Skip to content

chore: security release v0.1.4 (undici vulnerability patches)#64

Merged
overwrite00 merged 21 commits into
mainfrom
develop
Jun 22, 2026
Merged

chore: security release v0.1.4 (undici vulnerability patches)#64
overwrite00 merged 21 commits into
mainfrom
develop

Conversation

@overwrite00

Copy link
Copy Markdown
Owner

Security Release v0.1.4

Critical security update resolving 7 vulnerabilities in undici.

Vulnerabilities Fixed

undici 7.27.2 → 7.28.0

HIGH Severity (3)

  • CVE-2026-12151 - WebSocket DoS via fragment count bypass (CVSS 7.5)
  • CVE-2026-9697 - TLS certificate validation bypass in SOCKS5 ProxyAgent (CVSS 7.4)
  • CVE-2026-6734 - Cross-origin request routing via SOCKS5 pool reuse (CVSS 7.5)

MEDIUM Severity (2)

  • CVE-2026-9678 - Cross-user information disclosure via cache bypass (CVSS 5.9)
  • CVE-2026-9679 - HTTP header injection via Set-Cookie percent-decoding (CVSS 5.9)

LOW Severity (2)

  • CVE-2026-11525 - SameSite attribute downgrade via substring matching (CVSS 3.7)
  • CVE-2026-6733 - HTTP response queue poisoning via keep-alive socket reuse (CVSS 3.7)

Testing

  • ✓ Python tests: 47 passed, 1 skipped
  • ✓ Frontend build: verified with undici 7.28.0
  • ✓ Electron build: no regressions
  • ✓ App startup: confirmed working

Impact

  • Transitive dependency: undici in @electron-forge (electron devDependencies)
  • Scope: Electron desktop app runtime
  • Action required: Upgrade to v0.1.4 immediately

Version Bump

  • v0.1.3 → v0.1.4 (PATCH: security fixes)
  • Updated: python/config.py, electron/package.json, frontend/package.json, CHANGELOG.md

Release Notes

See CHANGELOG.md for full details.

overwrite00 and others added 21 commits June 13, 2026 19:54
…empty excepts, improve file permissions

- Remove unused global variable (PathT) in path_security.py
- Remove abstract method ellipsis statements in base_handler.py
- Remove unused imports: Path from diff.py, struct from ole_handler.py, Any from office_handler.py, io from image_handler.py, os/Any from routes.py, tempfile from test_path_security.py, io/tempfile from test_handlers.py, pytest from test_registry.py, pytest from conftest.py
- Replace empty except blocks with continue statements in office_handler.py, filesystem_handler.py, routes.py
- Fix overly permissive file in test_path_security.py by using mode=0o700 for directory creation
- Fix unused local variables: captured_temp_path in test_path_security.py, useCallback from App.jsx, useCallback from FilePanel.jsx, SortIcon component in FilePanel.jsx
- Add target-branch: develop to all 3 package ecosystems (pip, npm electron, npm frontend)
- Add rebase-strategy: auto for automatic conflict resolution
- Preserve existing labels for better PR organization
- NOTE: Security updates will still target main (GitHub limitation)
- See docs for details on managing existing open PRs
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.3 to 9.1.0.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.3...9.1.0)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
)

Bumps [tailwindcss](https://github.com/tailwindlabs/tailwindcss/tree/HEAD/packages/tailwindcss) from 3.4.19 to 4.3.1.
- [Release notes](https://github.com/tailwindlabs/tailwindcss/releases)
- [Changelog](https://github.com/tailwindlabs/tailwindcss/blob/main/CHANGELOG.md)
- [Commits](https://github.com/tailwindlabs/tailwindcss/commits/v4.3.1/packages/tailwindcss)

---
updated-dependencies:
- dependency-name: tailwindcss
  dependency-version: 4.3.1
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [electron](https://github.com/electron/electron) from 41.2.1 to 42.4.0.
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v41.2.1...v42.4.0)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 42.4.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: resolve 30 CodeQL alerts - Remove unused imports/variables, fix empty excepts, improve file permissions

- Remove unused global variable (PathT) in path_security.py
- Remove abstract method ellipsis statements in base_handler.py
- Remove unused imports: Path from diff.py, struct from ole_handler.py, Any from office_handler.py, io from image_handler.py, os/Any from routes.py, tempfile from test_path_security.py, io/tempfile from test_handlers.py, pytest from test_registry.py, pytest from conftest.py
- Replace empty except blocks with continue statements in office_handler.py, filesystem_handler.py, routes.py
- Fix overly permissive file in test_path_security.py by using mode=0o700 for directory creation
- Fix unused local variables: captured_temp_path in test_path_security.py, useCallback from App.jsx, useCallback from FilePanel.jsx, SortIcon component in FilePanel.jsx

