thibaud-lclr/api-client
1
0
Fork 0
Code Packages Activity Actions

chore: security patches for the dependency chain (#5278)

Browse source
This commit is contained in:
Mir Arif Hasan 2025-07-28 16:23:25 +06:00 committed by GitHub
parent 98fa140b55
commit 37cca6cfc9
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 2694 additions and 2113 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
package.json
View file

@ -5,7 +5,7 @@
"author": "Hoppscotch (support@hoppscotch.io)",
"private": true,
"license": "MIT",
"packageManager": "pnpm@10.2.1",
"packageManager": "pnpm@10.13.1",
"scripts": {
"preinstall": "npx only-allow pnpm",
"prepare": "husky",
@ -35,7 +35,6 @@
},
"pnpm": {
"overrides": {
"cookie": "0.7.2",
"cross-spawn": "7.0.6",
"vue": "3.5.12",
"@nestjs-modules/mailer>mjml": "5.0.0-alpha.4",
@ -53,7 +52,6 @@
"@babel/runtime@<7.26.10": "7.26.10",
"apiconnect-wsdl": "2.0.36",
"@xmldom/xmldom": "0.8.10",
"multer@1.4.5-lts.2": "2.0.1",
"brace-expansion@2.0.1": "2.0.2",
"brace-expansion@1.1.11": "1.1.12"
},

59
packages/hoppscotch-backend/package.json
View file

@ -33,27 +33,26 @@
"@apollo/server": "4.12.1",
"@nestjs-modules/mailer": "2.0.2",
"@nestjs/apollo": "13.1.0",
"@nestjs/common": "11.1.1",
"@nestjs/common": "11.1.5",
"@nestjs/config": "4.0.2",
"@nestjs/core": "11.1.1",
"@nestjs/core": "11.1.5",
"@nestjs/graphql": "13.1.0",
"@nestjs/jwt": "11.0.0",
"@nestjs/passport": "11.0.0",
"@nestjs/platform-express": "11.1.1",
"@nestjs/platform-express": "11.1.5",
"@nestjs/schedule": "6.0.0",
"@nestjs/swagger": "11.2.0",
"@nestjs/terminus": "11.0.0",
"@nestjs/throttler": "6.4.0",
"@prisma/client": "6.8.2",
"argon2": "0.43.0",
"@prisma/client": "6.12.0",
"argon2": "0.43.1",
"bcrypt": "6.0.0",
"class-transformer": "0.5.1",
"class-validator": "0.14.2",
"cookie": "1.0.2",
"cookie-parser": "1.4.7",
"cron": "4.3.0",
"express": "5.1.0",
"express-session": "1.18.1",
"express-session": "1.18.2",
"fp-ts": "2.16.10",
"graphql": "16.11.0",
"graphql-query-complexity": "1.1.0",
@ -61,52 +60,52 @@
"graphql-subscriptions": "3.0.0",
"handlebars": "4.7.8",
"io-ts": "2.2.22",
"luxon": "3.6.1",
"nodemailer": "7.0.3",
"luxon": "3.7.1",
"nodemailer": "7.0.5",
"passport": "0.7.0",
"passport-github2": "0.1.12",
"passport-google-oauth20": "2.0.0",
"passport-jwt": "4.0.1",
"passport-local": "1.0.0",
"passport-microsoft": "2.1.0",
"posthog-node": "4.17.1",
"prisma": "6.8.2",
"posthog-node": "5.6.0",
"prisma": "6.12.0",
"reflect-metadata": "0.2.2",
"rimraf": "6.0.1",
"rxjs": "7.8.2"
},
"devDependencies": {
"@eslint/eslintrc": "3.3.1",
"@eslint/js": "9.27.0",
"@eslint/js": "9.31.0",
"@nestjs/cli": "11.0.7",
"@nestjs/schematics": "11.0.5",
"@nestjs/testing": "11.1.1",
"@nestjs/testing": "11.1.5",
"@relmify/jest-fp-ts": "2.1.1",
"@types/bcrypt": "5.0.2",
"@types/cookie-parser": "1.4.8",
"@types/express": "5.0.2",
"@types/jest": "29.5.14",
"@types/bcrypt": "6.0.0",
"@types/cookie-parser": "1.4.9",
"@types/express": "5.0.3",
"@types/jest": "30.0.0",
"@types/luxon": "3.6.2",
"@types/node": "22.15.19",
"@types/node": "24.1.0",
"@types/nodemailer": "6.4.17",
"@types/passport-github2": "1.2.9",
"@types/passport-google-oauth20": "2.0.16",
"@types/passport-jwt": "4.0.1",
"@types/passport-microsoft": "1.0.3",
"@types/passport-microsoft": "2.1.0",
"@types/supertest": "6.0.3",
"@typescript-eslint/eslint-plugin": "8.32.1",
"@typescript-eslint/parser": "8.32.1",
"@typescript-eslint/eslint-plugin": "8.38.0",
"@typescript-eslint/parser": "8.38.0",
"cross-env": "7.0.3",
"eslint": "9.27.0",
"eslint-config-prettier": "10.1.5",
"eslint-plugin-prettier": "5.4.0",
"globals": "16.1.0",
"jest": "29.7.0",
"jest-mock-extended": "4.0.0-beta1",
"prettier": "3.5.3",
"eslint": "9.31.0",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.3",
"globals": "16.3.0",
"jest": "30.0.5",
"jest-mock-extended": "4.0.0",
"prettier": "3.6.2",
"source-map-support": "0.5.21",
"supertest": "7.1.1",
"ts-jest": "29.3.4",
"supertest": "7.1.4",
"ts-jest": "29.4.0",
"ts-loader": "9.5.2",
"ts-node": "10.9.2",
"tsconfig-paths": "4.2.0",

