chore: security patches for the dependency chain (#5278)

2025-07-28 16:23:25 +06:00 · 2025-07-28 16:23:25 +06:00 · 37cca6cfc9
commit 37cca6cfc9
parent 98fa140b55
8 changed files with 2694 additions and 2113 deletions
--- a/package.json
+++ b/package.json
@ -5,7 +5,7 @@
  "author": "Hoppscotch (support@hoppscotch.io)",
  "private": true,
  "license": "MIT",
-  "packageManager": "pnpm@10.2.1",
+  "packageManager": "pnpm@10.13.1",
  "scripts": {
    "preinstall": "npx only-allow pnpm",
    "prepare": "husky",
@ -35,7 +35,6 @@
  },
  "pnpm": {
    "overrides": {
-      "cookie": "0.7.2",
      "cross-spawn": "7.0.6",
      "vue": "3.5.12",
      "@nestjs-modules/mailer>mjml": "5.0.0-alpha.4",
@ -53,7 +52,6 @@
      "@babel/runtime@<7.26.10": "7.26.10",
      "apiconnect-wsdl": "2.0.36",
      "@xmldom/xmldom": "0.8.10",
-      "multer@1.4.5-lts.2": "2.0.1",
      "brace-expansion@2.0.1": "2.0.2",
      "brace-expansion@1.1.11": "1.1.12"
    },
--- a/packages/hoppscotch-backend/package.json
+++ b/packages/hoppscotch-backend/package.json
@ -33,27 +33,26 @@
    "@apollo/server": "4.12.1",
    "@nestjs-modules/mailer": "2.0.2",
    "@nestjs/apollo": "13.1.0",
-    "@nestjs/common": "11.1.1",
+    "@nestjs/common": "11.1.5",
    "@nestjs/config": "4.0.2",
-    "@nestjs/core": "11.1.1",
+    "@nestjs/core": "11.1.5",
    "@nestjs/graphql": "13.1.0",
    "@nestjs/jwt": "11.0.0",
    "@nestjs/passport": "11.0.0",
-    "@nestjs/platform-express": "11.1.1",
+    "@nestjs/platform-express": "11.1.5",
    "@nestjs/schedule": "6.0.0",
    "@nestjs/swagger": "11.2.0",
    "@nestjs/terminus": "11.0.0",
    "@nestjs/throttler": "6.4.0",
-    "@prisma/client": "6.8.2",
-    "argon2": "0.43.0",
+    "@prisma/client": "6.12.0",
+    "argon2": "0.43.1",
    "bcrypt": "6.0.0",
    "class-transformer": "0.5.1",
    "class-validator": "0.14.2",
    "cookie": "1.0.2",
    "cookie-parser": "1.4.7",
-    "cron": "4.3.0",
    "express": "5.1.0",
-    "express-session": "1.18.1",
+    "express-session": "1.18.2",
    "fp-ts": "2.16.10",
    "graphql": "16.11.0",
    "graphql-query-complexity": "1.1.0",
@ -61,52 +60,52 @@
    "graphql-subscriptions": "3.0.0",
    "handlebars": "4.7.8",
    "io-ts": "2.2.22",
-    "luxon": "3.6.1",
-    "nodemailer": "7.0.3",
+    "luxon": "3.7.1",
+    "nodemailer": "7.0.5",
    "passport": "0.7.0",
    "passport-github2": "0.1.12",
    "passport-google-oauth20": "2.0.0",
    "passport-jwt": "4.0.1",
    "passport-local": "1.0.0",
    "passport-microsoft": "2.1.0",
-    "posthog-node": "4.17.1",
-    "prisma": "6.8.2",
+    "posthog-node": "5.6.0",
+    "prisma": "6.12.0",
    "reflect-metadata": "0.2.2",
    "rimraf": "6.0.1",
    "rxjs": "7.8.2"
  },
  "devDependencies": {
    "@eslint/eslintrc": "3.3.1",
-    "@eslint/js": "9.27.0",
+    "@eslint/js": "9.31.0",
    "@nestjs/cli": "11.0.7",
    "@nestjs/schematics": "11.0.5",
-    "@nestjs/testing": "11.1.1",
+    "@nestjs/testing": "11.1.5",
    "@relmify/jest-fp-ts": "2.1.1",
-    "@types/bcrypt": "5.0.2",
-    "@types/cookie-parser": "1.4.8",
-    "@types/express": "5.0.2",
-    "@types/jest": "29.5.14",
+    "@types/bcrypt": "6.0.0",
+    "@types/cookie-parser": "1.4.9",
+    "@types/express": "5.0.3",
+    "@types/jest": "30.0.0",
    "@types/luxon": "3.6.2",
-    "@types/node": "22.15.19",
+    "@types/node": "24.1.0",
    "@types/nodemailer": "6.4.17",
    "@types/passport-github2": "1.2.9",
    "@types/passport-google-oauth20": "2.0.16",
    "@types/passport-jwt": "4.0.1",
-    "@types/passport-microsoft": "1.0.3",
+    "@types/passport-microsoft": "2.1.0",
    "@types/supertest": "6.0.3",
-    "@typescript-eslint/eslint-plugin": "8.32.1",
-    "@typescript-eslint/parser": "8.32.1",
+    "@typescript-eslint/eslint-plugin": "8.38.0",
+    "@typescript-eslint/parser": "8.38.0",
    "cross-env": "7.0.3",
-    "eslint": "9.27.0",
-    "eslint-config-prettier": "10.1.5",
-    "eslint-plugin-prettier": "5.4.0",
-    "globals": "16.1.0",
-    "jest": "29.7.0",
-    "jest-mock-extended": "4.0.0-beta1",
-    "prettier": "3.5.3",
+    "eslint": "9.31.0",
+    "eslint-config-prettier": "10.1.8",
+    "eslint-plugin-prettier": "5.5.3",
+    "globals": "16.3.0",
+    "jest": "30.0.5",
+    "jest-mock-extended": "4.0.0",
+    "prettier": "3.6.2",
    "source-map-support": "0.5.21",
-    "supertest": "7.1.1",
-    "ts-jest": "29.3.4",
+    "supertest": "7.1.4",
+    "ts-jest": "29.4.0",
    "ts-loader": "9.5.2",
    "ts-node": "10.9.2",
    "tsconfig-paths": "4.2.0",
--- a/packages/hoppscotch-backend/src/posthog/posthog.service.ts
+++ b/packages/hoppscotch-backend/src/posthog/posthog.service.ts
@ -1,9 +1,8 @@
 import { Injectable } from '@nestjs/common';
 import { PostHog } from 'posthog-node';
-import { CronExpression, SchedulerRegistry } from '@nestjs/schedule';
+import { Cron, CronExpression } from '@nestjs/schedule';
 import { ConfigService } from '@nestjs/config';
 import { PrismaService } from 'src/prisma/prisma.service';
-import { CronJob } from 'cron';
 import { POSTHOG_CLIENT_NOT_INITIALIZED } from 'src/errors';
 import { throwErr } from 'src/utils';

