thibaud-lclr/api-client
1
0
Fork 0
Code Packages Activity Actions

chore: patch dependency vulnerabilities and harden production image (#6055)

Browse source 
Co-authored-by: James George <25279263+jamesgeorge007@users.noreply.github.com>
This commit is contained in:
Mir Arif Hasan 2026-03-27 19:56:26 +06:00 committed by GitHub
parent 088ea9f4dc
commit e4eee306a7
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
12 changed files with 492 additions and 628 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
package.json
View file

@ -40,6 +40,7 @@
"apiconnect-wsdl": "2.0.36", "apiconnect-wsdl": "2.0.36",
"body-parser": "2.2.1", "body-parser": "2.2.1",
"cross-spawn": "7.0.6", "cross-spawn": "7.0.6",
"effect@3.18.4": "3.20.0",
"execa@<2.0.0": "2.0.0", "execa@<2.0.0": "2.0.0",
"flatted@>=3.0.0 <3.4.2": "3.4.2", "flatted@>=3.0.0 <3.4.2": "3.4.2",
"form-data": "4.0.4", "form-data": "4.0.4",
@ -57,7 +58,7 @@
"serialize-javascript@>=7.0.0 <7.0.3": "7.0.3", "serialize-javascript@>=7.0.0 <7.0.3": "7.0.3",
"subscriptions-transport-ws>ws": "7.5.10", "subscriptions-transport-ws>ws": "7.5.10",
"svgo@4.0.0": "4.0.1", "svgo@4.0.0": "4.0.1",
"vue": "3.5.30", "vue": "3.5.31",
"ws": "8.17.1" "ws": "8.17.1"
}, },
"onlyBuiltDependencies": [ "onlyBuiltDependencies": [

8
packages/hoppscotch-agent/package.json
View file

@ -24,15 +24,15 @@
"axios": "1.13.6", "axios": "1.13.6",
"fp-ts": "2.16.11", "fp-ts": "2.16.11",
"lodash-es": "4.17.23", "lodash-es": "4.17.23",
"vue": "3.5.30" "vue": "3.5.31"
}, },
"devDependencies": { "devDependencies": {
"@iconify-json/lucide": "1.2.98", "@iconify-json/lucide": "1.2.99",
"@tauri-apps/cli": "2.9.3", "@tauri-apps/cli": "2.9.3",
"@types/lodash-es": "4.17.12", "@types/lodash-es": "4.17.12",
"@types/node": "24.10.1", "@types/node": "24.10.1",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-vue": "6.0.5", "@vitejs/plugin-vue": "6.0.5",
"@vue/eslint-config-typescript": "14.7.0", "@vue/eslint-config-typescript": "14.7.0",
"autoprefixer": "10.4.27", "autoprefixer": "10.4.27",

4
packages/hoppscotch-backend/package.json
View file

@ -97,8 +97,8 @@
"@types/passport-jwt": "4.0.1", "@types/passport-jwt": "4.0.1",
"@types/passport-microsoft": "2.1.1", "@types/passport-microsoft": "2.1.1",
"@types/supertest": "7.2.0", "@types/supertest": "7.2.0",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"cross-env": "10.1.0", "cross-env": "10.1.0",
"eslint": "10.0.3", "eslint": "10.0.3",
"eslint-config-prettier": "10.1.8", "eslint-config-prettier": "10.1.8",

2
packages/hoppscotch-cli/package.json
View file

@ -70,6 +70,6 @@
"semver": "7.7.4", "semver": "7.7.4",
"tsup": "8.5.1", "tsup": "8.5.1",
"typescript": "5.9.3", "typescript": "5.9.3",
"vitest": "4.1.0" "vitest": "4.1.2"
} }
} }

