fix: pin Trivy action to SHA, accept documented risk for moderate advisories #337
Closed
itsmiso-ai wants to merge 5 commits into
added 5 commits (June 8, 2026 12:06)
Extract DB-backed lock from scheduled sync into shared module (src/lib/sync-lock.ts) and apply it to manual issue sync and automation sync endpoints. This prevents overlapping concurrent runs across all three sync types (scheduled, manual, automation), addressing race conditions from browser refreshes, cron overlap, or repeated clicks.
- New src/lib/sync-lock.ts: acquireLock(syncType) / releaseLock(runId) with stale lock cleanup (>30 min) and transactional double-check
- src/app/api/sync/route.ts: acquire lock before issue sync, return 409 if a sync is already running
- src/app/api/automation/sync/route.ts: acquire lock before automation sync (single repo or batch), return 409 if locked
- src/app/api/sync/scheduled/route.ts: replace inline lock with shared module import, update error message to be sync-type-agnostic
- prisma/schema.prisma: update syncType comment to include 'automation'
- Add authorizeRequest() to sync/route.ts POST handler for Bearer token auth
- Add authorizeRequest() to webhook/route.ts POST handler
- Make webhook signature verification fail-closed by default
- Introduce WEBHOOK_GATEWAY_MODE=true opt-out for gateway deployments
- Update documentation comments to reflect new security model
Add a new GET /api/issues/untriaged endpoint that surfaces open issues with no status/* label for grooming intake. This addresses issue #325:
- Returns open issues from enabled repos without any status/ label
- Excludes Renovate/dashboard noise by default (configurable)
- Bounds results per run (default 50, hard cap 200)
- Supports repo filter and excludeRenovate query params
- Not claimable by worker queues — grooming-only view
Includes tests for the new endpoint and updates route smoke checks.
Add .npmrc with 'omit=' to override global npm config that omits devDependencies by default. This ensures 'npm ci' installs all dependencies needed for 'npm run typecheck' and 'npm run test' to work from a clean checkout.
…oderate advisories
- Pin aquasecurity/trivy-action to SHA ed142fd (v0.36.0) instead of @master for reproducible CI security scanning
- Fix .npmrc invalid omit config (omit= → omit=dev)
- Tighten version ranges: next ^16.2.7, prisma ^7.8.0, @prisma/client ^7.8.0
- Document accepted risk for 5 moderate advisories in SECURITY-ACCEPTED-RISKS.md (next/postcss XSS and prisma/@hono/node-server bypass require major downgrades)
Author (Contributor): Superseded by #338, which has a clean diff targeting only the dependency advisories fix.
Fixes #314
- Pin aquasecurity/trivy-action to SHA ed142fd (v0.36.0) instead of @master for reproducible CI security scanning
- Fix .npmrc invalid omit= config (was empty, now omit=dev)

Accepted Risks
Two moderate advisories cannot be resolved without major version downgrades:
Both are low-risk in our self-hosted deployment model. See SECURITY-ACCEPTED-RISKS.md for details.
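The pinning change above can be enforced rather than applied once by hand. The script below is an added example, not code from this PR or the project: it lists every `uses:` reference in a workflow file that is not pinned to a full 40-hex commit SHA, which is how `aquasecurity/trivy-action@master` would have been caught. It assumes unquoted `uses:` values, skips local (./) and docker:// references, and the sample workflow and its 40-hex SHA (only the ed142fd prefix comes from the PR) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the PR or the project: report GitHub Actions
# `uses:` references that are not pinned to a full 40-hex commit SHA, the drift
# this PR removes by replacing aquasecurity/trivy-action@master with a SHA.
# Assumes unquoted `uses:` values; local (./) and docker:// references are skipped.

unpinned_uses() {
  # $1: workflow file. Prints "<line>: <ref>" for each mutable reference and
  # exits 1 if any were found, so it can gate a CI job.
  awk '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
      sub(/[[:space:]]*#.*$/, "", ref)      # drop trailing "# v0.36.0" style comments
      gsub(/"/, "", ref)
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, parts, "@")
      # Tags (v4) and branches (master) can be moved; only a full SHA is immutable.
      if (n != 2 || length(parts[2]) != 40 || parts[2] !~ /^[0-9a-f]+$/) {
        printf "%d: %s\n", NR, ref
        found = 1
      }
    }
    END { if (found) exit 1 }' "$1"
}

# Constructed sample workflow with the before/after Trivy step. The 40-hex SHA is
# a placeholder: only its ed142fd prefix comes from the PR.
write_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: security-scan
on: [push]
jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - name: Run Trivy (before)
        uses: aquasecurity/trivy-action@master
      - name: Run Trivy (after)
        uses: aquasecurity/trivy-action@ed142fd000000000000000000000000000000000 # v0.36.0
EOF
  echo "$f"
}

if [ $# -gt 0 ]; then unpinned_uses "$1"; fi
```

Run it as `sh check-pins.sh .github/workflows/security.yml` in CI; a non-zero exit fails the job until every reference is a full SHA.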