misospace · itsmiso-ai · Jun 10, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -79,7 +79,7 @@ jobs:
 
       - name: Run Trivy vulnerability scanner
         if: github.event_name != 'pull_request'
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
         continue-on-error: true
         with:
           image-ref: ${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}

diff --git a/SECURITY-ACCEPTED-RISKS.md b/SECURITY-ACCEPTED-RISKS.md
@@ -0,0 +1,31 @@
+# Accepted Security Risks
+
+The following moderate-severity advisories are accepted as low-risk for the dispatch project.
+Fixing them would require major version downgrades that break functionality.
+
+## 1. `next` → bundled `postcss` (XSS via unescaped `</style>` — GHSA-qx2v-qp2m-jg93)
+
+- **Affected:** `next@16.2.7` bundles `postcss@8.4.31` (< 8.5.10)
+- **Impact:** Moderate (CVSS 6.1) — XSS requires user interaction (UI:R in CVSS)
+- **Why not fix:** Latest stable Next.js (16.2.7) still bundles vulnerable postcss.
+  Upgrading to a patched version would require a major downgrade to `next@9.3.3`,
+  which is not viable. The attack surface requires user-supplied CSS with crafted
+  `</style>` tags — unlikely in our self-hosted deployment model.
+
+## 2. `prisma` → `@prisma/dev` → `@hono/node-server` (Middleware bypass — GHSA-92pp-h63x-v22m)
+
+- **Affected:** `prisma@7.8.0` depends on `@prisma/dev` ≤ 0.24.8, which depends
+  on `@hono/node-server` < 1.19.13 (middleware bypass via repeated slashes in serveStatic)
+- **Impact:** Moderate (CVSS 5.3) — path traversal in static file serving
+- **Why not fix:** The only fix available is downgrading to `prisma@6.19.3` (major downgrade).
+  Our deployment does not use `serveStatic` with user-controlled paths, and Prisma's
+  dev tools are not exposed in production builds.
+
+## Resolution
+
+| Advisory | Status | Action |
+|---|---|---|
+| Trivy action pinned to SHA | ✅ Resolved | `aquasecurity/trivy-action@ed142fd` (v0.36.0) |
+| `.npmrc` invalid omit config | ✅ Resolved | Fixed `omit=` → `omit=dev` |
+| next/postcss XSS | 🟡 Accepted risk | Monitor for Next.js patch; no viable upgrade path |
+| prisma/@hono/node-server bypass | 🟡 Accepted risk | Monitor for Prisma patch; no viable upgrade path |
diff --git a/docs/smoke-checklist.md b/docs/smoke-checklist.md
@@ -30,10 +30,12 @@ Run all checks against the target instance (local dev, staging, or production) b
 {
   "ok": true,
   "database": "ok",
-  "version": "0.1.13"
+  "version": "<current-app-version>"
 }
 ```
 
+**Note:** The `version` field is dynamically resolved by `getAppVersion()` — it reflects the current app version from `package.json` (or `NEXT_PUBLIC_DISPATCH_VERSION` at build time).
+
 **Status code:** `200 OK`
 
 **Failure signal:** Any response with `ok: false`, `database: "error"`, or status `503`. This means the PostgreSQL database is unreachable but Dispatch itself is still running.

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -27,15 +27,15 @@
     "@dnd-kit/utilities": "^3.2.2",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@prisma/adapter-pg": "^7.8.0",
-    "@prisma/client": "^7.0.0",
+    "@prisma/client": "^7.8.0",
     "@radix-ui/react-slot": "^1.2.4",
     "class-variance-authority": "^0.7.0",
     "clsx": "^2.1.1",
     "effect": "^3.20.0",
     "lucide-react": "^1.0.0",
-    "next": "16.2.7",
+    "next": "^16.2.7",
     "next-auth": "^5.0.0-beta.31",
-    "prisma": "^7.0.0",
+    "prisma": "^7.8.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
     "tailwind-merge": "^3.0.0",