16
packages/hoppscotch-common/package.json
View file

@ -111,14 +111,14 @@
"util": "0.12.5", "util": "0.12.5",
"uuid": "13.0.0", "uuid": "13.0.0",
"verzod": "0.4.0", "verzod": "0.4.0",
"vue": "3.5.30", "vue": "3.5.31",
"vue-i18n": "11.3.0", "vue-i18n": "11.3.0",
"vue-json-pretty": "2.6.0", "vue-json-pretty": "2.6.0",
"vue-pdf-embed": "2.1.4", "vue-pdf-embed": "2.1.4",
"vue-router": "4.6.4", "vue-router": "4.6.4",
"vue-tippy": "6.7.1", "vue-tippy": "6.7.1",
"vuedraggable-es": "4.1.1", "vuedraggable-es": "4.1.1",
"wonka": "6.3.5", "wonka": "6.3.6",
"workbox-window": "7.4.0", "workbox-window": "7.4.0",
"xml-formatter": "3.7.0", "xml-formatter": "3.7.0",
"yargs-parser": "22.0.0", "yargs-parser": "22.0.0",
@ -137,7 +137,7 @@
"@graphql-codegen/typescript-urql-graphcache": "3.1.1", "@graphql-codegen/typescript-urql-graphcache": "3.1.1",
"@graphql-codegen/urql-introspection": "3.0.1", "@graphql-codegen/urql-introspection": "3.0.1",
"@graphql-typed-document-node/core": "3.2.0", "@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.98", "@iconify-json/lucide": "1.2.99",
"@import-meta-env/cli": "0.7.4", "@import-meta-env/cli": "0.7.4",
"@intlify/unplugin-vue-i18n": "11.0.7", "@intlify/unplugin-vue-i18n": "11.0.7",
"@relmify/jest-fp-ts": "2.1.1", "@relmify/jest-fp-ts": "2.1.1",
@ -151,12 +151,12 @@
"@types/qs": "6.15.0", "@types/qs": "6.15.0",
"@types/splitpanes": "2.2.6", "@types/splitpanes": "2.2.6",
"@types/yargs-parser": "21.0.3", "@types/yargs-parser": "21.0.3",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-vue": "6.0.5", "@vitejs/plugin-vue": "6.0.5",
"@vue/compiler-sfc": "3.5.30", "@vue/compiler-sfc": "3.5.31",
"@vue/eslint-config-typescript": "14.7.0", "@vue/eslint-config-typescript": "14.7.0",
"@vue/runtime-core": "3.5.30", "@vue/runtime-core": "3.5.31",
"autoprefixer": "10.4.27", "autoprefixer": "10.4.27",
"cross-env": "10.1.0", "cross-env": "10.1.0",
"dotenv": "17.3.1", "dotenv": "17.3.1",
@ -187,7 +187,7 @@
"vite-plugin-pages-sitemap": "1.7.1", "vite-plugin-pages-sitemap": "1.7.1",
"vite-plugin-pwa": "1.2.0", "vite-plugin-pwa": "1.2.0",
"vite-plugin-vue-layouts": "0.11.0", "vite-plugin-vue-layouts": "0.11.0",
"vitest": "4.1.0", "vitest": "4.1.2",
"vue-tsc": "1.8.8" "vue-tsc": "1.8.8"
} }
} }

8
packages/hoppscotch-desktop/package.json
View file

@ -37,7 +37,7 @@
"@tauri-apps/plugin-updater": "2.9.0", "@tauri-apps/plugin-updater": "2.9.0",
"fp-ts": "2.16.11", "fp-ts": "2.16.11",
"rxjs": "7.8.2", "rxjs": "7.8.2",
"vue": "3.5.30", "vue": "3.5.31",
"vue-router": "4.6.4", "vue-router": "4.6.4",
"vue-tippy": "6.7.1", "vue-tippy": "6.7.1",
"zod": "3.25.32" "zod": "3.25.32"
@ -45,11 +45,11 @@
"devDependencies": { "devDependencies": {
"@eslint/eslintrc": "3.3.5", "@eslint/eslintrc": "3.3.5",
"@eslint/js": "9.39.2", "@eslint/js": "9.39.2",
"@iconify-json/lucide": "1.2.98", "@iconify-json/lucide": "1.2.99",
"@rushstack/eslint-patch": "1.16.1", "@rushstack/eslint-patch": "1.16.1",
"@tauri-apps/cli": "2.9.3", "@tauri-apps/cli": "2.9.3",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-vue": "6.0.5", "@vitejs/plugin-vue": "6.0.5",
"@vue/eslint-config-typescript": "14.7.0", "@vue/eslint-config-typescript": "14.7.0",
"autoprefixer": "10.4.27", "autoprefixer": "10.4.27",

