From 58a3cfb9fdf8f85aae41e7ae9edeeb8bd42d06d2 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Aug 2025 21:07:48 +0000
Subject: [PATCH 1/7] chore: bump coder/coder-login/coder from 1.0.31 to 1.1.0
in /dogfood/coder (#19586)
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
dogfood/coder/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf
index d4ce0cb5f0b2b..b5e51f3f08763 100644
--- a/dogfood/coder/main.tf
+++ b/dogfood/coder/main.tf
@@ -425,7 +425,7 @@ module "filebrowser" {
module "coder-login" {
count = data.coder_workspace.me.start_count
source = "dev.registry.coder.com/coder/coder-login/coder"
- version = "1.0.31"
+ version = "1.1.0"
agent_id = coder_agent.dev.id
}
From dbf42612e2a950e7f164a7b0c4f4a94537e537c4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Aug 2025 22:06:48 +0000
Subject: [PATCH 2/7] chore: bump coder/coder-login/coder from 1.0.31 to 1.1.0
in /dogfood/coder-envbuilder (#19590)
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
dogfood/coder-envbuilder/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dogfood/coder-envbuilder/main.tf b/dogfood/coder-envbuilder/main.tf
index 73cef7dec5b9d..f5dfbb3259c49 100644
--- a/dogfood/coder-envbuilder/main.tf
+++ b/dogfood/coder-envbuilder/main.tf
@@ -154,7 +154,7 @@ module "filebrowser" {
module "coder-login" {
source = "dev.registry.coder.com/coder/coder-login/coder"
- version = "1.0.31"
+ version = "1.1.0"
agent_id = coder_agent.dev.id
}
From 64c50534e70c9caaac2847ec532dff293f452730 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Aug 2025 22:27:04 +0000
Subject: [PATCH 3/7] chore: bump coder/windsurf/coder from 1.1.1 to 1.2.0 in
/dogfood/coder (#19592)
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
dogfood/coder/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf
index b5e51f3f08763..bbfe2f560e3fd 100644
--- a/dogfood/coder/main.tf
+++ b/dogfood/coder/main.tf
@@ -440,7 +440,7 @@ module "cursor" {
module "windsurf" {
count = contains(jsondecode(data.coder_parameter.ide_choices.value), "windsurf") ? data.coder_workspace.me.start_count : 0
source = "dev.registry.coder.com/coder/windsurf/coder"
- version = "1.1.1"
+ version = "1.2.0"
agent_id = coder_agent.dev.id
folder = local.repo_dir
}
From b729c29ab9f8cd26c9497ab0c77088b085a557c7 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Aug 2025 22:33:19 +0000
Subject: [PATCH 4/7] chore: bump coder/cursor/coder from 1.3.1 to 1.3.2 in
/dogfood/coder (#19593)
[Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
dogfood/coder/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dogfood/coder/main.tf b/dogfood/coder/main.tf
index bbfe2f560e3fd..40f02764da46d 100644
--- a/dogfood/coder/main.tf
+++ b/dogfood/coder/main.tf
@@ -432,7 +432,7 @@ module "coder-login" {
module "cursor" {
count = contains(jsondecode(data.coder_parameter.ide_choices.value), "cursor") ? data.coder_workspace.me.start_count : 0
source = "dev.registry.coder.com/coder/cursor/coder"
- version = "1.3.1"
+ version = "1.3.2"
agent_id = coder_agent.dev.id
folder = local.repo_dir
}
From 252f7d461e4ee2d350844b70f8811c90cfa4b3be Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Wed, 27 Aug 2025 15:41:28 -0700
Subject: [PATCH 5/7] chore: pin dependencies in Dockerfiles (#19587)
Fixes up some security issues related to lack of pinned dependencies
---
.github/workflows/release.yaml | 2 +-
dogfood/coder/Dockerfile | 2 +-
offlinedocs/package.json | 3 +-
offlinedocs/pnpm-lock.yaml | 20 ++---
package.json | 5 ++
pnpm-lock.yaml | 20 ++---
scripts/apidocgen/package.json | 5 +-
scripts/apidocgen/pnpm-lock.yaml | 123 ++++++++++---------------------
site/package.json | 3 +-
site/pnpm-lock.yaml | 18 ++---
10 files changed, 75 insertions(+), 126 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f4f9c8f317664..ecd2e2ac39be9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -37,7 +37,7 @@ jobs:
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
steps:
- name: Allow only maintainers/admins
- uses: actions/github-script@v7.0.1
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
diff --git a/dogfood/coder/Dockerfile b/dogfood/coder/Dockerfile
index 9d9daac11a411..b0e0e4b3f0cfd 100644
--- a/dogfood/coder/Dockerfile
+++ b/dogfood/coder/Dockerfile
@@ -41,7 +41,7 @@ RUN apt-get update && \
# goimports for updating imports
go install golang.org/x/tools/cmd/goimports@v0.31.0 && \
# protoc-gen-go is needed to build sysbox from source
- go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30 && \
+ go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30.0 && \
# drpc support for v2
go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.34 && \
# migrate for migration support for v2
diff --git a/offlinedocs/package.json b/offlinedocs/package.json
index 77af85ccf4874..d06b54a64ca4f 100644
--- a/offlinedocs/package.json
+++ b/offlinedocs/package.json
@@ -46,7 +46,8 @@
},
"pnpm": {
"overrides": {
- "@babel/runtime": "7.26.10"
+ "@babel/runtime": "7.26.10",
+ "brace-expansion": "1.1.12"
}
}
}
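Review bot: The new unscoped override `"brace-expansion": "1.1.12"` forces every consumer onto the 1.x line, and the accompanying lockfile shows minimatch@5.1.6 and minimatch@9.0.5 being moved from brace-expansion 2.0.1 down to 1.1.12 — a cross-major downgrade those minimatch releases were never built against, which also pulls the stale `concat-map` dependency back in for them. If the intent is only the expand() ReDoS fix, pnpm lets the override be scoped per major so each line stays on its own patched release: `"brace-expansion@1": "1.1.12"` and `"brace-expansion@2": "2.0.2"` (2.0.2 is, as far as I recall, the 2.x release carrying the same fix — verify against the advisory before pinning). That keeps the remediation without changing the major version of a transitive dependency behind the resolver's back.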
diff --git a/offlinedocs/pnpm-lock.yaml b/offlinedocs/pnpm-lock.yaml
index 5fff8a2098456..dca4871c014cf 100644
--- a/offlinedocs/pnpm-lock.yaml
+++ b/offlinedocs/pnpm-lock.yaml
@@ -6,6 +6,7 @@ settings:
overrides:
'@babel/runtime': 7.26.10
+ brace-expansion: 1.1.12
importers:
@@ -730,11 +731,8 @@ packages:
bare-events@2.4.2:
resolution: {integrity: sha512-qMKFd2qG/36aA4GwvKq8MxnPgCQAmBWmSyLWsJcbn8v03wvIPQ/hG1Ms8bPzndZxMDoHpxez5VOS+gC9Yi24/Q==}
- brace-expansion@1.1.11:
- resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
-
- brace-expansion@2.0.1:
- resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
+ brace-expansion@1.1.12:
+ resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==}
braces@3.0.3:
resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
@@ -3222,15 +3220,11 @@ snapshots:
bare-events@2.4.2:
optional: true
- brace-expansion@1.1.11:
+ brace-expansion@1.1.12:
dependencies:
balanced-match: 1.0.2
concat-map: 0.0.1
- brace-expansion@2.0.1:
- dependencies:
- balanced-match: 1.0.2
-
braces@3.0.3:
dependencies:
fill-range: 7.1.1
@@ -4807,15 +4801,15 @@ snapshots:
minimatch@3.1.2:
dependencies:
- brace-expansion: 1.1.11
+ brace-expansion: 1.1.12
minimatch@5.1.6:
dependencies:
- brace-expansion: 2.0.1
+ brace-expansion: 1.1.12
minimatch@9.0.5:
dependencies:
- brace-expansion: 2.0.1
+ brace-expansion: 1.1.12
minimist@1.2.8: {}
diff --git a/package.json b/package.json
index f8ab3fa89170b..b220803ad729b 100644
--- a/package.json
+++ b/package.json
@@ -13,5 +13,10 @@
"markdown-table-formatter": "^1.6.1",
"markdownlint-cli2": "^0.16.0",
"quicktype": "^23.0.0"
+ },
+ "pnpm": {
+ "overrides": {
+ "brace-expansion": "1.1.12"
+ }
}
}
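Review bot: The `"brace-expansion": "1.1.12"` override added here is unscoped, and the root lockfile shows minimatch@9.0.5 being moved from brace-expansion 2.0.1 down to 1.1.12, i.e. a major-version downgrade of a transitive dependency rather than a patch bump. Scoping the override to the vulnerable line, `"brace-expansion@1": "1.1.12"`, and giving the 2.x consumers their own patched 2.x release (`"brace-expansion@2": "2.0.2"`, if I recall the advisory correctly — please verify) applies the fix without changing which major each dependent resolves.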
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 4e6996283b064..1e2921375adb5 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
autoInstallPeers: true
excludeLinksFromLockfile: false
+overrides:
+ brace-expansion: 1.1.12
+
importers:
.:
@@ -191,11 +194,8 @@ packages:
base64-js@1.5.1:
resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}
- brace-expansion@1.1.11:
- resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
-
- brace-expansion@2.0.1:
- resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
+ brace-expansion@1.1.12:
+ resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==}
braces@3.0.3:
resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
@@ -914,15 +914,11 @@ snapshots:
base64-js@1.5.1: {}
- brace-expansion@1.1.11:
+ brace-expansion@1.1.12:
dependencies:
balanced-match: 1.0.2
concat-map: 0.0.1
- brace-expansion@2.0.1:
- dependencies:
- balanced-match: 1.0.2
-
braces@3.0.3:
dependencies:
fill-range: 7.1.1
@@ -1204,11 +1200,11 @@ snapshots:
minimatch@3.1.2:
dependencies:
- brace-expansion: 1.1.11
+ brace-expansion: 1.1.12
minimatch@9.0.5:
dependencies:
- brace-expansion: 2.0.1
+ brace-expansion: 1.1.12
minipass@7.1.2: {}
diff --git a/scripts/apidocgen/package.json b/scripts/apidocgen/package.json
index 4ab69c8f72442..29fa0631d84b8 100644
--- a/scripts/apidocgen/package.json
+++ b/scripts/apidocgen/package.json
@@ -9,7 +9,10 @@
"pnpm": {
"overrides": {
"@babel/runtime": "7.26.10",
- "form-data": "4.0.4"
+ "form-data": "4.0.4",
+ "yargs-parser": "13.1.2",
+ "ajv": "6.12.3",
+ "markdown-it": "12.3.2"
}
}
}
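Review bot: Two of the three new overrides move already-resolved packages backwards, which the lockfile in this commit makes visible: `ajv` drops from 6.12.6 to 6.12.3 for har-validator, and `yargs-parser` drops yargs@15.4.1 from 18.1.3 and yargs@17.7.2 from 21.1.1 down to 13.1.2, two majors below what those yargs releases were built against (yargs 17, if I recall, imports named helpers from yargs-parser that the 13.x line does not export, so any code path that actually exercises it may fail at runtime — worth a smoke run of the apidocgen script). Only the old ajv@5.5.2 and yargs-parser@11.1.1 resolutions were in the vulnerable ranges, so scoping the overrides to those lines fixes them without regressing the rest: `"yargs-parser@11": "13.1.2"` and `"ajv@5": "6.12.3"`. The `markdown-it` override also moves widdershins across two majors (10.0.0 → 12.3.2); probably fine for a docs generator, but a quick diff of the regenerated API docs would confirm nothing rendered differently.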
diff --git a/scripts/apidocgen/pnpm-lock.yaml b/scripts/apidocgen/pnpm-lock.yaml
index 619e9dc9f6a6c..87901653996f0 100644
--- a/scripts/apidocgen/pnpm-lock.yaml
+++ b/scripts/apidocgen/pnpm-lock.yaml
@@ -9,6 +9,9 @@ overrides:
jsonpointer: 5.0.1
'@babel/runtime': 7.26.10
form-data: 4.0.4
+ yargs-parser: 13.1.2
+ ajv: 6.12.3
+ markdown-it: 12.3.2
importers:
@@ -16,7 +19,7 @@ importers:
dependencies:
widdershins:
specifier: ^4.0.1
- version: 4.0.1(ajv@5.5.2)(mkdirp@3.0.1)
+ version: 4.0.1(ajv@6.12.3)(mkdirp@3.0.1)
packages:
@@ -42,11 +45,8 @@ packages:
'@types/json-schema@7.0.12':
resolution: {integrity: sha512-Hr5Jfhc9eYOQNPYO5WLDq/n4jqijdHNlDXjuAQkkt+mWdQR+XJToOHrsD4cPaMXpn6KO7y2+wM8AZEs8VpBLVA==}
- ajv@5.5.2:
- resolution: {integrity: sha512-Ajr4IcMXq/2QmMkEmSvxqfLN5zGmJ92gHXAeOXq1OekoH2rfDNsgdDoL2f7QaRCy7G/E6TpxBVdRuNraMztGHw==}
-
- ajv@6.12.6:
- resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==}
+ ajv@6.12.3:
+ resolution: {integrity: sha512-4K0cK3L1hsqk9xIb2z9vs/XU+PGJZ9PNpJRDS9YLzmNdX6jmVPfamLvTJr0aDAusnHyCHO6MjzlkAsgtqp9teA==}
ansi-regex@2.1.1:
resolution: {integrity: sha512-TIGnTpdo+E3+pCyAluZvtED5p5wCqLdezCyhPZzKPcxvFplEt4i+W7OONCKgeZFT3+y5NZZfOOS/Bdcanm1MYA==}
@@ -72,8 +72,8 @@ packages:
resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
engines: {node: '>=8'}
- argparse@1.0.10:
- resolution: {integrity: sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==}
+ argparse@2.0.1:
+ resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
asynckit@0.4.0:
resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
@@ -81,7 +81,7 @@ packages:
better-ajv-errors@0.6.7:
resolution: {integrity: sha512-PYgt/sCzR4aGpyNy5+ViSQ77ognMnWq7745zM+/flYO4/Yisdtp9wDQW2IKCyVYPUxQt3E/b5GBSwfhd1LPdlg==}
peerDependencies:
- ajv: 4.11.8 - 6
+ ajv: 6.12.3
call-bind-apply-helpers@1.0.2:
resolution: {integrity: sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==}
@@ -112,10 +112,6 @@ packages:
resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
engines: {node: '>=12'}
- co@4.6.0:
- resolution: {integrity: sha512-QVb0dM5HvG+uaxitm8wONl7jltx8dqhfU33DcqtOZcLSVIKSDDLDi7+0LbAKiyI8hD9u42m2YxXSkMGWThaecQ==}
- engines: {iojs: '>= 1.0.0', node: '>= 0.12.0'}
-
code-error-fragment@0.0.230:
resolution: {integrity: sha512-cadkfKp6932H8UkhzE/gcUqhRMNf8jHzkAN7+5Myabswaghu4xABTgPHDCjW+dBAJxj/SpkTYokpzDqY4pCzQw==}
engines: {node: '>= 4'}
@@ -185,8 +181,8 @@ packages:
end-of-stream@1.4.4:
resolution: {integrity: sha512-+uw1inIHVPQoaVuHzRyXd21icM+cnt4CzD5rW+NC1wjOUSTOs+Te7FOv7AhN7vS9x/oIyhLP5PR1H+phQAHu5Q==}
- entities@2.0.3:
- resolution: {integrity: sha512-MyoZ0jgnLvB2X3Lg5HqpFmn1kybDiIfEQmKzTb5apr51Rb+T3KdmMiqa70T+bhGnyv7bQ6WMj2QMHpGMmlrUYQ==}
+ entities@2.1.0:
+ resolution: {integrity: sha512-hCx1oky9PFrJ611mf0ifBLBRW8lUUVRlFolb5gWRfIELabBlbp9xZvrqZLZAs+NxFnbfQoeGd8wDkygjg7U85w==}
es-define-property@1.0.1:
resolution: {integrity: sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==}
@@ -222,9 +218,6 @@ packages:
resolution: {integrity: sha512-adbxcyWV46qiHyvSp50TKt05tB4tK3HcmF7/nxfAdhnox83seTDbwnaqKO4sXRy7roHAIFqJP/Rw/AuEbX61LA==}
engines: {node: '>=6'}
- fast-deep-equal@1.1.0:
- resolution: {integrity: sha512-fueX787WZKCV0Is4/T2cyAdM4+x1S3MXXOAhavE1ys/W42SHAPacLTQhucja22QBYrfGw50M2sRiXPtTGv9Ymw==}
-
fast-deep-equal@3.1.3:
resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
@@ -376,9 +369,6 @@ packages:
json-pointer@0.6.2:
resolution: {integrity: sha512-vLWcKbOaXlO+jvRy4qNd+TI1QUPZzfJj1tpJ3vAXDych5XJf93ftpUKe5pKCrzyIIwgBJcOcCVRUfqQP25afBw==}
- json-schema-traverse@0.3.1:
- resolution: {integrity: sha512-4JD/Ivzg7PoW8NzdrBSr3UFwC9mHgvI7Z6z3QGBsSHgKaRTUDmyZAAKJo2UbG1kUVfS9WS8bi36N49U1xw43DA==}
-
json-schema-traverse@0.4.1:
resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==}
@@ -398,8 +388,8 @@ packages:
resolution: {integrity: sha512-qsda+H8jTaUaN/x5vzW2rzc+8Rw4TAQ/4KjB46IwK5VH+IlVeeeje/EoZRpiXvIqjFgK84QffqPztGI3VBLG1A==}
engines: {node: '>=6'}
- linkify-it@2.2.0:
- resolution: {integrity: sha512-GnAl/knGn+i1U/wjBz3akz2stz+HrHLsxMwHQGofCDfPvlf+gDKN58UtfmUquTY4/MXeE2x7k19KQmeoZi94Iw==}
+ linkify-it@3.0.3:
+ resolution: {integrity: sha512-ynTsyrFSdE5oZ/O9GEf00kPngmOfVwazR5GKDq6EYfhlpFug3J2zybX56a2PRRpc9P+FuSoGNAwjlbDs9jJBPQ==}
locate-path@3.0.0:
resolution: {integrity: sha512-7AO748wWnIhNqAuaty2ZWHkQHRSNfPVIsPIfwEOWO22AmaoVrWavlOcMR5nzTLNYvp36X220/maaRsrec1G65A==}
@@ -423,8 +413,8 @@ packages:
markdown-it-emoji@1.4.0:
resolution: {integrity: sha512-QCz3Hkd+r5gDYtS2xsFXmBYrgw6KuWcJZLCEkdfAuwzZbShCmCfta+hwAMq4NX/4xPzkSHduMKgMkkPUJxSXNg==}
- markdown-it@10.0.0:
- resolution: {integrity: sha512-YWOP1j7UbDNz+TumYP1kpwnP0aEa711cJjrAQrzd0UXlbJfc5aAq0F/PZHjiioqDC1NKgvIMX+o+9Bk7yuM2dg==}
+ markdown-it@12.3.2:
+ resolution: {integrity: sha512-TchMembfxfNVpHkbtriWltGWc+m3xszaRD0CZup7GFFhzIgQqxIfn3eGj1yZpfuflzPvfkt611B2Q/Bsk1YnGg==}
hasBin: true
math-intrinsics@1.1.0:
@@ -640,9 +630,6 @@ packages:
split@0.3.3:
resolution: {integrity: sha512-wD2AeVmxXRBoX44wAycgjVpMhvbwdI2aZjCkvfNcH1YqHQvJVa1duWc73OyVGJUc05fhFaTZeQ/PYsrmyH0JVA==}
- sprintf-js@1.0.3:
- resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
-
stream-combiner@0.0.4:
resolution: {integrity: sha512-rT00SPnTVyRsaSz5zgSPma/aHSOic5U1prhYdRy5HS2kTZviFpmDgzilbtsJsxiroqACmayynDN/9VzIbX5DOw==}
@@ -751,16 +738,8 @@ packages:
resolution: {integrity: sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==}
engines: {node: '>= 6'}
- yargs-parser@11.1.1:
- resolution: {integrity: sha512-C6kB/WJDiaxONLJQnF8ccx9SEeoTTLek8RVbaOIsrAUS8VrBEXfmeSnCZxygc+XC2sNMBIwOOnfcxiynjHsVSQ==}
-
- yargs-parser@18.1.3:
- resolution: {integrity: sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==}
- engines: {node: '>=6'}
-
- yargs-parser@21.1.1:
- resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==}
- engines: {node: '>=12'}
+ yargs-parser@13.1.2:
+ resolution: {integrity: sha512-3lbsNRf/j+A4QuSZfDRA7HRSfWrzO0YjqTJd5kjAq37Zep1CEgaYmrH9Q3GwPiB9cHyd1Y1UwggGhJGoxipbzg==}
yargs@12.0.5:
resolution: {integrity: sha512-Lhz8TLaYnxq/2ObqHDql8dX8CJi97oHxrjUcYtzKbbykPtVW9WB+poxI+NM2UIzsMgNCZTIf0AQwsjK5yMAqZw==}
@@ -795,14 +774,7 @@ snapshots:
'@types/json-schema@7.0.12': {}
- ajv@5.5.2:
- dependencies:
- co: 4.6.0
- fast-deep-equal: 1.1.0
- fast-json-stable-stringify: 2.1.0
- json-schema-traverse: 0.3.1
-
- ajv@6.12.6:
+ ajv@6.12.3:
dependencies:
fast-deep-equal: 3.1.3
fast-json-stable-stringify: 2.1.0
@@ -825,17 +797,15 @@ snapshots:
dependencies:
color-convert: 2.0.1
- argparse@1.0.10:
- dependencies:
- sprintf-js: 1.0.3
+ argparse@2.0.1: {}
asynckit@0.4.0: {}
- better-ajv-errors@0.6.7(ajv@5.5.2):
+ better-ajv-errors@0.6.7(ajv@6.12.3):
dependencies:
'@babel/code-frame': 7.22.5
'@babel/runtime': 7.26.10
- ajv: 5.5.2
+ ajv: 6.12.3
chalk: 2.4.2
core-js: 3.31.0
json-to-ast: 2.1.0
@@ -883,8 +853,6 @@ snapshots:
strip-ansi: 6.0.1
wrap-ansi: 7.0.0
- co@4.6.0: {}
-
code-error-fragment@0.0.230: {}
code-point-at@1.1.0: {}
@@ -941,7 +909,7 @@ snapshots:
dependencies:
once: 1.4.0
- entities@2.0.3: {}
+ entities@2.1.0: {}
es-define-property@1.0.1: {}
@@ -984,8 +952,6 @@ snapshots:
signal-exit: 3.0.7
strip-eof: 1.0.0
- fast-deep-equal@1.1.0: {}
-
fast-deep-equal@3.1.3: {}
fast-json-stable-stringify@2.1.0: {}
@@ -1064,7 +1030,7 @@ snapshots:
har-validator@5.1.5:
dependencies:
- ajv: 6.12.6
+ ajv: 6.12.3
har-schema: 2.0.0
has-ansi@2.0.0:
@@ -1129,8 +1095,6 @@ snapshots:
dependencies:
foreach: 2.0.6
- json-schema-traverse@0.3.1: {}
-
json-schema-traverse@0.4.1: {}
json-to-ast@2.1.0:
@@ -1146,7 +1110,7 @@ snapshots:
leven@3.1.0: {}
- linkify-it@2.2.0:
+ linkify-it@3.0.3:
dependencies:
uc.micro: 1.0.6
@@ -1171,11 +1135,11 @@ snapshots:
markdown-it-emoji@1.4.0: {}
- markdown-it@10.0.0:
+ markdown-it@12.3.2:
dependencies:
- argparse: 1.0.10
- entities: 2.0.3
- linkify-it: 2.2.0
+ argparse: 2.0.1
+ entities: 2.1.0
+ linkify-it: 3.0.3
mdurl: 1.0.1
uc.micro: 1.0.6
@@ -1247,8 +1211,8 @@ snapshots:
oas-validator@4.0.8:
dependencies:
- ajv: 5.5.2
- better-ajv-errors: 0.6.7(ajv@5.5.2)
+ ajv: 6.12.3
+ better-ajv-errors: 0.6.7(ajv@6.12.3)
call-me-maybe: 1.0.2
oas-kit-common: 1.0.8
oas-linter: 3.2.2
@@ -1376,8 +1340,6 @@ snapshots:
dependencies:
through: 2.3.8
- sprintf-js@1.0.3: {}
-
stream-combiner@0.0.4:
dependencies:
duplexer: 0.1.2
@@ -1425,9 +1387,9 @@ snapshots:
dependencies:
has-flag: 3.0.0
- swagger2openapi@6.2.3(ajv@5.5.2):
+ swagger2openapi@6.2.3(ajv@6.12.3):
dependencies:
- better-ajv-errors: 0.6.7(ajv@5.5.2)
+ better-ajv-errors: 0.6.7(ajv@6.12.3)
call-me-maybe: 1.0.2
node-fetch-h2: 2.3.0
node-readfiles: 0.2.0
@@ -1466,21 +1428,21 @@ snapshots:
dependencies:
isexe: 2.0.0
- widdershins@4.0.1(ajv@5.5.2)(mkdirp@3.0.1):
+ widdershins@4.0.1(ajv@6.12.3)(mkdirp@3.0.1):
dependencies:
dot: 1.1.3
fast-safe-stringify: 2.1.1
highlightjs: 9.16.2
httpsnippet: 1.25.0(mkdirp@3.0.1)
jgexml: 0.4.4
- markdown-it: 10.0.0
+ markdown-it: 12.3.2
markdown-it-emoji: 1.4.0
node-fetch: 2.6.12
oas-resolver: 2.5.6
oas-schema-walker: 1.1.5
openapi-sampler: 1.3.1
reftools: 1.1.9
- swagger2openapi: 6.2.3(ajv@5.5.2)
+ swagger2openapi: 6.2.3(ajv@6.12.3)
urijs: 1.19.11
yaml: 1.10.2
yargs: 12.0.5
@@ -1517,18 +1479,11 @@ snapshots:
yaml@1.10.2: {}
- yargs-parser@11.1.1:
+ yargs-parser@13.1.2:
dependencies:
camelcase: 5.3.1
decamelize: 1.2.0
- yargs-parser@18.1.3:
- dependencies:
- camelcase: 5.3.1
- decamelize: 1.2.0
-
- yargs-parser@21.1.1: {}
-
yargs@12.0.5:
dependencies:
cliui: 4.1.0
@@ -1542,7 +1497,7 @@ snapshots:
string-width: 2.1.1
which-module: 2.0.1
y18n: 4.0.3
- yargs-parser: 11.1.1
+ yargs-parser: 13.1.2
yargs@15.4.1:
dependencies:
@@ -1556,7 +1511,7 @@ snapshots:
string-width: 4.2.3
which-module: 2.0.1
y18n: 4.0.3
- yargs-parser: 18.1.3
+ yargs-parser: 13.1.2
yargs@17.7.2:
dependencies:
@@ -1566,4 +1521,4 @@ snapshots:
require-directory: 2.1.1
string-width: 4.2.3
y18n: 5.0.8
- yargs-parser: 21.1.1
+ yargs-parser: 13.1.2
diff --git a/site/package.json b/site/package.json
index 95788ef97d30a..71382d859d43a 100644
--- a/site/package.json
+++ b/site/package.json
@@ -205,7 +205,8 @@
"esbuild": "^0.25.0",
"form-data": "4.0.4",
"prismjs": "1.30.0",
- "dompurify": "3.2.6"
+ "dompurify": "3.2.6",
+ "brace-expansion": "1.1.12"
},
"ignoredBuiltDependencies": [
"storybook-addon-remix-react-router"
diff --git a/site/pnpm-lock.yaml b/site/pnpm-lock.yaml
index 2351ad4c51e06..8aecb51747de6 100644
--- a/site/pnpm-lock.yaml
+++ b/site/pnpm-lock.yaml
@@ -13,6 +13,7 @@ overrides:
form-data: 4.0.4
prismjs: 1.30.0
dompurify: 3.2.6
+ brace-expansion: 1.1.12
importers:
@@ -2885,11 +2886,8 @@ packages:
resolution: {integrity: sha512-7rAxByjUMqQ3/bHJy7D6OGXvx/MMc4IqBn/X0fcM1QUcAItpZrBEYhWGem+tzXH90c+G01ypMcYJBO9Y30203g==, tarball: https://registry.npmjs.org/body-parser/-/body-parser-1.20.3.tgz}
engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16}
- brace-expansion@1.1.11:
- resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==, tarball: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz}
-
- brace-expansion@2.0.1:
- resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==, tarball: https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz}
+ brace-expansion@1.1.12:
+ resolution: {integrity: sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==, tarball: https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz}
braces@3.0.3:
resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==, tarball: https://registry.npmjs.org/braces/-/braces-3.0.3.tgz}
@@ -8894,15 +8892,11 @@ snapshots:
transitivePeerDependencies:
- supports-color
- brace-expansion@1.1.11:
+ brace-expansion@1.1.12:
dependencies:
balanced-match: 1.0.2
concat-map: 0.0.1
- brace-expansion@2.0.1:
- dependencies:
- balanced-match: 1.0.2
-
braces@3.0.3:
dependencies:
fill-range: 7.1.1
@@ -11326,11 +11320,11 @@ snapshots:
minimatch@3.1.2:
dependencies:
- brace-expansion: 1.1.11
+ brace-expansion: 1.1.12
minimatch@9.0.5:
dependencies:
- brace-expansion: 2.0.1
+ brace-expansion: 1.1.12
minimist@1.2.8: {}
From 0f1fc88d5ae424eec54e5cd572c8907717574dd5 Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Wed, 27 Aug 2025 16:26:47 -0700
Subject: [PATCH 6/7] chore: pin devcontainer-cli for .devcontainer config
(#19594)
---
.devcontainer/scripts/post_create.sh | 6 ++++-
.../tools/devcontainer-cli/package-lock.json | 26 +++++++++++++++++++
.../tools/devcontainer-cli/package.json | 8 ++++++
3 files changed, 39 insertions(+), 1 deletion(-)
create mode 100644 .devcontainer/tools/devcontainer-cli/package-lock.json
create mode 100644 .devcontainer/tools/devcontainer-cli/package.json
diff --git a/.devcontainer/scripts/post_create.sh b/.devcontainer/scripts/post_create.sh
index 50acf3b577b57..a1b774f98d2ca 100755
--- a/.devcontainer/scripts/post_create.sh
+++ b/.devcontainer/scripts/post_create.sh
@@ -1,7 +1,11 @@
#!/bin/sh
install_devcontainer_cli() {
- npm install -g @devcontainers/cli@0.80.0 --integrity=sha512-w2EaxgjyeVGyzfA/KUEZBhyXqu/5PyWNXcnrXsZOBrt3aN2zyGiHrXoG54TF6K0b5DSCF01Rt5fnIyrCeFzFKw==
+ set -e
+ echo "🔧 Installing DevContainer CLI..."
+ cd "$(dirname "$0")/../tools/devcontainer-cli"
+ npm ci --omit=dev
+ ln -sf "$(pwd)/node_modules/.bin/devcontainer" "$(npm config get prefix)/bin/devcontainer"
}
install_ssh_config() {
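Review bot: The rewritten `install_devcontainer_cli` runs `cd` and `set -e` in the caller's shell, so after the function returns the rest of post_create.sh (including `install_ssh_config` and whatever follows outside this hunk) executes from the tools/devcontainer-cli directory with errexit turned on, which neither the old one-liner nor the other functions appear to expect. Doing the install in a subshell keeps the directory change local and lets the function report failure through its own exit status instead of aborting the whole script. `npm ci` does verify the `integrity` field from the new lockfile, so the pin is as strong as the old `--integrity=` flag; since lifecycle scripts of the pulled package still run, `--ignore-scripts` is worth considering if the CLI works without them (not verifiable from here). The ` ln -sf ` target then has to be resolved from the tool directory rather than from `$(pwd)`.

```sh
install_devcontainer_cli() {
	echo "🔧 Installing DevContainer CLI..."
	tool_dir="$(cd "$(dirname "$0")/../tools/devcontainer-cli" && pwd)" || return 1
	(cd "$tool_dir" && npm ci --omit=dev) || return 1
	ln -sf "$tool_dir/node_modules/.bin/devcontainer" "$(npm config get prefix)/bin/devcontainer"
}
```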
diff --git a/.devcontainer/tools/devcontainer-cli/package-lock.json b/.devcontainer/tools/devcontainer-cli/package-lock.json
new file mode 100644
index 0000000000000..2fee536abeb07
--- /dev/null
+++ b/.devcontainer/tools/devcontainer-cli/package-lock.json
@@ -0,0 +1,26 @@
+{
+ "name": "devcontainer-cli",
+ "version": "1.0.0",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "name": "devcontainer-cli",
+ "version": "1.0.0",
+ "dependencies": {
+ "@devcontainers/cli": "^0.80.0"
+ }
+ },
+ "node_modules/@devcontainers/cli": {
+ "version": "0.80.0",
+ "resolved": "https://registry.npmjs.org/@devcontainers/cli/-/cli-0.80.0.tgz",
+ "integrity": "sha512-w2EaxgjyeVGyzfA/KUEZBhyXqu/5PyWNXcnrXsZOBrt3aN2zyGiHrXoG54TF6K0b5DSCF01Rt5fnIyrCeFzFKw==",
+ "bin": {
+ "devcontainer": "devcontainer.js"
+ },
+ "engines": {
+ "node": "^16.13.0 || >=18.0.0"
+ }
+ }
+ }
+}
diff --git a/.devcontainer/tools/devcontainer-cli/package.json b/.devcontainer/tools/devcontainer-cli/package.json
new file mode 100644
index 0000000000000..b474c8615592d
--- /dev/null
+++ b/.devcontainer/tools/devcontainer-cli/package.json
@@ -0,0 +1,8 @@
+{
+ "name": "devcontainer-cli",
+ "private": true,
+ "version": "1.0.0",
+ "dependencies": {
+ "@devcontainers/cli": "^0.80.0"
+ }
+}
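Review bot: The commit title says "pin", but the dependency line `"@devcontainers/cli": "^0.80.0"` is a caret range; the exact version lives only in package-lock.json. `npm ci` honours the lock, so this is fine today, but anyone running `npm install` or `npm update` in this directory would be free to move to a newer 0.80.x and silently rewrite the lock. Pinning the manifest too, `"@devcontainers/cli": "0.80.0"`, makes the intent explicit and means a drifted lockfile would fail rather than be accepted.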
From be40b8ca3e44bbc6677d4a8a791bfdcf626af83f Mon Sep 17 00:00:00 2001
From: Jon Ayers
Date: Wed, 27 Aug 2025 19:12:05 -0700
Subject: [PATCH 7/7] chore: set more explicit guards for serving bin files
(#19597)
---
site/site.go | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/site/site.go b/site/site.go
index e2a0d408e7f8d..d15439b264545 100644
--- a/site/site.go
+++ b/site/site.go
@@ -1018,6 +1018,16 @@ func newBinMetadataCache(binFS http.FileSystem, binSha1Hashes map[string]string)
}
func (b *binMetadataCache) getMetadata(name string) (binMetadata, error) {
+ // Reject any invalid or non-basename paths before touching the filesystem.
+ if name == "" ||
+ name == "." ||
+ strings.Contains(name, "/") ||
+ strings.Contains(name, "\\") ||
+ !fs.ValidPath(name) ||
+ path.Base(name) != name {
+ return binMetadata{}, os.ErrNotExist
+ }
+
b.mut.RLock()
metadata, ok := b.metadata[name]
b.mut.RUnlock()
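Review bot: In the new guard the `name == ""` and `path.Base(name) != name` arms are already implied by the earlier checks — `path.Base` only returns something other than its input when the input is empty or contains a slash, both rejected just above — so the condition reads as more enforcement than it performs; the arm that actually carries weight is `name == "."`, because `fs.ValidPath(".")` is true, and it deserves its own comment, e.g. `// fs.ValidPath accepts "." (the root); reject it explicitly.` Pulling the whole condition into a small `isBinName(name string) bool` helper would make it table-testable with the usual probes ("", ".", "..", "a/b", `a\b`, "./coder"), which this hunk does not add a test for. The hunk also calls `fs.ValidPath` and `path.Base` without touching the import block; presumably `io/fs` and `path` are already imported in site.go, but worth a glance since this file's path handling elsewhere is not visible here. getMetadata's body continues past the hunk.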