thibaud-lclr/api-client
1
0
Fork 0
Code Packages Activity Actions

chore: security patch for the dependency chain v2026.4.0 (#6191)

Browse source 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
This commit is contained in:
Mir Arif Hasan 2026-04-28 18:21:43 +06:00 committed by GitHub
parent 96ceb84df9
commit 078d71036b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
15 changed files with 3386 additions and 2491 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
package.json
View file

@ -5,7 +5,7 @@
"author": "Hoppscotch (support@hoppscotch.io)",
"private": true,
"license": "MIT",
"packageManager": "pnpm@10.32.1",
"packageManager": "pnpm@10.33.2",
"scripts": {
"preinstall": "npx only-allow pnpm",
"prepare": "husky",
@ -24,7 +24,7 @@
"./packages/*"
],
"devDependencies": {
"@commitlint/cli": "20.5.0",
"@commitlint/cli": "20.5.2",
"@commitlint/config-conventional": "20.5.0",
"@hoppscotch/ui": "0.2.5",
"@types/node": "24.10.1",
@ -35,32 +35,19 @@
},
"pnpm": {
"overrides": {
"@hono/node-server@>=1.0.0 <1.19.10": "1.19.10",
"@nestjs-modules/mailer>mjml": "5.0.0-alpha.4",
"@xmldom/xmldom": "0.8.13",
"apiconnect-wsdl": "2.0.36",
"body-parser": "2.2.1",
"cross-spawn": "7.0.6",
"dompurify@>=3.0.0 <3.3.3": "3.3.3",
"effect@3.18.4": "3.20.0",
"execa@<2.0.0": "2.0.0",
"flatted@>=3.0.0 <3.4.2": "3.4.2",
"form-data": "4.0.4",
"glob@>=10.2.0 <10.5.0": "10.5.0",
"glob@>=11.0.0 <11.1.0": "11.1.0",
"hono@>=4.0.0 <4.12.7": "4.12.7",
"liquidjs@>=10.0.0 <10.25.0": "10.25.0",
"lodash@>=4.0.0 <4.17.23": "4.17.23",
"mailparser@>=3.0.0 <3.9.3": "3.9.3",
"minimatch@>=3.0.0 <3.1.3": "3.1.5",
"lodash": "4.18.1",
"minimatch@>=4.0.0 <4.2.5": "4.2.5",
"minimatch@>=5.0.0 <10.2.3": "10.2.3",
"path-to-regexp@>=8.0.0 <8.4.0": "8.4.0",
"preview-email@>=3.0.0 <3.1.1": "3.1.1",
"rollup@>=4.0.0 <4.59.0": "4.59.0",
"serialize-javascript@>=7.0.0 <7.0.3": "7.0.3",
"serialize-javascript@<7.0.3": "7.0.3",
"subscriptions-transport-ws>ws": "7.5.10",
"svgo@4.0.0": "4.0.1",
"vue": "3.5.31",
"vue": "3.5.33",
"ws": "8.17.1"
},
"onlyBuiltDependencies": [

18
packages/hoppscotch-agent/package.json
View file

@ -21,27 +21,27 @@
"@tauri-apps/api": "2.1.1",
"@tauri-apps/plugin-shell": "2.3.3",
"@vueuse/core": "14.2.1",
"axios": "1.15.0",
"axios": "1.15.2",
"fp-ts": "2.16.11",
"lodash-es": "4.18.1",
"vue": "3.5.31"
"vue": "3.5.33"
},
"devDependencies": {
"@iconify-json/lucide": "1.2.99",
"@iconify-json/lucide": "1.2.104",
"@tauri-apps/cli": "2.9.3",
"@types/lodash-es": "4.17.12",
"@types/node": "24.10.1",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-vue": "6.0.5",
"@typescript-eslint/eslint-plugin": "8.59.0",
"@typescript-eslint/parser": "8.59.0",
"@vitejs/plugin-vue": "6.0.6",
"@vue/eslint-config-typescript": "14.7.0",
"autoprefixer": "10.4.27",
"autoprefixer": "10.5.0",
"cross-env": "10.1.0",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.8.0",
"eslint-plugin-vue": "10.9.0",
"globals": "16.5.0",
"postcss": "8.5.8",
"postcss": "8.5.10",
"tailwindcss": "3.4.16",
"typescript": "5.9.3",
"unplugin-icons": "22.5.0",