6
packages/hoppscotch-js-sandbox/package.json
View file

@ -67,8 +67,8 @@
"@types/jest": "30.0.0", "@types/jest": "30.0.0",
"@types/lodash": "4.17.24", "@types/lodash": "4.17.24",
"@types/node": "24.10.1", "@types/node": "24.10.1",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"eslint": "9.39.2", "eslint": "9.39.2",
"eslint-config-prettier": "10.1.8", "eslint-config-prettier": "10.1.8",
"eslint-plugin-prettier": "5.5.5", "eslint-plugin-prettier": "5.5.5",
@ -77,7 +77,7 @@
"prettier": "3.8.1", "prettier": "3.8.1",
"typescript": "5.9.3", "typescript": "5.9.3",
"vite": "7.3.1", "vite": "7.3.1",
"vitest": "4.1.0" "vitest": "4.1.2"
}, },
"peerDependencies": { "peerDependencies": {
"isolated-vm": "6.1.2" "isolated-vm": "6.1.2"

4
packages/hoppscotch-kernel/package.json
View file

@ -41,8 +41,8 @@
"devDependencies": { "devDependencies": {
"@eslint/js": "9.39.2", "@eslint/js": "9.39.2",
"@types/node": "24.9.1", "@types/node": "24.9.1",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"eslint": "9.39.2", "eslint": "9.39.2",
"eslint-plugin-prettier": "5.5.5", "eslint-plugin-prettier": "5.5.5",
"globals": "16.5.0", "globals": "16.5.0",

8
packages/hoppscotch-selfhost-web/package.json
View file

@ -46,7 +46,7 @@
"stream-browserify": "3.0.0", "stream-browserify": "3.0.0",
"util": "0.12.5", "util": "0.12.5",
"verzod": "0.4.0", "verzod": "0.4.0",
"vue": "3.5.30", "vue": "3.5.31",
"workbox-window": "7.4.0", "workbox-window": "7.4.0",
"zod": "3.25.32" "zod": "3.25.32"
}, },
@ -61,11 +61,11 @@
"@graphql-codegen/typescript-urql-graphcache": "3.1.1", "@graphql-codegen/typescript-urql-graphcache": "3.1.1",
"@graphql-codegen/urql-introspection": "3.0.1", "@graphql-codegen/urql-introspection": "3.0.1",
"@graphql-typed-document-node/core": "3.2.0", "@graphql-typed-document-node/core": "3.2.0",
"@iconify-json/lucide": "1.2.98", "@iconify-json/lucide": "1.2.99",
"@intlify/unplugin-vue-i18n": "11.0.7", "@intlify/unplugin-vue-i18n": "11.0.7",
"@rushstack/eslint-patch": "1.16.1", "@rushstack/eslint-patch": "1.16.1",
"@typescript-eslint/eslint-plugin": "8.57.1", "@typescript-eslint/eslint-plugin": "8.57.2",
"@typescript-eslint/parser": "8.57.1", "@typescript-eslint/parser": "8.57.2",
"@vitejs/plugin-legacy": "7.2.1", "@vitejs/plugin-legacy": "7.2.1",
"@vitejs/plugin-vue": "6.0.5", "@vitejs/plugin-vue": "6.0.5",
"@vue/eslint-config-typescript": "14.7.0", "@vue/eslint-config-typescript": "14.7.0",

