.json +++ b/package.json @@ -120,6 +120,12 @@ "homepage": "https://github.com/shakacode/react_on_rails#readme", "packageManager": "pnpm@9.14.2", "pnpm": { + "// for overrides": [ + "Generated via pnpm audit --fix, with manual caps added to prevent major version jumps.", + "These force patched versions of transitive dev dependencies. Remove when upstream packages update.", + "ajv overrides were intentionally excluded: ajv v8 breaks webpack's schema-utils/ajv-keywords.", + "The 2 moderate ajv alerts (ReDoS in $data option) are tolerable — ajv only validates our own config files." + ], "overrides": { "react": "$react", "react-dom": "$react-dom", From 78759c3e8c16fa0a4c159227d0ba5739800e1c71 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 03:40:25 +0200 Subject: [PATCH 10/13] chore: address review feedback on security audit PR - Consolidate redundant pnpm overrides (remove 5 subsumed entries that were auto-generated by pnpm audit --fix for different CVEs covering the same version ranges) - Cap minimatch 9.x override at <10 to prevent major version jump - Add category parameter to CodeQL analyze step (matches official GitHub template, provides cleaner labels in Security tab) - Add actions: read permission to CodeQL workflow (required if repo ever becomes private, harmless on public repos) - Add execjs-compatible-dummy to CodeQL paths-ignore exclusions --- .github/codeql/codeql-config.yml | 1 + .github/workflows/codeql.yml | 3 +++ package.json | 13 ++++--------- pnpm-lock.yaml | 31 +++++++++++++------------------ 4 files changed, 21 insertions(+), 27 deletions(-) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index 730f80603a..1c875b5e21 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -5,4 +5,5 @@ paths-ignore: - 'packages/react-on-rails-pro-node-renderer/tests/fixtures/**' - 'react_on_rails_pro/spec/dummy/**' + - 'react_on_rails_pro/spec/execjs-compatible-dummy/**' - 'react_on_rails/spec/dummy/**' diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e5a81e3420..03251b0572 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,6 +15,7 @@ jobs: permissions: security-events: write contents: read + actions: read strategy: fail-fast: false matrix: @@ -34,3 +35,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v4 + with: + category: '/language:${{ matrix.language }}' diff --git a/package.json b/package.json index d3a16a7ddd..3aa2b659b3 100644 --- a/package.json +++ b/package.json @@ -137,25 +137,20 @@ "qs@>=6.7.0 <=6.14.1": ">=6.14.2", "bn.js@>=5.0.0 <5.2.3": ">=5.2.3", "bn.js@<4.12.3": ">=4.12.3 <5", - "minimatch@<3.1.3": ">=3.1.3 <4", - "minimatch@>=9.0.0 <9.0.6": ">=9.0.6", - "basic-ftp@<5.2.0": ">=5.2.0", - "minimatch@>=9.0.0 <9.0.7": ">=9.0.7", "minimatch@<3.1.4": ">=3.1.4 <4", - "serialize-javascript@<=7.0.2": ">=7.0.3", + "minimatch@>=9.0.0 <9.0.7": ">=9.0.7 <10", + "basic-ftp@<5.2.0": ">=5.2.0", + "serialize-javascript@<7.0.5": ">=7.0.5", "@tootallnate/once@<3.0.1": ">=3.0.1", "svgo@=4.0.0": ">=4.0.1", "svgo@>=2.1.0 <2.8.1": ">=2.8.1 <3", "immutable@>=5.0.0 <5.1.5": ">=5.1.5", - "flatted@<3.4.0": ">=3.4.0", "flatted@<=3.4.1": ">=3.4.2", "smol-toml@<1.6.1": ">=1.6.1", - "handlebars@>=4.0.0 <=4.7.8": ">=4.7.9", - "serialize-javascript@<7.0.5": ">=7.0.5", + "handlebars@>=4.0.0 <4.7.9": ">=4.7.9", "path-to-regexp@<0.1.13": ">=0.1.13 <1", "brace-expansion@<1.1.13": ">=1.1.13 <2", "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3", - "handlebars@>=4.0.0 <4.7.9": ">=4.7.9", "picomatch@<2.3.2": ">=2.3.2 <3", "picomatch@>=4.0.0 <4.0.4": ">=4.0.4", "yaml@>=1.0.0 <1.10.3": ">=1.10.3 <2" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 610ff09cc8..7ba75867ed 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -15,25 +15,20 @@ overrides: qs@>=6.7.0 <=6.14.1: '>=6.14.2' bn.js@>=5.0.0 <5.2.3: '>=5.2.3' bn.js@<4.12.3: '>=4.12.3 <5' - minimatch@<3.1.3: '>=3.1.3 <4' - minimatch@>=9.0.0 <9.0.6: '>=9.0.6' - basic-ftp@<5.2.0: '>=5.2.0' - minimatch@>=9.0.0 <9.0.7: '>=9.0.7' minimatch@<3.1.4: '>=3.1.4 <4' - serialize-javascript@<=7.0.2: '>=7.0.3' + minimatch@>=9.0.0 <9.0.7: '>=9.0.7 <10' + basic-ftp@<5.2.0: '>=5.2.0' + serialize-javascript@<7.0.5: '>=7.0.5' '@tootallnate/once@<3.0.1': '>=3.0.1' svgo@=4.0.0: '>=4.0.1' svgo@>=2.1.0 <2.8.1: '>=2.8.1 <3' immutable@>=5.0.0 <5.1.5: '>=5.1.5' - flatted@<3.4.0: '>=3.4.0' flatted@<=3.4.1: '>=3.4.2' smol-toml@<1.6.1: '>=1.6.1' - handlebars@>=4.0.0 <=4.7.8: '>=4.7.9' - serialize-javascript@<7.0.5: '>=7.0.5' + handlebars@>=4.0.0 <4.7.9: '>=4.7.9' path-to-regexp@<0.1.13: '>=0.1.13 <1' brace-expansion@<1.1.13: '>=1.1.13 <2' brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3' - handlebars@>=4.0.0 <4.7.9: '>=4.7.9' picomatch@<2.3.2: '>=2.3.2 <3' picomatch@>=4.0.0 <4.0.4: '>=4.0.4' yaml@>=1.0.0 <1.10.3: '>=1.10.3 <2' @@ -5999,13 +5994,13 @@ packages: minimalistic-crypto-utils@1.0.1: resolution: {integrity: sha512-JIYlbt6g8i5jKfJ3xz7rF0LXmv2TkDxBLUkiBeZ7bAx4GnnNMr8xFpGnOxn6GhTEHx3SjRrZEoU+j04prX1ktg==} - minimatch@10.2.4: - resolution: {integrity: sha512-oRjTw/97aTBN0RHbYCdtF1MQfvusSIBQM0IZEgzl6426+8jSC0nF1a/GmnVLpfB9yyr6g6FTqWqiZVbxrtaCIg==} - engines: {node: 18 || 20 || >=22} - minimatch@3.1.5: resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==} + minimatch@9.0.9: + resolution: {integrity: sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==} + engines: {node: '>=16 || 14 >=14.17'} + minimist@1.2.8: resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==} @@ -10971,7 +10966,7 @@ snapshots: '@typescript-eslint/types': 8.48.0 '@typescript-eslint/visitor-keys': 8.48.0 debug: 4.4.3 - minimatch: 10.2.4 + minimatch: 9.0.9 semver: 7.7.4 tinyglobby: 0.2.15 ts-api-utils: 2.1.0(typescript@5.9.3) @@ -14824,14 +14819,14 @@ snapshots: minimalistic-crypto-utils@1.0.1: {} - minimatch@10.2.4: - dependencies: - brace-expansion: 5.0.5 - minimatch@3.1.5: dependencies: brace-expansion: 1.1.13 + minimatch@9.0.9: + dependencies: + brace-expansion: 5.0.5 + minimist@1.2.8: {} mitt@3.0.1: {} From 4df7e19e7d4643c2d377ef775eee2938072e11a7 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 04:00:17 +0200 Subject: [PATCH 11/13] fix: cap brace-expansion 2.x override at <3 to prevent v5 resolution --- package.json | 2 +- pnpm-lock.yaml | 19 ++++++------------- 2 files changed, 7 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index 3aa2b659b3..31cab6c4d7 100644 --- a/package.json +++ b/package.json @@ -150,7 +150,7 @@ "handlebars@>=4.0.0 <4.7.9": ">=4.7.9", "path-to-regexp@<0.1.13": ">=0.1.13 <1", "brace-expansion@<1.1.13": ">=1.1.13 <2", - "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3", + "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3 <3", "picomatch@<2.3.2": ">=2.3.2 <3", "picomatch@>=4.0.0 <4.0.4": ">=4.0.4", "yaml@>=1.0.0 <1.10.3": ">=1.10.3 <2" diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7ba75867ed..625cd6dec2 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -28,7 +28,7 @@ overrides: handlebars@>=4.0.0 <4.7.9: '>=4.7.9' path-to-regexp@<0.1.13: '>=0.1.13 <1' brace-expansion@<1.1.13: '>=1.1.13 <2' - brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3' + brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3 <3' picomatch@<2.3.2: '>=2.3.2 <3' picomatch@>=4.0.0 <4.0.4: '>=4.0.4' yaml@>=1.0.0 <1.10.3: '>=1.10.3 <2' @@ -3342,10 +3342,6 @@ packages: balanced-match@2.0.0: resolution: {integrity: sha512-1ugUSr8BHXRnK23KfuYS+gVMC3LB8QGH9W1iGtDPsNWoQbgtXSExkBu2aDR4epiGWZOjZsj6lDl/N/AqqTC3UA==} - balanced-match@4.0.4: - resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==} - engines: {node: 18 || 20 || >=22} - bare-events@2.8.2: resolution: {integrity: sha512-riJjyv1/mHLIPX4RwiK+oW9/4c3TEUeORHKefKAKnZ5kyslbN+HXowtbaVEqt4IMUB7OXlfixcs6gsFeo/jhiQ==} peerDependencies: @@ -3428,9 +3424,8 @@ packages: brace-expansion@1.1.13: resolution: {integrity: sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==} - brace-expansion@5.0.5: - resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==} - engines: {node: 18 || 20 || >=22} + brace-expansion@2.0.3: + resolution: {integrity: sha512-MCV/fYJEbqx68aE58kv2cA/kiky1G8vux3OR6/jbS+jIMe/6fJWa0DTzJU7dqijOWYwHi1t29FlfYI9uytqlpA==} braces@3.0.3: resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==} @@ -11583,8 +11578,6 @@ snapshots: balanced-match@2.0.0: {} - balanced-match@4.0.4: {} - bare-events@2.8.2: {} bare-fs@4.5.2: @@ -11669,9 +11662,9 @@ snapshots: balanced-match: 1.0.2 concat-map: 0.0.1 - brace-expansion@5.0.5: + brace-expansion@2.0.3: dependencies: - balanced-match: 4.0.4 + balanced-match: 1.0.2 braces@3.0.3: dependencies: @@ -14825,7 +14818,7 @@ snapshots: minimatch@9.0.9: dependencies: - brace-expansion: 5.0.5 + brace-expansion: 2.0.3 minimist@1.2.8: {} From d3d3be4c69d459b584ce9db2ec9f1f02672b3eb7 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 04:22:25 +0200 Subject: [PATCH 12/13] chore: cap all pnpm overrides at major version boundaries pnpm overrides