From 540c0ba10c49ff92be1efca36d6a1294cbe997a9 Mon Sep 17 00:00:00 2001 From: barsa Date: Mon, 15 Dec 2025 17:55:54 +0900 Subject: [PATCH] Update dependencies and clean up package configurations - Upgraded `@eslint/js` and `eslint` to version 9.39.2 for improved linting capabilities. - Updated `zod` to version 4.2.0 in various dependencies to ensure compatibility and access to the latest features. - Standardized quotes in `pnpm-lock.yaml` and `pnpm-workspace.yaml` for consistency. - Removed obsolete `~$MPLETE-GUIDE.docx` file from the documentation directory. --- .github/dependabot.yml | 138 +++++---------- .github/workflows/dependency-update.yml | 42 +++++ .github/workflows/pr-checks.yml | 58 +++++++ .github/workflows/security.yml | 175 ++++++++++++++----- .gitignore | 5 + .husky/pre-push | 10 ++ SECURITY.md | 167 ++++++++++++++++++ apps/portal/package.json | 2 +- docs/SECURITY-MONITORING.md | 220 ++++++++++++++++++++++++ docs/portal-guides/~$MPLETE-GUIDE.docx | Bin 162 -> 0 bytes package.json | 9 +- pnpm-lock.yaml | 170 +++++++++--------- pnpm-workspace.yaml | 7 +- scripts/security-check.sh | 97 +++++++++++ 14 files changed, 869 insertions(+), 231 deletions(-) create mode 100644 .github/workflows/dependency-update.yml create mode 100644 .github/workflows/pr-checks.yml create mode 100755 .husky/pre-push create mode 100644 SECURITY.md create mode 100644 docs/SECURITY-MONITORING.md delete mode 100644 docs/portal-guides/~$MPLETE-GUIDE.docx create mode 100755 scripts/security-check.sh diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e645a535..444383d6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,126 +1,68 @@ -# Dependabot configuration for automated dependency updates -# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates - version: 2 updates: - # NPM dependencies for the monorepo + # Enable version updates for npm - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" day: "monday" time: "09:00" - timezone: "UTC" open-pull-requests-limit: 10 + reviewers: + - "barsa" labels: - "dependencies" - - "automated" - commit-message: - prefix: "chore(deps):" + - "security" + # Group updates together to reduce PR noise groups: - # Group NestJS packages together - nestjs: - patterns: - - "@nestjs/*" + # Group all non-security updates + development-dependencies: + dependency-type: "development" update-types: - "minor" - "patch" - # Group React/Next.js packages together - react-next: - patterns: - - "react" - - "react-dom" - - "next" - - "@next/*" - update-types: - - "minor" - - "patch" - # Group TypeScript tooling - typescript-tooling: - patterns: - - "typescript" - - "typescript-eslint" - - "@types/*" - - "ts-*" - update-types: - - "minor" - - "patch" - # Group testing packages - testing: - patterns: - - "jest" - - "@jest/*" - - "supertest" - - "@types/jest" - update-types: - - "minor" - - "patch" - # Group linting/formatting - linting: - patterns: - - "eslint" - - "eslint-*" - - "@eslint/*" - - "prettier" - update-types: - - "minor" - - "patch" - # Group Tailwind CSS - tailwind: - patterns: - - "tailwindcss" - - "@tailwindcss/*" - - "tailwind-*" - update-types: - - "minor" - - "patch" - # Group Prisma - prisma: - patterns: - - "prisma" - - "@prisma/*" + production-dependencies: + dependency-type: "production" update-types: - "minor" - "patch" + # Auto-merge patch updates for dev dependencies + allow: + - dependency-type: "development" + update-types: ["patch"] + # Ignore specific packages if needed ignore: - # Ignore major version updates for critical packages (review manually) - - dependency-name: "next" - update-types: ["version-update:semver-major"] - - dependency-name: "react" - update-types: ["version-update:semver-major"] - - dependency-name: "react-dom" - update-types: ["version-update:semver-major"] - - dependency-name: "@prisma/client" - update-types: ["version-update:semver-major"] - - dependency-name: "prisma" - update-types: ["version-update:semver-major"] + # Example: ignore major version updates for specific packages + # - dependency-name: "next" + # update-types: ["version-update:semver-major"] + versioning-strategy: increase + commit-message: + prefix: "chore(deps)" + prefix-development: "chore(deps-dev)" + include: "scope" - # Docker base images - - package-ecosystem: "docker" - directory: "/apps/portal" - schedule: - interval: "weekly" - day: "monday" - labels: - - "dependencies" - - "docker" - - - package-ecosystem: "docker" - directory: "/apps/bff" - schedule: - interval: "weekly" - day: "monday" - labels: - - "dependencies" - - "docker" - - # GitHub Actions + # Monitor GitHub Actions - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" day: "monday" + time: "09:00" labels: - - "dependencies" - "github-actions" + - "security" + commit-message: + prefix: "ci" + # Monitor Docker dependencies if you're using Docker + - package-ecosystem: "docker" + directory: "/docker" + schedule: + interval: "weekly" + day: "monday" + time: "09:00" + labels: + - "docker" + - "security" + commit-message: + prefix: "chore(docker)" diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml new file mode 100644 index 00000000..e98ec812 --- /dev/null +++ b/.github/workflows/dependency-update.yml @@ -0,0 +1,42 @@ +name: Auto-merge