@ -15,7 +14,6 @@ export class PostHogService {
  constructor(
    private readonly configService: ConfigService,
    private readonly prisma: PrismaService,
-    private readonly schedulerRegistry: SchedulerRegistry,
  ) {}

  async onModuleInit() {
@ -24,19 +22,14 @@ export class PostHogService {
      this.postHogClient = new PostHog(this.POSTHOG_API_KEY, {
        host: 'https://eu.posthog.com',
      });
-
-      // Schedule the cron job only if analytics collection is allowed
-      this.scheduleCronJob();
    }
  }

-  private scheduleCronJob() {
-    const job = new CronJob(CronExpression.EVERY_WEEK, async () => {
+  @Cron(CronExpression.EVERY_WEEK)
+  async handleCron() {
+    if (this.configService.get('INFRA.ALLOW_ANALYTICS_COLLECTION') === 'true') {
      await this.capture();
-    });
-
-    this.schedulerRegistry.addCronJob('captureAnalytics', job);
-    job.start();
+    }
  }

  async capture() {
--- a/packages/hoppscotch-selfhost-desktop/package.json
+++ b/packages/hoppscotch-selfhost-desktop/package.json
@ -62,6 +62,7 @@
    "@vue/eslint-config-typescript": "11.0.3",
    "autoprefixer": "10.4.16",
    "cross-env": "7.0.3",
+    "dotenv": "17.2.1",
    "eslint": "8.47.0",
    "eslint-plugin-prettier": "4.2.1",
    "eslint-plugin-vue": "9.17.0",
--- a/packages/hoppscotch-selfhost-web/package.json
+++ b/packages/hoppscotch-selfhost-web/package.json
@ -69,6 +69,7 @@
    "@vue/eslint-config-typescript": "13.0.0",
    "autoprefixer": "10.4.20",
    "cross-env": "7.0.3",
+    "dotenv": "17.2.1",
    "eslint": "8.57.0",
    "eslint-plugin-prettier": "5.2.1",
    "eslint-plugin-vue": "9.29.0",
--- a/packages/hoppscotch-sh-admin/package.json
+++ b/packages/hoppscotch-sh-admin/package.json
@ -59,6 +59,7 @@
    "@types/lodash-es": "4.17.12",
    "@vitejs/plugin-vue": "5.1.4",
    "@vue/compiler-sfc": "3.5.12",
+    "autoprefixer": "10.4.21",
    "dotenv": "16.4.5",
    "graphql-tag": "2.12.6",
    "hoppscotch-backend": "workspace:^",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
--- a/prod.Dockerfile
+++ b/prod.Dockerfile
@ -1,55 +1,53 @@
 # This step is used to build a custom build of Caddy to prevent
 # vulnerable packages on the dependency chain
-FROM alpine:3.22.0 AS caddy_builder
-RUN apk add curl go git
-
-RUN mkdir -p /tmp/caddy-build
-
-RUN curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.9.1/caddy_2.9.1_src.tar.gz
+FROM alpine:3.22.1 AS caddy_builder
+RUN apk add --no-cache curl go git && \
+  mkdir -p /tmp/caddy-build && \
+  curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.0/caddy_2.10.0_src.tar.gz