replace the parent's constraint entirely, so an uncapped ">=4.17.23" would resolve to 5.x if published. Cap every override at the next major for consistency and to prevent future surprises. Most of these are currently harmless (no new major exists) but this matches the intent documented in the comment block. --- package.json | 24 ++++++++++++------------ pnpm-lock.yaml | 26 +++++++++++++------------- 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/package.json b/package.json index 31cab6c4d7..23f6b14daf 100644 --- a/package.json +++ b/package.json @@ -133,26 +133,26 @@ "app>react-dom": "^18.3.1", "sentry-testkit>body-parser": "npm:empty-npm-package@1.0.0", "sentry-testkit>express": "npm:empty-npm-package@1.0.0", - "lodash@>=4.0.0 <=4.17.22": ">=4.17.23", - "qs@>=6.7.0 <=6.14.1": ">=6.14.2", - "bn.js@>=5.0.0 <5.2.3": ">=5.2.3", + "lodash@>=4.0.0 <=4.17.22": ">=4.17.23 <5", + "qs@>=6.7.0 <=6.14.1": ">=6.14.2 <7", + "bn.js@>=5.0.0 <5.2.3": ">=5.2.3 <6", "bn.js@<4.12.3": ">=4.12.3 <5", "minimatch@<3.1.4": ">=3.1.4 <4", "minimatch@>=9.0.0 <9.0.7": ">=9.0.7 <10", - "basic-ftp@<5.2.0": ">=5.2.0", - "serialize-javascript@<7.0.5": ">=7.0.5", - "@tootallnate/once@<3.0.1": ">=3.0.1", - "svgo@=4.0.0": ">=4.0.1", + "basic-ftp@<5.2.0": ">=5.2.0 <6", + "serialize-javascript@<7.0.5": ">=7.0.5 <8", + "@tootallnate/once@<3.0.1": ">=3.0.1 <4", + "svgo@=4.0.0": ">=4.0.1 <5", "svgo@>=2.1.0 <2.8.1": ">=2.8.1 <3", - "immutable@>=5.0.0 <5.1.5": ">=5.1.5", - "flatted@<=3.4.1": ">=3.4.2", - "smol-toml@<1.6.1": ">=1.6.1", - "handlebars@>=4.0.0 <4.7.9": ">=4.7.9", + "immutable@>=5.0.0 <5.1.5": ">=5.1.5 <6", + "flatted@<=3.4.1": ">=3.4.2 <4", + "smol-toml@<1.6.1": ">=1.6.1 <2", + "handlebars@>=4.0.0 <4.7.9": ">=4.7.9 <5", "path-to-regexp@<0.1.13": ">=0.1.13 <1", "brace-expansion@<1.1.13": ">=1.1.13 <2", "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3 <3", "picomatch@<2.3.2": ">=2.3.2 <3", - "picomatch@>=4.0.0 <4.0.4": ">=4.0.4", + "picomatch@>=4.0.0 <4.0.4": ">=4.0.4 <5", "yaml@>=1.0.0 <1.10.3": ">=1.10.3 <2" } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 625cd6dec2..9917019304 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -11,26 +11,26 @@ overrides: app>react-dom: ^18.3.1 sentry-testkit>body-parser: npm:empty-npm-package@1.0.0 sentry-testkit>express: npm:empty-npm-package@1.0.0 - lodash@>=4.0.0 <=4.17.22: '>=4.17.23' - qs@>=6.7.0 <=6.14.1: '>=6.14.2' - bn.js@>=5.0.0 <5.2.3: '>=5.2.3' + lodash@>=4.0.0 <=4.17.22: '>=4.17.23 <5' + qs@>=6.7.0 <=6.14.1: '>=6.14.2 <7' + bn.js@>=5.0.0 <5.2.3: '>=5.2.3 <6' bn.js@<4.12.3: '>=4.12.3 <5' minimatch@<3.1.4: '>=3.1.4 <4' minimatch@>=9.0.0 <9.0.7: '>=9.0.7 <10' - basic-ftp@<5.2.0: '>=5.2.0' - serialize-javascript@<7.0.5: '>=7.0.5' - '@tootallnate/once@<3.0.1': '>=3.0.1' - svgo@=4.0.0: '>=4.0.1' + basic-ftp@<5.2.0: '>=5.2.0 <6' + serialize-javascript@<7.0.5: '>=7.0.5 <8' + '@tootallnate/once@<3.0.1': '>=3.0.1 <4' + svgo@=4.0.0: '>=4.0.1 <5' svgo@>=2.1.0 <2.8.1: '>=2.8.1 <3' - immutable@>=5.0.0 <5.1.5: '>=5.1.5' - flatted@<=3.4.1: '>=3.4.2' - smol-toml@<1.6.1: '>=1.6.1' - handlebars@>=4.0.0 <4.7.9: '>=4.7.9' + immutable@>=5.0.0 <5.1.5: '>=5.1.5 <6' + flatted@<=3.4.1: '>=3.4.2 <4' + smol-toml@<1.6.1: '>=1.6.1 <2' + handlebars@>=4.0.0 <4.7.9: '>=4.7.9 <5' path-to-regexp@<0.1.13: '>=0.1.13 <1' brace-expansion@<1.1.13: '>=1.1.13 <2' brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3 <3' picomatch@<2.3.2: '>=2.3.2 <3' - picomatch@>=4.0.0 <4.0.4: '>=4.0.4' + picomatch@>=4.0.0 <4.0.4: '>=4.0.4 <5' yaml@>=1.0.0 <1.10.3: '>=1.10.3 <2' importers: @@ -4684,7 +4684,7 @@ packages: resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==} engines: {node: '>=12.0.0'} peerDependencies: - picomatch: '>=4.0.4' + picomatch: '>=4.0.4 <5' peerDependenciesMeta: picomatch: optional: true From 6d551e929d635316a6b7df1bc06ff248634934b8 Mon Sep 17 00:00:00 2001 From: ihabadham Date: Sun, 29 Mar 2026 04:33:04 +0200 Subject: [PATCH 13/13] fix: tighten path-to-regexp override to <0.2 for Express 4 compatibility Express 4.22.1 (pulled by webpack-dev-server) declares path-to-regexp ~0.1.12. The previous cap of <1 allowed resolution to 0.2.5 which is outside Express 4's router contract. --- package.json | 2 +- pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package.json b/package.json index 23f6b14daf..ae1dca556e 100644 --- a/package.json +++ b/package.json @@ -148,7 +148,7 @@ "flatted@<=3.4.1": ">=3.4.2 <4", "smol-toml@<1.6.1": ">=1.6.1 <2", "handlebars@>=4.0.0 <4.7.9": ">=4.7.9 <5", - "path-to-regexp@<0.1.13": ">=0.1.13 <1", + "path-to-regexp@<0.1.13": ">=0.1.13 <0.2", "brace-expansion@<1.1.13": ">=1.1.13 <2", "brace-expansion@>=2.0.0 <2.0.3": ">=2.0.3 <3", "picomatch@<2.3.2": ">=2.3.2 <3", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 9917019304..159ea43de9 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -26,7 +26,7 @@ overrides: flatted@<=3.4.1: '>=3.4.2 <4' smol-toml@<1.6.1: '>=1.6.1 <2' handlebars@>=4.0.0 <4.7.9: '>=4.7.9 <5' - path-to-regexp@<0.1.13: '>=0.1.13 <1' + path-to-regexp@<0.1.13: '>=0.1.13 <0.2' brace-expansion@<1.1.13: '>=1.1.13 <2' brace-expansion@>=2.0.0 <2.0.3: '>=2.0.3 <3' picomatch@<2.3.2: '>=2.3.2 <3' @@ -6323,8 +6323,8 @@ packages: path-parse@1.0.7: resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==} - path-to-regexp@0.2.5: - resolution: {integrity: sha512-l6qtdDPIkmAmzEO6egquYDfqQGPMRNGjYtrU13HAXb3YSRrt7HSb1sJY0pKp6o2bAa86tSB6iwaW2JbthPKr7Q==} + path-to-regexp@0.1.13: + resolution: {integrity: sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==} path-type@4.0.0: resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==} @@ -13088,7 +13088,7 @@ snapshots: methods: 1.1.2 on-finished: 2.4.1 parseurl: 1.3.3 - path-to-regexp: 0.2.5 + path-to-regexp: 0.1.13 proxy-addr: 2.0.7 qs: 6.15.0 range-parser: 1.2.1 @@ -15190,7 +15190,7 @@ snapshots: path-parse@1.0.7: {} - path-to-regexp@0.2.5: {} + path-to-regexp@0.1.13: {} path-type@4.0.0: {}