Dependabot PRs + +on: + pull_request: + branches: + - main + - master + +permissions: + contents: write + pull-requests: write + +jobs: + dependabot: + name: Auto-merge Dependabot PRs + runs-on: ubuntu-latest + if: github.actor == 'dependabot[bot]' + + steps: + - name: Dependabot metadata + id: metadata + uses: dependabot/fetch-metadata@v2 + with: + github-token: "${{ secrets.GITHUB_TOKEN }}" + + - name: Auto-approve patch and minor updates + if: | + steps.metadata.outputs.update-type == 'version-update:semver-patch' || + steps.metadata.outputs.update-type == 'version-update:semver-minor' + run: | + gh pr review --approve "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + + - name: Enable auto-merge for patch updates + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' + run: | + gh pr merge --auto --squash "$PR_URL" + env: + PR_URL: ${{github.event.pull_request.html_url}} + GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml new file mode 100644 index 00000000..01286ba2 --- /dev/null +++ b/.github/workflows/pr-checks.yml @@ -0,0 +1,58 @@ +name: Pull Request Checks + +on: + pull_request: + branches: + - main + - master + +jobs: + quality-checks: + name: Code Quality & Security + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "22" + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + version: "10.25.0" + + - name: Get pnpm store directory + id: pnpm-cache + shell: bash + run: | + echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT + + - name: Setup pnpm cache + uses: actions/cache@v4 + with: + path: ${{ steps.pnpm-cache.outputs.STORE_PATH }} + key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-store- + + - name: Install dependencies + run: pnpm install --frozen-lockfile + + - name: Run linter + run: pnpm lint + + - name: Run type check + run: pnpm type-check + + - name: Run security audit + run: pnpm security:check + + - name: Run tests + run: pnpm test + + - name: Check formatting + run: pnpm format:check diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0f967160..3559a8ce 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,86 +1,173 @@ name: Security Audit on: + # Run on every push to main/master push: - branches: [main, develop] + branches: + - main + - master + # Run on all pull requests pull_request: - branches: [main, develop] + # Run daily at 9 AM UTC schedule: - # Run every Monday at 9:00 AM UTC - - cron: "0 9 * * 1" + - cron: "0 9 * * *" + # Allow manual trigger workflow_dispatch: jobs: - audit: - name: Security Audit + security-audit: + name: Security Vulnerability Audit runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v4 - - name: Setup pnpm - uses: pnpm/action-setup@v4 - with: - version: 10.25.0 - - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: 22 - cache: "pnpm" + node-version: "22" + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + version: "10.25.0" + + - name: Get pnpm store directory + id: pnpm-cache + shell: bash + run: | + echo "STORE_PATH=$(pnpm store path)" >> $GITHUB_OUTPUT + + - name: Setup pnpm cache + uses: actions/cache@v4 + with: + path: ${{ steps.pnpm-cache.outputs.STORE_PATH }} + key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-store- - name: Install dependencies run: pnpm install --frozen-lockfile - name: Run security audit + id: audit run: | - echo "## 🔒 Security Audit Results" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY + # Run audit and capture exit code + pnpm audit --audit-level=high || echo "AUDIT_FAILED=true" >> $GITHUB_OUTPUT - # Run audit and capture output - if pnpm audit --audit-level=high 2>&1 | tee audit-output.txt; then - echo "✅ No high or critical vulnerabilities found!" >> $GITHUB_STEP_SUMMARY - else - echo "⚠ī¸ Vulnerabilities detected. See details below." >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "\`\`\`" >> $GITHUB_STEP_SUMMARY - cat audit-output.txt >> $GITHUB_STEP_SUMMARY - echo "\`\`\`" >> $GITHUB_STEP_SUMMARY - # Fail the workflow for high/critical vulnerabilities - exit 1 - fi + # Generate detailed report + pnpm audit --json > audit-report.json || true - - name: Check for outdated packages - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + - name: Parse audit results + if: steps.audit.outputs.AUDIT_FAILED == 'true' run: | - echo "" >> $GITHUB_STEP_SUMMARY - echo "## đŸ“Ļ Outdated Packages" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "\`\`\`" >> $GITHUB_STEP_SUMMARY - pnpm outdated --recursive 2>&1 | head -100 >> $GITHUB_STEP_SUMMARY || true - echo "\`\`\`" >> $GITHUB_STEP_SUMMARY + echo "⚠ī¸ Security vulnerabilities detected!" + echo "Please review the audit report and update vulnerable packages." + pnpm audit + exit 1 - codeql: - name: CodeQL Analysis + - name: Upload audit report + if: always() + uses: actions/upload-artifact@v4 + with: + name: security-audit-report + path: audit-report.json + retention-days: 30 + + dependency-review: + name: Dependency Review runs-on: ubuntu-latest - permissions: - security-events: write - actions: read - contents: read + # Only run on pull requests + if: github.event_name == 'pull_request' steps: - - name: Checkout repository + - name: Checkout code + uses: actions/checkout@v4 + + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + fail-on-severity: high + deny-licenses: GPL-2.0, GPL-3.0 + + codeql-analysis: + name: CodeQL Security Analysis + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["javascript", "typescript"] + + steps: + - name: Checkout code uses: actions/checkout@v4 - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: - languages: javascript-typescript + languages: ${{ matrix.language }} queries: security-and-quality + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 with: - category: "/language:javascript-typescript" + category: "/language:${{matrix.language}}" + outdated-dependencies: + name: Check Outdated Dependencies + runs-on: ubuntu-latest + # Only run on schedule or manual trigger + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "22" + + - name: Setup pnpm + uses: pnpm/action-setup@v4 + with: + version: "10.25.0" + + - name: Check for outdated dependencies + run: | + pnpm outdated --recursive || true + pnpm outdated --recursive > outdated-report.txt || true + + - name: Upload outdated report + uses: actions/upload-artifact@v4 + with: + name: outdated-dependencies-report + path: outdated-report.txt + retention-days: 7 + + - name: Create issue for outdated dependencies + if: github.event_name == 'schedule' + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + const report = fs.readFileSync('outdated-report.txt', 'utf8'); + + if (report.trim()) { + await github.rest.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: `Outdated Dependencies Report - ${new Date().toISOString().split('T')[0]}`, + body: `## đŸ“Ļ Outdated Dependencies Report\n\nThe following dependencies are outdated:\n\n\`\`\`\n${report}\n\`\`\`\n\nPlease review and update as needed.`, + labels: ['dependencies', 'security'] + }); + } diff --git a/.gitignore b/.gitignore index 9a474469..466d4496 100644 --- a/.gitignore +++ b/.gitignore @@ -161,3 +161,8 @@ prisma/migrations/dev.db* # API Documentation (contains sensitive API details) docs/freebit-apis/ + +# Security reports +security-report.json +audit-report.json +outdated-report.txt diff --git a/.husky/pre-push b/.husky/pre-push new file mode 100755 index 00000000..bd10d240 --- /dev/null +++ b/.husky/pre-push @@ -0,0 +1,10 @@ +#!/usr/bin/env sh +. "$(dirname -- "$0")/_/husky.sh" + +# Optional: Run security audit before pushing +# Uncomment to enable strict security checks before push +# echo "🔍 Running security audit..." +# pnpm security:check + +echo "✅ Pre-push checks passed" + diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..17ee66e5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,167 @@ +# Security Policy + +## 🔒 Security Overview + +This document outlines the security practices and policies for the Customer Portal project. + +## 🚨 Reporting a Vulnerability + +If you discover a security vulnerability, please follow these steps: + +1. **DO NOT** open a public issue +2. Email the security team directly at: [your-security-email@example.com] +3. Include detailed information about the vulnerability: + - Type of vulnerability + - Steps to reproduce + - Potential impact + - Suggested fix (if available) + +We will acknowledge receipt within 48 hours and provide a detailed response within 7 days. + +## 🛡ī¸ Security Measures + +### Automated Security Checks + +We use multiple layers of automated security scanning: + +#### 1. **Continuous Monitoring** + +- **Daily Security Audits**: Automated checks run daily at 9 AM UTC +- **Pull Request Scans**: Every PR is scanned for vulnerabilities +- **Dependency Review**: All dependency changes are reviewed automatically + +#### 2. **Dependency Management** + +- **Dependabot**: Automatically creates PRs for security updates +- **Weekly Dependency Checks**: Reviews for outdated packages +- **Auto-merge**: Low-risk patches are auto-merged after CI passes + +#### 3. **Code Analysis** + +- **CodeQL**: Static analysis for security vulnerabilities +- **Linting**: ESLint with security rules +- **Type Safety**: TypeScript for compile-time safety + +### Local Security Checks + +#### Run Security Audit + +```bash +# Check for high and critical vulnerabilities +pnpm security:check + +# Full audit report +pnpm security:audit +``` + +#### Check for Outdated Dependencies + +```bash +# View outdated packages +pnpm update:check + +# Safe update with verification +pnpm update:safe +``` + +#### Pre-commit Checks + +Security audits are automatically run on: + +- Pre-commit (type checking and linting) +- Pre-push (optional security audit - see `.husky/pre-push`) + +## 📋 Security Checklist + +### For Developers + +- [ ] Run `pnpm security:check` before committing +- [ ] Keep dependencies up to date +- [ ] Review Dependabot PRs promptly +- [ ] Never commit secrets or sensitive data +- [ ] Use environment variables for configuration +- [ ] Follow secure coding practices +- [ ] Review security warnings in CI/CD + +### For Maintainers + +- [ ] Review security audit reports weekly +- [ ] Update vulnerable dependencies immediately +- [ ] Monitor GitHub Security Advisories +- [ ] Review and merge Dependabot PRs +- [ ] Conduct security reviews for major changes +- [ ] Keep documentation up to date + +## 🔐 Secret Management + +### Never Commit: + +- API keys +- Database credentials +- Private keys +- Tokens or passwords +- Configuration with sensitive data + +### Use Instead: + +- Environment variables (`.env` files - gitignored) +- Secret management services +- Encrypted secrets in CI/CD +- The `secrets/` folder (gitignored) + +## 🏷ī¸ Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| 1.x.x | :white_check_mark: | + +## 📚 Security Resources + +### Internal Documentation + +- [Environment Configuration](./docs/portal-guides/COMPLETE-GUIDE.md) +- [Deployment Guide](./docs/portal-guides/) + +### External Resources + +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/) +- [npm Security Best Practices](https://docs.npmjs.com/security) + +## 🔄 Security Update Process + +1. **Vulnerability Detected** + - Automated scan identifies issue + - GitHub Security Advisory created + - Team notified + +2. **Assessment** + - Severity evaluated + - Impact assessed + - Priority assigned + +3. **Remediation** + - Fix developed and tested + - Security patch released + - Dependabot creates PR + +4. **Deployment** + - PR reviewed and approved + - Changes deployed to production + - Verification performed + +5. **Communication** + - Team notified of fix + - Documentation updated + - Incident logged + +## 📞 Contact + +For security concerns, contact: + +- **Email**: [your-security-email@example.com] +- **Emergency**: [emergency-contact] + +--- + +Last updated: December 2025 diff --git a/apps/portal/package.json b/apps/portal/package.json index bfc7fce2..f47fea34 100644 --- a/apps/portal/package.json +++ b/apps/portal/package.json @@ -24,7 +24,7 @@ "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", "date-fns": "^4.1.0", - "next": "16.0.9", + "next": "16.0.10", "react": "19.2.1", "react-dom": "19.2.1", "tailwind-merge": "^3.4.0", diff --git a/docs/SECURITY-MONITORING.md b/docs/SECURITY-MONITORING.md new file mode 100644 index 00000000..c87e76f3 --- /dev/null +++ b/docs/SECURITY-MONITORING.md @@ -0,0 +1,220 @@ +# Security Monitoring Setup + +## đŸŽ¯ Quick Start + +Your project now has comprehensive security monitoring! Here's what was set up: + +## đŸ“Ļ What's Included + +### 1. **GitHub Actions Workflows** (`.github/workflows/`) + +#### `security.yml` - Main Security Pipeline + +- **Daily scans** at 9 AM UTC +- **Pull request** security checks +- **Manual trigger** available +- Includes: + - Dependency vulnerability audit + - Dependency review (for PRs) + - CodeQL security analysis + - Outdated dependencies check + +#### `pr-checks.yml` - Pull Request Quality Gate + +- Runs on every PR +- Checks: linting, type safety, security audit, tests, formatting + +#### `dependency-update.yml` - Auto-merge Helper + +- Auto-approves safe dependency updates +- Auto-merges patch updates +- Works with Dependabot + +### 2. **Dependabot Configuration** (`.github/dependabot.yml`) + +- **Weekly** dependency updates (Mondays at 9 AM) +- Groups updates to reduce PR noise +- Monitors: npm, GitHub Actions, Docker +- Auto-labels PRs for easy tracking + +### 3. **Git Hooks** (`.husky/`) + +- **pre-commit**: Runs linting and type checks +- **pre-push**: Optional security audit (commented out by default) + +### 4. **NPM Scripts** (Enhanced) + +```bash +pnpm security:audit # Full security audit +pnpm security:check # Check high/critical vulnerabilities +pnpm security:fix # Auto-fix vulnerabilities when possible +pnpm security:report # Generate JSON report +pnpm update:check # Check for outdated packages +pnpm update:safe # Safe update with verification +``` + +## 🚀 Getting Started + +### 1. Fix Current Vulnerability + +```bash +# Update Next.js to fix the current high-severity issue +cd /home/barsa/projects/customer_portal/customer-portal +pnpm add next@latest --filter @customer-portal/portal +pnpm security:check +``` + +### 2. Enable GitHub Actions + +- Push these changes to GitHub +- Go to **Settings → Actions → General** +- Enable **Read and write permissions** for workflows +- Go to **Settings → Code security → Dependabot** +- Enable **Dependabot alerts** and **security updates** + +### 3. Optional: Enable Stricter Pre-push Checks + +Edit `.husky/pre-push` and uncomment the security check lines to run audits before every push. + +## 📊 Monitoring Dashboard + +### View Security Status + +1. **GitHub Actions**: Check `.github/workflows/security.yml` runs +2. **Dependabot**: View PRs in **Pull requests** tab +3. **Security Advisories**: Check **Security** tab +4. **Artifacts**: Download audit reports from workflow runs + +### Email Notifications + +GitHub will automatically notify you about: + +- Security vulnerabilities +- Failed workflow runs +- Dependabot PRs + +### Configure Notifications + +1. Go to **Settings → Notifications** +2. Enable **Actions** and **Dependabot** notifications +3. Choose **Email** or **Web** notifications + +## 🔄 Workflow Triggers + +### Automatic + +- **Daily**: Full security scan at 9 AM UTC +- **On Push**: Security checks when pushing to main/master +- **On PR**: Comprehensive checks including dependency review +- **Weekly**: Dependabot checks for updates (Mondays) + +### Manual + +```bash +# Trigger from GitHub UI +1. Go to Actions → Security Audit +2. Click "Run workflow" +3. Select branch and run + +# Or use GitHub CLI +gh workflow run security.yml +``` + +## 🛠ī¸ Local Development + +### Before Committing + +```bash +pnpm lint # Check code quality +pnpm type-check # Verify types +pnpm security:check # Check vulnerabilities +pnpm test # Run tests +``` + +### Weekly Maintenance + +```bash +pnpm update:check # See what's outdated +pnpm update:safe # Update safely +``` + +### Generate Security Report + +```bash +pnpm security:report +# Creates security-report.json with detailed findings +``` + +## 📋 Best Practices + +### For Daily Development + +- ✅ Run `pnpm security:check` weekly +- ✅ Review Dependabot PRs within 48 hours +- ✅ Keep dependencies up to date +- ✅ Never commit secrets (use `.env` files) + +### For Security Issues + +- 🚨 **High/Critical**: Fix within 24 hours +- ⚠ī¸ **Medium**: Fix within 1 week +- ℹī¸ **Low**: Fix in next maintenance window + +### For Dependency Updates + +- ✅ **Patch versions**: Auto-merge after CI passes +- ⚠ī¸ **Minor versions**: Review and test +- 🚨 **Major versions**: Careful review and thorough testing + +## 🔍 Troubleshooting + +### If Security Scan Fails + +```bash +# View detailed audit +pnpm audit + +# Try to auto-fix +pnpm security:fix + +# If auto-fix doesn't work, update manually +pnpm update [package-name]@latest +``` + +### If Workflow Fails + +1. Check workflow logs in GitHub Actions +2. Run the same commands locally +3. Ensure all secrets are configured +4. Verify permissions are set correctly + +## 📚 Additional Resources + +- **Security Policy**: See `SECURITY.md` +- **Complete Guide**: See `docs/portal-guides/COMPLETE-GUIDE.md` +- **GitHub Security**: [https://docs.github.com/en/code-security](https://docs.github.com/en/code-security) +- **npm Security**: [https://docs.npmjs.com/security](https://docs.npmjs.com/security) + +## 🎉 Next Steps + +1. **Fix the current vulnerability**: + + ```bash + pnpm add next@16.0.10 --filter @customer-portal/portal + ``` + +2. **Push to GitHub** to activate workflows: + + ```bash + git add . + git commit -m "feat: add comprehensive security monitoring" + git push + ``` + +3. **Enable Dependabot** in GitHub repository settings + +4. **Review first security scan** in GitHub Actions + +--- + +**Need Help?** Check `SECURITY.md` for detailed security policies and contact information. diff --git a/docs/portal-guides/~$MPLETE-GUIDE.docx b/docs/portal-guides/~$MPLETE-GUIDE.docx deleted file mode 100644 index 2ab65705e41a590ce9b2308a960b8bf52cc94dd0..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 162 zcmWd*Da|b{N=hs$R`5$KO3W)MtxRMf2!t6z7)lv(fw+hvi6Ie47BeU?_<>o840#MC zK$%J)4;?T;1-zmmjOjD7l&9t1VdM~OI#v6Efnn0*(hv}zfuVs3NHBE1JG}z{RV5v- diff --git a/package.json b/package.json index b1c8f496..9f175338 100644 --- a/package.json +++ b/package.json @@ -45,20 +45,23 @@ "db:reset": "pnpm --filter @customer-portal/bff run db:reset", "security:audit": "pnpm audit", "security:check": "pnpm audit --audit-level=high", + "security:fix": "pnpm audit --fix", + "security:report": "pnpm audit --json > security-report.json && echo 'Report saved to security-report.json'", + "security:scan": "bash ./scripts/security-check.sh", "update:check": "pnpm outdated --recursive", "update:safe": "pnpm update --recursive && pnpm audit && pnpm type-check", "analyze": "pnpm --filter @customer-portal/portal run analyze", "plesk:images": "bash ./scripts/plesk/build-images.sh" }, "devDependencies": { + "@eslint/js": "^9.39.2", "@next/eslint-plugin-next": "16.0.9", - "@eslint/js": "^9.39.1", "@types/node": "catalog:", - "eslint": "^9.39.1", - "lint-staged": "^16.2.7", + "eslint": "^9.39.2", "eslint-plugin-react-hooks": "^7.0.1", "globals": "^16.5.0", "husky": "^9.1.7", + "lint-staged": "^16.2.7", "prettier": "^3.7.4", "tsx": "^4.21.0", "typescript": "catalog:", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index b3ac5fcb..efb8eb76 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -24,8 +24,8 @@ importers: .: devDependencies: "@eslint/js": - specifier: ^9.39.1 - version: 9.39.1 + specifier: ^9.39.2 + version: 9.39.2 "@next/eslint-plugin-next": specifier: 16.0.9 version: 16.0.9 @@ -33,11 +33,11 @@ importers: specifier: "catalog:" version: 24.10.3 eslint: - specifier: ^9.39.1 - version: 9.39.1(jiti@2.6.1) + specifier: ^9.39.2 + version: 9.39.2(jiti@2.6.1) eslint-plugin-react-hooks: specifier: ^7.0.1 - version: 7.0.1(eslint@9.39.1(jiti@2.6.1)) + version: 7.0.1(eslint@9.39.2(jiti@2.6.1)) globals: specifier: ^16.5.0 version: 16.5.0 @@ -58,7 +58,7 @@ importers: version: 5.9.3 typescript-eslint: specifier: ^8.49.0 - version: 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) + version: 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) apps/bff: dependencies: @@ -196,8 +196,8 @@ importers: specifier: ^4.1.0 version: 4.1.0 next: - specifier: 16.0.9 - version: 16.0.9(@babel/core@7.28.5)(react-dom@19.2.1(react@19.2.1))(react@19.2.1) + specifier: 16.0.10 + version: 16.0.10(@babel/core@7.28.5)(react-dom@19.2.1(react@19.2.1))(react@19.2.1) react: specifier: 19.2.1 version: 19.2.1 @@ -813,10 +813,10 @@ packages: } engines: { node: ^18.18.0 || ^20.9.0 || >=21.1.0 } - "@eslint/js@9.39.1": + "@eslint/js@9.39.2": resolution: { - integrity: sha512-S26Stp4zCy88tH94QbBv3XCuzRQiZ9yXofEILmglYTh/Ug/a9/umqvgFtYBAo3Lp0nsI/5/qH1CCrbdK3AP1Tw==, + integrity: sha512-q1mjIoW1VX4IvSocvM/vbTiveKC4k9eLrajNEuSsmjymSDEbpGddtpfOoN7YGAqBK3NG+uqo8ia4PDTt8buCYA==, } engines: { node: ^18.18.0 || ^20.9.0 || >=21.1.0 } @@ -1747,10 +1747,10 @@ packages: integrity: sha512-AHA6ZomhQuRsJtkoRvsq+hIuwA6F26mQzQT8ICcc2dL3BvHRcWOA+EiFr+BgWFY++EE957xVDqMIJjLApyxnwA==, } - "@next/env@16.0.9": + "@next/env@16.0.10": resolution: { - integrity: sha512-6284pl8c8n9PQidN63qjPVEu1uXXKjnmbmaLebOzIfTrSXdGiAPsIMRi4pk/+v/ezqweE1/B8bFqiAAfC6lMXg==, + integrity: sha512-8tuaQkyDVgeONQ1MeT9Mkk8pQmZapMKFh5B+OrFUlG3rVmYTXcXlBetBgTurKXGaIZvkoqRT9JL5K3phXcgang==, } "@next/eslint-plugin-next@16.0.9": @@ -1759,73 +1759,73 @@ packages: integrity: sha512-ea6F0Towc70S+5y0HfkmMeNvWXHH+5yQUhovmed5qHu9WxJRW0oE26+OU6z4u0hR5WHYec7KwwHZCyWlnwdpOg==, } - "@next/swc-darwin-arm64@16.0.9": + "@next/swc-darwin-arm64@16.0.10": resolution: { - integrity: sha512-j06fWg/gPqiWjK+sEpCDsh5gX+Bdy9gnPYjFqMBvBEOIcCFy1/ecF6pY6XAce7WyCJAbBPVb+6GvpmUZKNq0oQ==, + integrity: sha512-4XgdKtdVsaflErz+B5XeG0T5PeXKDdruDf3CRpnhN+8UebNa5N2H58+3GDgpn/9GBurrQ1uWW768FfscwYkJRg==, } engines: { node: ">= 10" } cpu: [arm64] os: [darwin] - "@next/swc-darwin-x64@16.0.9": + "@next/swc-darwin-x64@16.0.10": resolution: { - integrity: sha512-FRYYz5GSKUkfvDSjd5hgHME2LgYjfOLBmhRVltbs3oRNQQf9n5UTQMmIu/u5vpkjJFV4L2tqo8duGqDxdQOFwg==, + integrity: sha512-spbEObMvRKkQ3CkYVOME+ocPDFo5UqHb8EMTS78/0mQ+O1nqE8toHJVioZo4TvebATxgA8XMTHHrScPrn68OGw==, } engines: { node: ">= 10" } cpu: [x64] os: [darwin] - "@next/swc-linux-arm64-gnu@16.0.9": + "@next/swc-linux-arm64-gnu@16.0.10": resolution: { - integrity: sha512-EI2klFVL8tOyEIX5J1gXXpm1YuChmDy4R+tHoNjkCHUmBJqXioYErX/O2go4pEhjxkAxHp2i8y5aJcRz2m5NqQ==, + integrity: sha512-uQtWE3X0iGB8apTIskOMi2w/MKONrPOUCi5yLO+v3O8Mb5c7K4Q5KD1jvTpTF5gJKa3VH/ijKjKUq9O9UhwOYw==, } engines: { node: ">= 10" } cpu: [arm64] os: [linux] - "@next/swc-linux-arm64-musl@16.0.9": + "@next/swc-linux-arm64-musl@16.0.10": resolution: { - integrity: sha512-vq/5HeGvowhDPMrpp/KP4GjPVhIXnwNeDPF5D6XK6ta96UIt+C0HwJwuHYlwmn0SWyNANqx1Mp6qSVDXwbFKsw==, + integrity: sha512-llA+hiDTrYvyWI21Z0L1GiXwjQaanPVQQwru5peOgtooeJ8qx3tlqRV2P7uH2pKQaUfHxI/WVarvI5oYgGxaTw==, } engines: { node: ">= 10" } cpu: [arm64] os: [linux] - "@next/swc-linux-x64-gnu@16.0.9": + "@next/swc-linux-x64-gnu@16.0.10": resolution: { - integrity: sha512-GlUdJwy2leA/HnyRYxJ1ZJLCJH+BxZfqV4E0iYLrJipDKxWejWpPtZUdccPmCfIEY9gNBO7bPfbG6IIgkt0qXg==, + integrity: sha512-AK2q5H0+a9nsXbeZ3FZdMtbtu9jxW4R/NgzZ6+lrTm3d6Zb7jYrWcgjcpM1k8uuqlSy4xIyPR2YiuUr+wXsavA==, } engines: { node: ">= 10" } cpu: [x64] os: [linux] - "@next/swc-linux-x64-musl@16.0.9": + "@next/swc-linux-x64-musl@16.0.10": resolution: { - integrity: sha512-UCtOVx4N8AHF434VPwg4L0KkFLAd7pgJShzlX/hhv9+FDrT7/xCuVdlBsCXH7l9yCA/wHl3OqhMbIkgUluriWA==, + integrity: sha512-1TDG9PDKivNw5550S111gsO4RGennLVl9cipPhtkXIFVwo31YZ73nEbLjNC8qG3SgTz/QZyYyaFYMeY4BKZR/g==, } engines: { node: ">= 10" } cpu: [x64] os: [linux] - "@next/swc-win32-arm64-msvc@16.0.9": + "@next/swc-win32-arm64-msvc@16.0.10": resolution: { - integrity: sha512-tQjtDGtv63mV3n/cZ4TH8BgUvKTSFlrF06yT5DyRmgQuj5WEjBUDy0W3myIW5kTRYMPrLn42H3VfCNwBH6YYiA==, + integrity: sha512-aEZIS4Hh32xdJQbHz121pyuVZniSNoqDVx1yIr2hy+ZwJGipeqnMZBJHyMxv2tiuAXGx6/xpTcQJ6btIiBjgmg==, } engines: { node: ">= 10" } cpu: [arm64] os: [win32] - "@next/swc-win32-x64-msvc@16.0.9": + "@next/swc-win32-x64-msvc@16.0.10": resolution: { - integrity: sha512-y9AGACHTBwnWFLq5B5Fiv3FEbXBusdPb60pgoerB04CV/pwjY1xQNdoTNxAv7eUhU2k1CKnkN4XWVuiK07uOqA==, + integrity: sha512-E+njfCoFLb01RAFEnGZn6ERoOqhK1Gl3Lfz1Kjnj0Ulfu7oJbuMyvBKNj/bw8XZnenHDASlygTjZICQW+rYW1Q==, } engines: { node: ">= 10" } cpu: [x64] @@ -4001,10 +4001,10 @@ packages: } engines: { node: ^18.18.0 || ^20.9.0 || >=21.1.0 } - eslint@9.39.1: + eslint@9.39.2: resolution: { - integrity: sha512-BhHmn2yNOFA9H9JmmIVKJmd288g9hrVRDkdoIgRCRuSySRUHH7r/DI6aAXW9T1WwUuY3DFgrcaqB+deURBLR5g==, + integrity: sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==, } engines: { node: ^18.18.0 || ^20.9.0 || >=21.1.0 } hasBin: true @@ -5523,10 +5523,10 @@ packages: "@nestjs/swagger": optional: true - next@16.0.9: + next@16.0.10: resolution: { - integrity: sha512-Xk5x/wEk6ADIAtQECLo1uyE5OagbQCiZ+gW4XEv24FjQ3O2PdSkvgsn22aaseSXC7xg84oONvQjFbSTX5YsMhQ==, + integrity: sha512-RtWh5PUgI+vxlV3HdR+IfWA1UUHu0+Ram/JBO4vWB54cVPentCD0e+lxyAYEsDTqGGMg7qpjhKh6dc6aW7W/sA==, } engines: { node: ">=20.9.0" } hasBin: true @@ -7433,6 +7433,12 @@ packages: integrity: sha512-AvvthqfqrAhNH9dnfmrfKzX5upOdjUVJYFqNSlkmGf64gRaTzlPwz99IHYnVs28qYAybvAlBV+H7pn0saFY4Ig==, } + zod@4.2.0: + resolution: + { + integrity: sha512-Bd5fw9wlIhtqCCxotZgdTOMwGm1a0u75wARVEY9HMs1X17trvA/lMi4+MGK5EUfYkXVTbX8UDiDKW4OgzHVUZw==, + } + zustand@5.0.9: resolution: { @@ -7734,9 +7740,9 @@ snapshots: "@esbuild/win32-x64@0.27.1": optional: true - "@eslint-community/eslint-utils@4.9.0(eslint@9.39.1(jiti@2.6.1))": + "@eslint-community/eslint-utils@4.9.0(eslint@9.39.2(jiti@2.6.1))": dependencies: - eslint: 9.39.1(jiti@2.6.1) + eslint: 9.39.2(jiti@2.6.1) eslint-visitor-keys: 3.4.3 "@eslint-community/regexpp@4.12.2": {} @@ -7771,7 +7777,7 @@ snapshots: transitivePeerDependencies: - supports-color - "@eslint/js@9.39.1": {} + "@eslint/js@9.39.2": {} "@eslint/object-schema@2.1.7": {} @@ -8325,34 +8331,34 @@ snapshots: - bufferutil - utf-8-validate - "@next/env@16.0.9": {} + "@next/env@16.0.10": {} "@next/eslint-plugin-next@16.0.9": dependencies: fast-glob: 3.3.1 - "@next/swc-darwin-arm64@16.0.9": + "@next/swc-darwin-arm64@16.0.10": optional: true - "@next/swc-darwin-x64@16.0.9": + "@next/swc-darwin-x64@16.0.10": optional: true - "@next/swc-linux-arm64-gnu@16.0.9": + "@next/swc-linux-arm64-gnu@16.0.10": optional: true - "@next/swc-linux-arm64-musl@16.0.9": + "@next/swc-linux-arm64-musl@16.0.10": optional: true - "@next/swc-linux-x64-gnu@16.0.9": + "@next/swc-linux-x64-gnu@16.0.10": optional: true - "@next/swc-linux-x64-musl@16.0.9": + "@next/swc-linux-x64-musl@16.0.10": optional: true - "@next/swc-win32-arm64-msvc@16.0.9": + "@next/swc-win32-arm64-msvc@16.0.10": optional: true - "@next/swc-win32-x64-msvc@16.0.9": + "@next/swc-win32-x64-msvc@16.0.10": optional: true "@nodelib/fs.scandir@2.1.5": @@ -8793,15 +8799,15 @@ snapshots: "@types/validator@13.15.10": optional: true - "@typescript-eslint/eslint-plugin@8.49.0(@typescript-eslint/parser@8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3)": + "@typescript-eslint/eslint-plugin@8.49.0(@typescript-eslint/parser@8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3)": dependencies: "@eslint-community/regexpp": 4.12.2 - "@typescript-eslint/parser": 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) + "@typescript-eslint/parser": 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) "@typescript-eslint/scope-manager": 8.49.0 - "@typescript-eslint/type-utils": 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) - "@typescript-eslint/utils": 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) + "@typescript-eslint/type-utils": 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) + "@typescript-eslint/utils": 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) "@typescript-eslint/visitor-keys": 8.49.0 - eslint: 9.39.1(jiti@2.6.1) + eslint: 9.39.2(jiti@2.6.1) ignore: 7.0.5 natural-compare: 1.4.0 ts-api-utils: 2.1.0(typescript@5.9.3) @@ -8809,14 +8815,14 @@ snapshots: transitivePeerDependencies: - supports-color - "@typescript-eslint/parser@8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3)": + "@typescript-eslint/parser@8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3)": dependencies: "@typescript-eslint/scope-manager": 8.49.0 "@typescript-eslint/types": 8.49.0 "@typescript-eslint/typescript-estree": 8.49.0(typescript@5.9.3) "@typescript-eslint/visitor-keys": 8.49.0 debug: 4.4.3 - eslint: 9.39.1(jiti@2.6.1) + eslint: 9.39.2(jiti@2.6.1) typescript: 5.9.3 transitivePeerDependencies: - supports-color @@ -8839,13 +8845,13 @@ snapshots: dependencies: typescript: 5.9.3 - "@typescript-eslint/type-utils@8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3)": + "@typescript-eslint/type-utils@8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3)": dependencies: "@typescript-eslint/types": 8.49.0 "@typescript-eslint/typescript-estree": 8.49.0(typescript@5.9.3) - "@typescript-eslint/utils": 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) + "@typescript-eslint/utils": 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) debug: 4.4.3 - eslint: 9.39.1(jiti@2.6.1) + eslint: 9.39.2(jiti@2.6.1) ts-api-utils: 2.1.0(typescript@5.9.3) typescript: 5.9.3 transitivePeerDependencies: @@ -8868,13 +8874,13 @@ snapshots: transitivePeerDependencies: - supports-color - "@typescript-eslint/utils@8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3)": + "@typescript-eslint/utils@8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3)": dependencies: - "@eslint-community/eslint-utils": 4.9.0(eslint@9.39.1(jiti@2.6.1)) + "@eslint-community/eslint-utils": 4.9.0(eslint@9.39.2(jiti@2.6.1)) "@typescript-eslint/scope-manager": 8.49.0 "@typescript-eslint/types": 8.49.0 "@typescript-eslint/typescript-estree": 8.49.0(typescript@5.9.3) - eslint: 9.39.1(jiti@2.6.1) + eslint: 9.39.2(jiti@2.6.1) typescript: 5.9.3 transitivePeerDependencies: - supports-color @@ -9702,14 +9708,14 @@ snapshots: escape-string-regexp@4.0.0: {} - eslint-plugin-react-hooks@7.0.1(eslint@9.39.1(jiti@2.6.1)): + eslint-plugin-react-hooks@7.0.1(eslint@9.39.2(jiti@2.6.1)): dependencies: "@babel/core": 7.28.5 "@babel/parser": 7.28.5 - eslint: 9.39.1(jiti@2.6.1) + eslint: 9.39.2(jiti@2.6.1) hermes-parser: 0.25.1 - zod: 4.1.13 - zod-validation-error: 4.0.2(zod@4.1.13) + zod: 4.2.0 + zod-validation-error: 4.0.2(zod@4.2.0) transitivePeerDependencies: - supports-color @@ -9727,15 +9733,15 @@ snapshots: eslint-visitor-keys@4.2.1: {} - eslint@9.39.1(jiti@2.6.1): + eslint@9.39.2(jiti@2.6.1): dependencies: - "@eslint-community/eslint-utils": 4.9.0(eslint@9.39.1(jiti@2.6.1)) + "@eslint-community/eslint-utils": 4.9.0(eslint@9.39.2(jiti@2.6.1)) "@eslint-community/regexpp": 4.12.2 "@eslint/config-array": 0.21.1 "@eslint/config-helpers": 0.4.2 "@eslint/core": 0.17.0 "@eslint/eslintrc": 3.3.3 - "@eslint/js": 9.39.1 + "@eslint/js": 9.39.2 "@eslint/plugin-kit": 0.4.1 "@humanfs/node": 0.16.7 "@humanwhocodes/module-importer": 1.0.1 @@ -10648,9 +10654,9 @@ snapshots: optionalDependencies: "@nestjs/swagger": 11.2.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2) - next@16.0.9(@babel/core@7.28.5)(react-dom@19.2.1(react@19.2.1))(react@19.2.1): + next@16.0.10(@babel/core@7.28.5)(react-dom@19.2.1(react@19.2.1))(react@19.2.1): dependencies: - "@next/env": 16.0.9 + "@next/env": 16.0.10 "@swc/helpers": 0.5.15 caniuse-lite: 1.0.30001760 postcss: 8.4.31 @@ -10658,14 +10664,14 @@ snapshots: react-dom: 19.2.1(react@19.2.1) styled-jsx: 5.1.6(@babel/core@7.28.5)(react@19.2.1) optionalDependencies: - "@next/swc-darwin-arm64": 16.0.9 - "@next/swc-darwin-x64": 16.0.9 - "@next/swc-linux-arm64-gnu": 16.0.9 - "@next/swc-linux-arm64-musl": 16.0.9 - "@next/swc-linux-x64-gnu": 16.0.9 - "@next/swc-linux-x64-musl": 16.0.9 - "@next/swc-win32-arm64-msvc": 16.0.9 - "@next/swc-win32-x64-msvc": 16.0.9 + "@next/swc-darwin-arm64": 16.0.10 + "@next/swc-darwin-x64": 16.0.10 + "@next/swc-linux-arm64-gnu": 16.0.10 + "@next/swc-linux-arm64-musl": 16.0.10 + "@next/swc-linux-x64-gnu": 16.0.10 + "@next/swc-linux-x64-musl": 16.0.10 + "@next/swc-win32-arm64-msvc": 16.0.10 + "@next/swc-win32-x64-msvc": 16.0.10 sharp: 0.34.5 transitivePeerDependencies: - "@babel/core" @@ -11586,13 +11592,13 @@ snapshots: typedarray@0.0.6: {} - typescript-eslint@8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3): + typescript-eslint@8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3): dependencies: - "@typescript-eslint/eslint-plugin": 8.49.0(@typescript-eslint/parser@8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) - "@typescript-eslint/parser": 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) + "@typescript-eslint/eslint-plugin": 8.49.0(@typescript-eslint/parser@8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) + "@typescript-eslint/parser": 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) "@typescript-eslint/typescript-estree": 8.49.0(typescript@5.9.3) - "@typescript-eslint/utils": 8.49.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3) - eslint: 9.39.1(jiti@2.6.1) + "@typescript-eslint/utils": 8.49.0(eslint@9.39.2(jiti@2.6.1))(typescript@5.9.3) + eslint: 9.39.2(jiti@2.6.1) typescript: 5.9.3 transitivePeerDependencies: - supports-color @@ -11796,12 +11802,14 @@ snapshots: dependencies: grammex: 3.1.12 - zod-validation-error@4.0.2(zod@4.1.13): + zod-validation-error@4.0.2(zod@4.2.0): dependencies: - zod: 4.1.13 + zod: 4.2.0 zod@4.1.13: {} + zod@4.2.0: {} + zustand@5.0.9(@types/react@19.2.7)(react@19.2.1): optionalDependencies: "@types/react": 19.2.7 diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index 0c3dcd31..29367b4f 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -2,8 +2,7 @@ packages: - apps/* - packages/* -# Centralized dependency versions (pnpm Catalogs) catalog: - zod: "4.1.13" - typescript: "5.9.3" - "@types/node": "24.10.3" + "@types/node": 24.10.3 + typescript: 5.9.3 + zod: 4.1.13 diff --git a/scripts/security-check.sh b/scripts/security-check.sh new file mode 100755 index 00000000..c9890dbd --- /dev/null +++ b/scripts/security-check.sh @@ -0,0 +1,97 @@ +#!/bin/bash + +# Security Check Script +# Run this to perform a comprehensive security check on your project + +set -e + +echo "🔍 Starting Security Scan..." +echo "" + +# Colors for output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +# Function to print colored output +print_status() { + local color=$1 + local message=$2 + echo -e "${color}${message}${NC}" +} + +# Check if we're in the right directory +if [ ! -f "package.json" ]; then + print_status "$RED" "❌ Error: package.json not found. Please run this script from the project root." + exit 1 +fi + +print_status "$YELLOW" "đŸ“Ļ Checking for security vulnerabilities..." +echo "" + +# Run security audit +if pnpm audit --audit-level=high; then + print_status "$GREEN" "✅ No high or critical vulnerabilities found!" +else + print_status "$RED" "⚠ī¸ Security vulnerabilities detected!" + echo "" + print_status "$YELLOW" "Generating detailed report..." + pnpm audit --json > security-report.json + print_status "$GREEN" "Report saved to: security-report.json" + echo "" + print_status "$YELLOW" "To fix vulnerabilities, try:" + echo " pnpm security:fix" + echo " or update packages manually" + exit 1 +fi + +echo "" +print_status "$YELLOW" "📋 Checking for outdated dependencies..." +echo "" + +if pnpm outdated --recursive > /dev/null 2>&1; then + print_status "$GREEN" "✅ All dependencies are up to date!" +else + print_status "$YELLOW" "ℹī¸ Some dependencies have updates available" + echo "" + pnpm outdated --recursive || true + echo "" + print_status "$YELLOW" "To update safely, run:" + echo " pnpm update:safe" +fi + +echo "" +print_status "$YELLOW" "🔍 Running linter..." +echo "" + +if pnpm lint; then + print_status "$GREEN" "✅ No linting errors!" +else + print_status "$RED" "⚠ī¸ Linting errors found!" + echo "" + print_status "$YELLOW" "To fix automatically, try:" + echo " pnpm lint:fix" + exit 1 +fi + +echo "" +print_status "$YELLOW" "📝 Running type check..." +echo "" + +if pnpm type-check; then + print_status "$GREEN" "✅ No type errors!" +else + print_status "$RED" "⚠ī¸ Type errors found!" + exit 1 +fi + +echo "" +print_status "$GREEN" "🎉 All security checks passed!" +echo "" +print_status "$YELLOW" "Recommendations:" +echo " 1. Review any outdated dependencies" +echo " 2. Run tests: pnpm test" +echo " 3. Push changes to trigger CI/CD security scans" +echo "" +