17
packages/hoppscotch-backend/src/posthog/posthog.service.ts
View file

@ -1,9 +1,8 @@
import { Injectable } from '@nestjs/common';
import { PostHog } from 'posthog-node';
import { CronExpression, SchedulerRegistry } from '@nestjs/schedule';
import { Cron, CronExpression } from '@nestjs/schedule';
import { ConfigService } from '@nestjs/config';
import { PrismaService } from 'src/prisma/prisma.service';
import { CronJob } from 'cron';
import { POSTHOG_CLIENT_NOT_INITIALIZED } from 'src/errors';
import { throwErr } from 'src/utils';
@ -15,7 +14,6 @@ export class PostHogService {
constructor(
private readonly configService: ConfigService,
private readonly prisma: PrismaService,
private readonly schedulerRegistry: SchedulerRegistry,
) {}
async onModuleInit() {
@ -24,19 +22,14 @@ export class PostHogService {
this.postHogClient = new PostHog(this.POSTHOG_API_KEY, {
host: 'https://eu.posthog.com',
});
// Schedule the cron job only if analytics collection is allowed
this.scheduleCronJob();
}
}
private scheduleCronJob() {
const job = new CronJob(CronExpression.EVERY_WEEK, async () => {
@Cron(CronExpression.EVERY_WEEK)
async handleCron() {
if (this.configService.get('INFRA.ALLOW_ANALYTICS_COLLECTION') === 'true') {
await this.capture();
});
this.schedulerRegistry.addCronJob('captureAnalytics', job);
job.start();
}
}
async capture() {

1
packages/hoppscotch-selfhost-desktop/package.json
View file

@ -62,6 +62,7 @@
"@vue/eslint-config-typescript": "11.0.3",
"autoprefixer": "10.4.16",
"cross-env": "7.0.3",
"dotenv": "17.2.1",
"eslint": "8.47.0",
"eslint-plugin-prettier": "4.2.1",
"eslint-plugin-vue": "9.17.0",

1
packages/hoppscotch-selfhost-web/package.json
View file

@ -69,6 +69,7 @@
"@vue/eslint-config-typescript": "13.0.0",
"autoprefixer": "10.4.20",
"cross-env": "7.0.3",
"dotenv": "17.2.1",
"eslint": "8.57.0",
"eslint-plugin-prettier": "5.2.1",
"eslint-plugin-vue": "9.29.0",

1
packages/hoppscotch-sh-admin/package.json
View file

@ -59,6 +59,7 @@
"@types/lodash-es": "4.17.12",
"@vitejs/plugin-vue": "5.1.4",
"@vue/compiler-sfc": "3.5.12",
"autoprefixer": "10.4.21",
"dotenv": "16.4.5",
"graphql-tag": "2.12.6",
"hoppscotch-backend": "workspace:^",