66
packages/hoppscotch-backend/package.json
View file

@ -33,38 +33,38 @@
"dependencies": {
"@apollo/server": "5.5.0",
"@as-integrations/express5": "1.1.2",
"@nestjs-modules/mailer": "2.0.2",
"@nestjs/apollo": "13.2.4",
"@nestjs/common": "11.1.17",
"@nestjs/config": "4.0.3",
"@nestjs/core": "11.1.18",
"@nestjs/graphql": "13.2.4",
"@nestjs-modules/mailer": "2.3.4",
"@nestjs/apollo": "13.3.0",
"@nestjs/common": "11.1.19",
"@nestjs/config": "4.0.4",
"@nestjs/core": "11.1.19",
"@nestjs/graphql": "13.3.0",
"@nestjs/jwt": "11.0.2",
"@nestjs/passport": "11.0.0",
"@nestjs/platform-express": "11.1.17",
"@nestjs/schedule": "6.1.1",
"@nestjs/swagger": "11.2.6",
"@nestjs/platform-express": "11.1.19",
"@nestjs/schedule": "6.1.3",
"@nestjs/swagger": "11.4.2",
"@nestjs/terminus": "11.1.1",
"@nestjs/throttler": "6.5.0",
"@prisma/adapter-pg": "7.5.0",
"@prisma/client": "7.5.0",
"@prisma/adapter-pg": "7.8.0",
"@prisma/client": "7.8.0",
"argon2": "0.44.0",
"bcrypt": "6.0.0",
"class-transformer": "0.5.1",
"class-validator": "0.15.1",
"cookie": "1.1.1",
"cookie-parser": "1.4.7",
"dotenv": "17.3.1",
"dotenv": "17.4.2",
"express": "5.2.1",
"fp-ts": "2.16.11",
"graphql": "16.13.1",
"graphql": "16.13.2",
"graphql-query-complexity": "1.1.0",
"graphql-redis-subscriptions": "2.7.0",
"graphql-subscriptions": "3.0.0",
"handlebars": "4.7.9",
"io-ts": "2.2.22",
"morgan": "1.10.1",
"nodemailer": "8.0.5",
"nodemailer": "8.0.7",
"passport": "0.7.0",
"passport-github2": "0.1.12",
"passport-google-oauth20": "2.0.0",
@ -72,8 +72,8 @@
"passport-local": "1.0.0",
"passport-microsoft": "2.1.0",
"pg": "8.20.0",
"posthog-node": "5.28.4",
"prisma": "7.5.0",
"posthog-node": "5.30.6",
"prisma": "7.8.0",
"reflect-metadata": "0.2.2",
"rimraf": "6.1.3",
"rxjs": "7.8.2"
@ -81,35 +81,35 @@
"devDependencies": {
"@eslint/eslintrc": "3.3.5",
"@eslint/js": "10.0.1",
"@nestjs/cli": "11.0.16",
"@nestjs/schematics": "11.0.9",
"@nestjs/testing": "11.1.17",
"@nestjs/cli": "11.0.21",
"@nestjs/schematics": "11.1.0",
"@nestjs/testing": "11.1.19",
"@relmify/jest-fp-ts": "2.1.1",
"@types/bcrypt": "6.0.0",
"@types/cookie-parser": "1.4.10",
"@types/express": "5.0.6",
"@types/jest": "30.0.0",
"@types/node": "25.5.0",
"@types/nodemailer": "7.0.11",
"@types/node": "25.6.0",
"@types/nodemailer": "8.0.0",
"@types/passport-github2": "1.2.9",
"@types/passport-google-oauth20": "2.0.17",
"@types/passport-jwt": "4.0.1",
"@types/passport-microsoft": "2.1.1",
"@types/supertest": "7.2.0",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@typescript-eslint/eslint-plugin": "8.59.1",
"@typescript-eslint/parser": "8.59.1",
"cross-env": "10.1.0",
"eslint": "10.0.3",
"eslint": "10.2.1",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.5",
"globals": "17.4.0",
"globals": "17.5.0",
"jest": "30.3.0",
"jest-mock-extended": "4.0.0",
"prettier": "3.8.1",
"jest-mock-extended": "4.0.1",
"prettier": "3.8.3",
"source-map-support": "0.5.21",
"supertest": "7.2.2",
"ts-jest": "29.4.6",
"ts-loader": "9.5.4",
"ts-jest": "29.4.9",
"ts-loader": "9.5.7",
"ts-node": "10.9.2",
"tsconfig-paths": "4.2.0",
"typescript": "5.9.3"
@ -124,6 +124,14 @@
"../jest.setup.js"
],
"preset": "ts-jest",
"transform": {
"^.+\\.(t|j)s$": [
"ts-jest",
{
"diagnostics": false
}
]
},
"clearMocks": true,
"collectCoverage": true,
"coverageDirectory": "coverage",