* fix: correct CodeQL resolution defects - Restore Any import, fix continue outside loops, remove unused TypeVar

* ci: trigger CodeQL rescan

* fix: resolve remaining 10 CodeQL alerts - Correct PR #53 merge issues

* chore: configure dependabot to target develop branch for version updates

- Add target-branch: develop to all 3 package ecosystems (pip, npm electron, npm frontend)
- Add rebase-strategy: auto for automatic conflict resolution
- Preserve existing labels for better PR organization
- NOTE: Security updates will still target main (GitHub limitation)
- See docs for details on managing existing open PRs

* chore(deps): bump react-dom from 19.2.5 to 19.2.7 in /frontend

Bumps [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) from 19.2.5 to 19.2.7.
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.7/packages/react-dom)

---
updated-dependencies:
- dependency-name: react-dom
  dependency-version: 19.2.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: 0verwrite <31691645+overwrite00@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pywin32](https://github.com/mhammond/pywin32) from 310 to 312.
- [Release notes](https://github.com/mhammond/pywin32/releases)
- [Changelog](https://github.com/mhammond/pywin32/blob/main/CHANGES.md)
- [Commits](https://github.com/mhammond/pywin32/commits)

---
updated-dependencies:
- dependency-name: pywin32
  dependency-version: '312'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [xattr](https://github.com/xattr/xattr) from 1.1.0 to 1.3.0.
- [Release notes](https://github.com/xattr/xattr/releases)
- [Changelog](https://github.com/xattr/xattr/blob/main/CHANGES.txt)
- [Commits](xattr/xattr@v1.1.0...v1.3.0)

---
updated-dependencies:
- dependency-name: xattr
  dependency-version: 1.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [electron](https://github.com/electron/electron) from 42.4.0 to 42.4.1.
- [Release notes](https://github.com/electron/electron/releases)
- [Commits](electron/electron@v42.4.0...v42.4.1)

---
updated-dependencies:
- dependency-name: electron
  dependency-version: 42.4.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [fastapi](https://github.com/fastapi/fastapi) from 0.136.3 to 0.137.2.
- [Release notes](https://github.com/fastapi/fastapi/releases)
- [Commits](fastapi/fastapi@0.136.3...0.137.2)

---
updated-dependencies:
- dependency-name: fastapi
  dependency-version: 0.137.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [lucide-react](https://github.com/lucide-icons/lucide/tree/HEAD/packages/lucide-react) from 1.18.0 to 1.21.0.
- [Release notes](https://github.com/lucide-icons/lucide/releases)
- [Commits](https://github.com/lucide-icons/lucide/commits/1.21.0/packages/lucide-react)

---
updated-dependencies:
- dependency-name: lucide-react
  dependency-version: 1.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [pypdf](https://github.com/py-pdf/pypdf) from 6.13.2 to 6.13.3.
- [Release notes](https://github.com/py-pdf/pypdf/releases)
- [Changelog](https://github.com/py-pdf/pypdf/blob/main/CHANGELOG.md)
- [Commits](py-pdf/pypdf@6.13.2...6.13.3)

---
updated-dependencies:
- dependency-name: pypdf
  dependency-version: 6.13.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Tailwind CSS v4 moved the PostCSS plugin to a separate package.
Updated postcss.config.js to use @tailwindcss/postcss instead of tailwindcss plugin.
Added @tailwindcss/postcss to devDependencies.

Fixes test-frontend workflow failure.
…s release

Patch release with dependency updates and Tailwind CSS v4 fix.

Changes:
- Tailwind CSS v4 breaking change fix (PostCSS plugin)
- electron 42.4.0 → 42.4.1
- fastapi 0.136.3 → 0.137.2
- lucide-react 1.18.0 → 1.21.0
- pypdf 6.13.2 → 6.13.3 (security fix)
- All other routine dependency updates
Bumps the npm_and_yarn group with 1 update in the /electron directory: [undici](https://github.com/nodejs/undici).


Updates `undici` from 7.27.2 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.27.2...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Patch release with critical security update.

undici 7.27.2 → 7.28.0: Resolves 7 security vulnerabilities
- 3× HIGH severity (WebSocket DoS, TLS bypass, cross-origin routing)
- 2× MEDIUM severity (cache bypass, HTTP injection)
- 2× LOW severity (SameSite downgrade, response poisoning)

All tests passing: 47 passed, 1 skipped
Frontend/Electron builds verified.
Resolved conflicts:
- python/config.py: VERSION 0.1.4
- electron/package.json: version 0.1.4
- frontend/package.json: version 0.1.4
- CHANGELOG.md: 0.1.4 security release section
@overwrite00 overwrite00 merged commit 5a22d22 into main Jun 22, 2026
13 checks passed
@overwrite00 overwrite00 self-assigned this Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant