chore: security patch for the dependency chain (#5487)

v2025.10.0

---------

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
Mir Arif Hasan 2025-10-22 19:18:20 +06:00 committed by GitHub
parent cd084ebbb3
commit 53e8b28459
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 2744 additions and 2458 deletions


@ -24,14 +24,14 @@
"./packages/*"
],
"devDependencies": {
"@commitlint/cli": "19.8.1",
"@commitlint/config-conventional": "19.8.1",
"@commitlint/cli": "20.1.0",
"@commitlint/config-conventional": "20.0.0",
"@hoppscotch/ui": "0.2.5",
"@types/node": "24.5.2",
"cross-env": "10.0.0",
"@types/node": "24.9.1",
"cross-env": "10.1.0",
"http-server": "14.1.1",
"husky": "9.1.7",
"lint-staged": "16.2.1"
"lint-staged": "16.2.5"
},
"pnpm": {
"overrides": {
@ -39,6 +39,7 @@
"apiconnect-wsdl": "2.0.36",
"cross-spawn": "7.0.6",
"execa@0.10.0": "2.0.0",
"nodemailer@<7.0.7": "7.0.7",
"sha.js@2.4.11": "2.4.12",
"subscriptions-transport-ws>ws": "7.5.10",
"vue": "3.5.22",
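Review bot: The new override `"nodemailer@<7.0.7": "7.0.7"` in the second hunk lifts older transitive copies only to 7.0.7, while this same commit pins the backend's direct `nodemailer` dependency to 7.0.9, so the workspace can end up resolving two nodemailer versions at different patch levels. Pointing the override at the version used directly, `"nodemailer@<7.0.7": "7.0.9"`, would leave one copy to track. The lockfile diff is suppressed on this page, so the actual resolution could not be checked here. Since package.json cannot hold a comment, the advisory this override answers should be recorded wherever the project tracks its overrides; it is not named in the visible change.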


@ -24,8 +24,8 @@
"devDependencies": {
"@lezer/generator": "1.8.0",
"@rollup/plugin-typescript": "12.1.4",
"mocha": "11.7.2",
"rollup": "4.52.2",
"typescript": "5.9.2"
"mocha": "11.7.4",
"rollup": "4.52.5",
"typescript": "5.9.3"
}
}


@ -23,12 +23,12 @@
"@iconify-json/lucide": "1.2.68",
"@tauri-apps/cli": "^2.0.3",
"@types/lodash-es": "4.17.12",
"@types/node": "24.3.0",
"@types/node": "24.9.1",
"@vitejs/plugin-vue": "5.1.4",
"autoprefixer": "10.4.21",
"postcss": "8.5.6",
"tailwindcss": "3.4.16",
"typescript": "5.9.2",
"typescript": "5.9.3",
"unplugin-icons": "22.2.0",
"unplugin-vue-components": "29.0.0",
"vite": "6.3.6",


@ -31,20 +31,21 @@
},
"dependencies": {
"@apollo/server": "4.12.1",
"@as-integrations/express5": "1.1.2",
"@nestjs-modules/mailer": "2.0.2",
"@nestjs/apollo": "13.1.0",
"@nestjs/apollo": "13.2.1",
"@nestjs/common": "11.1.6",
"@nestjs/config": "4.0.2",
"@nestjs/core": "11.1.6",
"@nestjs/graphql": "13.1.0",
"@nestjs/jwt": "11.0.0",
"@nestjs/graphql": "13.2.0",
"@nestjs/jwt": "11.0.1",
"@nestjs/passport": "11.0.0",
"@nestjs/platform-express": "11.1.6",
"@nestjs/schedule": "6.0.1",
"@nestjs/swagger": "11.2.0",
"@nestjs/swagger": "11.2.1",
"@nestjs/terminus": "11.0.0",
"@nestjs/throttler": "6.4.0",
"@prisma/client": "6.16.2",
"@prisma/client": "6.17.1",
"argon2": "0.44.0",
"bcrypt": "6.0.0",
"class-transformer": "0.5.1",
@ -61,54 +62,54 @@
"handlebars": "4.7.8",
"io-ts": "2.2.22",
"morgan": "1.10.1",
"nodemailer": "7.0.6",
"nodemailer": "7.0.9",
"passport": "0.7.0",
"passport-github2": "0.1.12",
"passport-google-oauth20": "2.0.0",
"passport-jwt": "4.0.1",
"passport-local": "1.0.0",
"passport-microsoft": "2.1.0",
"posthog-node": "5.8.8",
"prisma": "6.16.2",
"posthog-node": "5.10.0",
"prisma": "6.17.1",
"reflect-metadata": "0.2.2",
"rimraf": "6.0.1",
"rxjs": "7.8.2"
},
"devDependencies": {
"@eslint/eslintrc": "3.3.1",
"@eslint/js": "9.36.0",
"@eslint/js": "9.37.0",
"@nestjs/cli": "11.0.10",
"@nestjs/schematics": "11.0.7",
"@nestjs/schematics": "11.0.9",
"@nestjs/testing": "11.1.6",
"@relmify/jest-fp-ts": "2.1.1",
"@types/bcrypt": "6.0.0",
"@types/cookie-parser": "1.4.9",
"@types/express": "5.0.3",
"@types/jest": "30.0.0",
"@types/node": "24.5.2",
"@types/nodemailer": "7.0.1",
"@types/node": "24.9.1",
"@types/nodemailer": "7.0.2",
"@types/passport-github2": "1.2.9",
"@types/passport-google-oauth20": "2.0.16",
"@types/passport-jwt": "4.0.1",
"@types/passport-microsoft": "2.1.0",
"@types/supertest": "6.0.3",
"@typescript-eslint/eslint-plugin": "8.44.1",
"@typescript-eslint/parser": "8.44.1",
"cross-env": "10.0.0",
"eslint": "9.36.0",
"@typescript-eslint/eslint-plugin": "8.46.1",
"@typescript-eslint/parser": "8.46.1",
"cross-env": "10.1.0",
"eslint": "9.37.0",
"eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.4",
"globals": "16.4.0",
"jest": "30.1.3",
"jest": "30.2.0",
"jest-mock-extended": "4.0.0",
"prettier": "3.6.2",
"source-map-support": "0.5.21",
"supertest": "7.1.4",
"ts-jest": "29.4.4",
"ts-jest": "29.4.5",
"ts-loader": "9.5.4",
"ts-node": "10.9.2",
"tsconfig-paths": "4.2.0",
"typescript": "5.9.2"
"typescript": "5.9.3"
},
"jest": {
"moduleFileExtensions": [


@ -64,9 +64,9 @@
"fp-ts": "2.16.11",
"prettier": "3.6.2",
"qs": "6.11.2",
"semver": "7.7.2",
"semver": "7.7.3",
"tsup": "8.5.0",
"typescript": "5.9.2",
"typescript": "5.9.3",
"vitest": "3.2.4"
}
}


@ -21,7 +21,7 @@
"do-lintfix": "pnpm run lintfix"
},
"dependencies": {
"@apidevtools/swagger-parser": "12.0.0",
"@apidevtools/swagger-parser": "12.1.0",
"@codemirror/autocomplete": "6.18.6",
"@codemirror/commands": "6.8.1",
"@codemirror/lang-javascript": "6.2.4",
@ -34,7 +34,7 @@
"@codemirror/search": "6.5.11",
"@codemirror/state": "6.5.2",
"@codemirror/view": "6.38.1",
"@guolao/vue-monaco-editor": "1.5.5",
"@guolao/vue-monaco-editor": "1.6.0",
"@hoppscotch/codemirror-lang-graphql": "workspace:^",
"@hoppscotch/data": "workspace:^",
"@hoppscotch/httpsnippet": "3.0.9",
@ -51,7 +51,7 @@
"@tauri-apps/plugin-store": "2.2.0",
"@types/hawk": "9.0.6",
"@types/markdown-it": "14.1.2",
"@unhead/vue": "2.0.17",
"@unhead/vue": "2.0.19",
"@urql/core": "6.0.1",
"@urql/devtools": "2.0.3",
"@urql/exchange-auth": "3.0.0",
@ -77,7 +77,7 @@
"jsonc-parser": "3.3.1",
"jsonpath-plus": "10.3.0",
"lodash-es": "4.17.21",
"lossless-json": "4.2.0",
"lossless-json": "4.3.0",
"markdown-it": "14.1.0",
"minisearch": "7.2.0",
"monaco-editor": "0.52.2",
@ -98,7 +98,7 @@
"splitpanes": "3.1.5",
"stream-browserify": "3.0.0",
"subscriptions-transport-ws": "0.11.0",
"superjson": "2.2.2",
"superjson": "2.2.3",
"tern": "0.24.3",
"timers": "0.1.1",
"tippy.js": "6.3.7",
@ -110,7 +110,7 @@
"vue-i18n": "11.1.12",
"vue-json-pretty": "2.5.0",
"vue-pdf-embed": "2.1.3",
"vue-router": "4.5.1",
"vue-router": "4.6.3",
"vue-tippy": "6.7.1",
"vuedraggable-es": "4.1.1",
"wonka": "6.3.5",
@ -133,7 +133,7 @@
"@iconify-json/lucide": "1.2.68",
"@intlify/unplugin-vue-i18n": "6.0.8",
"@relmify/jest-fp-ts": "2.1.1",
"@rushstack/eslint-patch": "1.12.0",
"@rushstack/eslint-patch": "1.14.0",
"@types/har-format": "1.2.16",
"@types/js-yaml": "4.0.9",
"@types/lodash-es": "4.17.12",
@ -144,18 +144,18 @@
"@types/splitpanes": "2.2.6",
"@types/uuid": "10.0.0",
"@types/yargs-parser": "21.0.3",
"@typescript-eslint/eslint-plugin": "8.44.1",
"@typescript-eslint/parser": "8.44.1",
"@typescript-eslint/eslint-plugin": "8.46.2",
"@typescript-eslint/parser": "8.46.2",
"@vitejs/plugin-vue": "5.1.4",
"@vue/compiler-sfc": "3.5.22",
"@vue/eslint-config-typescript": "13.0.0",
"@vue/runtime-core": "3.5.22",
"autoprefixer": "10.4.21",
"cross-env": "10.0.0",
"dotenv": "17.2.2",
"cross-env": "10.1.0",
"dotenv": "17.2.3",
"eslint": "8.57.0",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-vue": "10.5.0",
"eslint-plugin-vue": "10.5.1",
"glob": "11.0.3",
"jsdom": "26.1.0",
"npm-run-all": "4.1.5",
@ -166,7 +166,7 @@
"rollup-plugin-polyfill-node": "0.13.0",
"sass": "1.93.2",
"tailwindcss": "3.4.16",
"typescript": "5.9.2",
"typescript": "5.9.3",
"unplugin-fonts": "1.4.0",
"unplugin-icons": "22.2.0",
"unplugin-vue-components": "29.0.0",
@ -176,7 +176,7 @@
"vite-plugin-html-config": "2.0.2",
"vite-plugin-pages": "0.33.1",
"vite-plugin-pages-sitemap": "1.7.1",
"vite-plugin-pwa": "1.0.3",
"vite-plugin-pwa": "1.1.0",
"vite-plugin-vue-layouts": "0.11.0",
"vitest": "3.2.4",
"vue-tsc": "1.8.8"


@ -37,7 +37,7 @@
"devDependencies": {
"@types/lodash": "4.17.20",
"@types/uuid": "10.0.0",
"typescript": "5.9.2",
"typescript": "5.9.3",
"vite": "6.3.6"
},
"dependencies": {


@ -36,13 +36,13 @@
"fp-ts": "2.16.11",
"rxjs": "7.8.2",
"vue": "3.5.22",
"vue-router": "4.5.1",
"vue-router": "4.6.3",
"vue-tippy": "6.7.1",
"zod": "3.25.32"
},
"devDependencies": {
"@iconify-json/lucide": "1.2.68",
"@rushstack/eslint-patch": "1.12.0",
"@rushstack/eslint-patch": "1.14.0",
"@tauri-apps/cli": "^2",
"@typescript-eslint/eslint-plugin": "8.44.1",
"@typescript-eslint/parser": "8.44.1",
@ -51,11 +51,11 @@
"autoprefixer": "10.4.21",
"eslint": "8.57.0",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-vue": "10.5.0",
"eslint-plugin-vue": "10.5.1",
"postcss": "8.5.6",
"sass": "1.93.2",
"tailwindcss": "3.4.16",
"typescript": "5.9.2",
"typescript": "5.9.3",
"unplugin-icons": "22.2.0",
"unplugin-vue-components": "29.0.0",
"vite": "6.3.5",


@ -26,8 +26,8 @@
},
"devDependencies": {
"@rollup/plugin-typescript": "^11.1.6",
"rollup": "^4.52.2",
"rollup": "^4.52.5",
"tslib": "^2.6.2",
"typescript": "5.9.2"
"typescript": "5.9.3"
}
}


@ -26,8 +26,8 @@
},
"devDependencies": {
"@rollup/plugin-typescript": "^11.1.6",
"rollup": "^4.52.2",
"rollup": "^4.52.5",
"tslib": "^2.6.2",
"typescript": "5.9.2"
"typescript": "5.9.3"
}
}


@ -63,7 +63,7 @@
"@relmify/jest-fp-ts": "2.1.1",
"@types/jest": "30.0.0",
"@types/lodash": "4.17.20",
"@types/node": "24.3.0",
"@types/node": "24.9.1",
"@typescript-eslint/eslint-plugin": "8.44.1",
"@typescript-eslint/parser": "8.44.1",
"eslint": "8.57.0",
@ -71,7 +71,7 @@
"eslint-plugin-prettier": "5.5.4",
"io-ts": "2.2.22",
"prettier": "3.6.2",
"typescript": "5.9.2",
"typescript": "5.9.3",
"vite": "6.3.6",
"vitest": "3.2.4"
},


@ -35,8 +35,8 @@
},
"homepage": "https://github.com/hoppscotch/hoppscotch#readme",
"devDependencies": {
"@types/node": "24.3.0",
"typescript": "5.9.2",
"@types/node": "24.9.1",
"typescript": "5.9.3",
"vite": "6.3.5"
},
"peerDependencies": {
@ -48,15 +48,15 @@
}
},
"dependencies": {
"axios": "1.12.2",
"fp-ts": "2.16.11",
"aws4fetch": "1.0.20",
"zod": "3.25.32",
"superjson": "2.2.2",
"@tauri-apps/plugin-shell": "2.2.1",
"@hoppscotch/plugin-relay": "github:CuriousCorrelation/tauri-plugin-relay#5d59b97fe331ca62e8be0454ff3f4e5f6185ae70",
"@tauri-apps/plugin-dialog": "2.0.1",
"@tauri-apps/plugin-fs": "2.0.2",
"@tauri-apps/plugin-shell": "2.2.1",
"@tauri-apps/plugin-store": "2.2.0",
"@hoppscotch/plugin-relay": "github:CuriousCorrelation/tauri-plugin-relay#5d59b97fe331ca62e8be0454ff3f4e5f6185ae70"
"aws4fetch": "1.0.20",
"axios": "1.12.2",
"fp-ts": "2.16.11",
"superjson": "2.2.3",
"zod": "3.25.32"
}
}


@ -52,24 +52,24 @@
"@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.68",
"@intlify/unplugin-vue-i18n": "6.0.4",
"@rushstack/eslint-patch": "1.3.3",
"@rushstack/eslint-patch": "1.14.0",
"@types/lodash-es": "4.17.10",
"@types/node": "18.18.8",
"@types/node": "24.9.1",
"@typescript-eslint/eslint-plugin": "8.44.1",
"@typescript-eslint/parser": "8.44.1",
"@vitejs/plugin-legacy": "2.3.0",
"@vitejs/plugin-vue": "4.3.1",
"@vue/eslint-config-typescript": "11.0.3",
"autoprefixer": "10.4.16",
"cross-env": "7.0.3",
"dotenv": "17.2.2",
"cross-env": "10.1.0",
"dotenv": "17.2.3",
"eslint": "8.47.0",
"eslint-plugin-prettier": "4.2.1",
"eslint-plugin-vue": "10.5.0",
"eslint-plugin-vue": "10.5.1",
"npm-run-all": "4.1.5",
"postcss": "8.4.32",
"tailwindcss": "3.3.6",
"typescript": "5.8.3",
"typescript": "5.9.3",
"unplugin-fonts": "1.1.1",
"unplugin-icons": "0.14.9",
"unplugin-vue-components": "0.21.0",
@ -78,7 +78,7 @@
"vite-plugin-inspect": "0.7.38",
"vite-plugin-pages": "0.26.0",
"vite-plugin-pages-sitemap": "1.6.1",
"vite-plugin-pwa": "0.13.1",
"vite-plugin-pwa": "1.1.0",
"vite-plugin-static-copy": "0.12.0",
"vite-plugin-vue-layouts": "0.7.0",
"vue-tsc": "1.8.8"


@ -60,23 +60,23 @@
"@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.68",
"@intlify/unplugin-vue-i18n": "6.0.8",
"@rushstack/eslint-patch": "1.12.0",
"@rushstack/eslint-patch": "1.14.0",
"@typescript-eslint/eslint-plugin": "8.44.1",
"@typescript-eslint/parser": "8.44.1",
"@vitejs/plugin-legacy": "5.4.2",
"@vitejs/plugin-vue": "5.1.4",
"@vue/eslint-config-typescript": "13.0.0",
"autoprefixer": "10.4.21",
"cross-env": "10.0.0",
"dotenv": "17.2.2",
"cross-env": "10.1.0",
"dotenv": "17.2.3",
"eslint": "8.57.0",
"eslint-plugin-prettier": "5.5.4",
"eslint-plugin-vue": "10.5.0",
"eslint-plugin-vue": "10.5.1",
"npm-run-all": "4.1.5",
"postcss": "8.5.6",
"prettier-plugin-tailwindcss": "0.6.14",
"tailwindcss": "3.4.16",
"typescript": "5.9.2",
"typescript": "5.9.3",
"unplugin-fonts": "1.4.0",
"unplugin-icons": "22.2.0",
"unplugin-vue-components": "29.0.0",
@ -86,8 +86,8 @@
"vite-plugin-inspect": "11.3.3",
"vite-plugin-pages": "0.33.1",
"vite-plugin-pages-sitemap": "1.7.1",
"vite-plugin-pwa": "1.0.3",
"vite-plugin-static-copy": "3.1.2",
"vite-plugin-pwa": "1.1.0",
"vite-plugin-static-copy": "3.1.4",
"vite-plugin-vue-layouts": "0.11.0",
"vue-tsc": "2.1.6"
}


@ -41,7 +41,7 @@
"unplugin-vue-components": "29.0.0",
"vue": "3.5.22",
"vue-i18n": "11.1.12",
"vue-router": "4.5.1",
"vue-router": "4.6.3",
"vue-tippy": "6.7.1"
},
"devDependencies": {
@ -60,13 +60,13 @@
"@vitejs/plugin-vue": "5.1.4",
"@vue/compiler-sfc": "3.5.22",
"autoprefixer": "10.4.21",
"dotenv": "17.2.2",
"dotenv": "17.2.3",
"graphql-tag": "2.12.6",
"hoppscotch-backend": "workspace:^",
"npm-run-all": "4.1.5",
"sass": "1.93.2",
"ts-node": "10.9.2",
"typescript": "5.9.2",
"typescript": "5.9.3",
"unplugin-fonts": "1.4.0",
"vite": "6.3.5",
"vite-plugin-pages": "0.33.1",

File diff suppressed because it is too large Load diff


@ -1,6 +1,6 @@
# This step is used to build a custom build of Caddy to prevent
# vulnerable packages on the dependency chain
FROM alpine:3.22.1 AS caddy_builder
FROM alpine:3.22.2 AS caddy_builder
RUN apk add --no-cache curl git && \
mkdir -p /tmp/caddy-build && \
curl -L -o /tmp/caddy-build/src.tar.gz https://github.com/caddyserver/caddy/releases/download/v2.10.2/caddy_2.10.2_src.tar.gz
@ -12,9 +12,9 @@ RUN expected="a9efa00c161922dd24650fd0bee2f4f8bb2fb69ff3e63dcc44f0694da64bb0cf"
echo "✅ Caddy Source Checksum OK" || \
(echo "❌ Caddy Source Checksum failed!" && exit 1)
# Install Go 1.25.1 from GitHub releases to fix CVE-2025-47907
# Install Go 1.25.3 from GitHub releases to fix CVE-2025-47907
ARG TARGETARCH
ENV GOLANG_VERSION=1.25.1
ENV GOLANG_VERSION=1.25.3
# Download and install Go from the official tarball
RUN case "${TARGETARCH}" in amd64) GOARCH=amd64 ;; arm64) GOARCH=arm64 ;; *) echo "Unsupported arch: ${TARGETARCH}" && exit 1 ;; esac && \
curl -fsSL "https://go.dev/dl/go${GOLANG_VERSION}.linux-${GOARCH}.tar.gz" -o go.tar.gz && \
@ -27,6 +27,8 @@ ENV PATH="/usr/local/go/bin:${PATH}" \
WORKDIR /tmp/caddy-build
RUN tar xvf /tmp/caddy-build/src.tar.gz && \
# Patch to resolve CVE on quic-go
go get github.com/quic-go/quic-go@v0.55.0 && \
# Clean up any existing vendor directory and regenerate with updated deps
rm -rf vendor && \
go mod tidy && \
@ -39,12 +41,27 @@ RUN go build
# Shared Node.js base with optimized NPM installation
FROM alpine:3.22.1 AS node_base
RUN apk add --no-cache nodejs npm curl tini bash && \
# apk provides an outdated npm; immediately upgrade to a pinned version to avoid vulnerabilities
# TODO: Find a better method which is resistant to supply chain attacks
npm install -g npm@11.6.0 && \
npm install -g pnpm@10.17.1 @import-meta-env/cli
FROM alpine:3.22.2 AS node_base
# Install dependencies
RUN apk add --no-cache nodejs curl bash tini ca-certificates \
&& mkdir -p /tmp/npm-install
# Set working directory for NPM installation
WORKDIR /tmp/npm-install
# Download NPM tarball
RUN curl -fsSL https://registry.npmjs.org/npm/-/npm-11.6.2.tgz -o npm.tgz
# Verify checksum
RUN expected="585f95094ee5cb2788ee11d90f2a518a7c9ef6e083fa141d0b63ca3383675a20" \
&& actual=$(sha256sum npm.tgz | cut -d' ' -f1) \
&& [ "$actual" = "$expected" ] \
&& echo "✅ NPM Tarball Checksum OK" \
|| (echo "❌ NPM Tarball Checksum failed!" && exit 1)
# Install NPM from verified tarball and global packages
RUN tar -xzf npm.tgz && \
cd package && \
node bin/npm-cli.js install -g npm@11.6.2 && \
cd / && \
rm -rf /tmp/npm-install && \
npm install -g pnpm@10.18.3 @import-meta-env/cli
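Review bot: The checksum added in the last hunk only protects the bootstrap copy of npm: once `npm.tgz` has been verified, `node bin/npm-cli.js install -g npm@11.6.2` fetches npm from the registry again, so the npm that ends up installed globally is not the file that was hashed. Installing the verified file itself keeps the pin meaningful, e.g. `node bin/npm-cli.js install -g ../npm.tgz`. In the same RUN, `@import-meta-env/cli` is installed with no version and `pnpm@10.18.3` with no pinned hash, so the removed TODO about supply-chain resistance is only partly addressed; pinning both (e.g. `@import-meta-env/cli@<PINNED_VERSION>`) would narrow that gap. Separately, the Go comment in the second hunk still says "from GitHub releases" although the tarball is fetched from go.dev/dl, and the new quic-go comment does not name the CVE it patches.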