4591
pnpm-lock.yaml
View file

File diff suppressed because it is too large Load diff

117
prod.Dockerfile
View file

@ -1,55 +1,53 @@
# This step is used to build a custom build of Caddy to prevent
# vulnerable packages on the dependency chain
FROM alpine:3.22.0 AS caddy_builder
RUN apk add curl go git
RUN mkdir -p /tmp/caddy-build
RUN curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.9.1/caddy_2.9.1_src.tar.gz
FROM alpine:3.22.1 AS caddy_builder
RUN apk add --no-cache curl go git && \
mkdir -p /tmp/caddy-build && \
curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.0/caddy_2.10.0_src.tar.gz
# Checksum verification of caddy source
RUN expected="1cfd6127f9ed8dc908d84d7d14579d3ce5114e8671aa8f786745cb3fe60923e0" && \
RUN expected="62ba008d9e9fd354e8b28be11de59c6a213f9153f2e9de451417c0b4eb13d9f3" && \
actual=$(sha256sum /tmp/caddy-build/src.tar.gz | cut -d' ' -f1) && \
[ "$actual" = "$expected" ] && \
echo "✅ Caddy Source Checksum OK" || \
(echo "❌ Caddy Source Checksum failed!" && exit 1)
WORKDIR /tmp/caddy-build
RUN tar xvf /tmp/caddy-build/src.tar.gz
# Patch to resolve CVE-2024-45339 on glog
RUN go get github.com/golang/glog@v1.2.4
# Patch to resolve CVE-2025-2714 on go-jose
RUN go get github.com/go-jose/go-jose/v3@v3.0.4
# Patch to resolve CVE-2025-22869 on crypto
RUN go get golang.org/x/crypto@v0.35.0
RUN tar xvf /tmp/caddy-build/src.tar.gz && \
# Patch to resolve CVE-2025-22872 on net
RUN go get golang.org/x/net@v0.38.0
go get golang.org/x/net@v0.38.0 && \
# Patch to resolve GHSA-vrw8-fxc6-2r93 on chi
RUN go get github.com/go-chi/chi/v5@v5.2.2
RUN go mod vendor
go get github.com/go-chi/chi/v5@v5.2.2 && \
# Patch to resolve GHSA-2x5j-vhc8-9cwm on circl
go get github.com/cloudflare/circl@v1.6.1 && \
# Clean up any existing vendor directory and regenerate with updated deps
rm -rf vendor && \
go mod tidy && \
go mod vendor
WORKDIR /tmp/caddy-build/cmd/caddy
# Build using the updated vendored dependencies
RUN go build
FROM alpine:3.19.7 AS base_builder
RUN apk add nodejs curl
# Shared Node.js base with optimized NPM installation
FROM alpine:3.19.7 AS node_base
RUN apk add --no-cache nodejs curl tini && \
# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
# TODO: Find a better method which is resistant to supply chain attacks
RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh" && \
npm install -g pnpm@10.13.1 @import-meta-env/cli
WORKDIR /usr/src/app
ENV HOPP_ALLOW_RUNTIME_ENV=true
FROM node_base AS base_builder
# Required by @hoppscotch/js-sandbox to build `isolated-vm`
RUN apk add python3 make g++ zlib-dev brotli-dev c-ares-dev nghttp2-dev openssl-dev icu-dev
RUN npm install -g pnpm@10.12.3
WORKDIR /usr/src/app
ENV HOPP_ALLOW_RUNTIME_ENV=true
COPY pnpm-lock.yaml .
RUN pnpm fetch
@ -66,18 +64,9 @@ RUN pnpm --filter=hoppscotch-backend deploy /dist/backend --prod --legacy
WORKDIR /dist/backend
RUN pnpm exec prisma generate
FROM alpine:3.19.7 AS backend
RUN apk add nodejs curl
# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
# TODO: Find a better method which is resistant to supply chain attacks
RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
FROM node_base AS backend
# Install caddy
COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
RUN npm install -g pnpm@10.12.3
COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/backend.Caddyfile /etc/caddy/backend.Caddyfile
COPY --from=backend_builder /dist/backend /dist/backend
COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/prod_run.mjs /dist/backend
@ -85,8 +74,6 @@ COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/prod_run.mjs /
# Remove the env file to avoid backend copying it in and using it
ENV PRODUCTION="true"
ENV PORT=8080
ENV APP_PORT=${PORT}
