From 655e9035ff2e3a20a811cc47a4c97d97fa94354d Mon Sep 17 00:00:00 2001
From: mrdulasolutions
Date: Wed, 13 May 2026 19:53:08 -0400
Subject: [PATCH] ci: clear protobufjs CVEs and prettier failures from v0.1.9 release PR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The v0.1.9 release PR had two non-gating CI failures.

Security Audit (`npm audit --omit=dev --audit-level=high`): posthog-js → @opentelemetry/exporter-logs-otlp-http → @opentelemetry/otlp-transformer pulled in protobufjs ^7.3.0, which resolved to 7.5.5 — vulnerable to a high severity advisory (GHSA-66ff-xgx4-vchm and others, all fixed in 7.5.6). No OpenTelemetry release advances the floor yet, so we use an npm override to force the whole tree onto protobufjs ^7.5.8 (latest 7.x).

Prettier (`npm run format:check`): SetupWizard.tsx had two lines that exceeded the print width after the notification-permission step landed. Auto-formatted.

Co-Authored-By: Claude Opus 4.7
---
 package-lock.json | 34 ++++++++++++-------------
 package.json | 3 +++
 src/renderer/components/SetupWizard.tsx | 9 ++++---
 3 files changed, 25 insertions(+), 21 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index b9ca5fd..4bc9725 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "aos-mail",
- "version": "0.1.8",
+ "version": "0.1.9",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "aos-mail",
- "version": "0.1.8",
+ "version": "0.1.9",
 "license": "BUSL-1.1",
 "workspaces": [
 "src/extensions-private/*"
@@ -2164,9 +2164,9 @@
 "license": "BSD-3-Clause"
 },
 "node_modules/@protobufjs/codegen": {
- "version": "2.0.4",
- "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.4.tgz",
- "integrity": "sha512-YyFaikqM5sH0ziFZCN3xDC7zeGaB/d0IUb9CATugHWbd1FRFwWwt4ld4OYMPWu5a3Xe01mGAULCdqhMlPl29Jg==",
+ "version": "2.0.5",
+ "resolved": "https://registry.npmjs.org/@protobufjs/codegen/-/codegen-2.0.5.tgz",
+ "integrity": "sha512-zgXFLzW3Ap33e6d0Wlj4MGIm6Ce8O89n/apUaGNB/jx+hw+ruWEp7EwGUshdLKVRCxZW12fp9r40E1mQrf/34g==",
 "license": "BSD-3-Clause"
 },
 "node_modules/@protobufjs/eventemitter": {
@@ -2192,9 +2192,9 @@
 "license": "BSD-3-Clause"
 },
 "node_modules/@protobufjs/inquire": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.0.tgz",
- "integrity": "sha512-kdSefcPdruJiFMVSbn801t4vFK7KB/5gd2fYvrxhuJYg8ILrmn9SKSX2tZdV6V+ksulWqS7aXjBcRXl3wHoD9Q==",
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/@protobufjs/inquire/-/inquire-1.1.1.tgz",
+ "integrity": "sha512-mnzgDV26ueAvk7rsbt9L7bE0SuAoqyuys/sMMrmVcN5x9VsxpcG3rqAUSgDyLp0UZlmNfIbQ4fHfCtreVBk8Ew==",
 "license": "BSD-3-Clause"
 },
 "node_modules/@protobufjs/path": {
@@ -2210,9 +2210,9 @@
 "license": "BSD-3-Clause"
 },
 "node_modules/@protobufjs/utf8": {
- "version": "1.1.0",
- "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.0.tgz",
- "integrity": "sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==",
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/@protobufjs/utf8/-/utf8-1.1.1.tgz",
+ "integrity": "sha512-oOAWABowe8EAbMyWKM0tYDKi8Yaox52D+HWZhAIJqQXbqe0xI/GV7FhLWqlEKreMkfDjshR5FKgi3mnle0h6Eg==",
 "license": "BSD-3-Clause"
 },
 "node_modules/@remirror/core-constants": {
@@ -8533,22 +8533,22 @@
 }
 },
 "node_modules/protobufjs": {
- "version": "7.5.5",
- "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.5.tgz",
- "integrity": "sha512-3wY1AxV+VBNW8Yypfd1yQY9pXnqTAN+KwQxL8iYm3/BjKYMNg4i0owhEe26PWDOMaIrzeeF98Lqd5NGz4omiIg==",
+ "version": "7.5.8",
+ "resolved": "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.8.tgz",
+ "integrity": "sha512-dvpCIeLPbXZS/Ete7yLaO7RenOdken2NHKykBXbsaGxZT0UTltcarBciw+A78SRQs9iMAAVpsYA+l8b1hTePIA==",
 "hasInstallScript": true,
 "license": "BSD-3-Clause",
 "dependencies": {
 "@protobufjs/aspromise": "^1.1.2",
 "@protobufjs/base64": "^1.1.2",
- "@protobufjs/codegen": "^2.0.4",
+ "@protobufjs/codegen": "^2.0.5",
 "@protobufjs/eventemitter": "^1.1.0",
 "@protobufjs/fetch": "^1.1.0",
 "@protobufjs/float": "^1.0.2",
- "@protobufjs/inquire": "^1.1.0",
+ "@protobufjs/inquire": "^1.1.1",
 "@protobufjs/path": "^1.1.2",
 "@protobufjs/pool": "^1.1.0",
- "@protobufjs/utf8": "^1.1.0",
+ "@protobufjs/utf8": "^1.1.1",
 "@types/node": ">=13.7.0",
 "long": "^5.0.0"
 },
diff --git a/package.json b/package.json
index dd7c00f..5a66be0 100644
--- a/package.json
+++ b/package.json
@@ -104,5 +104,8 @@
 "typescript": "^5.8.0",
 "typescript-eslint": "^8.57.2",
 "vite": "^6.0.5"
+ },
+ "overrides": {
+ "protobufjs": "^7.5.8"
 }
 }
diff --git a/src/renderer/components/SetupWizard.tsx b/src/renderer/components/SetupWizard.tsx
index 29f1244..408fb1f 100644
--- a/src/renderer/components/SetupWizard.tsx
+++ b/src/renderer/components/SetupWizard.tsx
@@ -638,9 +638,8 @@ export function SetupWizard({ onComplete, initialStep }: SetupWizardProps) {
 onClick={async () => {
 setNotificationPermission("requesting");
 try {
- const { isPermissionGranted, requestPermission } = await import(
- "@tauri-apps/plugin-notification"
- );
+ const { isPermissionGranted, requestPermission } =
+ await import("@tauri-apps/plugin-notification");
 const already = await isPermissionGranted();
 if (already) {
 setNotificationPermission("granted");
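Review bot: The `overrides` entry added in the package.json hunk applies to every copy of protobufjs in the dependency tree, not only the one reached through @opentelemetry/otlp-transformer that the commit message names, so a dependency that needs a different major would be forced onto 7.x with no visible signal. The lockfile hunks shown here touch a single `node_modules/protobufjs` entry, so this looks harmless today, but scoping the override to the parent keeps it that way: `"@opentelemetry/otlp-transformer": { "protobufjs": "^7.5.8" }`. Because package.json cannot carry a comment, the reason and the removal condition (an OpenTelemetry release that raises the protobufjs floor) exist only in the commit message; a tracking issue or a release-notes line would keep the override from outliving its purpose. The message also describes the audit job as non-gating, so a later regression to a vulnerable protobufjs would not block a release unless that check is made required.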
@@ -693,7 +692,9 @@ export function SetupWizard({ onComplete, initialStep }: SetupWizardProps) {
 onClick={() => setStep("analytics")}
 className="aos-btn-secondary w-full py-3 mt-2"
 >
- {notificationPermission === "granted" ? "Continue" : "Continue without notifications"}
+ {notificationPermission === "granted"
+ ? "Continue"
+ : "Continue without notifications"}
 )}