From 17302415c10e6f5824842caec9bcfb16fc8a412c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 22 Apr 2026 16:16:24 +0200 Subject: [PATCH 01/16] add baseline security headers --- src/http.rs | 53 ++++++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 7 deletions(-) diff --git a/src/http.rs b/src/http.rs index f1b8e2e..b0f899a 100644 --- a/src/http.rs +++ b/src/http.rs @@ -13,7 +13,7 @@ use axum::{ Json, Router, body::Body, extract::{ConnectInfo, FromRef, State}, - http::{Request, Response, StatusCode, header::HeaderValue}, + http::{HeaderName, HeaderValue, Request, Response, StatusCode, header}, middleware::{self, Next}, response::IntoResponse, routing::{get, post}, @@ -52,7 +52,13 @@ const DEFGUARD_CORE_CONNECTED_HEADER: &str = "defguard-core-connected"; const DEFGUARD_CORE_VERSION_HEADER: &str = "defguard-core-version"; const RATE_LIMITER_CLEANUP_PERIOD: Duration = Duration::from_secs(60); const X_FORWARDED_FOR: &str = "x-forwarded-for"; -const X_POWERED_BY: &str = "x-powered-by"; +// Header name constants not yet present in the `http` crate v1.x standard set. +const X_POWERED_BY: HeaderName = HeaderName::from_static("x-powered-by"); +const PERMISSIONS_POLICY: HeaderName = HeaderName::from_static("permissions-policy"); +const CROSS_ORIGIN_OPENER_POLICY: HeaderName = + HeaderName::from_static("cross-origin-opener-policy"); +const CROSS_ORIGIN_RESOURCE_POLICY: HeaderName = + HeaderName::from_static("cross-origin-resource-policy"); pub const GRPC_CERT_NAME: &str = "proxy_grpc_cert.pem"; pub const GRPC_KEY_NAME: &str = "proxy_grpc_key.pem"; pub const GRPC_CA_CERT_NAME: &str = "grpc_ca_cert.pem"; @@ -173,10 +179,43 @@ async fn core_version_middleware( response } -async fn powered_by_header(mut response: Response) -> Response { - response - .headers_mut() - .insert(X_POWERED_BY, HeaderValue::from_static("Defguard")); +/// Injects baseline security response headers on every response. +async fn security_headers_middleware(mut response: Response) -> Response { + let headers = response.headers_mut(); + // `X-Powered-By: Defguard` - server identification header + headers.insert(X_POWERED_BY, HeaderValue::from_static("Defguard")); + // `X-Content-Type-Options: nosniff` - prevents MIME-type sniffing/confusion attacks + headers.insert( + header::X_CONTENT_TYPE_OPTIONS, + HeaderValue::from_static("nosniff"), + ); + // `Referrer-Policy: strict-origin-when-cross-origin` - avoids leaking internal URLs via Referer to external sites + headers.insert( + header::REFERRER_POLICY, + HeaderValue::from_static("strict-origin-when-cross-origin"), + ); + // `Permissions-Policy: geolocation=(), camera=(), microphone=()` - disables unused browser APIs + headers.insert( + PERMISSIONS_POLICY, + HeaderValue::from_static("geolocation=(), camera=(), microphone=()"), + ); + // `Cross-Origin-Opener-Policy: same-origin` - severs window.opener references, preventing reverse tabnapping + headers.insert( + CROSS_ORIGIN_OPENER_POLICY, + HeaderValue::from_static("same-origin"), + ); + // `Cross-Origin-Resource-Policy: same-origin` - blocks cross-origin embedding of application resources + headers.insert( + CROSS_ORIGIN_RESOURCE_POLICY, + HeaderValue::from_static("same-origin"), + ); + // `X-Frame-Options: DENY` - clickjacking defense for browsers without CSP frame-ancestors support + headers.insert(header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")); + // `Content-Security-Policy: frame-ancestors 'none'` - prevents framing/clickjacking + // Use entry/or_insert so individual handlers can override CSP (e.g. per-request nonces) + headers + .entry(header::CONTENT_SECURITY_POLICY) + .or_insert(HeaderValue::from_static("frame-ancestors 'none';")); response } @@ -496,7 +535,7 @@ pub async fn run_server( shared_state.clone(), ensure_configured, )) - .layer(middleware::map_response(powered_by_header)) + .layer(middleware::map_response(security_headers_middleware)) .layer(middleware::from_fn_with_state( shared_state.clone(), core_version_middleware, From ef5861c24fda8eafdb7e4bfaca6881144064affc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 22 Apr 2026 16:55:30 +0200 Subject: [PATCH 02/16] only set HSTS header in HTTPS mode --- src/http.rs | 39 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 36 insertions(+), 3 deletions(-) diff --git a/src/http.rs b/src/http.rs index b0f899a..e452df9 100644 --- a/src/http.rs +++ b/src/http.rs @@ -4,7 +4,10 @@ use std::{ io::ErrorKind, net::{IpAddr, Ipv4Addr, SocketAddr}, path::Path, - sync::{Arc, RwLock, atomic::Ordering}, + sync::{ + Arc, RwLock, + atomic::{AtomicBool, Ordering}, + }, time::Duration, }; @@ -68,6 +71,8 @@ pub const CORE_CLIENT_CERT_NAME: &str = "core_client_cert.pem"; pub(crate) struct AppState { pub(crate) grpc_server: ProxyServer, cookie_key: Arc>>, + /// Reflects whether the HTTP server is currently running with TLS + pub(crate) tls_active: Arc, } impl FromRef for Key { @@ -180,42 +185,64 @@ async fn core_version_middleware( } /// Injects baseline security response headers on every response. -async fn security_headers_middleware(mut response: Response) -> Response { +async fn security_headers_middleware( + State(state): State, + request: Request, + next: Next, +) -> Response { + let mut response = next.run(request).await; let headers = response.headers_mut(); + // `X-Powered-By: Defguard` - server identification header headers.insert(X_POWERED_BY, HeaderValue::from_static("Defguard")); + // `X-Content-Type-Options: nosniff` - prevents MIME-type sniffing/confusion attacks headers.insert( header::X_CONTENT_TYPE_OPTIONS, HeaderValue::from_static("nosniff"), ); + // `Referrer-Policy: strict-origin-when-cross-origin` - avoids leaking internal URLs via Referer to external sites headers.insert( header::REFERRER_POLICY, HeaderValue::from_static("strict-origin-when-cross-origin"), ); + // `Permissions-Policy: geolocation=(), camera=(), microphone=()` - disables unused browser APIs headers.insert( PERMISSIONS_POLICY, HeaderValue::from_static("geolocation=(), camera=(), microphone=()"), ); + // `Cross-Origin-Opener-Policy: same-origin` - severs window.opener references, preventing reverse tabnapping headers.insert( CROSS_ORIGIN_OPENER_POLICY, HeaderValue::from_static("same-origin"), ); + // `Cross-Origin-Resource-Policy: same-origin` - blocks cross-origin embedding of application resources headers.insert( CROSS_ORIGIN_RESOURCE_POLICY, HeaderValue::from_static("same-origin"), ); + // `X-Frame-Options: DENY` - clickjacking defense for browsers without CSP frame-ancestors support headers.insert(header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")); + // `Content-Security-Policy: frame-ancestors 'none'` - prevents framing/clickjacking // Use entry/or_insert so individual handlers can override CSP (e.g. per-request nonces) headers .entry(header::CONTENT_SECURITY_POLICY) .or_insert(HeaderValue::from_static("frame-ancestors 'none';")); + + // `Strict-Transport-Security` - only sent over TLS; ignored and potentially harmful over plain HTTP (RFC 6797 §7.2) + let tls = state.tls_active.load(Ordering::Relaxed); + if tls { + headers.insert( + header::STRICT_TRANSPORT_SECURITY, + HeaderValue::from_static("max-age=31536000; includeSubDomains"), + ); + } response } @@ -472,9 +499,11 @@ pub async fn run_server( // build application debug!("Setting up API server"); + let tls_active = Arc::new(AtomicBool::new(false)); let shared_state = AppState { grpc_server, cookie_key, + tls_active: Arc::clone(&tls_active), }; // Setup tower_governor rate-limiter @@ -535,7 +564,10 @@ pub async fn run_server( shared_state.clone(), ensure_configured, )) - .layer(middleware::map_response(security_headers_middleware)) + .layer(middleware::from_fn_with_state( + shared_state.clone(), + security_headers_middleware, + )) .layer(middleware::from_fn_with_state( shared_state.clone(), core_version_middleware, @@ -585,6 +617,7 @@ pub async fn run_server( loop { let handle = axum_server::Handle::new(); let handle_clone = handle.clone(); + tls_active.store(current_tls.is_some(), Ordering::Relaxed); let app_service = app.clone().into_make_service_with_connect_info::(); let tls_certs = current_tls.clone(); From 77e1e5e63cba1e56799813c515c7c47007e765a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 22 Apr 2026 18:48:48 +0200 Subject: [PATCH 03/16] set request body size limit --- src/http.rs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/http.rs b/src/http.rs index e452df9..64d2e67 100644 --- a/src/http.rs +++ b/src/http.rs @@ -15,7 +15,7 @@ use anyhow::Context; use axum::{ Json, Router, body::Body, - extract::{ConnectInfo, FromRef, State}, + extract::{ConnectInfo, DefaultBodyLimit, FromRef, State}, http::{HeaderName, HeaderValue, Request, Response, StatusCode, header}, middleware::{self, Next}, response::IntoResponse, @@ -55,6 +55,8 @@ const DEFGUARD_CORE_CONNECTED_HEADER: &str = "defguard-core-connected"; const DEFGUARD_CORE_VERSION_HEADER: &str = "defguard-core-version"; const RATE_LIMITER_CLEANUP_PERIOD: Duration = Duration::from_secs(60); const X_FORWARDED_FOR: &str = "x-forwarded-for"; +/// Default request body size limit applied globally to every route. +const REQUEST_BODY_LIMIT: usize = 256 * 1024; // 256 KB // Header name constants not yet present in the `http` crate v1.x standard set. const X_POWERED_BY: HeaderName = HeaderName::from_static("x-powered-by"); const PERMISSIONS_POLICY: HeaderName = HeaderName::from_static("permissions-policy"); @@ -592,6 +594,8 @@ pub async fn run_server( if let Some(conf) = governor_conf { app = app.layer(GovernorLayer::new(conf)); } + // Global request body size limit; all proxy endpoints have small payloads. + app = app.layer(DefaultBodyLimit::max(REQUEST_BODY_LIMIT)); debug!("Configured API server routing: {app:?}"); // Start web server. From d738ec6e2ba58361d4a7db81442741fd03b69db1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 22 Apr 2026 20:26:25 +0200 Subject: [PATCH 04/16] add request timeout --- Cargo.toml | 2 +- src/http.rs | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index d924a5f..34e944e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -25,7 +25,7 @@ axum-server = { version = "0.8", features = ["tls-rustls"] } time = { version = "0.3", default-features = false } tokio = { version = "1", features = ["macros", "rt-multi-thread", "sync", "time"] } tokio-stream = "0.1" -tower-http = { version = "0.6", features = ["fs", "trace"] } +tower-http = { version = "0.6", features = ["fs", "trace", "timeout"] } # logging/tracing tracing = "0.1" tracing-subscriber = { version = "0.3", features = ["env-filter"] } diff --git a/src/http.rs b/src/http.rs index 64d2e67..9c551a9 100644 --- a/src/http.rs +++ b/src/http.rs @@ -35,7 +35,10 @@ use tokio::{ use tower_governor::{ GovernorLayer, governor::GovernorConfigBuilder, key_extractor::SmartIpKeyExtractor, }; -use tower_http::trace::{self, TraceLayer}; +use tower_http::{ + timeout::TimeoutLayer, + trace::{self, TraceLayer}, +}; use tracing::{Level, info_span}; use crate::{ @@ -57,6 +60,9 @@ const RATE_LIMITER_CLEANUP_PERIOD: Duration = Duration::from_secs(60); const X_FORWARDED_FOR: &str = "x-forwarded-for"; /// Default request body size limit applied globally to every route. const REQUEST_BODY_LIMIT: usize = 256 * 1024; // 256 KB + +/// Maximum time a single request may take before the server returns 408. +const REQUEST_TIMEOUT: Duration = Duration::from_secs(30); // Header name constants not yet present in the `http` crate v1.x standard set. const X_POWERED_BY: HeaderName = HeaderName::from_static("x-powered-by"); const PERMISSIONS_POLICY: HeaderName = HeaderName::from_static("permissions-policy"); @@ -575,6 +581,10 @@ pub async fn run_server( core_version_middleware, )) .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)) + .layer(TimeoutLayer::with_status_code( + StatusCode::REQUEST_TIMEOUT, + REQUEST_TIMEOUT, + )) .with_state(shared_state) .layer( TraceLayer::new_for_http() From 7ccb64954f508e6fc6a0e355f5ab87aafaece385 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 22 Apr 2026 21:15:37 +0200 Subject: [PATCH 05/16] enable rate limiting by default --- src/config.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/config.rs b/src/config.rs index c17adec..5fb8d35 100644 --- a/src/config.rs +++ b/src/config.rs @@ -50,11 +50,11 @@ pub struct EnvConfig { #[serde(default = "default_log_level")] pub log_level: LevelFilter, - #[arg(long, env = "DEFGUARD_PROXY_RATELIMIT_PERSECOND", default_value_t = 0)] + #[arg(long, env = "DEFGUARD_PROXY_RATELIMIT_PERSECOND", default_value_t = 10)] #[serde(default)] pub rate_limit_per_second: u64, - #[arg(long, env = "DEFGUARD_PROXY_RATELIMIT_BURST", default_value_t = 0)] + #[arg(long, env = "DEFGUARD_PROXY_RATELIMIT_BURST", default_value_t = 100)] #[serde(default)] pub rate_limit_burst: u32, From 1f7c614311555d0d557bb575cc7b079921d2732e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 07:37:11 +0200 Subject: [PATCH 06/16] set cookie control header for api routes --- src/http.rs | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/http.rs b/src/http.rs index 9c551a9..d0fc7e5 100644 --- a/src/http.rs +++ b/src/http.rs @@ -198,6 +198,7 @@ async fn security_headers_middleware( request: Request, next: Next, ) -> Response { + let is_api = request.uri().path().starts_with("/api/"); let mut response = next.run(request).await; let headers = response.headers_mut(); @@ -251,6 +252,12 @@ async fn security_headers_middleware( HeaderValue::from_static("max-age=31536000; includeSubDomains"), ); } + + // `Cache-Control: no-store` - prevents browsers and caches from storing sensitive API responses + if is_api { + headers.insert(header::CACHE_CONTROL, HeaderValue::from_static("no-store")); + } + response } From 5ed0b3e9ae74576b5a1186dff29569c0f78e31bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 07:56:33 +0200 Subject: [PATCH 07/16] adjust cookie security settings --- src/handlers/enrollment.rs | 14 ++++++++++++-- src/handlers/password_reset.rs | 14 ++++++++++++-- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/src/handlers/enrollment.rs b/src/handlers/enrollment.rs index 7520b13..86b5e95 100644 --- a/src/handlers/enrollment.rs +++ b/src/handlers/enrollment.rs @@ -1,5 +1,8 @@ use axum::{Json, Router, extract::State, routing::post}; -use axum_extra::extract::{PrivateCookieJar, cookie::Cookie}; +use axum_extra::extract::{ + PrivateCookieJar, + cookie::{Cookie, SameSite}, +}; use time::OffsetDateTime; use super::register_mfa::router as register_mfa_router; @@ -56,7 +59,14 @@ async fn start_enrollment_process( ); // set session cookie let cookie = Cookie::build((ENROLLMENT_COOKIE_NAME, token)) - .expires(OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).unwrap()); + .expires( + OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).map_err(|_| { + ApiError::Unexpected("Invalid enrollment deadline timestamp".into()) + })?, + ) + .http_only(true) + .same_site(SameSite::Strict) + .path("/api/v1/enrollment"); Ok((private_cookies.add(cookie), Json(response))) } else { diff --git a/src/handlers/password_reset.rs b/src/handlers/password_reset.rs index af5c3ef..26e58aa 100644 --- a/src/handlers/password_reset.rs +++ b/src/handlers/password_reset.rs @@ -1,5 +1,8 @@ use axum::{Json, Router, extract::State, routing::post}; -use axum_extra::extract::{PrivateCookieJar, cookie::Cookie}; +use axum_extra::extract::{ + PrivateCookieJar, + cookie::{Cookie, SameSite}, +}; use time::OffsetDateTime; use crate::{ @@ -65,7 +68,14 @@ async fn start_password_reset( if let core_response::Payload::PasswordResetStart(response) = payload { // set session cookie let cookie = Cookie::build((PASSWORD_RESET_COOKIE_NAME, token)) - .expires(OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).unwrap()); + .expires( + OffsetDateTime::from_unix_timestamp(response.deadline_timestamp).map_err(|_| { + ApiError::Unexpected("Invalid password reset deadline timestamp".into()) + })?, + ) + .http_only(true) + .same_site(SameSite::Strict) + .path("/api/v1/password-reset"); info!("Started password reset process"); Ok((private_cookies.add(cookie), Json(response))) From af8754e258d799a6228900d46bb70c40964994d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 08:15:44 +0200 Subject: [PATCH 08/16] review fixes --- src/config.rs | 12 ++++++++++-- src/http.rs | 17 +++++++++++------ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/src/config.rs b/src/config.rs index 5fb8d35..792df84 100644 --- a/src/config.rs +++ b/src/config.rs @@ -28,6 +28,14 @@ fn default_adoption_timeout() -> u64 { 10 } +fn default_rate_limit_per_second() -> u64 { + 10 +} + +fn default_rate_limit_burst() -> u32 { + 100 +} + #[derive(Parser, Debug, Deserialize, Clone)] #[command(version)] pub struct EnvConfig { @@ -51,11 +59,11 @@ pub struct EnvConfig { pub log_level: LevelFilter, #[arg(long, env = "DEFGUARD_PROXY_RATELIMIT_PERSECOND", default_value_t = 10)] - #[serde(default)] + #[serde(default = "default_rate_limit_per_second")] pub rate_limit_per_second: u64, #[arg(long, env = "DEFGUARD_PROXY_RATELIMIT_BURST", default_value_t = 100)] - #[serde(default)] + #[serde(default = "default_rate_limit_burst")] pub rate_limit_burst: u32, /// Configuration file path diff --git a/src/http.rs b/src/http.rs index d0fc7e5..afa860b 100644 --- a/src/http.rs +++ b/src/http.rs @@ -249,7 +249,7 @@ async fn security_headers_middleware( if tls { headers.insert( header::STRICT_TRANSPORT_SECURITY, - HeaderValue::from_static("max-age=31536000; includeSubDomains"), + HeaderValue::from_static("max-age=31536000"), ); } @@ -557,6 +557,9 @@ pub async fn run_server( }; // Build axum app + // Capture a clone for security_headers_middleware which must be applied *outside* + // TimeoutLayer so that 408 timeout responses also carry the security headers. + let security_headers_state = shared_state.clone(); let mut app = Router::new() .route("/", get(index)) .route("/{*path}", get(index)) @@ -579,20 +582,22 @@ pub async fn run_server( shared_state.clone(), ensure_configured, )) - .layer(middleware::from_fn_with_state( - shared_state.clone(), - security_headers_middleware, - )) .layer(middleware::from_fn_with_state( shared_state.clone(), core_version_middleware, )) - .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)) .layer(TimeoutLayer::with_status_code( StatusCode::REQUEST_TIMEOUT, REQUEST_TIMEOUT, )) .with_state(shared_state) + // security_headers_middleware and DefguardVersionLayer are applied outside + // TimeoutLayer so that 408 responses also receive security headers. + .layer(middleware::from_fn_with_state( + security_headers_state, + security_headers_middleware, + )) + .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)) .layer( TraceLayer::new_for_http() .make_span_with(|request: &Request| { From 035f5a56f6142caa51af2ea810aa4acea725e44c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 10:49:04 +0200 Subject: [PATCH 09/16] reorder http server layers --- src/http.rs | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/src/http.rs b/src/http.rs index afa860b..4b12948 100644 --- a/src/http.rs +++ b/src/http.rs @@ -591,13 +591,6 @@ pub async fn run_server( REQUEST_TIMEOUT, )) .with_state(shared_state) - // security_headers_middleware and DefguardVersionLayer are applied outside - // TimeoutLayer so that 408 responses also receive security headers. - .layer(middleware::from_fn_with_state( - security_headers_state, - security_headers_middleware, - )) - .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)) .layer( TraceLayer::new_for_http() .make_span_with(|request: &Request| { @@ -618,6 +611,15 @@ pub async fn run_server( } // Global request body size limit; all proxy endpoints have small payloads. app = app.layer(DefaultBodyLimit::max(REQUEST_BODY_LIMIT)); + // Security headers and version are the outermost layers so that ALL short-circuit + // responses (408 timeout, 413 body-too-large, 429 rate-limited) also carry the + // baseline security headers and the server version header. + app = app + .layer(middleware::from_fn_with_state( + security_headers_state, + security_headers_middleware, + )) + .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)); debug!("Configured API server routing: {app:?