chore: security release v0.1.4 (undici vulnerability patches)#64
Merged
Conversation
…empty excepts, improve file permissions - Remove unused global variable (PathT) in path_security.py - Remove abstract method ellipsis statements in base_handler.py - Remove unused imports: Path from diff.py, struct from ole_handler.py, Any from office_handler.py, io from image_handler.py, os/Any from routes.py, tempfile from test_path_security.py, io/tempfile from test_handlers.py, pytest from test_registry.py, pytest from conftest.py - Replace empty except blocks with continue statements in office_handler.py, filesystem_handler.py, routes.py - Fix overly permissive file in test_path_security.py by using mode=0o700 for directory creation - Fix unused local variables: captured_temp_path in test_path_security.py, useCallback from App.jsx, useCallback from FilePanel.jsx, SortIcon component in FilePanel.jsx
…inue outside loops, remove unused TypeVar
- Add target-branch: develop to all 3 package ecosystems (pip, npm electron, npm frontend) - Add rebase-strategy: auto for automatic conflict resolution - Preserve existing labels for better PR organization - NOTE: Security updates will still target main (GitHub limitation) - See docs for details on managing existing open PRs
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0. - [Release notes](https://github.com/pytest-dev/pytest/releases) - [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst) - [Commits](pytest-dev/pytest@9.0.3...9.1.0) --- updated-dependencies: - dependency-name: pytest dependency-version: 9.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
) Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) from 3.4.19 to 4.3.1. - [Release notes](https://github.com/tailwindlabs/tailwindcss/releases) - [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md) - [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss) --- updated-dependencies: - dependency-name: tailwindcss dependency-version: 4.3.1 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [electron](https://github.com/electron/electron) from 41.2.1 to 42.4.0. - [Release notes](https://github.com/electron/electron/releases) - [Commits](electron/electron@v41.2.1...v42.4.0) --- updated-dependencies: - dependency-name: electron dependency-version: 42.4.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: resolve 30 CodeQL alerts - Remove unused imports/variables, fix empty excepts, improve file permissions - Remove unused global variable (PathT) in path_security.py - Remove abstract method ellipsis statements in base_handler.py - Remove unused imports: Path from diff.py, struct from ole_handler.py, Any from office_handler.py, io from image_handler.py, os/Any from routes.py, tempfile from test_path_security.py, io/tempfile from test_handlers.py, pytest from test_registry.py, pytest from conftest.py - Replace empty except blocks with continue statements in office_handler.py, filesystem_handler.py, routes.py - Fix overly permissive file in test_path_security.py by using mode=0o700 for directory creation - Fix unused local variables: captured_temp_path in test_path_security.py, useCallback from App.jsx, useCallback from FilePanel.jsx, SortIcon component in FilePanel.jsx * fix: correct CodeQL resolution defects - Restore Any import, fix continue outside loops, remove unused TypeVar * ci: trigger CodeQL rescan * fix: resolve remaining 10 CodeQL alerts - Correct PR #53 merge issues * chore: configure dependabot to target develop branch for version updates - Add target-branch: develop to all 3 package ecosystems (pip, npm electron, npm frontend) - Add rebase-strategy: auto for automatic conflict resolution - Preserve existing labels for better PR organization - NOTE: Security updates will still target main (GitHub limitation) - See docs for details on managing existing open PRs * chore(deps): bump react-dom from 19.2.5 to 19.2.7 in /frontend Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 19.2.5 to 19.2.7. - [Release notes](https://github.com/facebook/react/releases) - [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md) - [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom) --- updated-dependencies: - dependency-name: react-dom dependency-version: 19.2.7 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: 0verwrite <31691645+overwrite00@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pywin32](https://github.com/mhammond/pywin32) from 310 to 312. - [Release notes](https://github.com/mhammond/pywin32/releases) - [Changelog](https://github.com/mhammond/pywin32/blob/main/CHANGES.md) - [Commits](https://github.com/mhammond/pywin32/commits) --- updated-dependencies: - dependency-name: pywin32 dependency-version: '312' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [xattr](https://github.com/xattr/xattr) from 1.1.0 to 1.3.0. - [Release notes](https://github.com/xattr/xattr/releases) - [Changelog](https://github.com/xattr/xattr/blob/main/CHANGES.txt) - [Commits](xattr/xattr@v1.1.0...v1.3.0) --- updated-dependencies: - dependency-name: xattr dependency-version: 1.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [electron](https://github.com/electron/electron) from 42.4.0 to 42.4.1. - [Release notes](https://github.com/electron/electron/releases) - [Commits](electron/electron@v42.4.0...v42.4.1) --- updated-dependencies: - dependency-name: electron dependency-version: 42.4.1 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.136.3 to 0.137.2. - [Release notes](https://github.com/fastapi/fastapi/releases) - [Commits](fastapi/fastapi@0.136.3...0.137.2) --- updated-dependencies: - dependency-name: fastapi dependency-version: 0.137.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) from 1.18.0 to 1.21.0. - [Release notes](https://github.com/lucide-icons/lucide/releases) - [Commits](https://github.com/lucide-icons/lucide/commits/1.21.0/packages/lucide-react) --- updated-dependencies: - dependency-name: lucide-react dependency-version: 1.21.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.13.2 to 6.13.3. - [Release notes](https://github.com/py-pdf/pypdf/releases) - [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md) - [Commits](py-pdf/pypdf@6.13.2...6.13.3) --- updated-dependencies: - dependency-name: pypdf dependency-version: 6.13.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Tailwind CSS v4 moved the PostCSS plugin to a separate package. Updated postcss.config.js to use @tailwindcss/postcss instead of tailwindcss plugin. Added @tailwindcss/postcss to devDependencies. Fixes test-frontend workflow failure.
…s release Patch release with dependency updates and Tailwind CSS v4 fix. Changes: - Tailwind CSS v4 breaking change fix (PostCSS plugin) - electron 42.4.0 → 42.4.1 - fastapi 0.136.3 → 0.137.2 - lucide-react 1.18.0 → 1.21.0 - pypdf 6.13.2 → 6.13.3 (security fix) - All other routine dependency updates
Bumps the npm_and_yarn group with 1 update in the /electron directory: [undici](https://github.com/nodejs/undici). Updates `undici` from 7.27.2 to 7.28.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.27.2...v7.28.0) --- updated-dependencies: - dependency-name: undici dependency-version: 7.28.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
Patch release with critical security update. undici 7.27.2 → 7.28.0: Resolves 7 security vulnerabilities - 3× HIGH severity (WebSocket DoS, TLS bypass, cross-origin routing) - 2× MEDIUM severity (cache bypass, HTTP injection) - 2× LOW severity (SameSite downgrade, response poisoning) All tests passing: 47 passed, 1 skipped Frontend/Electron builds verified.
Resolved conflicts: - python/config.py: VERSION 0.1.4 - electron/package.json: version 0.1.4 - frontend/package.json: version 0.1.4 - CHANGELOG.md: 0.1.4 security release section
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security Release v0.1.4
Critical security update resolving 7 vulnerabilities in undici.
Vulnerabilities Fixed
undici 7.27.2 → 7.28.0
HIGH Severity (3)
MEDIUM Severity (2)
LOW Severity (2)
Testing
Impact
Version Bump
Release Notes
See CHANGELOG.md for full details.