7
packages/hoppscotch-backend/src/auth/stateless-state-store.ts
View file

@ -188,7 +188,12 @@ export class StatelessStateStore {
// Clear the nonce cookie regardless of outcome
if (req.res) {
req.res.clearCookie(this.cookieName, { path: '/' });
req.res.clearCookie(this.cookieName, {
path: '/',
httpOnly: true,
sameSite: 'lax',
secure: this.secureCookies,
});
}
if (!cookieNonce) {

6
packages/hoppscotch-backend/src/mailer/helper.ts
View file

@ -1,8 +1,10 @@
import { TransportType } from '@nestjs-modules/mailer/dist/interfaces/mailer-options.interface';
import type { MailerOptions } from '@nestjs-modules/mailer';
import type SMTPConnection from 'nodemailer/lib/smtp-connection';
import { MAILER_SMTP_URL_UNDEFINED } from 'src/errors';
import { throwErr } from 'src/utils';
type TransportType = NonNullable<MailerOptions['transport']>;
export enum SMTPAuthType {
LOGIN = 'login',
OAUTH2 = 'oauth2',
@ -72,7 +74,7 @@ export function getTransportOption(env): TransportType {
host: env.INFRA.MAILER_SMTP_HOST,
port: +env.INFRA.MAILER_SMTP_PORT,
secure: env.INFRA.MAILER_SMTP_SECURE === 'true',
auth,
...(auth && { auth }),
ignoreTLS: env.INFRA.MAILER_SMTP_IGNORE_TLS === 'true',
tls: {
rejectUnauthorized: env.INFRA.MAILER_TLS_REJECT_UNAUTHORIZED === 'true',

2
packages/hoppscotch-backend/src/mailer/mailer.module.ts
View file

@ -1,6 +1,6 @@
import { Global, Module } from '@nestjs/common';
import { MailerModule as NestMailerModule } from '@nestjs-modules/mailer';
import { HandlebarsAdapter } from '@nestjs-modules/mailer/dist/adapters/handlebars.adapter';
import { HandlebarsAdapter } from '@nestjs-modules/mailer/adapters/handlebars.adapter';
import { MailerService } from './mailer.service';
import { loadInfraConfiguration } from 'src/infra-config/helper';
import { getMailerAddressFrom, getTransportOption } from './helper';

9
packages/hoppscotch-cli/package.json
View file

@ -42,7 +42,7 @@
"private": false,
"dependencies": {
"aws4fetch": "1.0.20",
"axios": "1.15.0",
"axios": "1.15.2",
"axios-cookiejar-support": "6.0.5",
"chalk": "5.6.2",
"commander": "14.0.3",
@ -51,7 +51,7 @@
"jsonc-parser": "3.3.1",
"lodash-es": "4.18.1",
"papaparse": "5.5.3",
"qs": "6.15.0",
"qs": "6.15.1",
"tough-cookie": "6.0.1",
"verzod": "0.4.0",
"xmlbuilder2": "4.0.3",
@ -65,11 +65,10 @@
"@types/papaparse": "5.5.2",
"@types/qs": "6.15.0",
"fp-ts": "2.16.11",
"prettier": "3.8.1",
"qs": "6.11.2",
"prettier": "3.8.3",
"semver": "7.7.4",
"tsup": "8.5.1",
"typescript": "5.9.3",
"vitest": "4.1.2"
"vitest": "4.1.5"
}
}

56
packages/hoppscotch-common/package.json
View file

@ -44,8 +44,8 @@
"@hoppscotch/ui": "0.2.5",
"@hoppscotch/vue-toasted": "0.1.0",
"@lezer/highlight": "1.2.1",
"@noble/curves": "2.0.1",
"@scure/base": "2.0.0",
"@noble/curves": "2.2.0",
"@scure/base": "2.2.0",
"@shopify/lang-jsonc": "1.0.1",
"@tauri-apps/api": "2.1.1",
"@tauri-apps/plugin-store": "2.4.1",
@ -59,16 +59,16 @@
"@vueuse/core": "14.2.1",
"acorn-walk": "8.3.5",
"aws4fetch": "1.0.20",
"axios": "1.15.0",
"axios": "1.15.2",
"buffer": "6.0.3",
"cookie-es": "2.0.0",
"dioc": "3.0.2",
"dompurify": "3.3.3",
"dompurify": "3.4.1",
"esprima": "4.0.1",
"events": "3.3.0",
"fp-ts": "2.16.11",
"globalthis": "1.0.4",
"graphql": "16.13.1",
"graphql": "16.13.2",
"graphql-language-service-interface": "2.10.2",
"graphql-tag": "2.12.6",
"hawk": "9.0.2",
@ -90,9 +90,9 @@
"path": "0.12.7",
"postman-collection": "5.3.0",
"process": "0.11.10",
"qs": "6.15.0",
"qs": "6.15.1",
"quicktype-core": "23.2.6",
"rollup": "4.59.0",
"rollup": "4.60.2",
"rxjs": "7.8.2",
"set-cookie-parser": "2.7.2",
"set-cookie-parser-es": "1.0.5",
@ -111,8 +111,8 @@
"util": "0.12.5",
"uuid": "13.0.0",
"verzod": "0.4.0",
"vue": "3.5.31",
"vue-i18n": "11.3.0",
"vue": "3.5.33",
"vue-i18n": "11.4.0",
"vue-json-pretty": "2.6.0",
"vue-pdf-embed": "2.1.4",
"vue-router": "4.6.4",
@ -129,17 +129,17 @@
"@esbuild-plugins/node-modules-polyfill": "0.2.2",
"@eslint/eslintrc": "3.3.5",
"@eslint/js": "9.39.2",
"@graphql-codegen/add": "6.0.0",
"@graphql-codegen/cli": "6.2.1",
"@graphql-codegen/typed-document-node": "6.1.7",
"@graphql-codegen/typescript": "5.0.9",
"@graphql-codegen/typescript-operations": "5.0.9",
"@graphql-codegen/add": "6.0.1",
"@graphql-codegen/cli": "6.3.1",
"@graphql-codegen/typed-document-node": "6.1.8",
"@graphql-codegen/typescript": "5.0.10",
"@graphql-codegen/typescript-operations": "5.1.0",
"@graphql-codegen/typescript-urql-graphcache": "3.1.1",
"@graphql-codegen/urql-introspection": "3.0.1",
"@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.99",
"@iconify-json/lucide": "1.2.104",
"@import-meta-env/cli": "0.7.4",
"@intlify/unplugin-vue-i18n": "11.0.7",
"@intlify/unplugin-vue-i18n": "11.1.2",
"@relmify/jest-fp-ts": "2.1.1",
"@rushstack/eslint-patch": "1.16.1",
"@types/har-format": "1.2.16",
@ -151,28 +151,28 @@
"@types/qs": "6.15.0",
"@types/splitpanes": "2.2.6",
"@types/yargs-parser": "21.0.3",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-vue": "6.0.5",
"@vue/compiler-sfc": "3.5.31",
"@typescript-eslint/eslint-plugin": "8.59.0",
"@typescript-eslint/parser": "8.59.0",
"@vitejs/plugin-vue": "6.0.6",
"@vue/compiler-sfc": "3.5.33",
"@vue/eslint-config-typescript": "14.7.0",
"@vue/runtime-core": "3.5.31",
"autoprefixer": "10.4.27",
"@vue/runtime-core": "3.5.33",
"autoprefixer": "10.5.0",
"cross-env": "10.1.0",
"dotenv": "17.3.1",
"dotenv": "17.4.2",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.8.0",
"eslint-plugin-vue": "10.9.0",
"glob": "13.0.6",
"globals": "16.5.0",
"jsdom": "27.4.0",
"npm-run-all": "4.1.5",
"openapi-types": "12.1.3",
"postcss": "8.5.8",
"prettier": "3.8.1",
"postcss": "8.5.10",
"prettier": "3.8.3",
"prettier-plugin-tailwindcss": "0.7.2",
"rollup-plugin-polyfill-node": "0.13.0",
"sass": "1.98.0",
"sass": "1.99.0",
"tailwindcss": "3.4.16",
"tsup": "8.5.1",
"typescript": "5.9.3",
@ -187,7 +187,7 @@
"vite-plugin-pages-sitemap": "1.7.1",
"vite-plugin-pwa": "1.2.0",
"vite-plugin-vue-layouts": "0.11.0",
"vitest": "4.1.2",
"vitest": "4.1.5",
"vue-tsc": "1.8.8"
}
}

20
packages/hoppscotch-desktop/package.json
View file

@ -23,7 +23,7 @@
},
"dependencies": {
"@fontsource-variable/inter": "5.2.8",
"@fontsource-variable/material-symbols-rounded": "5.2.38",
"@fontsource-variable/material-symbols-rounded": "5.2.43",
"@fontsource-variable/roboto-mono": "5.2.8",
"@hoppscotch/common": "workspace:^",
"@hoppscotch/kernel": "workspace:^",
@ -37,7 +37,7 @@
"@tauri-apps/plugin-updater": "2.9.0",
"fp-ts": "2.16.11",
"rxjs": "7.8.2",
"vue": "3.5.31",
"vue": "3.5.33",
"vue-router": "4.6.4",
"vue-tippy": "6.7.1",
"zod": "3.25.32"
@ -45,20 +45,20 @@
"devDependencies": {
"@eslint/eslintrc": "3.3.5",
"@eslint/js": "9.39.2",
"@iconify-json/lucide": "1.2.99",
"@iconify-json/lucide": "1.2.104",
"@rushstack/eslint-patch": "1.16.1",
"@tauri-apps/cli": "2.9.3",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-vue": "6.0.5",
"@typescript-eslint/eslint-plugin": "8.59.0",
"@typescript-eslint/parser": "8.59.0",
"@vitejs/plugin-vue": "6.0.6",
"@vue/eslint-config-typescript": "14.7.0",
"autoprefixer": "10.4.27",
"autoprefixer": "10.5.0",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.8.0",
"eslint-plugin-vue": "10.9.0",
"globals": "16.5.0",
"postcss": "8.5.8",
"sass": "1.98.0",
"postcss": "8.5.10",
"sass": "1.99.0",
"tailwindcss": "3.4.16",
"typescript": "5.9.3",
"unplugin-icons": "22.5.0",

8
packages/hoppscotch-js-sandbox/package.json
View file

@ -67,17 +67,17 @@
"@types/jest": "30.0.0",
"@types/lodash": "4.17.24",
"@types/node": "24.10.1",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@typescript-eslint/eslint-plugin": "8.59.0",
"@typescript-eslint/parser": "8.59.0",
"eslint": "9.39.2",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.5",
"globals": "16.5.0",
"io-ts": "2.2.22",
"prettier": "3.8.1",
"prettier": "3.8.3",
"typescript": "5.9.3",
"vite": "7.3.2",
"vitest": "4.1.2"
"vitest": "4.1.5"
},
"peerDependencies": {
"isolated-vm": "6.1.2"

6
packages/hoppscotch-kernel/package.json
View file

@ -41,8 +41,8 @@
"devDependencies": {
"@eslint/js": "9.39.2",
"@types/node": "24.9.1",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@typescript-eslint/eslint-plugin": "8.59.0",
"@typescript-eslint/parser": "8.59.0",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.5",
"globals": "16.5.0",
@ -64,7 +64,7 @@
"@tauri-apps/plugin-shell": "2.3.3",
"@tauri-apps/plugin-store": "2.4.1",
"aws4fetch": "1.0.20",
"axios": "1.15.0",
"axios": "1.15.2",
"fp-ts": "2.16.11",
"superjson": "2.2.6",
"zod": "3.25.32"

