chore(security): bump vite, add per-job permissions in ci.yml #172
Merged
## Dependabot #8: Vite path traversal (CVE-2026-39365)

Bump ui/package.json `vite` from ^5.4.10 to ^6.4.2. CVE-2026-39365 allows reaching `.map` files outside the project root via `../` segments under the optimized-deps URL prefix; affects vite versions <= 6.4.1 (and 7.0.0-7.3.1, and 8.0.0-8.0.4). Vite 6.4.2 patches the strict-fs allow list to reject path traversal in `.map` handling.

Impact is dev-only (the admin UI is a build-time tool gated behind the embed-admin-ui cargo feature) and requires the dev server to be exposed to the network via `--host` or `server.host`, so production exposure is nil. Bumping anyway: the audit guard is the dependency hygiene, not a runtime mitigation. `@vitejs/plugin-react ^4.3.3` is compatible with vite 6; no other manifest changes needed. `npm run build` clean: 26 modules transformed, 145 kB bundle, 218 ms.

## Code scanning #56: actions/missing-workflow-permissions

Add explicit per-job `permissions: contents: read` to all four jobs in .github/workflows/ci.yml (build, release-build, supply-chain, crate-graph). The workflow root already declared the same permissions block (PR #105, da30222), but CodeQL's actions/missing-workflow-permissions rule prefers defense-in-depth: even when the root default is read-only, a per-job block keeps the contract explicit if the root is ever widened or the job is copied into a different workflow.
`actions/checkout@v4` (and pinned `@v4.1.7`) was on Node 20, which GitHub deprecated for runner-hosted actions. The workflows here papered over the deprecation with `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` env vars per the September 2025 changelog. The proper fix is to bump to the v5 majors that target Node 24 natively, then drop the env shim.

Bumped across every workflow:

- actions/checkout v4 -> v5
- actions/upload-artifact v4 -> v5
- actions/download-artifact v4 -> v5
- actions/cache v4 -> v5
- actions/github-script v7 -> v8

Dropped `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` env vars from ci.yml, release.yml, release-checks.yml, perf-regression.yml, reproducible-build.yml, licensing-conformance.yml, e2e.yml, fixture-freshness.yml, docs-ci.yml, and synthetic.yml; they are unnecessary once every action declares `runs.using: node24`.

Reference: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
rickcrawford added a commit that referenced this pull request on May 16, 2026
The docs-ci lane (scripts/docs-ci.sh) extracts every fenced rust block and type-checks it via `rustc --emit=metadata`. Five blocks across three docs files were authored as pseudocode and never compiled cleanly. They flagged the docs-ci job as failed on every PR that touched docs even though docs-ci is not a required gate; PR #172 was the latest casualty (run 25949658645).

Fixed by adding `,ignore` to the info tag, which the script's `is_skipped` predicate recognises alongside `no_run`, `skip`, `compile_fail`, and `edition2024`:

- docs/cloudflare-code-mode.md (1 block): WOR-410 usage example with a placeholder construction. Also tightens the placeholder to `/* built at startup */;` so it reads as obviously incomplete.
- docs/outbound-peer-pricing.md (1 block): llms.txt parse + iterate example that references types out of context.
- docs/adr-ai-hub-format.md (3 blocks): WOR-235 ADR pseudocode for the ChatFormat trait, hub types, and streaming event vocabulary. These are design sketches, not runnable code.

Local docs-ci is now green: `checked=99 skipped=29 rc=0` (vs `checked=104 skipped=24 rc=1` before).
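The skip mechanism described in that commit, as an added example that is not the project's scripts/docs-ci.sh: a POSIX sh script that extracts every fenced rust block from a markdown file, applies an `is_skipped` predicate that honours the same info-tag markers listed above (`ignore`, `no_run`, `skip`, `compile_fail`, `edition2024`), and type-checks the remaining blocks with `rustc --emit=metadata` when a rustc is on PATH. The function names, the `checked=N skipped=M rc=R` summary line and the sample document it builds are assumptions modelled on the commit text, not the project's own code.

```shell
#!/bin/sh
# Added example, not the project's scripts/docs-ci.sh: extract fenced "rust"
# blocks, skip those whose info tag carries a do-not-compile marker, and
# type-check the rest. Function names and the sample document are assumptions.

# Three backticks, built from octal escapes so this script can itself be shown
# inside a markdown fence.
FENCE=$(printf '\140\140\140')

# is_skipped INFO_TAG: succeeds when the tag (e.g. "rust,no_run,edition2024")
# carries any marker that means "do not compile this block".
is_skipped() {
  for attr in $(printf '%s' "$1" | tr ',' ' '); do
    case "$attr" in
      ignore|no_run|skip|compile_fail|edition2024) return 0 ;;
    esac
  done
  return 1
}

# check_file MARKDOWN: prints "checked=N skipped=M rc=R"; rc=1 if any checked
# block fails to type-check (rustc absent: blocks are counted but not compiled).
check_file() {
  md=$1
  workdir=$(mktemp -d)
  checked=0; skipped=0; rc=0
  # awk writes each rust block to blockN.rs and records "N <info-tag>" in
  # $workdir/tags; fences for other languages are ignored.
  awk -v dir="$workdir" -v fence="$FENCE" '
    index($0, fence "rust") == 1 && !infence {
      infence = 1; n++; out = dir "/block" n ".rs"
      print n, substr($0, 4) > (dir "/tags"); next
    }
    index($0, fence) == 1 && infence { infence = 0; close(out); next }
    infence { print > out }
  ' "$md"
  if [ -f "$workdir/tags" ]; then
    while read -r n tag; do
      if is_skipped "$tag"; then
        skipped=$((skipped + 1))
      else
        checked=$((checked + 1))
        if command -v rustc >/dev/null 2>&1; then
          # --crate-type=lib: doc snippets rarely define main; metadata-only
          # emission type-checks without linking an executable.
          rustc --emit=metadata --crate-type=lib --out-dir "$workdir" \
            "$workdir/block$n.rs" >/dev/null 2>&1 || rc=1
        fi
      fi
    done < "$workdir/tags"
  fi
  rm -rf "$workdir"
  printf 'checked=%d skipped=%d rc=%d\n' "$checked" "$skipped" "$rc"
}

# write_sample_doc FILE: a constructed document (not a project doc) with two
# compilable blocks and two pseudocode blocks that carry skip markers.
write_sample_doc() {
  {
    printf '# Sample\n\n%srust\npub fn add(a: u32, b: u32) -> u32 { a + b }\n%s\n\n' "$FENCE" "$FENCE"
    printf '%srust,ignore\nlet client = /* built at startup */;\n%s\n\n' "$FENCE" "$FENCE"
    printf '%srust,no_run,edition2024\nfn main() { println!("hi"); }\n%s\n\n' "$FENCE" "$FENCE"
    printf '%srust\npub struct Event { pub id: u64 }\n%s\n' "$FENCE" "$FENCE"
  } > "$1"
}

doc=$(mktemp)
write_sample_doc "$doc"
check_file "$doc"   # prints: checked=2 skipped=2 rc=0
rm -f "$doc"
```

The predicate only looks at the info tag, so a block that is genuinely broken and carries no marker still fails the lane, which is the behaviour the commit relies on: `,ignore` is an explicit opt-out per block, not a global switch.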
Closes two open security alerts and removes the Node-20 deprecation banner across every workflow.
## Dependabot #8: Vite path traversal (CVE-2026-39365)

Bumps ui/package.json `vite` from `^5.4.10` to `^6.4.2`.

- `vite <= 6.4.1` (and 7.0.0-7.3.1, 8.0.0-8.0.4)
- `embed-admin-ui` cargo feature, so production exposure is nil. Fixing as a hygiene baseline.
- `@vitejs/plugin-react ^4.3.3` is compatible with Vite 6; no other manifest changes.
- `npm run build` clean: 26 modules transformed, 145 kB bundle, 218 ms.
- `npm audit` reports zero findings.

## Code scanning #56: actions/missing-workflow-permissions

Adds explicit `permissions: contents: read` to all four jobs in `.github/workflows/ci.yml` (`build`, `release-build`, `supply-chain`, `crate-graph`). The workflow root already declared the same block (PR #105), but CodeQL prefers defense-in-depth: the per-job block keeps the auth contract explicit even if the root default widens or the job is copied into a different workflow.

## Node-20 deprecation removal

GitHub deprecated Node 20 for runner-hosted actions in the September 2025 changelog. Every workflow here was papering over the deprecation with `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` env vars. Bumped to the v5 majors that declare `runs.using: node24` natively, then dropped the env shim.

- `actions/checkout`
- `actions/upload-artifact`
- `actions/download-artifact`
- `actions/cache`
- `actions/github-script`

Dropped `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24` from `ci.yml`, `release.yml`, `release-checks.yml`, `perf-regression.yml`, `reproducible-build.yml`, `licensing-conformance.yml`, `e2e.yml`, `fixture-freshness.yml`, `docs-ci.yml`, and `synthetic.yml`.

## Test plan

- `npm install && npm run build` in `ui/` (vite 6.4.2, no audit findings)
- `@v4`, `@v7.x`, and `FORCE_JAVASCRIPT_ACTIONS_TO_NODE24`
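The per-job permissions contract that the Code scanning #56 item (and the matching commit message above) describes can be checked mechanically. What follows is an added example, not the project's ci.yml and not CodeQL's query: a constructed workflow modelled on the four job ids named in this PR, written once with only the root-level `permissions` block and once with the per-job block this PR adds, plus a POSIX sh/awk check that lists every job that merely inherits from the root. Only the job names come from the PR; the steps, file contents and function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's ci.yml and not CodeQL's rule: a constructed
# workflow with and without per-job permissions, and a check that reports the
# jobs relying on the root default. Steps and function names are assumptions.

# write_workflow FILE yes|no: "yes" adds `permissions: contents: read` under
# every job (the change this PR makes); "no" leaves only the root-level block.
write_workflow() {
  {
    printf 'name: ci\non: [push, pull_request]\n'
    printf 'permissions:\n  contents: read\n'
    printf 'jobs:\n'
    for job in build release-build supply-chain crate-graph; do
      printf '  %s:\n    runs-on: ubuntu-latest\n' "$job"
      if [ "$2" = yes ]; then
        printf '    permissions:\n      contents: read\n'
      fi
      printf '    steps:\n      - uses: actions/checkout@v5\n      - run: echo %s\n' "$job"
    done
  } > "$1"
}

# jobs_missing_permissions FILE: prints one job id per line for every job
# under `jobs:` with no `permissions:` key of its own. Such a job silently
# takes whatever the root block grants, which is the coupling the CodeQL
# actions/missing-workflow-permissions finding is about: widen the root or
# copy the job elsewhere and its token scope changes with no diff in the job.
jobs_missing_permissions() {
  awk '
    /^jobs:/                        { injobs = 1; next }
    injobs && /^[^ ]/               { injobs = 0 }   # next top-level key ends the jobs map
    injobs && /^  [A-Za-z0-9_-]+:/ {                 # two-space indent: a job id
      if (job != "" && !has[job]) print job
      job = $1; sub(/:$/, "", job); has[job] = 0; next
    }
    injobs && job != "" && /^    permissions:/ { has[job] = 1 }
    END { if (job != "" && !has[job]) print job }
  ' "$1"
}

# Constructed before/after pair, written to temp files.
before=$(mktemp); after=$(mktemp)
write_workflow "$before" no
write_workflow "$after" yes
echo "jobs relying on the root default in the 'before' workflow:"
jobs_missing_permissions "$before"    # build, release-build, supply-chain, crate-graph
echo "jobs still missing a block in the 'after' workflow:"
jobs_missing_permissions "$after"     # (none)
rm -f "$before" "$after"
```

The check deliberately ignores the root block: a root `contents: read` is the right default, but it is not what the per-job rule asks for, and the "before" file shows that a workflow can be root-read-only and still have every job flagged.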