fix: resolve CVEs, upgrade to Astro v6, and harden API security

Docker image CVE fixes: - Install git-lfs v3.7.1 from GitHub releases (Go 1.25) instead of Debian apt (Go 1.23.12), fixing CVE-2025-68121 and 8 other Go stdlib CVEs - Strip build-only packages (esbuild, vite, rollup, svgo, tailwindcss) from production image, eliminating 9 esbuild Go stdlib CVEs Dependency upgrades: - Astro v5 → v6 (includes Vite 7, Zod 4) - Remove legacy content config (src/content/config.ts) - Update HealthResponse type for simplified health endpoint - npm overrides for fast-xml-parser ≥5.3.6, devalue ≥5.6.2, node-forge ≥1.3.2, svgo ≥4.0.1, rollup ≥4.59.0 API security hardening: - /api/auth/debug: dev-only, require auth, remove user-creation POST, strip trustedOrigins/databaseConfig from response - /api/auth/check-users: return boolean hasUsers instead of exact count - /api/cleanup/auto: require authentication, remove per-user details - /api/health: remove OS version, memory, uptime from response - /api/config: validate Gitea URL protocol (http/https only) - BETTER_AUTH_SECRET: log security warning when using insecure defaults - generateRandomString: replace Math.random() with crypto.getRandomValues() - hashValue: add random salt and timing-safe verification
2026-04-14 15:09:44 +03:00 · 2026-03-15 08:27:30 +05:30
parent 1bca7df5ab
commit cf8c5dd8cb
13 changed files with 393 additions and 427 deletions
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
  "name": "gitea-mirror",
  "type": "module",
-  "version": "3.12.5",
+  "version": "3.12.6",
  "engines": {
    "bun": ">=1.2.9"
  },
@@ -44,14 +44,18 @@
  },
  "overrides": {
    "@esbuild-kit/esm-loader": "npm:tsx@^4.21.0",
-    "devalue": "^5.5.0"
+    "devalue": "^5.6.4",
+    "fast-xml-parser": "^5.5.5",
+    "node-forge": "^1.3.3",
+    "svgo": "^4.0.1",
+    "rollup": ">=4.59.0"
  },
  "dependencies": {
-    "@astrojs/check": "^0.9.6",
-    "@astrojs/mdx": "4.3.13",
-    "@astrojs/node": "9.5.4",
-    "@astrojs/react": "^4.4.2",
-    "@better-auth/sso": "1.4.19",
+    "@astrojs/check": "^0.9.7",
+    "@astrojs/mdx": "5.0.0",
+    "@astrojs/node": "10.0.1",
+    "@astrojs/react": "^5.0.0",
+    "@better-auth/sso": "1.5.5",
    "@octokit/plugin-throttling": "^11.0.3",
    "@octokit/rest": "^22.0.1",
    "@radix-ui/react-accordion": "^1.2.12",
@@ -73,13 +77,13 @@
    "@radix-ui/react-tabs": "^1.1.13",
    "@radix-ui/react-tooltip": "^1.2.8",
    "@tailwindcss/vite": "^4.2.1",
-    "@tanstack/react-virtual": "^3.13.19",
+    "@tanstack/react-virtual": "^3.13.22",
    "@types/canvas-confetti": "^1.9.0",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "astro": "^5.18.0",
+    "astro": "^6.0.4",
    "bcryptjs": "^3.0.3",
-    "better-auth": "1.4.19",
+    "better-auth": "1.5.5",
    "buffer": "^6.0.3",
    "canvas-confetti": "^1.9.4",
    "class-variance-authority": "^0.7.1",
@@ -89,8 +93,8 @@
    "drizzle-orm": "^0.45.1",
    "fuse.js": "^7.1.0",
    "jsonwebtoken": "^9.0.3",
-    "lucide-react": "^0.575.0",
-    "nanoid": "^3.3.11",
+    "lucide-react": "^0.577.0",
+    "nanoid": "^5.1.6",
    "next-themes": "^0.4.6",
    "react": "^19.2.4",
    "react-dom": "^19.2.4",
@@ -109,15 +113,15 @@
    "@testing-library/jest-dom": "^6.9.1",
    "@testing-library/react": "^16.3.2",
    "@types/bcryptjs": "^3.0.0",
-    "@types/bun": "^1.3.9",
+    "@types/bun": "^1.3.10",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^25.3.2",
+    "@types/node": "^25.5.0",
    "@types/uuid": "^11.0.0",
-    "@vitejs/plugin-react": "^5.1.4",
+    "@vitejs/plugin-react": "^6.0.1",
    "drizzle-kit": "^0.31.9",
    "jsdom": "^28.1.0",
    "tsx": "^4.21.0",
-    "vitest": "^4.0.18"
+    "vitest": "^4.1.0"
  },
  "packageManager": "bun@1.3.10"
 }