Upgrade from v0.15.0 to v1.4.1#32
Merged
Bumps [coverallsapp/github-action](https://github.com/coverallsapp/github-action) from 2.3.6 to 2.3.7.
- [Release notes](https://github.com/coverallsapp/github-action/releases)
- [Commits](coverallsapp/github-action@v2.3.6...v2.3.7)

---
updated-dependencies:
- dependency-name: coverallsapp/github-action
  dependency-version: 2.3.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.6.0 to 3.7.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v3.6.0...v3.7.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: 3.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) from 8.32.0 to 8.46.2.
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.46.2/packages/eslint-plugin)

---
updated-dependencies:
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.46.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Felipe Alvarado <6717781+falvaradorodriguez@users.noreply.github.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Uxío <Uxio0@users.noreply.github.com>
Bumps [ts-jest](https://github.com/kulshekhar/ts-jest) from 29.4.5 to 29.4.6.
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v29.4.5...v29.4.6)

---
updated-dependencies:
- dependency-name: ts-jest
  dependency-version: 29.4.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@nestjs/cli](https://github.com/nestjs/nest-cli) from 11.0.13 to 11.0.14.
- [Release notes](https://github.com/nestjs/nest-cli/releases)
- [Commits](nestjs/nest-cli@11.0.13...11.0.14)

---
updated-dependencies:
- dependency-name: "@nestjs/cli"
  dependency-version: 11.0.14
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@eslint/eslintrc](https://github.com/eslint/eslintrc) from 3.3.1 to 3.3.3.
- [Release notes](https://github.com/eslint/eslintrc/releases)
- [Changelog](https://github.com/eslint/eslintrc/blob/main/CHANGELOG.md)
- [Commits](eslint/eslintrc@v3.3.1...eslintrc-v3.3.3)

---
updated-dependencies:
- dependency-name: "@eslint/eslintrc"
  dependency-version: 3.3.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express)

---
updated-dependencies:
- dependency-name: "@types/express"
  dependency-version: 5.0.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
* fix: Set Json format to Warning logs
* fix: Remove sensitive webhook fields
Bumps [viem](https://github.com/wevm/viem) from 2.40.3 to 2.42.1.
- [Release notes](https://github.com/wevm/viem/releases)
- [Commits](https://github.com/wevm/viem/compare/viem@2.40.3...viem@2.42.1)

---
updated-dependencies:
- dependency-name: viem
  dependency-version: 2.42.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [prettier](https://github.com/prettier/prettier) from 3.7.1 to 3.7.4.
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.7.1...3.7.4)

---
updated-dependencies:
- dependency-name: prettier
  dependency-version: 3.7.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [typeorm](https://github.com/typeorm/typeorm) from 0.3.27 to 0.3.28.
- [Release notes](https://github.com/typeorm/typeorm/releases)
- [Changelog](https://github.com/typeorm/typeorm/blob/master/CHANGELOG.md)
- [Commits](typeorm/typeorm@0.3.27...0.3.28)

---
updated-dependencies:
- dependency-name: typeorm
  dependency-version: 0.3.28
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Update License
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v6...v7)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Reuse TCP connections across webhook deliveries instead of tearing them down after each request, reducing connection overhead.
- Use timing-safe comparison for admin authentication
- Stop container startup if database migrations fail
- Document all optional env vars in README and .env.sample
- Fix README webhook timeout documentation (1s default, not 2s)
…kpressure

Unawaited func() caused channel.ack() to fire synchronously before any HTTP requests were made, making AMQP_PREFETCH_MESSAGES completely ineffective and creating unbounded concurrent connections under load.
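A small model of the prefetch bug described in that commit, added here as an example and not taken from the project's code: a fake channel that honours a prefetch window, a delivery counter standing in for the HTTP call, and the handler before and after the fix. The channel, delivery counter and message shapes are all constructed for the demonstration.

```javascript
// Added example, not the project's code: a model of the AMQP prefetch bug in
// the commit above. The channel, delivery counter and messages are constructed.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Fake AMQP channel honouring a prefetch window: a message is handed to the
// consumer only while (delivered - acked) < prefetch. Like amqplib, it ignores
// whatever the consumer callback returns.
class FakeChannel {
  constructor(prefetch, total) {
    this.prefetch = prefetch;
    this.queue = Array.from({ length: total }, (_, i) => ({ id: i }));
    this.unacked = 0;
  }
  consume(handler) {
    this.handler = handler;
    const done = new Promise((resolve) => (this.resolveDone = resolve));
    this.pump();
    return done; // resolves once the queue is empty and everything is acked
  }
  ack() { this.unacked -= 1; this.pump(); }
  pump() {
    while (this.unacked < this.prefetch && this.queue.length > 0) {
      this.unacked += 1;
      this.handler(this.queue.shift());
    }
    if (this.unacked === 0 && this.queue.length === 0) this.resolveDone();
  }
}

// Stand-in for the HTTP webhook delivery: tracks concurrent in-flight calls.
function makeDelivery(latencyMs = 5) {
  const stats = { inFlight: 0, maxInFlight: 0, completed: 0 };
  return {
    stats,
    async post() {
      stats.inFlight += 1;
      stats.maxInFlight = Math.max(stats.maxInFlight, stats.inFlight);
      await sleep(latencyMs);
      stats.inFlight -= 1;
      stats.completed += 1;
    },
  };
}

// Before the fix: the async function is not awaited, so channel.ack() runs as
// soon as post() reaches its first await; the prefetch window never fills.
const buggyHandler = (channel, delivery) => (msg) => {
  (async () => { await delivery.post(msg); })();
  channel.ack(msg);
};

// After the fix: ack only once the delivery settled, so at most `prefetch` run.
const fixedHandler = (channel, delivery) => async (msg) => {
  try { await delivery.post(msg); } finally { channel.ack(msg); }
};

// Runs one consumer over `total` messages; reports peak concurrency and how
// many deliveries had finished by the time the channel drained.
async function simulate(handlerFactory, { prefetch = 2, total = 10 } = {}) {
  const channel = new FakeChannel(prefetch, total);
  const delivery = makeDelivery();
  await channel.consume(handlerFactory(channel, delivery));
  return { maxInFlight: delivery.stats.maxInFlight, completedAtDrain: delivery.stats.completed };
}
```

Awaiting `simulate(buggyHandler)` reports ten concurrent deliveries and none finished when the channel drained; `simulate(fixedHandler)` stays at two in flight and has all ten done.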
Bumps [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core) from 11.1.9 to 11.1.17.
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.17/packages/core)

---
updated-dependencies:
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.17
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v3...v4)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v3.7.0...v4.0.0)

---
updated-dependencies:
- dependency-name: docker/setup-qemu-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Bumps [eslint-plugin-prettier](https://github.com/prettier/eslint-plugin-prettier) from 5.5.4 to 5.5.5.
- [Release notes](https://github.com/prettier/eslint-plugin-prettier/releases)
- [Changelog](https://github.com/prettier/eslint-plugin-prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/eslint-plugin-prettier@v5.5.4...v5.5.5)

---
updated-dependencies:
- dependency-name: eslint-plugin-prettier
  dependency-version: 5.5.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [axios](https://github.com/axios/axios) from 1.13.2 to 1.15.0.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.2...v1.15.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…fe-global#492)

Closes [PLA-1252](https://linear.app/safe-global/issue/PLA-1252/optimize-webhook-http-delivery)
Closes safe-global#116

## Summary

- Replace `@nestjs/axios` / `HttpService` with a `RetryAgent(new Agent(...))` provider injected under `UNDICI_AGENT` in `WebhookModule`
- Rewrite `postWebhook` as plain `async/await`, removing the RxJS `firstValueFrom` / `catchError` / `of` layer
- Add exponential-backoff retry on transient network errors and 5xx responses (`maxRetries: 2`, `minTimeout: 200ms`, `timeoutFactor: 2`)
- Add `X-Delivery-Id` header (stable UUID across retries) for idempotent processing on the receiver side
- Increase default `HTTP_TIMEOUT` from 1s → 5s; `connectTimeout` now also bounded by `HTTP_TIMEOUT`
- Add `HTTP_MAX_RETRIES` env var; remove `@nestjs/axios` and `axios` dependencies

## Notes

- `methods: ['POST']` is set explicitly — POST is not in undici's default retry method list, so omitting it would silently disable all retries
- Retry on 5xx implies potential duplicate delivery; use `X-Delivery-Id` to deduplicate on the receiver side
- Response body is always consumed (`body.text()`) as required by undici v8
Co-authored-by: Uxio Fuentefria <6909403+Uxio0@users.noreply.github.com>
- Fix Dockerfile with `CI=true` to prevent `ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY`
…al#514)

* feat: Add explicit permissions to GitHub Actions workflows

  Set permissions: {} at the workflow level (deny-all) and grant least-privilege scopes per job to resolve CodeQL "Workflow does not contain permissions" alerts.

* feat: Limit more the permissions needed
…obal#524)

- Iterate the cached webhook map directly in postEveryWebhook instead of materializing it into an array and filtering/mapping it on every event.
- Read webhook response bodies up to WEBHOOK_MAX_RESPONSE_BYTES (default 10KB) so a misbehaving or malicious target cannot exhaust memory with an unbounded body; truncated bodies are flagged.
- Update dispatcher spec mock to expose an async-iterable response body.
…#522)

Bumps the nestjs group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@nestjs/cache-manager](https://github.com/nestjs/cache-manager) | `3.0.1` | `3.1.2` |
| [@nestjs/common](https://github.com/nestjs/nest/tree/HEAD/packages/common) | `11.1.9` | `11.1.21` |
| [@nestjs/config](https://github.com/nestjs/config) | `4.0.2` | `4.0.4` |
| [@nestjs/core](https://github.com/nestjs/nest/tree/HEAD/packages/core) | `11.1.17` | `11.1.21` |
| [@nestjs/platform-express](https://github.com/nestjs/nest/tree/HEAD/packages/platform-express) | `11.1.9` | `11.1.21` |
| [@nestjs/schedule](https://github.com/nestjs/schedule) | `6.0.1` | `6.1.3` |
| [@nestjs/swagger](https://github.com/nestjs/swagger) | `11.2.3` | `11.4.3` |
| [@nestjs/terminus](https://github.com/nestjs/terminus) | `11.0.0` | `11.1.1` |
| [@nestjs/typeorm](https://github.com/nestjs/typeorm) | `11.0.0` | `11.0.1` |
| [@nestjs/cli](https://github.com/nestjs/nest-cli) | `11.0.14` | `11.0.21` |
| [@nestjs/schematics](https://github.com/nestjs/schematics) | `11.0.9` | `11.1.0` |
| [@nestjs/testing](https://github.com/nestjs/nest/tree/HEAD/packages/testing) | `11.1.9` | `11.1.21` |

Updates `@nestjs/cache-manager` from 3.0.1 to 3.1.2
- [Release notes](https://github.com/nestjs/cache-manager/releases)
- [Commits](nestjs/cache-manager@3.0.1...3.1.2)

Updates `@nestjs/common` from 11.1.9 to 11.1.21
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.21/packages/common)

Updates `@nestjs/config` from 4.0.2 to 4.0.4
- [Release notes](https://github.com/nestjs/config/releases)
- [Commits](nestjs/config@4.0.2...4.0.4)

Updates `@nestjs/core` from 11.1.17 to 11.1.21
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.21/packages/core)

Updates `@nestjs/platform-express` from 11.1.9 to 11.1.21
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.21/packages/platform-express)

Updates `@nestjs/schedule` from 6.0.1 to 6.1.3
- [Release notes](https://github.com/nestjs/schedule/releases)
- [Commits](nestjs/schedule@6.0.1...6.1.3)

Updates `@nestjs/swagger` from 11.2.3 to 11.4.3
- [Release notes](https://github.com/nestjs/swagger/releases)
- [Commits](nestjs/swagger@11.2.3...11.4.3)

Updates `@nestjs/terminus` from 11.0.0 to 11.1.1
- [Release notes](https://github.com/nestjs/terminus/releases)
- [Changelog](https://github.com/nestjs/terminus/blob/master/CHANGELOG.md)
- [Commits](nestjs/terminus@11.0.0...11.1.1)

Updates `@nestjs/typeorm` from 11.0.0 to 11.0.1
- [Release notes](https://github.com/nestjs/typeorm/releases)
- [Commits](nestjs/typeorm@11.0.0...11.0.1)

Updates `@nestjs/cli` from 11.0.14 to 11.0.21
- [Release notes](https://github.com/nestjs/nest-cli/releases)
- [Commits](nestjs/nest-cli@11.0.14...11.0.21)

Updates `@nestjs/schematics` from 11.0.9 to 11.1.0
- [Release notes](https://github.com/nestjs/schematics/releases)
- [Commits](nestjs/schematics@11.0.9...11.1.0)

Updates `@nestjs/testing` from 11.1.9 to 11.1.21
- [Release notes](https://github.com/nestjs/nest/releases)
- [Commits](https://github.com/nestjs/nest/commits/v11.1.21/packages/testing)

---
updated-dependencies:
- dependency-name: "@nestjs/cache-manager"
  dependency-version: 3.1.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nestjs
- dependency-name: "@nestjs/common"
  dependency-version: 11.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nestjs
- dependency-name: "@nestjs/config"
  dependency-version: 4.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nestjs
- dependency-name: "@nestjs/core"
  dependency-version: 11.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nestjs
- dependency-name: "@nestjs/platform-express"
  dependency-version: 11.1.21
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nestjs
- dependency-name: "@nestjs/schedule"
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nestjs
- dependency-name: "@nestjs/swagger"
  dependency-version: 11.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nestjs
- dependency-name: "@nestjs/terminus"
  dependency-version: 11.1.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: nestjs
- dependency-name: "@nestjs/typeorm"
  dependency-version: 11.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: nestjs
- dependency-name: "@nestjs/cli"
  dependency-version: 11.0.21
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: nestjs
- dependency-name: "@nestjs/schematics"
  dependency-version: 11.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: nestjs
- dependency-name: "@nestjs/testing"
  dependency-version: 11.1.21
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: nestjs
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* fix: harden auth with constant-time comparison

  - Deny AdminWebhookGuard access when ADMIN_WEBHOOK_AUTH is unset, instead of accepting an empty `Basic ` credential, and log that it must be set.
  - Replace timing-unsafe `===` comparisons in BasicAuthGuard and AdminWebhookGuard with a constant-time check.
  - Extract shared safeCompare util (timingSafeEqual) and reuse it in the guards and AuthService, removing duplicated comparison logic.
  - Add unit tests for safeCompare.

* Add tests for AuthGuard
* fix: serve AdminJS static assets under pnpm (PLA-1573)

  AdminJS's express adapter serves its frontend bundles with res.sendFile(path.resolve(asset.src)) and no options. Under pnpm these live in node_modules/.pnpm/..., and the ".pnpm" dotfile segment trips Express 5 / send's default `dotfiles: 'ignore'`, turning every asset into a spurious 404 — the admin login page rendered blank and flooded the logs with NotFoundError.

  Patch res.sendFile on the admin layer to force `dotfiles: 'allow'` for AdminJS's (fixed, package-internal) asset paths. Runs unconditionally, unlike the proxy-prefix rewrites which are gated on x-forwarded-prefix.

* refactor: simplify AdminJS response patching (PLA-1573)

  Two non-behavioral cleanups on top of the dotfile fix:

  - Collapse patchAdminAssetDotfiles to the single sendFile(path) shape that @adminjs/express actually uses, dropping the defensive handling of call shapes it never produces.
  - Consolidate the three admin response patches behind one patchAdminResponse(req, res): Location-header rewriting (extracted from ReverseProxyMiddleware as the reusable patchLocationHeader), body rewriting, and the sendFile dotfile fix. main.ts now wraps the admin layer with a single call instead of nesting an ad-hoc ReverseProxyMiddleware instance, and installAdminProxyBodyRewrite is renamed installAdminResponsePatch to match.

  The per-request x-forwarded-prefix rewriting is unchanged (the prefix is dynamic per request, so it must stay).
🚨 Breaking changes
New required environment variables: `ADMIN_COOKIE_SECRET`, `ADMIN_SESSION_SECRET`

All changes

- `corepack enable` required in CI
- `@nestjs/*` packages, `@adminjs/nestjs` 6 → 7, `cache-manager` 6 → 7, `amqp-connection-manager` 4 → 5
- `@nestjs/axios` removed, `HTTP_MAX_REDIRECTS` env var gone
- `x-forwarded-prefix` and AdminJS response patching

New / changed environment variables

| Variable | Default |
| --- | --- |
| `HTTP_MAX_RETRIES` | `2` |
| `HTTP_TIMEOUT` | `5000` |
| `AMQP_PREFETCH_MESSAGES` | `100` |
| `DB_HEALTH_CHECK_TIMEOUT` | `5000` |
| `WEBHOOK_MAX_RESPONSE_BYTES` | `10000` |
| `LOG_LEVEL` | `log` (one of `verbose`, `debug`, `log`, `warn`, `error`, `fatal`) |

Removed: `HTTP_MAX_REDIRECTS`