6
packages/hoppscotch-sh-admin/package.json
View file

@ -39,7 +39,7 @@
"ts-node-dev": "2.0.0", "ts-node-dev": "2.0.0",
"unplugin-icons": "22.5.0", "unplugin-icons": "22.5.0",
"unplugin-vue-components": "30.0.0", "unplugin-vue-components": "30.0.0",
"vue": "3.5.30", "vue": "3.5.31",
"vue-i18n": "11.3.0", "vue-i18n": "11.3.0",
"vue-router": "4.6.4", "vue-router": "4.6.4",
"vue-tippy": "6.7.1" "vue-tippy": "6.7.1"
@ -53,12 +53,12 @@
"@graphql-codegen/typescript-document-nodes": "5.0.9", "@graphql-codegen/typescript-document-nodes": "5.0.9",
"@graphql-codegen/typescript-operations": "5.0.9", "@graphql-codegen/typescript-operations": "5.0.9",
"@graphql-codegen/urql-introspection": "3.0.1", "@graphql-codegen/urql-introspection": "3.0.1",
"@iconify-json/lucide": "1.2.98", "@iconify-json/lucide": "1.2.99",
"@import-meta-env/cli": "0.7.4", "@import-meta-env/cli": "0.7.4",
"@import-meta-env/unplugin": "0.6.3", "@import-meta-env/unplugin": "0.6.3",
"@types/lodash-es": "4.17.12", "@types/lodash-es": "4.17.12",
"@vitejs/plugin-vue": "6.0.5", "@vitejs/plugin-vue": "6.0.5",
"@vue/compiler-sfc": "3.5.30", "@vue/compiler-sfc": "3.5.31",
"autoprefixer": "10.4.27", "autoprefixer": "10.4.27",
"dotenv": "17.3.1", "dotenv": "17.3.1",
"graphql-tag": "2.12.6", "graphql-tag": "2.12.6",

1041
pnpm-lock.yaml
View file

File diff suppressed because it is too large Load diff

14
prod.Dockerfile
View file

@ -68,7 +68,7 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o webapp-server .
FROM alpine:3.23.3 AS node_base FROM alpine:3.23.3 AS node_base
# Install dependencies # Install dependencies
RUN apk upgrade --no-cache && \ RUN apk upgrade --no-cache && \
apk add --no-cache nodejs curl bash tini ca-certificates git openssh-client apk add --no-cache nodejs curl bash tini ca-certificates
# Set working directory for NPM installation # Set working directory for NPM installation
RUN mkdir -p /tmp/npm-install RUN mkdir -p /tmp/npm-install
WORKDIR /tmp/npm-install WORKDIR /tmp/npm-install
@ -104,11 +104,21 @@ RUN mkdir -p /tmp/serialize-fix && \
cp -r node_modules/serialize-javascript /usr/lib/node_modules/@import-meta-env/cli/node_modules/ && \ cp -r node_modules/serialize-javascript /usr/lib/node_modules/@import-meta-env/cli/node_modules/ && \
rm -rf /tmp/serialize-fix rm -rf /tmp/serialize-fix
# Fix CVE: upgrade picomatch in npm and pnpm (ships 4.0.3, fix requires >=4.0.4)
RUN mkdir -p /tmp/picomatch-fix && \
cd /tmp/picomatch-fix && \
npm install picomatch@4.0.4 && \
rm -rf /usr/lib/node_modules/npm/node_modules/tinyglobby/node_modules/picomatch && \
cp -r node_modules/picomatch /usr/lib/node_modules/npm/node_modules/tinyglobby/node_modules/ && \
rm -rf /usr/lib/node_modules/pnpm/dist/node_modules/picomatch && \
cp -r node_modules/picomatch /usr/lib/node_modules/pnpm/dist/node_modules/ && \
rm -rf /tmp/picomatch-fix
FROM node_base AS base_builder FROM node_base AS base_builder
# Required by @hoppscotch/js-sandbox to build `isolated-vm` # Required by @hoppscotch/js-sandbox to build `isolated-vm`
RUN apk add --no-cache python3 make g++ zlib-dev brotli-dev c-ares-dev nghttp2-dev openssl-dev icu-dev ada-dev simdjson-dev simdutf-dev sqlite-dev zstd-dev RUN apk add --no-cache python3 make g++ git openssh-client zlib-dev brotli-dev c-ares-dev nghttp2-dev openssl-dev icu-dev ada-dev simdjson-dev simdutf-dev sqlite-dev zstd-dev
WORKDIR /usr/src/app WORKDIR /usr/src/app
ENV HOPP_ALLOW_RUNTIME_ENV=true ENV HOPP_ALLOW_RUNTIME_ENV=true