 # Checksum verification of caddy source
-RUN expected="1cfd6127f9ed8dc908d84d7d14579d3ce5114e8671aa8f786745cb3fe60923e0" && \
+RUN expected="62ba008d9e9fd354e8b28be11de59c6a213f9153f2e9de451417c0b4eb13d9f3" && \
  actual=$(sha256sum /tmp/caddy-build/src.tar.gz | cut -d' ' -f1) && \
  [ "$actual" = "$expected" ] && \
  echo "✅ Caddy Source Checksum OK" || \
  (echo "❌ Caddy Source Checksum failed!" && exit 1)

 WORKDIR /tmp/caddy-build
-RUN tar xvf /tmp/caddy-build/src.tar.gz
-
-# Patch to resolve CVE-2024-45339 on glog
-RUN go get github.com/golang/glog@v1.2.4
-# Patch to resolve CVE-2025-2714 on go-jose
-RUN go get github.com/go-jose/go-jose/v3@v3.0.4
-# Patch to resolve CVE-2025-22869 on crypto
-RUN go get golang.org/x/crypto@v0.35.0
-# Patch to resolve CVE-2025-22872 on net
-RUN go get golang.org/x/net@v0.38.0
-# Patch to resolve GHSA-vrw8-fxc6-2r93 on chi
-RUN go get github.com/go-chi/chi/v5@v5.2.2
-
-RUN go mod vendor
+RUN tar xvf /tmp/caddy-build/src.tar.gz && \
+  # Patch to resolve CVE-2025-22872 on net
+  go get golang.org/x/net@v0.38.0 && \
+  # Patch to resolve GHSA-vrw8-fxc6-2r93 on chi
+  go get github.com/go-chi/chi/v5@v5.2.2 && \
+  # Patch to resolve GHSA-2x5j-vhc8-9cwm on circl
+  go get github.com/cloudflare/circl@v1.6.1 && \
+  # Clean up any existing vendor directory and regenerate with updated deps
+  rm -rf vendor && \
+  go mod tidy && \
+  go mod vendor

 WORKDIR /tmp/caddy-build/cmd/caddy
+# Build using the updated vendored dependencies
 RUN go build



-FROM alpine:3.19.7 AS base_builder
-RUN apk add nodejs curl
+# Shared Node.js base with optimized NPM installation
+FROM alpine:3.19.7 AS node_base
+RUN apk add --no-cache nodejs curl tini && \
+  # Install NPM from source, as Alpine version is old and has dependency vulnerabilities
+  # TODO: Find a better method which is resistant to supply chain attacks
+  sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh" && \
+  npm install -g pnpm@10.13.1 @import-meta-env/cli

-# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
-# TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"

-WORKDIR /usr/src/app
-
-ENV HOPP_ALLOW_RUNTIME_ENV=true

+FROM node_base AS base_builder
 # Required by @hoppscotch/js-sandbox to build `isolated-vm`
 RUN apk add python3 make g++ zlib-dev brotli-dev c-ares-dev nghttp2-dev openssl-dev icu-dev

-RUN npm install -g pnpm@10.12.3
+WORKDIR /usr/src/app
+ENV HOPP_ALLOW_RUNTIME_ENV=true
+
 COPY pnpm-lock.yaml .
 RUN pnpm fetch

@ -66,18 +64,9 @@ RUN pnpm --filter=hoppscotch-backend deploy /dist/backend --prod --legacy
 WORKDIR /dist/backend
 RUN pnpm exec prisma generate

-FROM alpine:3.19.7 AS backend
-RUN apk add nodejs curl
-
-# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
-# TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
-
+FROM node_base AS backend
 # Install caddy
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy
-
-RUN npm install -g pnpm@10.12.3
-
 COPY --from=base_builder  /usr/src/app/packages/hoppscotch-backend/backend.Caddyfile /etc/caddy/backend.Caddyfile
 COPY --from=backend_builder /dist/backend /dist/backend
 COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/prod_run.mjs /dist/backend
@ -85,8 +74,6 @@ COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/prod_run.mjs /
 # Remove the env file to avoid backend copying it in and using it
 ENV PRODUCTION="true"
 ENV PORT=8080
-ENV APP_PORT=${PORT}
-ENV DB_URL=${DATABASE_URL}

