diff --git a/CHANGELOG.md b/CHANGELOG.md
index 02afb310..6d4a6a96 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,8 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every
 1.4.6+ / 1.5.x release's notes by `scripts/append-upgrade-notes.mjs` (wired into `release-cut.yml`). Update that file — not this comment — when the notes change. -->
+## [1.5.0-rc.38] — 2026-06-19
+
 ### Added
 - **Colored startup banner.** When drydock starts on an interactive terminal it now renders the whale logo as a compact truecolor half-block banner followed by a `drydock v · ` identity line. The art is baked from the master logo (`drydock.png`) at build time by `scripts/gen-banner.mjs`, so startup decodes no image. The banner is written to stderr and suppressed automatically when stdout/stderr is not a TTY or `NO_COLOR` is set, so logs and piped output stay clean.
@@ -33,6 +35,10 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every
 - **Patched the container image's HIGH/CRITICAL CVE surface and scoped the Grype image gate.** The first `grype-image` scan on `main` flagged a pre-existing CVE backlog that nothing had been scanning (Snyk Container never ran — no token was configured). Bumped the `node:24-alpine` base (node 24.14.0 → 24.16.0 clearing CVE-2026-21710, musl 1.2.5 → 1.2.6, curl 8.19.0 → 8.20.0, git 2.52.0 → 2.54.0) and `cosign` 2.6.3 → 3.0.6, which clears every HIGH/CRITICAL in the Node runtime and Alpine OS packages. The only residual HIGH/CRITICAL findings live inside the vendored Go module graphs compiled into the bundled `cosign` and `trivy` CLI binaries (drydock shells out to them for signature verification and container scanning) — those clear only when Alpine rebuilds the packages, so a documented `.grype.yaml` scopes the fail-on-HIGH image gate to the dependencies drydock controls (Node, OS packages, the app npm graph) and excludes the two tool-binary locations. cosign 3.0.6 keeps the `verify --output json`/`--certificate-identity`/`--certificate-oidc-issuer`/`--key` flags drydock's signature path uses.
+- **Patched a batch of newly-disclosed `undici` CVEs across the runtime and tooling workspaces.** osv-scanner flagged eight undici advisories disclosed in 2026 — [CVE-2026-6733](https://github.com/advisories/GHSA-35p6-xmwp-9g52), [CVE-2026-6734](https://github.com/advisories/GHSA-hm92-r4w5-c3mj), [CVE-2026-9675](https://github.com/advisories/GHSA-38rv-x7px-6hhq), [CVE-2026-9678](https://github.com/advisories/GHSA-pr7r-676h-xcf6), [CVE-2026-9679](https://github.com/advisories/GHSA-p88m-4jfj-68fv), [CVE-2026-9697](https://github.com/advisories/GHSA-vmh5-mc38-953g), [CVE-2026-11525](https://github.com/advisories/GHSA-g8m3-5g58-fq7m), and [CVE-2026-12151](https://github.com/advisories/GHSA-vxpw-j846-p89q). 
The shipped backend (`app`) carries undici as a direct dependency and was on `8.3.0`, vulnerable to all eight — bumped to `8.5.0`, the only release clearing the full set (CVE-2026-9675 is fixed solely in 8.5.0), and pinned in `overrides` as well. The dashboard build (`ui`) and the e2e load-test harness pulled undici `7.25.0`/`7.26.0` transitively; an `overrides` entry forces `7.28.0` (the patched 7.x line) in each — build- and test-only, not part of the shipped image.
+
+- **Patched `nodemailer` to 9.0.1 ([GHSA-p6gq-j5cr-w38f](https://github.com/advisories/GHSA-p6gq-j5cr-w38f), CVSS 7.1).** A message-level `raw` option bypassed nodemailer's `disableFileAccess`/`disableUrlAccess` guards, allowing arbitrary file read and full-response SSRF in the delivered message. drydock's SMTP trigger only calls `createTransport`/`sendMail` with plain `from`/`to`/`subject`/`text` fields and never passes `raw`, so the sink isn't reachable here — but the advisory affects every release through 9.0.0 with the fix landing only in 9.0.1, so the direct dependency in `app` is bumped from `8.0.10`. The 8→9 major jump doesn't touch the stable `createTransport`/`sendMail` core drydock relies on.
+
 ## [1.5.0-rc.37] — 2026-06-15
 ### Security
diff --git a/app/package-lock.json b/app/package-lock.json
index 9083c70c..0e975d18 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -38,7 +38,7 @@
 "mqtt": "5.15.1",
 "nocache": "4.0.0",
 "node-cron": "4.2.1",
- "nodemailer": "8.0.10",
+ "nodemailer": "9.0.1",
 "openid-client": "6.8.4",
 "p-limit": "7.3.0",
 "parse-docker-image-name": "3.0.0",
@@ -53,7 +53,7 @@
 "semver": "7.8.1",
 "set-value": "4.1.0",
 "sort-es": "1.7.18",
- "undici": "8.3.0",
+ "undici": "8.5.0",
 "unix-crypt-td-js": "1.1.4",
 "uuid": "14.0.0",
 "ws": "8.21.0",
@@ -7041,9 +7041,9 @@
 "license": "MIT"
 },
 "node_modules/nodemailer": {
- "version": "8.0.10",
- "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.10.tgz",
- "integrity": "sha512-BLFuSth7QtHOkBzyqTehWWyub0NTRDuK2Q2SQfnGLsrJnzyU+Yeh4WpV1eZGuARFj1xQJHIdnTuJZLP+b9R1GQ==",
+ "version": "9.0.1",
+ "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-9.0.1.tgz",
+ "integrity": "sha512-Gwv8SQewT616ZM/URn0H54b8PWo/Wum7md3EW2aWy1lO27+WZCX+Xyak3J+NlmHUjDh5ME+uesJUDRbR3Ye8Bw==",
 "license": "MIT-0",
 "engines": {
 "node": ">=6.0.0"
@@ -8826,9 +8826,9 @@
 "license": "MIT"
 },
 "node_modules/undici": {
- "version": "8.3.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-8.3.0.tgz",
- "integrity": "sha512-TkUDgb6tl7KOGZ+7e8E3d2FYgUQgF6z5YypqjWmixVQSQERFcVrVg0ySADm2LVLRh5ljAaHTCR5Fmz3Q34rB7Q==",
+ "version": "8.5.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-8.5.0.tgz",
+ "integrity": "sha512-xamtWoB1EshgjpmlXd7GGm2VfdDtw1+rD8uhry8pSNW3If6S8E0m2T2+orSKeZXEn/aPJMviCpDBA65WJt8zhg==",
 "license": "MIT",
 "engines": {
 "node": ">=22.19.0"
diff --git a/app/package.json b/app/package.json
index 4fb40555..ac366305 100644
--- a/app/package.json
+++ b/app/package.json
@@ -51,7 +51,7 @@
 "mqtt": "5.15.1",
 "nocache": "4.0.0",
 "node-cron": "4.2.1",
- "nodemailer": "8.0.10",
+ "nodemailer": "9.0.1",
 "openid-client": "6.8.4",
 "p-limit": "7.3.0",
 "parse-docker-image-name": "3.0.0",
@@ -66,7 +66,7 @@
 "semver": "7.8.1",
 "set-value": "4.1.0",
 "sort-es": "1.7.18",
- "undici": "8.3.0",
+ "undici": "8.5.0",
 "unix-crypt-td-js": "1.1.4",
 "uuid": "14.0.0",
 "ws": "8.21.0",
@@ -85,7 +85,8 @@
 "vite": "8.0.16",
 "@babel/core": "7.29.6",
 "form-data": "4.0.6",
- "protobufjs": "7.6.3"
+ "protobufjs": "7.6.3",
+ "undici": "8.5.0"
 },
 "devDependencies": {
 "@fast-check/vitest": "0.4.1",
diff --git a/e2e/package-lock.json b/e2e/package-lock.json
index 2f9a1f12..eb8ddcdf 100644
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
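Review bot: The new `overrides` entry `"undici": "8.5.0"` in `app/package.json` forces every transitive copy of undici in the app graph to 8.5.0 regardless of the range a dependent declares, so any dependency still on the 7.x line would be silently jumped a major version — the same change deliberately keeps `ui` and `e2e` on `7.28.0` for that reason. The app lock hunk shown here only touches the top-level `node_modules/undici` entry, which suggests no nested 7.x copy exists, but the lockfile is only partially visible, so it is worth confirming with `npm ls undici` in `app` that no transitive consumer declared a 7.x range before this pin. If one does, scope the override to that parent (`"<parent>": { "undici": "7.28.0" }`) rather than applying a blanket pin, and record the reason next to the entry since package.json cannot carry a comment.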
@@ -7591,9 +7591,9 @@
 "license": "MIT"
 },
 "node_modules/undici": {
- "version": "7.26.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.26.0.tgz",
- "integrity": "sha512-3O9Tf67pGhgOv9jM35AbhkXAKi13f3oy3aE4CSgr+TckGeY+/iu97ZXN+J7DpHPzLbVApFd1IFhcnBjREYXYcg==",
+ "version": "7.28.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz",
+ "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==",
 "dev": true,
 "license": "MIT",
 "engines": {
diff --git a/e2e/package.json b/e2e/package.json
index 18479456..f11cffc0 100644
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -47,6 +47,7 @@
 "yaml": "2.8.3",
 "form-data": "4.0.6",
 "protobufjs": "7.6.3",
- "@opentelemetry/core": "2.8.0"
+ "@opentelemetry/core": "2.8.0",
+ "undici": "7.28.0"
 }
 }
diff --git a/ui/package-lock.json b/ui/package-lock.json
index 3f9235a3..7d227252 100644
--- a/ui/package-lock.json
+++ b/ui/package-lock.json
@@ -6287,9 +6287,9 @@
 "license": "MIT"
 },
 "node_modules/undici": {
- "version": "7.25.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
- "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
+ "version": "7.28.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz",
+ "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==",
 "dev": true,
 "license": "MIT",
 "engines": {
diff --git a/ui/package.json b/ui/package.json
index 890ec6c8..12ddccfa 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -71,6 +71,7 @@
 "postcss": "8.5.10",
 "qs": "6.15.2",
 "yaml": "2.9.0",
- "@babel/core": "7.29.6"
+ "@babel/core": "7.29.6",
+ "undici": "7.28.0"
 }
 }