chore: Update dependencies and fix security vulnerabilities #149
runbgp wants to merge 28 commits into
Conversation
Bumps [@rollup/plugin-node-resolve](https://github.com/rollup/plugins/tree/HEAD/packages/node-resolve) from 16.0.0 to 16.0.1.
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/node-resolve/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/node-resolve-v16.0.1/packages/node-resolve)

---
updated-dependencies:
- dependency-name: "@rollup/plugin-node-resolve"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [globals](https://github.com/sindresorhus/globals) from 16.0.0 to 16.2.0.
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v16.0.0...v16.2.0)

---
updated-dependencies:
- dependency-name: globals
  dependency-version: 16.2.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [eslint](https://github.com/eslint/eslint) from 9.22.0 to 9.29.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.22.0...v9.29.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 9.29.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.22.0 to 9.29.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/commits/v9.29.0/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 9.29.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@rollup/plugin-commonjs](https://github.com/rollup/plugins/tree/HEAD/packages/commonjs) from 28.0.3 to 28.0.6.
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/commonjs/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/commonjs-v28.0.6/packages/commonjs)

---
updated-dependencies:
- dependency-name: "@rollup/plugin-commonjs"
  dependency-version: 28.0.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [rollup](https://github.com/rollup/rollup) from 4.35.0 to 4.44.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.35.0...v4.44.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.44.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.11 to 1.1.12.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [globals](https://github.com/sindresorhus/globals) from 16.2.0 to 16.3.0.
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v16.2.0...v16.3.0)

---
updated-dependencies:
- dependency-name: globals
  dependency-version: 16.3.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.29.0 to 9.33.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](https://github.com/eslint/eslint/commits/v9.33.0/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 9.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [eslint](https://github.com/eslint/eslint) from 9.29.0 to 9.33.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.29.0...v9.33.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 9.33.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [rollup](https://github.com/rollup/rollup) from 4.44.0 to 4.46.4.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.44.0...v4.46.4)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.46.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [eslint](https://github.com/eslint/eslint) from 9.33.0 to 9.34.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v9.33.0...v9.34.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 9.34.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [rollup](https://github.com/rollup/rollup) from 4.46.4 to 4.48.0.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.46.4...v4.48.0)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.48.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Includes recent Dependabot dependency updates
- Bump rollup from 4.46.4 to 4.48.0
- Bump eslint from 9.33.0 to 9.34.0
- Bump @eslint/js from 9.29.0 to 9.33.0
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.1.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.34.0 to 9.38.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](https://github.com/eslint/eslint/commits/v9.38.0/packages/js)

---
updated-dependencies:
- dependency-name: "@eslint/js"
  dependency-version: 9.38.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [rollup](https://github.com/rollup/rollup) from 4.48.0 to 4.52.5.
- [Release notes](https://github.com/rollup/rollup/releases)
- [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md)
- [Commits](rollup/rollup@v4.48.0...v4.52.5)

---
updated-dependencies:
- dependency-name: rollup
  dependency-version: 4.52.5
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [on-headers](https://github.com/jshttp/on-headers) to 1.1.0 and updates ancestor dependency [serve](https://github.com/vercel/serve). These dependencies need to be updated together.

Updates `on-headers` from 1.0.2 to 1.1.0
- [Release notes](https://github.com/jshttp/on-headers/releases)
- [Changelog](https://github.com/jshttp/on-headers/blob/master/HISTORY.md)
- [Commits](jshttp/on-headers@v1.0.2...v1.1.0)

Updates `serve` from 14.2.4 to 14.2.5
- [Release notes](https://github.com/vercel/serve/releases)
- [Commits](vercel/serve@14.2.4...v14.2.5)

---
updated-dependencies:
- dependency-name: on-headers
  dependency-version: 1.1.0
  dependency-type: indirect
- dependency-name: serve
  dependency-version: 14.2.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [eslint](https://github.com/eslint/eslint) from 9.34.0 to 9.38.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.34.0...v9.38.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-version: 9.38.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [globals](https://github.com/sindresorhus/globals) from 16.3.0 to 16.4.0.
- [Release notes](https://github.com/sindresorhus/globals/releases)
- [Commits](sindresorhus/globals@v16.3.0...v16.4.0)

---
updated-dependencies:
- dependency-name: globals
  dependency-version: 16.4.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Update all dependencies to latest wanted versions
- Add npm override for minimatch to fix HIGH severity ReDoS vulnerabilities
- Update dependabot.yml to target main branch explicitly
- Reduce dependabot frequency from daily to weekly
- Add dependency grouping for eslint and rollup packages

Security: Fixes HIGH severity ReDoS vulnerabilities in minimatch (GHSA-3ppc-4f35-3m26, GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74)

Note: 2 MODERATE ajv vulnerabilities remain - cannot override without breaking ESLint

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR modernizes the project to address dependency/security updates and aligns the repository with a newer Node.js baseline, including moving runtime/build configuration toward ES modules.
Changes:
- Migrates runtime/build tooling to ESM (`"type": "module"`, ESM `server/server.js`, ESM Rollup config) and adds ESLint v9 flat config.
- Updates dependencies/devDependencies (Rollup v4, ESLint v9, serve/socket.io) and adds an override for `minimatch`.
- Updates ops/maintenance assets (Dockerfile base image/entrypoint, GitHub workflows targeting `main`, Dependabot grouping) and refreshes docs/metadata (README/SECURITY/app.json, etc.).
Reviewed changes
Copilot reviewed 16 out of 20 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| server/server.js | Switches server entrypoint to ESM imports and updates socket.io server initialization. |
| rollup.config.js | Converts Rollup config to ESM export to match "type": "module". |
| pm2.json | Removes PM2 process config (Dockerfile no longer uses pm2-runtime). |
| package.json | Bumps versions, sets ESM mode, updates Node engine floor, and refreshes dependency set. |
| eslint.config.js | Adds ESLint v9 flat configuration and ignore patterns. |
| client/source/settings.js | Updates displayed repository link in MOTD art. |
| client/public/js/cryptalk.min.js | Rebuilds/minifies client bundle output. |
| app.json | Updates repository link to fork. |
| SECURITY.md | Updates supported versions table and vulnerability reporting instructions. |
| README.md | Updates badges, deployment instructions, and fork/maintenance notes. |
| LICENSE.md | Updates copyright line. |
| Dockerfile | Moves to node:22-alpine and runs npm start instead of PM2. |
| .github/workflows/node.js.yml | Updates CI to main, newer actions, and newer Node versions. |
| .github/workflows/codeql-analysis.yml | Updates branches and CodeQL action major version/schedule. |
| .github/dependabot.yml | Switches to weekly updates, targets main, and adds grouping. |
| .github/FUNDING.yml | Removes funding configuration. |
| .eslintrc.json | Removes legacy ESLint config in favor of flat config. |
| ## Development | ||
|
|
||
| Install node.js (development require >=12.0), exact procedure is dependant on platform and distribution. | ||
| Install node.js (development requires >=18.0), exact procedure is dependant on platform and distribution. |
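Review bot: the rewritten README line still carries the misspelling "dependant" ("exact procedure is dependant on platform and distribution"); since the line is being touched anyway, change it to "dependent" in the same edit.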
README states development requires Node.js >=18.0, but package.json declares engines.node as ">=22.0.0". This is confusing for contributors and can lead to setup issues; update the README to match the actual supported Node version range.
| Install node.js (development requires >=18.0), exact procedure is dependant on platform and distribution. | |
| Install Node.js (development requires >=22.0.0), exact procedure is dependant on platform and distribution. |
| "dependencies": { | ||
| "serve": "^13.0.2", | ||
| "socket.io": "^4.3.1" | ||
| "serve": "^14.2.4", |
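Review bot: `"serve": "^13.0.2"` to `"^14.2.4"` is a major-version bump of a production dependency, and the PR body is empty ("No description provided."); add a sentence to the description or the commit recording that the serve 14 release notes were checked for breaking changes, so the reason the runtime dependency moved is documented next to the security fixes the title claims.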
server/server.js imports serve-handler directly, but serve-handler is not declared as a direct dependency (only serve is). This relies on transitive dependency resolution and can break on install/dedupe when serve changes its dependency tree. Add serve-handler to dependencies (or stop importing it directly and use an API you depend on explicitly).
| "serve": "^14.2.4", | |
| "serve": "^14.2.4", | |
| "serve-handler": "^6.1.5", |
| - name: Checkout repository | ||
| uses: actions/checkout@v2 | ||
|
|
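Review bot: `uses: actions/checkout@v2` references a mutable tag; when it is bumped, pin the action to the full commit SHA of the chosen release and keep the version in a trailing comment, so the code the workflow executes cannot change if the tag is moved. The same treatment is worth applying to any other action reference in this file.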
The CodeQL workflow still uses actions/checkout@v2 while the rest of the workflow has been updated (e.g., codeql-action v3). checkout@v2 is deprecated and may miss security/performance fixes; update it to actions/checkout@v4 for consistency with the Node CI workflow.
| CMD [ "pm2-runtime", "start", "pm2.json" ] | ||
|
|
||
| # Run the application using npm start | ||
| CMD ["npm", "start"] |
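Review bot: `CMD ["npm", "start"]` makes npm, not node, PID 1 in the container; npm does not reliably forward SIGTERM to its child, so `docker stop` tends to wait out the grace period and SIGKILL the server instead of letting it close connections, which the removed `pm2-runtime` entrypoint handled. Prefer invoking node directly (`CMD ["node", "server/server.js"]`, matching the entrypoint in the file list) or run under an init process such as `docker run --init`.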
Because this Dockerfile does not specify a non-root USER, the npm start process runs as root inside the container, which significantly increases the impact of any remote code execution or container breakout vulnerability. An attacker who gains code execution in the app would immediately have root in the container, making it easier to access host resources or other services if the container or runtime is misconfigured. Consider running the app as a dedicated unprivileged user (for example the built-in node user) before CMD ["npm", "start"] or enforcing a non-root user at runtime.
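A hardened Dockerfile along the lines of the comment above, added here as an illustration and not taken from the PR; it assumes the base image and entrypoint shown in the file list (`node:22-alpine`, `server/server.js`), that a `package-lock.json` is committed, and that only the entries under `"dependencies"` are needed at runtime.

```dockerfile
# Added example, not the PR's Dockerfile. Assumes the server entrypoint is
# server/server.js (per the file list) and that the built client bundle under
# client/public is committed, so no rollup build step is needed in the image.
FROM node:22-alpine

WORKDIR /app

# Install dependencies first so this layer is cached across source changes.
# Assumption: a package-lock.json exists (npm ci requires it) and the dev
# tooling (eslint, rollup) is not needed to run the server, so it is omitted.
COPY package.json package-lock.json ./
RUN npm ci --omit=dev

# Application code is copied owned by the unprivileged user, not root.
COPY --chown=node:node . .

# Weak form from the PR: no USER directive, so CMD ["npm", "start"] runs as
# root. Dropping to the built-in "node" user of the official images bounds
# what a remote code execution in the app can reach inside the container.
USER node

# Invoke node directly rather than through npm so the server is PID 1 and
# receives SIGTERM on container stop.
CMD ["node", "server/server.js"]
```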
No description provided.