 WORKDIR /dist/backend

@ -109,13 +96,7 @@ RUN cargo build --release



-FROM alpine:3.19.7 AS app
-RUN apk add nodejs curl
-
-# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
-# TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
-
+FROM node_base AS app
 # Install caddy
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy

@ -126,20 +107,14 @@ COPY --from=fe_builder /usr/src/app/packages/hoppscotch-selfhost-web/prod_run.mj
 COPY --from=fe_builder /usr/src/app/packages/hoppscotch-selfhost-web/selfhost-web.Caddyfile /etc/caddy/selfhost-web.Caddyfile
 COPY --from=fe_builder /usr/src/app/packages/hoppscotch-selfhost-web/dist/ /site/selfhost-web

-
-RUN npm install -g @import-meta-env/cli
+WORKDIR /site
+# Run both webapp-server and Caddy after env processing (NOTE: env processing is required by both)
+CMD ["/bin/sh", "-c", "node /site/prod_run.mjs && (webapp-server & caddy run --config /etc/caddy/selfhost-web.Caddyfile --adapter caddyfile)"]

 EXPOSE 80
 EXPOSE 3000
 EXPOSE 3200

-WORKDIR /site
-
-# Run both webapp-server and Caddy after env processing (NOTE: env processing is required by both)
-CMD ["/bin/sh", "-c", "node /site/prod_run.mjs && (webapp-server & caddy run --config /etc/caddy/selfhost-web.Caddyfile --adapter caddyfile)"]
-
-
-


 FROM base_builder AS sh_admin_builder
@ -149,16 +124,7 @@ RUN pnpm run build --outDir dist-multiport-setup
 RUN pnpm run build --outDir dist-subpath-access --base /admin/


-
-
-
-FROM alpine:3.19.7 AS sh_admin
-RUN apk add nodejs curl
-
-# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
-# TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
-
+FROM node_base AS sh_admin
 # Install caddy
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy

@ -168,41 +134,27 @@ COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/sh-admin-
 COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/dist-multiport-setup /site/sh-admin-multiport-setup
 COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/dist-subpath-access /site/sh-admin-subpath-access

-
-RUN npm install -g @import-meta-env/cli
+WORKDIR /site
+CMD ["node","/site/prod_run.mjs"]

 EXPOSE 80
 EXPOSE 3100

-WORKDIR /site

-CMD ["node","/site/prod_run.mjs"]

-FROM alpine:3.19.7 AS aio
-
-RUN apk add nodejs curl
-
-# Install NPM from source, as Alpine version is old and has dependency vulnerabilities
-# TODO: Find a better method which is resistant to supply chain attacks
-RUN sh -c "curl -qL https://www.npmjs.com/install.sh | env npm_install=11.4.2 sh"
+FROM node_base AS aio

 # Caddy install
 COPY --from=caddy_builder /tmp/caddy-build/cmd/caddy/caddy /usr/bin/caddy

 ENV PRODUCTION="true"
 ENV PORT=8080
-ENV APP_PORT=${PORT}
-ENV DB_URL=${DATABASE_URL}

 # Open Containers Initiative (OCI) labels - useful for bots like Renovate
 LABEL org.opencontainers.image.source="https://github.com/hoppscotch/hoppscotch" \
  org.opencontainers.image.url="https://docs.hoppscotch.io" \
  org.opencontainers.image.licenses="MIT"

-RUN apk add tini
-
-RUN npm install -g pnpm@10.12.3
-
 # Copy necessary files
 # Backend files
 COPY --from=base_builder /usr/src/app/packages/hoppscotch-backend/backend.Caddyfile /etc/caddy/backend.Caddyfile
@ -222,14 +174,11 @@ COPY --from=sh_admin_builder /usr/src/app/packages/hoppscotch-sh-admin/dist-subp
 COPY aio-multiport-setup.Caddyfile /etc/caddy/aio-multiport-setup.Caddyfile
 COPY aio-subpath-access.Caddyfile /etc/caddy/aio-subpath-access.Caddyfile

-RUN npm install -g @import-meta-env/cli
-
 ENTRYPOINT [ "tini", "--" ]
 COPY --chmod=755 healthcheck.sh /
 HEALTHCHECK --interval=2s CMD /bin/sh /healthcheck.sh

 WORKDIR /dist/backend
-
 CMD ["node", "/usr/src/app/aio_run.mjs"]

 # NOTE: Although these ports are exposed, the HOPP_ALTERNATE_AIO_PORT variable can be used to assign a user-specified port