}"); // Start web server. From 864ccdf9c656a2a9f5c9eef6efa20d6b7fd9c46e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 11:09:10 +0200 Subject: [PATCH 10/16] simplify middleware --- src/http.rs | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/src/http.rs b/src/http.rs index 4b12948..04f5f9e 100644 --- a/src/http.rs +++ b/src/http.rs @@ -79,8 +79,6 @@ pub const CORE_CLIENT_CERT_NAME: &str = "core_client_cert.pem"; pub(crate) struct AppState { pub(crate) grpc_server: ProxyServer, cookie_key: Arc>>, - /// Reflects whether the HTTP server is currently running with TLS - pub(crate) tls_active: Arc, } impl FromRef for Key { @@ -194,7 +192,7 @@ async fn core_version_middleware( /// Injects baseline security response headers on every response. async fn security_headers_middleware( - State(state): State, + tls_active: Arc, request: Request, next: Next, ) -> Response { @@ -245,7 +243,7 @@ async fn security_headers_middleware( .or_insert(HeaderValue::from_static("frame-ancestors 'none';")); // `Strict-Transport-Security` - only sent over TLS; ignored and potentially harmful over plain HTTP (RFC 6797 §7.2) - let tls = state.tls_active.load(Ordering::Relaxed); + let tls = tls_active.load(Ordering::Relaxed); if tls { headers.insert( header::STRICT_TRANSPORT_SECURITY, @@ -518,7 +516,6 @@ pub async fn run_server( let shared_state = AppState { grpc_server, cookie_key, - tls_active: Arc::clone(&tls_active), }; // Setup tower_governor rate-limiter @@ -557,9 +554,6 @@ pub async fn run_server( }; // Build axum app - // Capture a clone for security_headers_middleware which must be applied *outside* - // TimeoutLayer so that 408 timeout responses also carry the security headers. - let security_headers_state = shared_state.clone(); let mut app = Router::new() .route("/", get(index)) .route("/{*path}", get(index)) @@ -614,11 +608,11 @@ pub async fn run_server( // Security headers and version are the outermost layers so that ALL short-circuit // responses (408 timeout, 413 body-too-large, 429 rate-limited) also carry the // baseline security headers and the server version header. + let tls_for_headers = Arc::clone(&tls_active); app = app - .layer(middleware::from_fn_with_state( - security_headers_state, - security_headers_middleware, - )) + .layer(middleware::from_fn(move |req, next| { + security_headers_middleware(Arc::clone(&tls_for_headers), req, next) + })) .layer(DefguardVersionLayer::new(Version::parse(VERSION)?)); debug!("Configured API server routing: {app:?}"); From fd04be0c853c995d40fbd9f4bcfadde6778898e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 11:39:16 +0200 Subject: [PATCH 11/16] mirror default rate limit in example config file --- example-config.toml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/example-config.toml b/example-config.toml index 066b626..2da968e 100644 --- a/example-config.toml +++ b/example-config.toml @@ -7,6 +7,6 @@ http_port = 8080 grpc_port = 50051 log_level = "info" -rate_limit_per_second = 0 -rate_limit_burst = 0 +rate_limit_per_second = 10 +rate_limit_burst = 100 acme_staging = false From d8c136f423e332e6161ae3dceca9fe00db61ea5e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 11:50:34 +0200 Subject: [PATCH 12/16] update deps --- Cargo.lock | 4 +- flake.lock | 12 +- package.json | 2 +- pnpm-lock.yaml | 708 ++++++++++++++++++++++++--------------------- web/package.json | 5 +- web/pnpm-lock.yaml | 77 +++-- 6 files changed, 423 insertions(+), 385 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index bf761b3..801c1d4 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3737,9 +3737,9 @@ dependencies = [ [[package]] name = "rustls" -version = "0.23.38" +version = "0.23.39" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "69f9466fb2c14ea04357e91413efb882e2a6d4a406e625449bc0a5d360d53a21" +checksum = "7c2c118cb077cca2822033836dfb1b975355dfb784b5e8da48f7b6c5db74e60e" dependencies = [ "aws-lc-rs", "log", diff --git a/flake.lock b/flake.lock index db9a2b6..9bade8f 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1776169885, - "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=", + "lastModified": 1776548001, + "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9", + "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc", "type": "github" }, "original": { @@ -48,11 +48,11 @@ ] }, "locked": { - "lastModified": 1776654897, - "narHash": "sha256-Vqi4AiJVCcBGn/RmBtRCgyH5rCxqm/w0xV9diJWF1Ic=", + "lastModified": 1776914043, + "narHash": "sha256-qug5r56yW1qOsjSI99l3Jm15JNT9CvS2otkXNRNtrPI=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "25d75be8139815a53560745fa060909777495105", + "rev": "2d35c4358d7de3a0e606a6e8b27925d981c01cc3", "type": "github" }, "original": { diff --git a/package.json b/package.json index 902fc51..18c8c1d 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { "devDependencies": { - "@tanstack/devtools-vite": "^0.3.11" + "@tanstack/devtools-vite": "^0.3.12" } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 4a3f21d..699135c 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -9,41 +9,41 @@ importers: .: devDependencies: '@tanstack/devtools-vite': - specifier: ^0.3.11 - version: 0.3.11(vite@7.1.12) + specifier: ^0.3.12 + version: 0.3.12(vite@7.1.12) packages: - '@babel/code-frame@7.27.1': - resolution: {integrity: sha512-cjQ7ZlQ0Mv3b47hABuTevyTuYN4i+loJKGeV9flcCgIK37cCXRh+L1bd3iBHlynerhQ7BhCkn2BPbQUL+rGqFg==} + '@babel/code-frame@7.29.0': + resolution: {integrity: sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==} engines: {node: '>=6.9.0'} - '@babel/compat-data@7.28.5': - resolution: {integrity: sha512-6uFXyCayocRbqhZOB+6XcuZbkMNimwfVGFji8CTZnCzOHVGvDqzvitu1re2AU5LROliz7eQPhB8CpAMvnx9EjA==} + '@babel/compat-data@7.29.0': + resolution: {integrity: sha512-T1NCJqT/j9+cn8fvkt7jtwbLBfLC/1y1c7NtCeXFRgzGTsafi68MRv8yzkYSapBnFA6L3U2VSc02ciDzoAJhJg==} engines: {node: '>=6.9.0'} - '@babel/core@7.28.5': - resolution: {integrity: sha512-e7jT4DxYvIDLk1ZHmU/m/mB19rex9sv0c2ftBtjSBv+kVM/902eh0fINUzD7UwLLNR+jU585GxUJ8/EBfAM5fw==} + '@babel/core@7.29.0': + resolution: {integrity: sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==} engines: {node: '>=6.9.0'} - '@babel/generator@7.28.5': - resolution: {integrity: sha512-3EwLFhZ38J4VyIP6WNtt2kUdW9dokXA9Cr4IVIFHuCpZ3H8/YFOl5JjZHisrn1fATPBmKKqXzDFvh9fUwHz6CQ==} + '@babel/generator@7.29.1': + resolution: {integrity: sha512-qsaF+9Qcm2Qv8SRIMMscAvG4O3lJ0F1GuMo5HR/Bp02LopNgnZBC/EkbevHFeGs4ls/oPz9v+Bsmzbkbe+0dUw==} engines: {node: '>=6.9.0'} - '@babel/helper-compilation-targets@7.27.2': - resolution: {integrity: sha512-2+1thGUUWWjLTYTHZWK1n8Yga0ijBz1XAhUXcKy81rd5g6yh7hGqMp45v7cadSbEHc9G3OTv45SyneRN3ps4DQ==} + '@babel/helper-compilation-targets@7.28.6': + resolution: {integrity: sha512-JYtls3hqi15fcx5GaSNL7SCTJ2MNmjrkHXg4FSpOA/grxK8KwyZ5bubHsCq8FXCkua6xhuaaBit+3b7+VZRfcA==} engines: {node: '>=6.9.0'} '@babel/helper-globals@7.28.0': resolution: {integrity: sha512-+W6cISkXFa1jXsDEdYA8HeevQT/FULhxzR99pxphltZcVaugps53THCeiWA8SguxxpSp3gKPiuYfSWopkLQ4hw==} engines: {node: '>=6.9.0'} - '@babel/helper-module-imports@7.27.1': - resolution: {integrity: sha512-0gSFWUPNXNopqtIPQvlD5WgXYI5GY2kP2cCvoT8kczjbfcfuIljTbcWrulD1CIPIX2gt1wghbDy08yE1p+/r3w==} + '@babel/helper-module-imports@7.28.6': + resolution: {integrity: sha512-l5XkZK7r7wa9LucGw9LwZyyCUscb4x37JWTPz7swwFE/0FMQAGpiWUZn8u9DzkSBWEcK25jmvubfpw2dnAMdbw==} engines: {node: '>=6.9.0'} - '@babel/helper-module-transforms@7.28.3': - resolution: {integrity: sha512-gytXUbs8k2sXS9PnQptz5o0QnpLL51SwASIORY6XaBKF88nsOT0Zw9szLqlSGQDP/4TljBAD5y98p2U1fqkdsw==} + '@babel/helper-module-transforms@7.28.6': + resolution: {integrity: sha512-67oXFAYr2cDLDVGLXTEABjdBJZ6drElUSI7WKp70NrpyISso3plG9SAGEF6y7zbha/wOzUByWWTJvEDVNIUGcA==} engines: {node: '>=6.9.0'} peerDependencies: '@babel/core': ^7.0.0 @@ -60,179 +60,179 @@ packages: resolution: {integrity: sha512-YvjJow9FxbhFFKDSuFnVCe2WxXk1zWc22fFePVNEaWJEu8IrZVlda6N0uHwzZrUM1il7NC9Mlp4MaJYbYd9JSg==} engines: {node: '>=6.9.0'} - '@babel/helpers@7.28.4': - resolution: {integrity: sha512-HFN59MmQXGHVyYadKLVumYsA9dBFun/ldYxipEjzA4196jpLZd8UjEEBLkbEkvfYreDqJhZxYAWFPtrfhNpj4w==} + '@babel/helpers@7.29.2': + resolution: {integrity: sha512-HoGuUs4sCZNezVEKdVcwqmZN8GoHirLUcLaYVNBK2J0DadGtdcqgr3BCbvH8+XUo4NGjNl3VOtSjEKNzqfFgKw==} engines: {node: '>=6.9.0'} - '@babel/parser@7.28.5': - resolution: {integrity: sha512-KKBU1VGYR7ORr3At5HAtUQ+TV3SzRCXmA/8OdDZiLDBIZxVyzXuztPjfLd3BV1PRAQGCMWWSHYhL0F8d5uHBDQ==} + '@babel/parser@7.29.2': + resolution: {integrity: sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==} engines: {node: '>=6.0.0'} hasBin: true - '@babel/template@7.27.2': - resolution: {integrity: sha512-LPDZ85aEJyYSd18/DkjNh4/y1ntkE5KwUHWTiqgRxruuZL2F1yuHligVHLvcHY2vMHXttKFpJn6LwfI7cw7ODw==} + '@babel/template@7.28.6': + resolution: {integrity: sha512-YA6Ma2KsCdGb+WC6UpBVFJGXL58MDA6oyONbjyF/+5sBgxY/dwkhLogbMT2GXXyU84/IhRw/2D1Os1B/giz+BQ==} engines: {node: '>=6.9.0'} - '@babel/traverse@7.28.5': - resolution: {integrity: sha512-TCCj4t55U90khlYkVV/0TfkJkAkUg3jZFA3Neb7unZT8CPok7iiRfaX0F+WnqWqt7OxhOn0uBKXCw4lbL8W0aQ==} + '@babel/traverse@7.29.0': + resolution: {integrity: sha512-4HPiQr0X7+waHfyXPZpWPfWL/J7dcN1mx9gL6WdQVMbPnF3+ZhSMs8tCxN7oHddJE9fhNE7+lxdnlyemKfJRuA==} engines: {node: '>=6.9.0'} - '@babel/types@7.28.5': - resolution: {integrity: sha512-qQ5m48eI/MFLQ5PxQj4PFaprjyCTLI37ElWMmNs0K8Lk3dVeOdNpB3ks8jc7yM5CDmVC73eMVk/trk3fgmrUpA==} + '@babel/types@7.29.0': + resolution: {integrity: sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==} engines: {node: '>=6.9.0'} - '@esbuild/aix-ppc64@0.25.11': - resolution: {integrity: sha512-Xt1dOL13m8u0WE8iplx9Ibbm+hFAO0GsU2P34UNoDGvZYkY8ifSiy6Zuc1lYxfG7svWE2fzqCUmFp5HCn51gJg==} + '@esbuild/aix-ppc64@0.25.12': + resolution: {integrity: sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==} engines: {node: '>=18'} cpu: [ppc64] os: [aix] - '@esbuild/android-arm64@0.25.11': - resolution: {integrity: sha512-9slpyFBc4FPPz48+f6jyiXOx/Y4v34TUeDDXJpZqAWQn/08lKGeD8aDp9TMn9jDz2CiEuHwfhRmGBvpnd/PWIQ==} + '@esbuild/android-arm64@0.25.12': + resolution: {integrity: sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==} engines: {node: '>=18'} cpu: [arm64] os: [android] - '@esbuild/android-arm@0.25.11': - resolution: {integrity: sha512-uoa7dU+Dt3HYsethkJ1k6Z9YdcHjTrSb5NUy66ZfZaSV8hEYGD5ZHbEMXnqLFlbBflLsl89Zke7CAdDJ4JI+Gg==} + '@esbuild/android-arm@0.25.12': + resolution: {integrity: sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==} engines: {node: '>=18'} cpu: [arm] os: [android] - '@esbuild/android-x64@0.25.11': - resolution: {integrity: sha512-Sgiab4xBjPU1QoPEIqS3Xx+R2lezu0LKIEcYe6pftr56PqPygbB7+szVnzoShbx64MUupqoE0KyRlN7gezbl8g==} + '@esbuild/android-x64@0.25.12': + resolution: {integrity: sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==} engines: {node: '>=18'} cpu: [x64] os: [android] - '@esbuild/darwin-arm64@0.25.11': - resolution: {integrity: sha512-VekY0PBCukppoQrycFxUqkCojnTQhdec0vevUL/EDOCnXd9LKWqD/bHwMPzigIJXPhC59Vd1WFIL57SKs2mg4w==} + '@esbuild/darwin-arm64@0.25.12': + resolution: {integrity: sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==} engines: {node: '>=18'} cpu: [arm64] os: [darwin] - '@esbuild/darwin-x64@0.25.11': - resolution: {integrity: sha512-+hfp3yfBalNEpTGp9loYgbknjR695HkqtY3d3/JjSRUyPg/xd6q+mQqIb5qdywnDxRZykIHs3axEqU6l1+oWEQ==} + '@esbuild/darwin-x64@0.25.12': + resolution: {integrity: sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==} engines: {node: '>=18'} cpu: [x64] os: [darwin] - '@esbuild/freebsd-arm64@0.25.11': - resolution: {integrity: sha512-CmKjrnayyTJF2eVuO//uSjl/K3KsMIeYeyN7FyDBjsR3lnSJHaXlVoAK8DZa7lXWChbuOk7NjAc7ygAwrnPBhA==} + '@esbuild/freebsd-arm64@0.25.12': + resolution: {integrity: sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==} engines: {node: '>=18'} cpu: [arm64] os: [freebsd] - '@esbuild/freebsd-x64@0.25.11': - resolution: {integrity: sha512-Dyq+5oscTJvMaYPvW3x3FLpi2+gSZTCE/1ffdwuM6G1ARang/mb3jvjxs0mw6n3Lsw84ocfo9CrNMqc5lTfGOw==} + '@esbuild/freebsd-x64@0.25.12': + resolution: {integrity: sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==} engines: {node: '>=18'} cpu: [x64] os: [freebsd] - '@esbuild/linux-arm64@0.25.11': - resolution: {integrity: sha512-Qr8AzcplUhGvdyUF08A1kHU3Vr2O88xxP0Tm8GcdVOUm25XYcMPp2YqSVHbLuXzYQMf9Bh/iKx7YPqECs6ffLA==} + '@esbuild/linux-arm64@0.25.12': + resolution: {integrity: sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==} engines: {node: '>=18'} cpu: [arm64] os: [linux] - '@esbuild/linux-arm@0.25.11': - resolution: {integrity: sha512-TBMv6B4kCfrGJ8cUPo7vd6NECZH/8hPpBHHlYI3qzoYFvWu2AdTvZNuU/7hsbKWqu/COU7NIK12dHAAqBLLXgw==} + '@esbuild/linux-arm@0.25.12': + resolution: {integrity: sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==} engines: {node: '>=18'} cpu: [arm] os: [linux] - '@esbuild/linux-ia32@0.25.11': - resolution: {integrity: sha512-TmnJg8BMGPehs5JKrCLqyWTVAvielc615jbkOirATQvWWB1NMXY77oLMzsUjRLa0+ngecEmDGqt5jiDC6bfvOw==} + '@esbuild/linux-ia32@0.25.12': + resolution: {integrity: sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==} engines: {node: '>=18'} cpu: [ia32] os: [linux] - '@esbuild/linux-loong64@0.25.11': - resolution: {integrity: sha512-DIGXL2+gvDaXlaq8xruNXUJdT5tF+SBbJQKbWy/0J7OhU8gOHOzKmGIlfTTl6nHaCOoipxQbuJi7O++ldrxgMw==} + '@esbuild/linux-loong64@0.25.12': + resolution: {integrity: sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==} engines: {node: '>=18'} cpu: [loong64] os: [linux] - '@esbuild/linux-mips64el@0.25.11': - resolution: {integrity: sha512-Osx1nALUJu4pU43o9OyjSCXokFkFbyzjXb6VhGIJZQ5JZi8ylCQ9/LFagolPsHtgw6himDSyb5ETSfmp4rpiKQ==} + '@esbuild/linux-mips64el@0.25.12': + resolution: {integrity: sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==} engines: {node: '>=18'} cpu: [mips64el] os: [linux] - '@esbuild/linux-ppc64@0.25.11': - resolution: {integrity: sha512-nbLFgsQQEsBa8XSgSTSlrnBSrpoWh7ioFDUmwo158gIm5NNP+17IYmNWzaIzWmgCxq56vfr34xGkOcZ7jX6CPw==} + '@esbuild/linux-ppc64@0.25.12': + resolution: {integrity: sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==} engines: {node: '>=18'} cpu: [ppc64] os: [linux] - '@esbuild/linux-riscv64@0.25.11': - resolution: {integrity: sha512-HfyAmqZi9uBAbgKYP1yGuI7tSREXwIb438q0nqvlpxAOs3XnZ8RsisRfmVsgV486NdjD7Mw2UrFSw51lzUk1ww==} + '@esbuild/linux-riscv64@0.25.12': + resolution: {integrity: sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==} engines: {node: '>=18'} cpu: [riscv64] os: [linux] - '@esbuild/linux-s390x@0.25.11': - resolution: {integrity: sha512-HjLqVgSSYnVXRisyfmzsH6mXqyvj0SA7pG5g+9W7ESgwA70AXYNpfKBqh1KbTxmQVaYxpzA/SvlB9oclGPbApw==} + '@esbuild/linux-s390x@0.25.12': + resolution: {integrity: sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==} engines: {node: '>=18'} cpu: [s390x] os: [linux] - '@esbuild/linux-x64@0.25.11': - resolution: {integrity: sha512-HSFAT4+WYjIhrHxKBwGmOOSpphjYkcswF449j6EjsjbinTZbp8PJtjsVK1XFJStdzXdy/jaddAep2FGY+wyFAQ==} + '@esbuild/linux-x64@0.25.12': + resolution: {integrity: sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==} engines: {node: '>=18'} cpu: [x64] os: [linux] - '@esbuild/netbsd-arm64@0.25.11': - resolution: {integrity: sha512-hr9Oxj1Fa4r04dNpWr3P8QKVVsjQhqrMSUzZzf+LZcYjZNqhA3IAfPQdEh1FLVUJSiu6sgAwp3OmwBfbFgG2Xg==} + '@esbuild/netbsd-arm64@0.25.12': + resolution: {integrity: sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==} engines: {node: '>=18'} cpu: [arm64] os: [netbsd] - '@esbuild/netbsd-x64@0.25.11': - resolution: {integrity: sha512-u7tKA+qbzBydyj0vgpu+5h5AeudxOAGncb8N6C9Kh1N4n7wU1Xw1JDApsRjpShRpXRQlJLb9wY28ELpwdPcZ7A==} + '@esbuild/netbsd-x64@0.25.12': + resolution: {integrity: sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==} engines: {node: '>=18'} cpu: [x64] os: [netbsd] - '@esbuild/openbsd-arm64@0.25.11': - resolution: {integrity: sha512-Qq6YHhayieor3DxFOoYM1q0q1uMFYb7cSpLD2qzDSvK1NAvqFi8Xgivv0cFC6J+hWVw2teCYltyy9/m/14ryHg==} + '@esbuild/openbsd-arm64@0.25.12': + resolution: {integrity: sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==} engines: {node: '>=18'} cpu: [arm64] os: [openbsd] - '@esbuild/openbsd-x64@0.25.11': - resolution: {integrity: sha512-CN+7c++kkbrckTOz5hrehxWN7uIhFFlmS/hqziSFVWpAzpWrQoAG4chH+nN3Be+Kzv/uuo7zhX716x3Sn2Jduw==} + '@esbuild/openbsd-x64@0.25.12': + resolution: {integrity: sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==} engines: {node: '>=18'} cpu: [x64] os: [openbsd] - '@esbuild/openharmony-arm64@0.25.11': - resolution: {integrity: sha512-rOREuNIQgaiR+9QuNkbkxubbp8MSO9rONmwP5nKncnWJ9v5jQ4JxFnLu4zDSRPf3x4u+2VN4pM4RdyIzDty/wQ==} + '@esbuild/openharmony-arm64@0.25.12': + resolution: {integrity: sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==} engines: {node: '>=18'} cpu: [arm64] os: [openharmony] - '@esbuild/sunos-x64@0.25.11': - resolution: {integrity: sha512-nq2xdYaWxyg9DcIyXkZhcYulC6pQ2FuCgem3LI92IwMgIZ69KHeY8T4Y88pcwoLIjbed8n36CyKoYRDygNSGhA==} + '@esbuild/sunos-x64@0.25.12': + resolution: {integrity: sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==} engines: {node: '>=18'} cpu: [x64] os: [sunos] - '@esbuild/win32-arm64@0.25.11': - resolution: {integrity: sha512-3XxECOWJq1qMZ3MN8srCJ/QfoLpL+VaxD/WfNRm1O3B4+AZ/BnLVgFbUV3eiRYDMXetciH16dwPbbHqwe1uU0Q==} + '@esbuild/win32-arm64@0.25.12': + resolution: {integrity: sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==} engines: {node: '>=18'} cpu: [arm64] os: [win32] - '@esbuild/win32-ia32@0.25.11': - resolution: {integrity: sha512-3ukss6gb9XZ8TlRyJlgLn17ecsK4NSQTmdIXRASVsiS2sQ6zPPZklNJT5GR5tE/MUarymmy8kCEf5xPCNCqVOA==} + '@esbuild/win32-ia32@0.25.12': + resolution: {integrity: sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==} engines: {node: '>=18'} cpu: [ia32] os: [win32] - '@esbuild/win32-x64@0.25.11': - resolution: {integrity: sha512-D7Hpz6A2L4hzsRpPaCYkQnGOotdUpDzSGRIv9I+1ITdHROSFUWW95ZPZWQmGka1Fg7W3zFJowyn9WGwMJ0+KPA==} + '@esbuild/win32-x64@0.25.12': + resolution: {integrity: sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==} engines: {node: '>=18'} cpu: [x64] os: [win32] @@ -253,130 +253,159 @@ packages: '@jridgewell/trace-mapping@0.3.31': resolution: {integrity: sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==} - '@rollup/rollup-android-arm-eabi@4.52.5': - resolution: {integrity: sha512-8c1vW4ocv3UOMp9K+gToY5zL2XiiVw3k7f1ksf4yO1FlDFQ1C2u72iACFnSOceJFsWskc2WZNqeRhFRPzv+wtQ==} + '@rollup/rollup-android-arm-eabi@4.60.2': + resolution: {integrity: sha512-dnlp69efPPg6Uaw2dVqzWRfAWRnYVb1XJ8CyyhIbZeaq4CA5/mLeZ1IEt9QqQxmbdvagjLIm2ZL8BxXv5lH4Yw==} cpu: [arm] os: [android] - '@rollup/rollup-android-arm64@4.52.5': - resolution: {integrity: sha512-mQGfsIEFcu21mvqkEKKu2dYmtuSZOBMmAl5CFlPGLY94Vlcm+zWApK7F/eocsNzp8tKmbeBP8yXyAbx0XHsFNA==} + '@rollup/rollup-android-arm64@4.60.2': + resolution: {integrity: sha512-OqZTwDRDchGRHHm/hwLOL7uVPB9aUvI0am/eQuWMNyFHf5PSEQmyEeYYheA0EPPKUO/l0uigCp+iaTjoLjVoHg==} cpu: [arm64] os: [android] - '@rollup/rollup-darwin-arm64@4.52.5': - resolution: {integrity: sha512-takF3CR71mCAGA+v794QUZ0b6ZSrgJkArC+gUiG6LB6TQty9T0Mqh3m2ImRBOxS2IeYBo4lKWIieSvnEk2OQWA==} + '@rollup/rollup-darwin-arm64@4.60.2': + resolution: {integrity: sha512-UwRE7CGpvSVEQS8gUMBe1uADWjNnVgP3Iusyda1nSRwNDCsRjnGc7w6El6WLQsXmZTbLZx9cecegumcitNfpmA==} cpu: [arm64] os: [darwin] - '@rollup/rollup-darwin-x64@4.52.5': - resolution: {integrity: sha512-W901Pla8Ya95WpxDn//VF9K9u2JbocwV/v75TE0YIHNTbhqUTv9w4VuQ9MaWlNOkkEfFwkdNhXgcLqPSmHy0fA==} + '@rollup/rollup-darwin-x64@4.60.2': + resolution: {integrity: sha512-gjEtURKLCC5VXm1I+2i1u9OhxFsKAQJKTVB8WvDAHF+oZlq0GTVFOlTlO1q3AlCTE/DF32c16ESvfgqR7343/g==} cpu: [x64] os: [darwin] - '@rollup/rollup-freebsd-arm64@4.52.5': - resolution: {integrity: sha512-QofO7i7JycsYOWxe0GFqhLmF6l1TqBswJMvICnRUjqCx8b47MTo46W8AoeQwiokAx3zVryVnxtBMcGcnX12LvA==} + '@rollup/rollup-freebsd-arm64@4.60.2': + resolution: {integrity: sha512-Bcl6CYDeAgE70cqZaMojOi/eK63h5Me97ZqAQoh77VPjMysA/4ORQBRGo3rRy45x4MzVlU9uZxs8Uwy7ZaKnBw==} cpu: [arm64] os: [freebsd] - '@rollup/rollup-freebsd-x64@4.52.5': - resolution: {integrity: sha512-jr21b/99ew8ujZubPo9skbrItHEIE50WdV86cdSoRkKtmWa+DDr6fu2c/xyRT0F/WazZpam6kk7IHBerSL7LDQ==} + '@rollup/rollup-freebsd-x64@4.60.2': + resolution: {integrity: sha512-LU+TPda3mAE2QB0/Hp5VyeKJivpC6+tlOXd1VMoXV/YFMvk/MNk5iXeBfB4MQGRWyOYVJ01625vjkr0Az98OJQ==} cpu: [x64] os: [freebsd] - '@rollup/rollup-linux-arm-gnueabihf@4.52.5': - resolution: {integrity: sha512-PsNAbcyv9CcecAUagQefwX8fQn9LQ4nZkpDboBOttmyffnInRy8R8dSg6hxxl2Re5QhHBf6FYIDhIj5v982ATQ==} + '@rollup/rollup-linux-arm-gnueabihf@4.60.2': + resolution: {integrity: sha512-2QxQrM+KQ7DAW4o22j+XZ6RKdxjLD7BOWTP0Bv0tmjdyhXSsr2Ul1oJDQqh9Zf5qOwTuTc7Ek83mOFaKnodPjg==} cpu: [arm] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-arm-musleabihf@4.52.5': - resolution: {integrity: sha512-Fw4tysRutyQc/wwkmcyoqFtJhh0u31K+Q6jYjeicsGJJ7bbEq8LwPWV/w0cnzOqR2m694/Af6hpFayLJZkG2VQ==} + '@rollup/rollup-linux-arm-musleabihf@4.60.2': + resolution: {integrity: sha512-TbziEu2DVsTEOPif2mKWkMeDMLoYjx95oESa9fkQQK7r/Orta0gnkcDpzwufEcAO2BLBsD7mZkXGFqEdMRRwfw==} cpu: [arm] os: [linux] + libc: [musl] - '@rollup/rollup-linux-arm64-gnu@4.52.5': - resolution: {integrity: sha512-a+3wVnAYdQClOTlyapKmyI6BLPAFYs0JM8HRpgYZQO02rMR09ZcV9LbQB+NL6sljzG38869YqThrRnfPMCDtZg==} + '@rollup/rollup-linux-arm64-gnu@4.60.2': + resolution: {integrity: sha512-bO/rVDiDUuM2YfuCUwZ1t1cP+/yqjqz+Xf2VtkdppefuOFS2OSeAfgafaHNkFn0t02hEyXngZkxtGqXcXwO8Rg==} cpu: [arm64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-arm64-musl@4.52.5': - resolution: {integrity: sha512-AvttBOMwO9Pcuuf7m9PkC1PUIKsfaAJ4AYhy944qeTJgQOqJYJ9oVl2nYgY7Rk0mkbsuOpCAYSs6wLYB2Xiw0Q==} + '@rollup/rollup-linux-arm64-musl@4.60.2': + resolution: {integrity: sha512-hr26p7e93Rl0Za+JwW7EAnwAvKkehh12BU1Llm9Ykiibg4uIr2rbpxG9WCf56GuvidlTG9KiiQT/TXT1yAWxTA==} cpu: [arm64] os: [linux] + libc: [musl] - '@rollup/rollup-linux-loong64-gnu@4.52.5': - resolution: {integrity: sha512-DkDk8pmXQV2wVrF6oq5tONK6UHLz/XcEVow4JTTerdeV1uqPeHxwcg7aFsfnSm9L+OO8WJsWotKM2JJPMWrQtA==} + '@rollup/rollup-linux-loong64-gnu@4.60.2': + resolution: {integrity: sha512-pOjB/uSIyDt+ow3k/RcLvUAOGpysT2phDn7TTUB3n75SlIgZzM6NKAqlErPhoFU+npgY3/n+2HYIQVbF70P9/A==} cpu: [loong64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-ppc64-gnu@4.52.5': - resolution: {integrity: sha512-W/b9ZN/U9+hPQVvlGwjzi+Wy4xdoH2I8EjaCkMvzpI7wJUs8sWJ03Rq96jRnHkSrcHTpQe8h5Tg3ZzUPGauvAw==} + '@rollup/rollup-linux-loong64-musl@4.60.2': + resolution: {integrity: sha512-2/w+q8jszv9Ww1c+6uJT3OwqhdmGP2/4T17cu8WuwyUuuaCDDJ2ojdyYwZzCxx0GcsZBhzi3HmH+J5pZNXnd+Q==} + cpu: [loong64] + os: [linux] + libc: [musl] + + '@rollup/rollup-linux-ppc64-gnu@4.60.2': + resolution: {integrity: sha512-11+aL5vKheYgczxtPVVRhdptAM2H7fcDR5Gw4/bTcteuZBlH4oP9f5s9zYO9aGZvoGeBpqXI/9TZZihZ609wKw==} cpu: [ppc64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-riscv64-gnu@4.52.5': - resolution: {integrity: sha512-sjQLr9BW7R/ZiXnQiWPkErNfLMkkWIoCz7YMn27HldKsADEKa5WYdobaa1hmN6slu9oWQbB6/jFpJ+P2IkVrmw==} + '@rollup/rollup-linux-ppc64-musl@4.60.2': + resolution: {integrity: sha512-i16fokAGK46IVZuV8LIIwMdtqhin9hfYkCh8pf8iC3QU3LpwL+1FSFGej+O7l3E/AoknL6Dclh2oTdnRMpTzFQ==} + cpu: [ppc64] + os: [linux] + libc: [musl] + + '@rollup/rollup-linux-riscv64-gnu@4.60.2': + resolution: {integrity: sha512-49FkKS6RGQoriDSK/6E2GkAsAuU5kETFCh7pG4yD/ylj9rKhTmO3elsnmBvRD4PgJPds5W2PkhC82aVwmUcJ7A==} cpu: [riscv64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-riscv64-musl@4.52.5': - resolution: {integrity: sha512-hq3jU/kGyjXWTvAh2awn8oHroCbrPm8JqM7RUpKjalIRWWXE01CQOf/tUNWNHjmbMHg/hmNCwc/Pz3k1T/j/Lg==} + '@rollup/rollup-linux-riscv64-musl@4.60.2': + resolution: {integrity: sha512-mjYNkHPfGpUR00DuM1ZZIgs64Hpf4bWcz9Z41+4Q+pgDx73UwWdAYyf6EG/lRFldmdHHzgrYyge5akFUW0D3mQ==} cpu: [riscv64] os: [linux] + libc: [musl] - '@rollup/rollup-linux-s390x-gnu@4.52.5': - resolution: {integrity: sha512-gn8kHOrku8D4NGHMK1Y7NA7INQTRdVOntt1OCYypZPRt6skGbddska44K8iocdpxHTMMNui5oH4elPH4QOLrFQ==} + '@rollup/rollup-linux-s390x-gnu@4.60.2': + resolution: {integrity: sha512-ALyvJz965BQk8E9Al/JDKKDLH2kfKFLTGMlgkAbbYtZuJt9LU8DW3ZoDMCtQpXAltZxwBHevXz5u+gf0yA0YoA==} cpu: [s390x] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-x64-gnu@4.52.5': - resolution: {integrity: sha512-hXGLYpdhiNElzN770+H2nlx+jRog8TyynpTVzdlc6bndktjKWyZyiCsuDAlpd+j+W+WNqfcyAWz9HxxIGfZm1Q==} + '@rollup/rollup-linux-x64-gnu@4.60.2': + resolution: {integrity: sha512-UQjrkIdWrKI626Du8lCQ6MJp/6V1LAo2bOK9OTu4mSn8GGXIkPXk/Vsp4bLHCd9Z9Iz2OTEaokUE90VweJgIYQ==} cpu: [x64] os: [linux] + libc: [glibc] - '@rollup/rollup-linux-x64-musl@4.52.5': - resolution: {integrity: sha512-arCGIcuNKjBoKAXD+y7XomR9gY6Mw7HnFBv5Rw7wQRvwYLR7gBAgV7Mb2QTyjXfTveBNFAtPt46/36vV9STLNg==} + '@rollup/rollup-linux-x64-musl@4.60.2': + resolution: {integrity: sha512-bTsRGj6VlSdn/XD4CGyzMnzaBs9bsRxy79eTqTCBsA8TMIEky7qg48aPkvJvFe1HyzQ5oMZdg7AnVlWQSKLTnw==} cpu: [x64] os: [linux] + libc: [musl] + + '@rollup/rollup-openbsd-x64@4.60.2': + resolution: {integrity: sha512-6d4Z3534xitaA1FcMWP7mQPq5zGwBmGbhphh2DwaA1aNIXUu3KTOfwrWpbwI4/Gr0uANo7NTtaykFyO2hPuFLg==} + cpu: [x64] + os: [openbsd] - '@rollup/rollup-openharmony-arm64@4.52.5': - resolution: {integrity: sha512-QoFqB6+/9Rly/RiPjaomPLmR/13cgkIGfA40LHly9zcH1S0bN2HVFYk3a1eAyHQyjs3ZJYlXvIGtcCs5tko9Cw==} + '@rollup/rollup-openharmony-arm64@4.60.2': + resolution: {integrity: sha512-NetAg5iO2uN7eB8zE5qrZ3CSil+7IJt4WDFLcC75Ymywq1VZVD6qJ6EvNLjZ3rEm6gB7XW5JdT60c6MN35Z85Q==} cpu: [arm64] os: [openharmony] - '@rollup/rollup-win32-arm64-msvc@4.52.5': - resolution: {integrity: sha512-w0cDWVR6MlTstla1cIfOGyl8+qb93FlAVutcor14Gf5Md5ap5ySfQ7R9S/NjNaMLSFdUnKGEasmVnu3lCMqB7w==} + '@rollup/rollup-win32-arm64-msvc@4.60.2': + resolution: {integrity: sha512-NCYhOotpgWZ5kdxCZsv6Iudx0wX8980Q/oW4pNFNihpBKsDbEA1zpkfxJGC0yugsUuyDZ7gL37dbzwhR0VI7pQ==} cpu: [arm64] os: [win32] - '@rollup/rollup-win32-ia32-msvc@4.52.5': - resolution: {integrity: sha512-Aufdpzp7DpOTULJCuvzqcItSGDH73pF3ko/f+ckJhxQyHtp67rHw3HMNxoIdDMUITJESNE6a8uh4Lo4SLouOUg==} + '@rollup/rollup-win32-ia32-msvc@4.60.2': + resolution: {integrity: sha512-RXsaOqXxfoUBQoOgvmmijVxJnW2IGB0eoMO7F8FAjaj0UTywUO/luSqimWBJn04WNgUkeNhh7fs7pESXajWmkg==} cpu: [ia32] os: [win32] - '@rollup/rollup-win32-x64-gnu@4.52.5': - resolution: {integrity: sha512-UGBUGPFp1vkj6p8wCRraqNhqwX/4kNQPS57BCFc8wYh0g94iVIW33wJtQAx3G7vrjjNtRaxiMUylM0ktp/TRSQ==} + '@rollup/rollup-win32-x64-gnu@4.60.2': + resolution: {integrity: sha512-qdAzEULD+/hzObedtmV6iBpdL5TIbKVztGiK7O3/KYSf+HIzU257+MX1EXJcyIiDbMAqmbwaufcYPvyRryeZtA==} cpu: [x64] os: [win32] - '@rollup/rollup-win32-x64-msvc@4.52.5': - resolution: {integrity: sha512-TAcgQh2sSkykPRWLrdyy2AiceMckNf5loITqXxFI5VuQjS5tSuw3WlwdN8qv8vzjLAUTvYaH/mVjSFpbkFbpTg==} + '@rollup/rollup-win32-x64-msvc@4.60.2': + resolution: {integrity: sha512-Nd/SgG27WoA9e+/TdK74KnHz852TLa94ovOYySo/yMPuTmpckK/jIF2jSwS3g7ELSKXK13/cVdmg1Z/DaCWKxA==} cpu: [x64] os: [win32] - '@tanstack/devtools-client@0.0.4': - resolution: {integrity: sha512-LefnH9KE9uRDEWifc3QDcooskA8ikfs41bybDTgpYQpyTUspZnaEdUdya9Hry0KYxZ8nos0S3nNbsP79KHqr6Q==} + '@tanstack/devtools-client@0.0.5': + resolution: {integrity: sha512-hsNDE3iu4frt9cC2ppn1mNRnLKo2uc1/1hXAyY9z4UYb+o40M2clFAhiFoo4HngjfGJDV3x18KVVIq7W4Un+zA==} engines: {node: '>=18'} '@tanstack/devtools-event-bus@0.3.3': resolution: {integrity: sha512-lWl88uLAz7ZhwNdLH6A3tBOSEuBCrvnY9Fzr5JPdzJRFdM5ZFdyNWz1Bf5l/F3GU57VodrN0KCFi9OA26H5Kpg==} engines: {node: '>=18'} - '@tanstack/devtools-event-client@0.3.4': - resolution: {integrity: sha512-eq+PpuutUyubXu+ycC1GIiVwBs86NF/8yYJJAKSpPcJLWl6R/761F1H4F/9ziX6zKezltFUH1ah3Cz8Ah+KJrw==} + '@tanstack/devtools-event-client@0.4.3': + resolution: {integrity: sha512-OZI6QyULw0FI0wjgmeYzCIfbgPsOEzwJtCpa69XrfLMtNXLGnz3d/dIabk7frg0TmHo+Ah49w5I4KC7Tufwsvw==} engines: {node: '>=18'} + hasBin: true - '@tanstack/devtools-vite@0.3.11': - resolution: {integrity: sha512-t5jaWJNgkXOQTxuNrwkz71cN86zPZnLJY2Rz0IaMDgjb0ib1EKHeRgdqHMR/2YL96yhCHHDCHroBQXsw5Da4dg==} + '@tanstack/devtools-vite@0.3.12': + resolution: {integrity: sha512-fGJgu4xUhKmGk+a+/aHD8l5HKVk6+ObA+6D3YC3xCXbai/YmaGhztqcZf1tKUqjZyYyQLHsjqmKzvJgVpQP1jw==} engines: {node: '>=18'} peerDependencies: vite: ^6.0.0 || ^7.0.0 @@ -384,17 +413,18 @@ packages: '@types/estree@1.0.8': resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==} - baseline-browser-mapping@2.8.21: - resolution: {integrity: sha512-JU0h5APyQNsHOlAM7HnQnPToSDQoEBZqzu/YBlqDnEeymPnZDREeXJA3KBMQee+dKteAxZ2AtvQEvVYdZf241Q==} + baseline-browser-mapping@2.10.21: + resolution: {integrity: sha512-Q+rUQ7Uz8AHM7DEaNdwvfFCTq7a43lNTzuS94eiWqwyxfV/wJv+oUivef51T91mmRY4d4A1u9rcSvkeufCVXlA==} + engines: {node: '>=6.0.0'} hasBin: true - browserslist@4.27.0: - resolution: {integrity: sha512-AXVQwdhot1eqLihwasPElhX2tAZiBjWdJ9i/Zcj2S6QYIjkx62OKSfnobkriB81C3l4w0rVy3Nt4jaTBltYEpw==} + browserslist@4.28.2: + resolution: {integrity: sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==} engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7} hasBin: true - caniuse-lite@1.0.30001751: - resolution: {integrity: sha512-A0QJhug0Ly64Ii3eIqHu5X51ebln3k4yTUkY1j8drqpWHVreg/VLijN48cZ1bYPiqOQuqpkIKnzr/Ul8V+p6Cw==} + caniuse-lite@1.0.30001790: + resolution: {integrity: sha512-bOoxfJPyYo+ds6W0YfptaCWbFnJYjh2Y1Eow5lRv+vI2u8ganPZqNm1JwNh0t2ELQCqIWg4B3dWEusgAmsoyOw==} chalk@5.6.2: resolution: {integrity: sha512-7NzBL0rN6fMUW+f7A6Io4h40qQlG+xGmtMxfbnH/K7TAtt8JQWVQK+6g0UXKMeVJoyV5EkkNsErQ8pVD3bLHbA==} @@ -412,11 +442,11 @@ packages: supports-color: optional: true - electron-to-chromium@1.5.243: - resolution: {integrity: sha512-ZCphxFW3Q1TVhcgS9blfut1PX8lusVi2SvXQgmEEnK4TCmE1JhH2JkjJN+DNt0pJJwfBri5AROBnz2b/C+YU9g==} + electron-to-chromium@1.5.344: + resolution: {integrity: sha512-4MxfbmNDm+KPh066EZy+eUnkcDPcZ35wNmOWzFuh/ijvHsve6kbLTLURy88uCNK5FbpN+yk2nQY6BYh1GEt+wg==} - esbuild@0.25.11: - resolution: {integrity: sha512-KohQwyzrKTQmhXDW1PjCv3Tyspn9n5GcY2RTDqeORIdIJY8yKIF7sTSopFmn/wpMPW4rdPXI0UE5LJLuq3bx0Q==} + esbuild@0.25.12: + resolution: {integrity: sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==} engines: {node: '>=18'} hasBin: true @@ -455,8 +485,8 @@ packages: engines: {node: '>=6'} hasBin: true - launch-editor@2.12.0: - resolution: {integrity: sha512-giOHXoOtifjdHqUamwKq6c49GzBdLjvxrd2D+Q4V6uOHopJv7p9VJxikDsQ/CBXZbEITgUqSVHXLTG3VhPP1Dg==} + launch-editor@2.13.2: + resolution: {integrity: sha512-4VVDnbOpLXy/s8rdRCSXb+zfMeFR0WlJWpET1iA9CQdlZDfwyLjUuGQzXU4VeOoey6AicSAluWan7Etga6Kcmg==} lru-cache@5.1.1: resolution: {integrity: sha512-KpNARQA3Iwv+jTA0utUVVbrh+Jlrr1Fv0e56GGzAFOXN7dk/FviaDW8LHmK52DlcH4WP2n6gI8vN1aesBFgo9w==} @@ -469,22 +499,22 @@ packages: engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1} hasBin: true - node-releases@2.0.27: - resolution: {integrity: sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==} + node-releases@2.0.38: + resolution: {integrity: sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==} picocolors@1.1.1: resolution: {integrity: sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA==} - picomatch@4.0.3: - resolution: {integrity: sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==} + picomatch@4.0.4: + resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} engines: {node: '>=12'} - postcss@8.5.6: - resolution: {integrity: sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==} + postcss@8.5.10: + resolution: {integrity: sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==} engines: {node: ^10 || ^12 || >=14} - rollup@4.52.5: - resolution: {integrity: sha512-3GuObel8h7Kqdjt0gxkEzaifHTqLVW56Y/bjN7PSQtkKr0w3V/QYSdt6QWYtd7A1xUtYQigtdUfgj1RvWVtorw==} + rollup@4.60.2: + resolution: {integrity: sha512-J9qZyW++QK/09NyN/zeO0dG/1GdGfyp9lV8ajHnRVLfo/uFsbji5mHnDgn/qYdUHyCkM2N+8VyspgZclfAh0eQ==} engines: {node: '>=18.0.0', npm: '>=8.0.0'} hasBin: true @@ -500,12 +530,12 @@ packages: resolution: {integrity: sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==} engines: {node: '>=0.10.0'} - tinyglobby@0.2.15: - resolution: {integrity: sha512-j2Zq4NyQYG5XMST4cbs02Ak8iJUdxRM0XI5QyxXuZOzKOINmWurp3smXu3y5wDcJrptwpSjgXHzIQxR0omXljQ==} + tinyglobby@0.2.16: + resolution: {integrity: sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==} engines: {node: '>=12.0.0'} - update-browserslist-db@1.1.4: - resolution: {integrity: sha512-q0SPT4xyU84saUX+tomz1WLkxUbuaJnR1xWt17M7fJtEJigJeWUNGUqrauFXsHnqev9y9JTRGwk13tFBuKby4A==} + update-browserslist-db@1.2.3: + resolution: {integrity: sha512-Js0m9cx+qOgDxo0eMiFGEueWztz+d4+M3rGlmKPT+T4IS/jP4ylw3Nwpu6cpTTP8R1MAC1kF4VbdLt3ARf209w==} hasBin: true peerDependencies: browserslist: '>= 4.21.0' @@ -550,8 +580,8 @@ packages: yaml: optional: true - ws@8.18.3: - resolution: {integrity: sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==} + ws@8.20.0: + resolution: {integrity: sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==} engines: {node: '>=10.0.0'} peerDependencies: bufferutil: ^4.0.1 @@ -567,25 +597,25 @@ packages: snapshots: - '@babel/code-frame@7.27.1': + '@babel/code-frame@7.29.0': dependencies: '@babel/helper-validator-identifier': 7.28.5 js-tokens: 4.0.0 picocolors: 1.1.1 - '@babel/compat-data@7.28.5': {} + '@babel/compat-data@7.29.0': {} - '@babel/core@7.28.5': + '@babel/core@7.29.0': dependencies: - '@babel/code-frame': 7.27.1 - '@babel/generator': 7.28.5 - '@babel/helper-compilation-targets': 7.27.2 - '@babel/helper-module-transforms': 7.28.3(@babel/core@7.28.5) - '@babel/helpers': 7.28.4 - '@babel/parser': 7.28.5 - '@babel/template': 7.27.2 - '@babel/traverse': 7.28.5 - '@babel/types': 7.28.5 + '@babel/code-frame': 7.29.0 + '@babel/generator': 7.29.1 + '@babel/helper-compilation-targets': 7.28.6 + '@babel/helper-module-transforms': 7.28.6(@babel/core@7.29.0) + '@babel/helpers': 7.29.2 + '@babel/parser': 7.29.2 + '@babel/template': 7.28.6 + '@babel/traverse': 7.29.0 + '@babel/types': 7.29.0 '@jridgewell/remapping': 2.3.5 convert-source-map: 2.0.0 debug: 4.4.3 @@ -595,37 +625,37 @@ snapshots: transitivePeerDependencies: - supports-color - '@babel/generator@7.28.5': + '@babel/generator@7.29.1': dependencies: - '@babel/parser': 7.28.5 - '@babel/types': 7.28.5 + '@babel/parser': 7.29.2 + '@babel/types': 7.29.0 '@jridgewell/gen-mapping': 0.3.13 '@jridgewell/trace-mapping': 0.3.31 jsesc: 3.1.0 - '@babel/helper-compilation-targets@7.27.2': + '@babel/helper-compilation-targets@7.28.6': dependencies: - '@babel/compat-data': 7.28.5 + '@babel/compat-data': 7.29.0 '@babel/helper-validator-option': 7.27.1 - browserslist: 4.27.0 + browserslist: 4.28.2 lru-cache: 5.1.1 semver: 6.3.1 '@babel/helper-globals@7.28.0': {} - '@babel/helper-module-imports@7.27.1': + '@babel/helper-module-imports@7.28.6': dependencies: - '@babel/traverse': 7.28.5 - '@babel/types': 7.28.5 + '@babel/traverse': 7.29.0 + '@babel/types': 7.29.0 transitivePeerDependencies: - supports-color - '@babel/helper-module-transforms@7.28.3(@babel/core@7.28.5)': + '@babel/helper-module-transforms@7.28.6(@babel/core@7.29.0)': dependencies: - '@babel/core': 7.28.5 - '@babel/helper-module-imports': 7.27.1 + '@babel/core': 7.29.0 + '@babel/helper-module-imports': 7.28.6 '@babel/helper-validator-identifier': 7.28.5 - '@babel/traverse': 7.28.5 + '@babel/traverse': 7.29.0 transitivePeerDependencies: - supports-color @@ -635,114 +665,114 @@ snapshots: '@babel/helper-validator-option@7.27.1': {} - '@babel/helpers@7.28.4': + '@babel/helpers@7.29.2': dependencies: - '@babel/template': 7.27.2 - '@babel/types': 7.28.5 + '@babel/template': 7.28.6 + '@babel/types': 7.29.0 - '@babel/parser@7.28.5': + '@babel/parser@7.29.2': dependencies: - '@babel/types': 7.28.5 + '@babel/types': 7.29.0 - '@babel/template@7.27.2': + '@babel/template@7.28.6': dependencies: - '@babel/code-frame': 7.27.1 - '@babel/parser': 7.28.5 - '@babel/types': 7.28.5 + '@babel/code-frame': 7.29.0 + '@babel/parser': 7.29.2 + '@babel/types': 7.29.0 - '@babel/traverse@7.28.5': + '@babel/traverse@7.29.0': dependencies: - '@babel/code-frame': 7.27.1 - '@babel/generator': 7.28.5 + '@babel/code-frame': 7.29.0 + '@babel/generator': 7.29.1 '@babel/helper-globals': 7.28.0 - '@babel/parser': 7.28.5 - '@babel/template': 7.27.2 - '@babel/types': 7.28.5 + '@babel/parser': 7.29.2 + '@babel/template': 7.28.6 + '@babel/types': 7.29.0 debug: 4.4.3 transitivePeerDependencies: - supports-color - '@babel/types@7.28.5': + '@babel/types@7.29.0': dependencies: '@babel/helper-string-parser': 7.27.1 '@babel/helper-validator-identifier': 7.28.5 - '@esbuild/aix-ppc64@0.25.11': + '@esbuild/aix-ppc64@0.25.12': optional: true - '@esbuild/android-arm64@0.25.11': + '@esbuild/android-arm64@0.25.12': optional: true - '@esbuild/android-arm@0.25.11': + '@esbuild/android-arm@0.25.12': optional: true - '@esbuild/android-x64@0.25.11': + '@esbuild/android-x64@0.25.12': optional: true - '@esbuild/darwin-arm64@0.25.11': + '@esbuild/darwin-arm64@0.25.12': optional: true - '@esbuild/darwin-x64@0.25.11': + '@esbuild/darwin-x64@0.25.12': optional: true - '@esbuild/freebsd-arm64@0.25.11': + '@esbuild/freebsd-arm64@0.25.12': optional: true - '@esbuild/freebsd-x64@0.25.11': + '@esbuild/freebsd-x64@0.25.12': optional: true - '@esbuild/linux-arm64@0.25.11': + '@esbuild/linux-arm64@0.25.12': optional: true - '@esbuild/linux-arm@0.25.11': + '@esbuild/linux-arm@0.25.12': optional: true - '@esbuild/linux-ia32@0.25.11': + '@esbuild/linux-ia32@0.25.12': optional: true - '@esbuild/linux-loong64@0.25.11': + '@esbuild/linux-loong64@0.25.12': optional: true - '@esbuild/linux-mips64el@0.25.11': + '@esbuild/linux-mips64el@0.25.12': optional: true - '@esbuild/linux-ppc64@0.25.11': + '@esbuild/linux-ppc64@0.25.12': optional: true - '@esbuild/linux-riscv64@0.25.11': + '@esbuild/linux-riscv64@0.25.12': optional: true - '@esbuild/linux-s390x@0.25.11': + '@esbuild/linux-s390x@0.25.12': optional: true - '@esbuild/linux-x64@0.25.11': + '@esbuild/linux-x64@0.25.12': optional: true - '@esbuild/netbsd-arm64@0.25.11': + '@esbuild/netbsd-arm64@0.25.12': optional: true - '@esbuild/netbsd-x64@0.25.11': + '@esbuild/netbsd-x64@0.25.12': optional: true - '@esbuild/openbsd-arm64@0.25.11': + '@esbuild/openbsd-arm64@0.25.12': optional: true - '@esbuild/openbsd-x64@0.25.11': + '@esbuild/openbsd-x64@0.25.12': optional: true - '@esbuild/openharmony-arm64@0.25.11': + '@esbuild/openharmony-arm64@0.25.12': optional: true - '@esbuild/sunos-x64@0.25.11': + '@esbuild/sunos-x64@0.25.12': optional: true - '@esbuild/win32-arm64@0.25.11': + '@esbuild/win32-arm64@0.25.12': optional: true - '@esbuild/win32-ia32@0.25.11': + '@esbuild/win32-ia32@0.25.12': optional: true - '@esbuild/win32-x64@0.25.11': + '@esbuild/win32-x64@0.25.12': optional: true '@jridgewell/gen-mapping@0.3.13': @@ -764,97 +794,106 @@ snapshots: '@jridgewell/resolve-uri': 3.1.2 '@jridgewell/sourcemap-codec': 1.5.5 - '@rollup/rollup-android-arm-eabi@4.52.5': + '@rollup/rollup-android-arm-eabi@4.60.2': + optional: true + + '@rollup/rollup-android-arm64@4.60.2': + optional: true + + '@rollup/rollup-darwin-arm64@4.60.2': + optional: true + + '@rollup/rollup-darwin-x64@4.60.2': optional: true - '@rollup/rollup-android-arm64@4.52.5': + '@rollup/rollup-freebsd-arm64@4.60.2': optional: true - '@rollup/rollup-darwin-arm64@4.52.5': + '@rollup/rollup-freebsd-x64@4.60.2': optional: true - '@rollup/rollup-darwin-x64@4.52.5': + '@rollup/rollup-linux-arm-gnueabihf@4.60.2': optional: true - '@rollup/rollup-freebsd-arm64@4.52.5': + '@rollup/rollup-linux-arm-musleabihf@4.60.2': optional: true - '@rollup/rollup-freebsd-x64@4.52.5': + '@rollup/rollup-linux-arm64-gnu@4.60.2': optional: true - '@rollup/rollup-linux-arm-gnueabihf@4.52.5': + '@rollup/rollup-linux-arm64-musl@4.60.2': optional: true - '@rollup/rollup-linux-arm-musleabihf@4.52.5': + '@rollup/rollup-linux-loong64-gnu@4.60.2': optional: true - '@rollup/rollup-linux-arm64-gnu@4.52.5': + '@rollup/rollup-linux-loong64-musl@4.60.2': optional: true - '@rollup/rollup-linux-arm64-musl@4.52.5': + '@rollup/rollup-linux-ppc64-gnu@4.60.2': optional: true - '@rollup/rollup-linux-loong64-gnu@4.52.5': + '@rollup/rollup-linux-ppc64-musl@4.60.2': optional: true - '@rollup/rollup-linux-ppc64-gnu@4.52.5': + '@rollup/rollup-linux-riscv64-gnu@4.60.2': optional: true - '@rollup/rollup-linux-riscv64-gnu@4.52.5': + '@rollup/rollup-linux-riscv64-musl@4.60.2': optional: true - '@rollup/rollup-linux-riscv64-musl@4.52.5': + '@rollup/rollup-linux-s390x-gnu@4.60.2': optional: true - '@rollup/rollup-linux-s390x-gnu@4.52.5': + '@rollup/rollup-linux-x64-gnu@4.60.2': optional: true - '@rollup/rollup-linux-x64-gnu@4.52.5': + '@rollup/rollup-linux-x64-musl@4.60.2': optional: true - '@rollup/rollup-linux-x64-musl@4.52.5': + '@rollup/rollup-openbsd-x64@4.60.2': optional: true - '@rollup/rollup-openharmony-arm64@4.52.5': + '@rollup/rollup-openharmony-arm64@4.60.2': optional: true - '@rollup/rollup-win32-arm64-msvc@4.52.5': + '@rollup/rollup-win32-arm64-msvc@4.60.2': optional: true - '@rollup/rollup-win32-ia32-msvc@4.52.5': + '@rollup/rollup-win32-ia32-msvc@4.60.2': optional: true - '@rollup/rollup-win32-x64-gnu@4.52.5': + '@rollup/rollup-win32-x64-gnu@4.60.2': optional: true - '@rollup/rollup-win32-x64-msvc@4.52.5': + '@rollup/rollup-win32-x64-msvc@4.60.2': optional: true - '@tanstack/devtools-client@0.0.4': + '@tanstack/devtools-client@0.0.5': dependencies: - '@tanstack/devtools-event-client': 0.3.4 + '@tanstack/devtools-event-client': 0.4.3 '@tanstack/devtools-event-bus@0.3.3': dependencies: - ws: 8.18.3 + ws: 8.20.0 transitivePeerDependencies: - bufferutil - utf-8-validate - '@tanstack/devtools-event-client@0.3.4': {} + '@tanstack/devtools-event-client@0.4.3': {} - '@tanstack/devtools-vite@0.3.11(vite@7.1.12)': + '@tanstack/devtools-vite@0.3.12(vite@7.1.12)': dependencies: - '@babel/core': 7.28.5 - '@babel/generator': 7.28.5 - '@babel/parser': 7.28.5 - '@babel/traverse': 7.28.5 - '@babel/types': 7.28.5 - '@tanstack/devtools-client': 0.0.4 + '@babel/core': 7.29.0 + '@babel/generator': 7.29.1 + '@babel/parser': 7.29.2 + '@babel/traverse': 7.29.0 + '@babel/types': 7.29.0 + '@tanstack/devtools-client': 0.0.5 '@tanstack/devtools-event-bus': 0.3.3 chalk: 5.6.2 - launch-editor: 2.12.0 - picomatch: 4.0.3 + launch-editor: 2.13.2 + picomatch: 4.0.4 vite: 7.1.12 transitivePeerDependencies: - bufferutil @@ -863,17 +902,17 @@ snapshots: '@types/estree@1.0.8': {} - baseline-browser-mapping@2.8.21: {} + baseline-browser-mapping@2.10.21: {} - browserslist@4.27.0: + browserslist@4.28.2: dependencies: - baseline-browser-mapping: 2.8.21 - caniuse-lite: 1.0.30001751 - electron-to-chromium: 1.5.243 - node-releases: 2.0.27 - update-browserslist-db: 1.1.4(browserslist@4.27.0) + baseline-browser-mapping: 2.10.21 + caniuse-lite: 1.0.30001790 + electron-to-chromium: 1.5.344 + node-releases: 2.0.38 + update-browserslist-db: 1.2.3(browserslist@4.28.2) - caniuse-lite@1.0.30001751: {} + caniuse-lite@1.0.30001790: {} chalk@5.6.2: {} @@ -883,42 +922,42 @@ snapshots: dependencies: ms: 2.1.3 - electron-to-chromium@1.5.243: {} + electron-to-chromium@1.5.344: {} - esbuild@0.25.11: + esbuild@0.25.12: optionalDependencies: - '@esbuild/aix-ppc64': 0.25.11 - '@esbuild/android-arm': 0.25.11 - '@esbuild/android-arm64': 0.25.11 - '@esbuild/android-x64': 0.25.11 - '@esbuild/darwin-arm64': 0.25.11 - '@esbuild/darwin-x64': 0.25.11 - '@esbuild/freebsd-arm64': 0.25.11 - '@esbuild/freebsd-x64': 0.25.11 - '@esbuild/linux-arm': 0.25.11 - '@esbuild/linux-arm64': 0.25.11 - '@esbuild/linux-ia32': 0.25.11 - '@esbuild/linux-loong64': 0.25.11 - '@esbuild/linux-mips64el': 0.25.11 - '@esbuild/linux-ppc64': 0.25.11 - '@esbuild/linux-riscv64': 0.25.11 - '@esbuild/linux-s390x': 0.25.11 - '@esbuild/linux-x64': 0.25.11 - '@esbuild/netbsd-arm64': 0.25.11 - '@esbuild/netbsd-x64': 0.25.11 - '@esbuild/openbsd-arm64': 0.25.11 - '@esbuild/openbsd-x64': 0.25.11 - '@esbuild/openharmony-arm64': 0.25.11 - '@esbuild/sunos-x64': 0.25.11 - '@esbuild/win32-arm64': 0.25.11 - '@esbuild/win32-ia32': 0.25.11 - '@esbuild/win32-x64': 0.25.11 + '@esbuild/aix-ppc64': 0.25.12 + '@esbuild/android-arm': 0.25.12 + '@esbuild/android-arm64': 0.25.12 + '@esbuild/android-x64': 0.25.12 + '@esbuild/darwin-arm64': 0.25.12 + '@esbuild/darwin-x64': 0.25.12 + '@esbuild/freebsd-arm64': 0.25.12 + '@esbuild/freebsd-x64': 0.25.12 + '@esbuild/linux-arm': 0.25.12 + '@esbuild/linux-arm64': 0.25.12 + '@esbuild/linux-ia32': 0.25.12 + '@esbuild/linux-loong64': 0.25.12 + '@esbuild/linux-mips64el': 0.25.12 + '@esbuild/linux-ppc64': 0.25.12 + '@esbuild/linux-riscv64': 0.25.12 + '@esbuild/linux-s390x': 0.25.12 + '@esbuild/linux-x64': 0.25.12 + '@esbuild/netbsd-arm64': 0.25.12 + '@esbuild/netbsd-x64': 0.25.12 + '@esbuild/openbsd-arm64': 0.25.12 + '@esbuild/openbsd-x64': 0.25.12 + '@esbuild/openharmony-arm64': 0.25.12 + '@esbuild/sunos-x64': 0.25.12 + '@esbuild/win32-arm64': 0.25.12 + '@esbuild/win32-ia32': 0.25.12 + '@esbuild/win32-x64': 0.25.12 escalade@3.2.0: {} - fdir@6.5.0(picomatch@4.0.3): + fdir@6.5.0(picomatch@4.0.4): optionalDependencies: - picomatch: 4.0.3 + picomatch: 4.0.4 fsevents@2.3.3: optional: true @@ -931,7 +970,7 @@ snapshots: json5@2.2.3: {} - launch-editor@2.12.0: + launch-editor@2.13.2: dependencies: picocolors: 1.1.1 shell-quote: 1.8.3 @@ -944,44 +983,47 @@ snapshots: nanoid@3.3.11: {} - node-releases@2.0.27: {} + node-releases@2.0.38: {} picocolors@1.1.1: {} - picomatch@4.0.3: {} + picomatch@4.0.4: {} - postcss@8.5.6: + postcss@8.5.10: dependencies: nanoid: 3.3.11 picocolors: 1.1.1 source-map-js: 1.2.1 - rollup@4.52.5: + rollup@4.60.2: dependencies: '@types/estree': 1.0.8 optionalDependencies: - '@rollup/rollup-android-arm-eabi': 4.52.5 - '@rollup/rollup-android-arm64': 4.52.5 - '@rollup/rollup-darwin-arm64': 4.52.5 - '@rollup/rollup-darwin-x64': 4.52.5 - '@rollup/rollup-freebsd-arm64': 4.52.5 - '@rollup/rollup-freebsd-x64': 4.52.5 - '@rollup/rollup-linux-arm-gnueabihf': 4.52.5 - '@rollup/rollup-linux-arm-musleabihf': 4.52.5 - '@rollup/rollup-linux-arm64-gnu': 4.52.5 - '@rollup/rollup-linux-arm64-musl': 4.52.5 - '@rollup/rollup-linux-loong64-gnu': 4.52.5 - '@rollup/rollup-linux-ppc64-gnu': 4.52.5 - '@rollup/rollup-linux-riscv64-gnu': 4.52.5 - '@rollup/rollup-linux-riscv64-musl': 4.52.5 - '@rollup/rollup-linux-s390x-gnu': 4.52.5 - '@rollup/rollup-linux-x64-gnu': 4.52.5 - '@rollup/rollup-linux-x64-musl': 4.52.5 - '@rollup/rollup-openharmony-arm64': 4.52.5 - '@rollup/rollup-win32-arm64-msvc': 4.52.5 - '@rollup/rollup-win32-ia32-msvc': 4.52.5 - '@rollup/rollup-win32-x64-gnu': 4.52.5 - '@rollup/rollup-win32-x64-msvc': 4.52.5 + '@rollup/rollup-android-arm-eabi': 4.60.2 + '@rollup/rollup-android-arm64': 4.60.2 + '@rollup/rollup-darwin-arm64': 4.60.2 + '@rollup/rollup-darwin-x64': 4.60.2 + '@rollup/rollup-freebsd-arm64': 4.60.2 + '@rollup/rollup-freebsd-x64': 4.60.2 + '@rollup/rollup-linux-arm-gnueabihf': 4.60.2 + '@rollup/rollup-linux-arm-musleabihf': 4.60.2 + '@rollup/rollup-linux-arm64-gnu': 4.60.2 + '@rollup/rollup-linux-arm64-musl': 4.60.2 + '@rollup/rollup-linux-loong64-gnu': 4.60.2 + '@rollup/rollup-linux-loong64-musl': 4.60.2 + '@rollup/rollup-linux-ppc64-gnu': 4.60.2 + '@rollup/rollup-linux-ppc64-musl': 4.60.2 + '@rollup/rollup-linux-riscv64-gnu': 4.60.2 + '@rollup/rollup-linux-riscv64-musl': 4.60.2 + '@rollup/rollup-linux-s390x-gnu': 4.60.2 + '@rollup/rollup-linux-x64-gnu': 4.60.2 + '@rollup/rollup-linux-x64-musl': 4.60.2 + '@rollup/rollup-openbsd-x64': 4.60.2 + '@rollup/rollup-openharmony-arm64': 4.60.2 + '@rollup/rollup-win32-arm64-msvc': 4.60.2 + '@rollup/rollup-win32-ia32-msvc': 4.60.2 + '@rollup/rollup-win32-x64-gnu': 4.60.2 + '@rollup/rollup-win32-x64-msvc': 4.60.2 fsevents: 2.3.3 semver@6.3.1: {} @@ -990,28 +1032,28 @@ snapshots: source-map-js@1.2.1: {} - tinyglobby@0.2.15: + tinyglobby@0.2.16: dependencies: - fdir: 6.5.0(picomatch@4.0.3) - picomatch: 4.0.3 + fdir: 6.5.0(picomatch@4.0.4) + picomatch: 4.0.4 - update-browserslist-db@1.1.4(browserslist@4.27.0): + update-browserslist-db@1.2.3(browserslist@4.28.2): dependencies: - browserslist: 4.27.0 + browserslist: 4.28.2 escalade: 3.2.0 picocolors: 1.1.1 vite@7.1.12: dependencies: - esbuild: 0.25.11 - fdir: 6.5.0(picomatch@4.0.3) - picomatch: 4.0.3 - postcss: 8.5.6 - rollup: 4.52.5 - tinyglobby: 0.2.15 + esbuild: 0.25.12 + fdir: 6.5.0(picomatch@4.0.4) + picomatch: 4.0.4 + postcss: 8.5.10 + rollup: 4.60.2 + tinyglobby: 0.2.16 optionalDependencies: fsevents: 2.3.3 - ws@8.18.3: {} + ws@8.20.0: {} yallist@3.1.1: {} diff --git a/web/package.json b/web/package.json index 5295a3c..1172771 100644 --- a/web/package.json +++ b/web/package.json @@ -53,7 +53,7 @@ "prettier": "^3.8.3", "sass": "^1.99.0", "sharp": "^0.34.5", - "stylelint": "^17.8.0", + "stylelint": "^17.9.0", "stylelint-config-standard-scss": "^17.0.0", "stylelint-scss": "^7.0.0", "typescript": "~5.9.3", @@ -64,7 +64,8 @@ "pnpm": { "overrides": { "seroval": "^1.4.1", - "kysely": "^0.28.12" + "kysely": "^0.28.12", + "uuid": "^14.0.0" } } } diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index 6e9d4c8..f869044 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -7,6 +7,7 @@ settings: overrides: seroval: ^1.4.1 kysely: ^0.28.12 + uuid: ^14.0.0 importers: @@ -125,14 +126,14 @@ importers: specifier: ^0.34.5 version: 0.34.5 stylelint: - specifier: ^17.8.0 - version: 17.8.0(typescript@5.9.3) + specifier: ^17.9.0 + version: 17.9.0(typescript@5.9.3) stylelint-config-standard-scss: specifier: ^17.0.0 - version: 17.0.0(postcss@8.5.10)(stylelint@17.8.0(typescript@5.9.3)) + version: 17.0.0(postcss@8.5.10)(stylelint@17.9.0(typescript@5.9.3)) stylelint-scss: specifier: ^7.0.0 - version: 7.0.0(stylelint@17.8.0(typescript@5.9.3)) + version: 7.0.0(stylelint@17.9.0(typescript@5.9.3)) typescript: specifier: ~5.9.3 version: 5.9.3 @@ -1505,8 +1506,8 @@ packages: resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==} engines: {node: 18 || 20 || >=22} - baseline-browser-mapping@2.10.20: - resolution: {integrity: sha512-1AaXxEPfXT+GvTBJFuy4yXVHWJBXa4OdbIebGN/wX5DlsIkU0+wzGnd2lOzokSk51d5LUmqjgBLRLlypLUqInQ==} + baseline-browser-mapping@2.10.21: + resolution: {integrity: sha512-Q+rUQ7Uz8AHM7DEaNdwvfFCTq7a43lNTzuS94eiWqwyxfV/wJv+oUivef51T91mmRY4d4A1u9rcSvkeufCVXlA==} engines: {node: '>=6.0.0'} hasBin: true @@ -1702,8 +1703,8 @@ packages: resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==} engines: {node: '>= 0.4'} - electron-to-chromium@1.5.343: - resolution: {integrity: sha512-YHnQ3MXI08icvL9ZKnEBy05F2EQ8ob01UaMOuMbM8l+4UcAq6MPPbBTJBbsBUg3H8JeZNt+O4fjsoWth3p6IFg==} + electron-to-chromium@1.5.344: + resolution: {integrity: sha512-4MxfbmNDm+KPh066EZy+eUnkcDPcZ35wNmOWzFuh/ijvHsve6kbLTLURy88uCNK5FbpN+yk2nQY6BYh1GEt+wg==} emoji-regex@8.0.0: resolution: {integrity: sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==} @@ -2661,8 +2662,8 @@ packages: peerDependencies: stylelint: ^16.8.2 || ^17.0.0 - stylelint@17.8.0: - resolution: {integrity: sha512-oHkld9T60LDSaUQ4CSVc+tlt9eUoDlxhaGWShsUCKyIL14boZfmK5bSphZqx64aiC5tCqX+BsQMTMoSz8D1zIg==} + stylelint@17.9.0: + resolution: {integrity: sha512-xO0jeY6z1/urFL5L/BZLmB1yYlbRiRMQnYH6ArZIDWJ+SZXGssOY7XoYb1JIv/L220+EBnwwJXJS4Mt/F96SvA==} engines: {node: '>=20.19.0'} hasBin: true @@ -2781,12 +2782,8 @@ packages: util-deprecate@1.0.2: resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==} - uuid@10.0.0: - resolution: {integrity: sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==} - hasBin: true - - uuid@13.0.0: - resolution: {integrity: sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==} + uuid@14.0.0: + resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==} hasBin: true vfile-message@4.0.3: @@ -3400,7 +3397,7 @@ snapshots: '@sinclair/typebox': 0.31.28 kysely: 0.28.16 sqlite-wasm-kysely: 0.3.0(kysely@0.28.16) - uuid: 13.0.0 + uuid: 14.0.0 transitivePeerDependencies: - babel-plugin-macros @@ -3439,7 +3436,7 @@ snapshots: js-sha256: 0.11.1 kysely: 0.28.16 sqlite-wasm-kysely: 0.3.0(kysely@0.28.16) - uuid: 10.0.0 + uuid: 14.0.0 transitivePeerDependencies: - babel-plugin-macros @@ -4111,7 +4108,7 @@ snapshots: balanced-match@4.0.4: {} - baseline-browser-mapping@2.10.20: {} + baseline-browser-mapping@2.10.21: {} binary-extensions@2.3.0: {} @@ -4130,9 +4127,9 @@ snapshots: browserslist@4.28.2: dependencies: - baseline-browser-mapping: 2.10.20 + baseline-browser-mapping: 2.10.21 caniuse-lite: 1.0.30001790 - electron-to-chromium: 1.5.343 + electron-to-chromium: 1.5.344 node-releases: 2.0.38 update-browserslist-db: 1.2.3(browserslist@4.28.2) @@ -4282,7 +4279,7 @@ snapshots: es-errors: 1.3.0 gopd: 1.2.0 - electron-to-chromium@1.5.343: {} + electron-to-chromium@1.5.344: {} emoji-regex@8.0.0: {} @@ -5361,33 +5358,33 @@ snapshots: dependencies: inline-style-parser: 0.2.7 - stylelint-config-recommended-scss@17.0.1(postcss@8.5.10)(stylelint@17.8.0(typescript@5.9.3)): + stylelint-config-recommended-scss@17.0.1(postcss@8.5.10)(stylelint@17.9.0(typescript@5.9.3)): dependencies: postcss-scss: 4.0.9(postcss@8.5.10) - stylelint: 17.8.0(typescript@5.9.3) - stylelint-config-recommended: 18.0.0(stylelint@17.8.0(typescript@5.9.3)) - stylelint-scss: 7.0.0(stylelint@17.8.0(typescript@5.9.3)) + stylelint: 17.9.0(typescript@5.9.3) + stylelint-config-recommended: 18.0.0(stylelint@17.9.0(typescript@5.9.3)) + stylelint-scss: 7.0.0(stylelint@17.9.0(typescript@5.9.3)) optionalDependencies: postcss: 8.5.10 - stylelint-config-recommended@18.0.0(stylelint@17.8.0(typescript@5.9.3)): + stylelint-config-recommended@18.0.0(stylelint@17.9.0(typescript@5.9.3)): dependencies: - stylelint: 17.8.0(typescript@5.9.3) + stylelint: 17.9.0(typescript@5.9.3) - stylelint-config-standard-scss@17.0.0(postcss@8.5.10)(stylelint@17.8.0(typescript@5.9.3)): + stylelint-config-standard-scss@17.0.0(postcss@8.5.10)(stylelint@17.9.0(typescript@5.9.3)): dependencies: - stylelint: 17.8.0(typescript@5.9.3) - stylelint-config-recommended-scss: 17.0.1(postcss@8.5.10)(stylelint@17.8.0(typescript@5.9.3)) - stylelint-config-standard: 40.0.0(stylelint@17.8.0(typescript@5.9.3)) + stylelint: 17.9.0(typescript@5.9.3) + stylelint-config-recommended-scss: 17.0.1(postcss@8.5.10)(stylelint@17.9.0(typescript@5.9.3)) + stylelint-config-standard: 40.0.0(stylelint@17.9.0(typescript@5.9.3)) optionalDependencies: postcss: 8.5.10 - stylelint-config-standard@40.0.0(stylelint@17.8.0(typescript@5.9.3)): + stylelint-config-standard@40.0.0(stylelint@17.9.0(typescript@5.9.3)): dependencies: - stylelint: 17.8.0(typescript@5.9.3) - stylelint-config-recommended: 18.0.0(stylelint@17.8.0(typescript@5.9.3)) + stylelint: 17.9.0(typescript@5.9.3) + stylelint-config-recommended: 18.0.0(stylelint@17.9.0(typescript@5.9.3)) - stylelint-scss@7.0.0(stylelint@17.8.0(typescript@5.9.3)): + stylelint-scss@7.0.0(stylelint@17.9.0(typescript@5.9.3)): dependencies: css-tree: 3.2.1 is-plain-object: 5.0.0 @@ -5397,9 +5394,9 @@ snapshots: postcss-resolve-nested-selector: 0.1.6 postcss-selector-parser: 7.1.1 postcss-value-parser: 4.2.0 - stylelint: 17.8.0(typescript@5.9.3) + stylelint: 17.9.0(typescript@5.9.3) - stylelint@17.8.0(typescript@5.9.3): + stylelint@17.9.0(typescript@5.9.3): dependencies: '@csstools/css-calc': 3.2.0(@csstools/css-parser-algorithms@4.0.0(@csstools/css-tokenizer@4.0.0))(@csstools/css-tokenizer@4.0.0) '@csstools/css-parser-algorithms': 4.0.0(@csstools/css-tokenizer@4.0.0) @@ -5569,9 +5566,7 @@ snapshots: util-deprecate@1.0.2: {} - uuid@10.0.0: {} - - uuid@13.0.0: {} + uuid@14.0.0: {} vfile-message@4.0.3: dependencies: From a557a2f24ff1a01827c61f55100af9d5431c66b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 12:55:42 +0200 Subject: [PATCH 13/16] remove override --- web/package.json | 3 +-- web/pnpm-lock.yaml | 17 +++++++++++------ 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/web/package.json b/web/package.json index 1172771..2de53a0 100644 --- a/web/package.json +++ b/web/package.json @@ -64,8 +64,7 @@ "pnpm": { "overrides": { "seroval": "^1.4.1", - "kysely": "^0.28.12", - "uuid": "^14.0.0" + "kysely": "^0.28.12" } } } diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml index f869044..20dad83 100644 --- a/web/pnpm-lock.yaml +++ b/web/pnpm-lock.yaml @@ -7,7 +7,6 @@ settings: overrides: seroval: ^1.4.1 kysely: ^0.28.12 - uuid: ^14.0.0 importers: @@ -2782,8 +2781,12 @@ packages: util-deprecate@1.0.2: resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==} - uuid@14.0.0: - resolution: {integrity: sha512-Qo+uWgilfSmAhXCMav1uYFynlQO7fMFiMVZsQqZRMIXp0O7rR7qjkj+cPvBHLgBqi960QCoo/PH2/6ZtVqKvrg==} + uuid@10.0.0: + resolution: {integrity: sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==} + hasBin: true + + uuid@13.0.0: + resolution: {integrity: sha512-XQegIaBTVUjSHliKqcnFqYypAd4S+WCYt5NIeRs6w/UAry7z8Y9j5ZwRRL4kzq9U3sD6v+85er9FvkEaBpji2w==} hasBin: true vfile-message@4.0.3: @@ -3397,7 +3400,7 @@ snapshots: '@sinclair/typebox': 0.31.28 kysely: 0.28.16 sqlite-wasm-kysely: 0.3.0(kysely@0.28.16) - uuid: 14.0.0 + uuid: 13.0.0 transitivePeerDependencies: - babel-plugin-macros @@ -3436,7 +3439,7 @@ snapshots: js-sha256: 0.11.1 kysely: 0.28.16 sqlite-wasm-kysely: 0.3.0(kysely@0.28.16) - uuid: 14.0.0 + uuid: 10.0.0 transitivePeerDependencies: - babel-plugin-macros @@ -5566,7 +5569,9 @@ snapshots: util-deprecate@1.0.2: {} - uuid@14.0.0: {} + uuid@10.0.0: {} + + uuid@13.0.0: {} vfile-message@4.0.3: dependencies: From 403085fd445b273fc346f7829111d198dad629a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 12:56:47 +0200 Subject: [PATCH 14/16] install trivy in nix shell --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index de0cd7d..cd51fbc 100644 --- a/flake.nix +++ b/flake.nix @@ -40,6 +40,7 @@ buf # image signarute verification cosign + trivy ]; # Specify the rust-src path (many editors rely on this) From d1efd6caaa655672acf83c409b8e18de6e4ba2b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 12:56:56 +0200 Subject: [PATCH 15/16] setup trivyignore --- .github/workflows/build-docker.yml | 3 +++ .github/workflows/sbom.yml | 12 ++++++++++++ .github/workflows/test.yml | 3 +++ .trivyignore.yaml | 4 ++++ 4 files changed, 22 insertions(+) create mode 100644 .trivyignore.yaml diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index c2b99e5..cc29260 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -70,6 +70,9 @@ jobs: - name: Scan image with Trivy uses: aquasecurity/trivy-action@0.35.0 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}" format: "table" diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 5afa8f4..38b2e41 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -34,6 +34,9 @@ jobs: - name: Create SBOM with Trivy uses: aquasecurity/trivy-action@0.35.0 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: scan-type: 'fs' format: 'spdx-json' @@ -44,6 +47,9 @@ jobs: - name: Create Docker image SBOM with Trivy uses: aquasecurity/trivy-action@0.35.0 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}" scan-type: 'image' @@ -54,6 +60,9 @@ jobs: - name: Create security advisory file with Trivy uses: aquasecurity/trivy-action@0.35.0 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: scan-type: 'fs' format: 'json' @@ -64,6 +73,9 @@ jobs: - name: Create Docker image security advisory file with Trivy uses: aquasecurity/trivy-action@0.35.0 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: image-ref: "ghcr.io/defguard/defguard-proxy:${{ steps.vars.outputs.VERSION }}" scan-type: 'image' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 9a63987..d39782f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -38,6 +38,9 @@ jobs: - name: Scan code with Trivy uses: aquasecurity/trivy-action@0.35.0 + env: + TRIVY_SHOW_SUPPRESSED: 1 + TRIVY_IGNOREFILE: "./.trivyignore.yaml" with: scan-type: 'fs' scan-ref: '.' diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..4b61f17 --- /dev/null +++ b/.trivyignore.yaml @@ -0,0 +1,4 @@ +vulnerabilities: + - id: GHSA-w5hq-g745-h8pq + expired_at: 2026-05-23 + statement: "Waiting for upstream patch in paraglide" From 13529a32f465a03f8f768fd20545530ea80d3cbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 23 Apr 2026 14:39:53 +0200 Subject: [PATCH 16/16] fix action tag --- .github/workflows/build-docker.yml | 2 +- .github/workflows/sbom.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index e6f7db6..63b054c 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -69,7 +69,7 @@ jobs: cache-to: type=gha,mode=max - name: Scan image with Trivy - uses: aquasecurity/trivy-action@0.36.0 + uses: aquasecurity/trivy-action@v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml" diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index a6628bb..9525ad9 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -72,7 +72,7 @@ jobs: scanners: "vuln" - name: Create Docker image security advisory file with Trivy - uses: aquasecurity/trivy-action@0.36.0 + uses: aquasecurity/trivy-action@v0.36.0 env: TRIVY_SHOW_SUPPRESSED: 1 TRIVY_IGNOREFILE: "./.trivyignore.yaml"