ENV DB_URL=${DATABASE_URL}
WORKDIR /dist/backend
@ -109,13 +96,7 @@ RUN cargo build --release
FROM alpine:3.19.7 AS app
RUN apk add nodejs curl
# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
# TODO: Find a better method which is resistant to supply chain attacks
RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
FROM node_base AS app
# Install caddy
COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
@ -126,20 +107,14 @@ COPY --from=fe_builder /usr/src/app/packages/hoppscotch-selfhost-web/prod_run.mj
COPY --from=fe_builder /usr/src/app/packages/hoppscotch-selfhost-web/selfhost-web.Caddyfile /etc/caddy/selfhost-web.Caddyfile
COPY --from=fe_builder /usr/src/app/packages/hoppscotch-selfhost-web/dist/ /site/selfhost-web
RUN npm install -g @import-meta-env/cli
WORKDIR /site
# Run both webapp-server and Caddy after env processing (NOTE: env processing is required by both)
CMD ["/bin/sh", "-c", "node /site/prod_run.mjs && (webapp-server & caddy run --config /etc/caddy/selfhost-web.Caddyfile --adapter caddyfile)"]
EXPOSE 80
EXPOSE 3000
EXPOSE 3200
WORKDIR /site
# Run both webapp-server and Caddy after env processing (NOTE: env processing is required by both)
CMD ["/bin/sh", "-c", "node /site/prod_run.mjs && (webapp-server & caddy run --config /etc/caddy/selfhost-web.Caddyfile --adapter caddyfile)"]
FROM base_builder AS sh_admin_builder
@ -149,16 +124,7 @@ RUN pnpm run build --outDir dist-multiport-setup
RUN pnpm run build --outDir dist-subpath-access --base /admin/
FROM alpine:3.19.7 AS sh_admin
RUN apk add nodejs curl
# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
# TODO: Find a better method which is resistant to supply chain attacks
RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
FROM node_base AS sh_admin
# Install caddy
COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
@ -168,41 +134,27 @@ COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/sh-admin-
COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/dist-multiport-setup /site/sh-admin-multiport-setup
COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/dist-subpath-access /site/sh-admin-subpath-access
RUN npm install -g @import-meta-env/cli
WORKDIR /site
CMD ["node","/site/prod_run.mjs"]
EXPOSE 80
EXPOSE 3100
WORKDIR /site
CMD ["node","/site/prod_run.mjs"]
FROM alpine:3.19.7 AS aio
RUN apk add nodejs curl
# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
# TODO: Find a better method which is resistant to supply chain attacks
RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
FROM node_base AS aio
# Caddy install
COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
ENV PRODUCTION="true"
ENV PORT=8080
ENV APP_PORT=${PORT}
ENV DB_URL=${DATABASE_URL}
# Open Containers Initiative (OCI) labels - useful for bots like Renovate
LABEL org.opencontainers.image.source="https://github.com/hoppscotch/hoppscotch" \
org.opencontainers.image.url="https://docs.hoppscotch.io" \
org.opencontainers.image.licenses="MIT"
RUN apk add tini
RUN npm install -g pnpm@10.12.3
# Copy necessary files
# Backend files
COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/backend.Caddyfile /etc/caddy/backend.Caddyfile
@ -222,14 +174,11 @@ COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/dist-subp
COPY aio-multiport-setup.Caddyfile /etc/caddy/aio-multiport-setup.Caddyfile
COPY aio-subpath-access.Caddyfile /etc/caddy/aio-subpath-access.Caddyfile
RUN npm install -g @import-meta-env/cli
ENTRYPOINT [ "tini", "--" ]
COPY --chmod=755 healthcheck.sh /
HEALTHCHECK --interval=2s CMD /bin/sh /healthcheck.sh
WORKDIR /dist/backend
CMD ["node", "/usr/src/app/aio_run.mjs"]
# NOTE: Although these ports are exposed, the HOPP_ALTERNATE_AIO_PORT variable can be used to assign a user-specified port