34
packages/hoppscotch-selfhost-web/package.json
View file

@ -24,7 +24,7 @@
},
"dependencies": {
"@fontsource-variable/inter": "5.2.8",
"@fontsource-variable/material-symbols-rounded": "5.2.38",
"@fontsource-variable/material-symbols-rounded": "5.2.43",
"@fontsource-variable/roboto-mono": "5.2.8",
"@hoppscotch/common": "workspace:^",
"@hoppscotch/data": "workspace:^",
@ -37,7 +37,7 @@
"@tauri-apps/plugin-fs": "2.0.2",
"@tauri-apps/plugin-shell": "2.3.3",
"@vueuse/core": "14.2.1",
"axios": "1.15.0",
"axios": "1.15.2",
"buffer": "6.0.3",
"dioc": "3.0.2",
"fp-ts": "2.16.11",
@ -46,38 +46,38 @@
"stream-browserify": "3.0.0",
"util": "0.12.5",
"verzod": "0.4.0",
"vue": "3.5.31",
"vue": "3.5.33",
"workbox-window": "7.4.0",
"zod": "3.25.32"
},
"devDependencies": {
"@eslint/eslintrc": "3.3.5",
"@eslint/js": "9.39.2",
"@graphql-codegen/add": "6.0.0",
"@graphql-codegen/cli": "6.2.1",
"@graphql-codegen/typed-document-node": "6.1.7",
"@graphql-codegen/typescript": "5.0.9",
"@graphql-codegen/typescript-operations": "5.0.9",
"@graphql-codegen/add": "6.0.1",
"@graphql-codegen/cli": "6.3.1",
"@graphql-codegen/typed-document-node": "6.1.8",
"@graphql-codegen/typescript": "5.0.10",
"@graphql-codegen/typescript-operations": "5.1.0",
"@graphql-codegen/typescript-urql-graphcache": "3.1.1",
"@graphql-codegen/urql-introspection": "3.0.1",
"@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.99",
"@intlify/unplugin-vue-i18n": "11.0.7",
"@iconify-json/lucide": "1.2.104",
"@intlify/unplugin-vue-i18n": "11.1.2",
"@rushstack/eslint-patch": "1.16.1",
"@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.2",
"@typescript-eslint/eslint-plugin": "8.59.0",
"@typescript-eslint/parser": "8.59.0",
"@vitejs/plugin-legacy": "7.2.1",
"@vitejs/plugin-vue": "6.0.5",
"@vitejs/plugin-vue": "6.0.6",
"@vue/eslint-config-typescript": "14.7.0",
"autoprefixer": "10.4.27",
"autoprefixer": "10.5.0",
"cross-env": "10.1.0",
"dotenv": "17.3.1",
"dotenv": "17.4.2",
"eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.5",
"eslint-plugin-vue": "10.8.0",
"eslint-plugin-vue": "10.9.0",
"globals": "16.5.0",
"npm-run-all": "4.1.5",
"postcss": "8.5.8",
"postcss": "8.5.10",
"prettier-plugin-tailwindcss": "0.7.2",
"tailwindcss": "3.4.16",
"typescript": "5.9.3",

42
packages/hoppscotch-sh-admin/package.json
View file

@ -14,56 +14,56 @@
},
"dependencies": {
"@fontsource-variable/inter": "5.2.8",
"@fontsource-variable/material-symbols-rounded": "5.2.38",
"@fontsource-variable/material-symbols-rounded": "5.2.43",
"@fontsource-variable/roboto-mono": "5.2.8",
"@graphql-typed-document-node/core": "3.2.0",
"@hoppscotch/ui": "0.2.5",
"@hoppscotch/vue-toasted": "0.1.0",
"@intlify/unplugin-vue-i18n": "11.0.7",
"@intlify/unplugin-vue-i18n": "11.1.2",
"@types/cors": "2.8.19",
"@urql/exchange-auth": "3.0.0",
"@urql/vue": "2.0.0",
"@urql/vue": "2.1.0",
"@vueuse/core": "14.2.1",
"axios": "1.15.0",
"axios": "1.15.2",
"cors": "2.8.6",
"date-fns": "4.1.0",
"fp-ts": "2.16.11",
"graphql": "16.13.1",
"graphql": "16.13.2",
"io-ts": "2.2.22",
"lodash-es": "4.18.1",
"postcss": "8.5.8",
"postcss": "8.5.10",
"prettier-plugin-tailwindcss": "0.7.1",
"rxjs": "7.8.2",
"tailwindcss": "3.4.16",
"tippy.js": "6.3.7",
"ts-node-dev": "2.0.0",
"unplugin-vue-components": "30.0.0",
"vue": "3.5.31",
"vue-i18n": "11.3.0",
"vue": "3.5.33",
"vue-i18n": "11.4.0",
"vue-router": "4.6.4",
"vue-tippy": "6.7.1"
},
"devDependencies": {
"@graphql-codegen/cli": "6.2.1",
"@graphql-codegen/client-preset": "5.2.4",
"@graphql-codegen/introspection": "5.0.1",
"@graphql-codegen/typed-document-node": "6.1.7",
"@graphql-codegen/typescript": "5.0.9",
"@graphql-codegen/typescript-document-nodes": "5.0.9",
"@graphql-codegen/typescript-operations": "5.0.9",
"@graphql-codegen/cli": "6.3.1",
"@graphql-codegen/client-preset": "5.3.0",
"@graphql-codegen/introspection": "5.0.2",
"@graphql-codegen/typed-document-node": "6.1.8",
"@graphql-codegen/typescript": "5.0.10",
"@graphql-codegen/typescript-document-nodes": "5.0.10",
"@graphql-codegen/typescript-operations": "5.1.0",
"@graphql-codegen/urql-introspection": "3.0.1",
"@iconify-json/lucide": "1.2.99",
"@iconify-json/lucide": "1.2.104",
"@import-meta-env/cli": "0.7.4",
"@import-meta-env/unplugin": "0.6.3",
"@types/lodash-es": "4.17.12",
"@vitejs/plugin-vue": "6.0.5",
"@vue/compiler-sfc": "3.5.31",
"autoprefixer": "10.4.27",
"dotenv": "17.3.1",
"@vitejs/plugin-vue": "6.0.6",
"@vue/compiler-sfc": "3.5.33",
"autoprefixer": "10.5.0",
"dotenv": "17.4.2",
"graphql-tag": "2.12.6",
"hoppscotch-backend": "workspace:^",
"npm-run-all": "4.1.5",
"sass": "1.98.0",
"sass": "1.99.0",
"ts-node": "10.9.2",
"typescript": "5.9.3",
"unplugin-fonts": "1.4.0",

5535
pnpm-lock.yaml
View file

File diff suppressed because it is too large Load diff

43
prod.Dockerfile
View file

@ -1,18 +1,18 @@
# Base Go builder with Go lang installation
# This stage is used to build both Caddy and the webapp server,
# preventing vulnerable packages on the dependency chain
FROM alpine:3.23.3 AS go_builder
FROM alpine:3.23.4 AS go_builder
RUN apk add --no-cache curl git openssh-client
ARG TARGETARCH
ENV GOLANG_VERSION=1.26.1
ENV GOLANG_VERSION=1.26.2
# Download Go tarball
RUN case "${TARGETARCH}" in amd64) GOARCH=amd64 ;; arm64) GOARCH=arm64 ;; *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; esac && \
curl -fsSL "https://go.dev/dl/go${GOLANG_VERSION}.linux-${GOARCH}.tar.gz" -o go.tar.gz
# Checksum verification of Go tarball
RUN case "${TARGETARCH}" in \
amd64) expected="031f088e5d955bab8657ede27ad4e3bc5b7c1ba281f05f245bcc304f327c987a" ;; \
arm64) expected="a290581cfe4fe28ddd737dde3095f3dbeb7f2e4065cab4eae44dfc53b760c2f7" ;; \
amd64) expected="990e6b4bbba816dc3ee129eaeaf4b42f17c2800b88a2166c265ac1a200262282" ;; \
arm64) expected="c958a1fe1b361391db163a485e21f5f228142d6f8b584f6bef89b26f66dc5b23" ;; \
esac && \
actual=$(sha256sum go.tar.gz | cut -d' ' -f1) && \
[ "$actual" = "$expected" ] && \
@ -39,10 +39,21 @@ RUN expected="40cb9dc5e0b005bba635e830ba2354450248831fca3b58f5c49892a4747d0e76"
(echo "❌ Caddy Source Checksum failed!" && exit 1)
WORKDIR /tmp/caddy-build
RUN tar -xzf /tmp/caddy-build/src.tar.gz && \
# Fix CVE: upgrade google.golang.org/grpc to 1.79.3 (CVSS 9.1)
# Fix CVE-2026-33186: upgrade google.golang.org/grpc to 1.79.3 (CRITICAL - gRPC-Go authorization bypass)
go get google.golang.org/grpc@v1.79.3 && \
# Fix CVE: upgrade github.com/smallstep/certificates to 0.30.0 (CVSS 10)
# Fix CVE-2026-30836 + CVE-2026-40097: upgrade github.com/smallstep/certificates to 0.30.0 (CRITICAL - unauthenticated cert issuance via SCEP)
go get github.com/smallstep/certificates@v0.30.0 && \
# Fix CVE-2026-33816 + GHSA-j88v-2chj-qfwx: upgrade github.com/jackc/pgx/v5 to 5.9.2 (CRITICAL - memory-safety + SQL injection)
go get github.com/jackc/pgx/v5@v5.9.2 && \
# Fix CVE-2026-34986: upgrade go-jose v3 and v4 (HIGH - DoS via crafted JWE)
go get github.com/go-jose/go-jose/v3@v3.0.5 && \
go get github.com/go-jose/go-jose/v4@v4.1.4 && \
# Fix CVE-2026-39883: upgrade go.opentelemetry.io/otel/sdk to 1.43.0 (HIGH - PATH hijacking)
go get go.opentelemetry.io/otel/sdk@v1.43.0 && \
# Fix CVE-2026-39882: upgrade OpenTelemetry OTLP exporters (MEDIUM)
go get go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp@v0.19.0 && \
go get go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp@v1.43.0 && \
go get go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.43.0 && \
# Clean up any existing vendor directory and regenerate with updated deps
rm -rf vendor && \
go mod tidy && \
@ -65,7 +76,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o webapp-server .
# Shared Node.js base with optimized NPM installation
FROM alpine:3.23.3 AS node_base
FROM alpine:3.23.4 AS node_base
# Install dependencies
RUN apk upgrade --no-cache && \
apk add --no-cache nodejs curl bash tini ca-certificates
@ -73,9 +84,9 @@ RUN apk upgrade --no-cache && \
RUN mkdir -p /tmp/npm-install
WORKDIR /tmp/npm-install
# Download NPM tarball
RUN curl -fsSL https://registry.npmjs.org/npm/-/npm-11.11.1.tgz -o npm.tgz
RUN curl -fsSL https://registry.npmjs.org/npm/-/npm-11.13.0.tgz -o npm.tgz
# Verify checksum
RUN expected="a3b2dbeb2544809a75f186cbae27adc5ceb5adc1ee696e17dfed689d7f46fcf2" \
RUN expected="a4ffa1de3bf1c7f9d5e3dd24fe2921970bdb1589d647f4083eaaaab3be974b7e" \
&& actual=$(sha256sum npm.tgz | cut -d' ' -f1) \
&& [ "$actual" = "$expected" ] \
&& echo "✅ NPM Tarball Checksum OK" \
@ -83,10 +94,10 @@ RUN expected="a3b2dbeb2544809a75f186cbae27adc5ceb5adc1ee696e17dfed689d7f46fcf2"
# Install NPM from verified tarball and global packages
RUN tar -xzf npm.tgz && \
cd package && \
node bin/npm-cli.js install -g npm@11.11.1 && \
node bin/npm-cli.js install -g npm@11.13.0 && \
cd / && \
rm -rf /tmp/npm-install
RUN npm install -g pnpm@10.32.1 @import-meta-env/cli@0.7.4
RUN npm install -g pnpm@10.33.2 @import-meta-env/cli@0.7.4
# Fix CVE-2025-64756 by replacing vulnerable glob in @import-meta-env/cli (ships glob@11.0.2, fix requires >=11.1.0)
RUN mkdir -p /tmp/glob-fix && \
@ -104,16 +115,6 @@ RUN mkdir -p /tmp/serialize-fix && \
cp -r node_modules/serialize-javascript /usr/lib/node_modules/@import-meta-env/cli/node_modules/ && \
rm -rf /tmp/serialize-fix
# Fix CVE: upgrade picomatch in npm and pnpm (ships 4.0.3, fix requires >=4.0.4)
RUN mkdir -p /tmp/picomatch-fix && \
cd /tmp/picomatch-fix && \
npm install picomatch@4.0.4 && \
rm -rf /usr/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch && \
cp -r node_modules/picomatch /usr/lib/node_modules/npm/node_modules/tinyglobby/node_modules/ && \
rm -rf /usr/lib/node_modules/pnpm/dist/node_modules/picomatch && \
cp -r node_modules/picomatch /usr/lib/node_modules/pnpm/dist/node_modules/ && \
rm -rf /tmp/picomatch-fix
FROM node_base AS base_builder