From 8dde59583022bf0831aac6c8e02f6400896eae52 Mon Sep 17 00:00:00 2001 From: scttbnsn <80784472+scttbnsn@users.noreply.github.com> Date: Fri, 19 Jun 2026 20:52:09 -0400 Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=93=9D=20docs(changelog):=20cut=20v1.?= =?UTF-8?q?5.0-rc.38=20section?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Promote the post-rc.37 Unreleased block (startup banner #440, Snyk→Grype #441, logo refresh #439, image HIGH/CRITICAL CVE batch #442, apps/web+e2e transitive CVEs #438) to a dated 1.5.0-rc.38 heading so release-cut.yml's CHANGELOG validation passes. --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 02afb310..6b749428 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,8 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every 1.4.6+ / 1.5.x release's notes by `scripts/append-upgrade-notes.mjs` (wired into `release-cut.yml`). Update that file — not this comment — when the notes change. --> +## [1.5.0-rc.38] — 2026-06-19 + ### Added - **Colored startup banner.** When drydock starts on an interactive terminal it now renders the whale logo as a compact truecolor half-block banner followed by a `drydock v · ` identity line. The art is baked from the master logo (`drydock.png`) at build time by `scripts/gen-banner.mjs`, so startup decodes no image. The banner is written to stderr and suppressed automatically when stdout/stderr is not a TTY or `NO_COLOR` is set, so logs and piped output stay clean. From 5747914b6252593d257aad53b0474178e139406c Mon Sep 17 00:00:00 2001 
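Review bot: the hunk at `@@ -16,6 +16,8 @@` in CHANGELOG.md inserts `## [1.5.0-rc.38] — 2026-06-19` directly under the closing `-->` of the header comment and removes nothing (2 insertions, 0 deletions), so the `### Added` block it promotes was previously headingless and nothing is left above rc.38 for post-cut entries to land in; unless release-cut.yml's validation rejects it, add an `## [Unreleased]` heading above the new one so the next batch is not filed under rc.38 by default. The bracketed `[1.5.0-rc.38]` form also suggests the file keeps `[version]: <url>` link-reference definitions at the bottom, and the hunk adds none; if that convention is in use, the definition is missing.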
From: scttbnsn <80784472+scttbnsn@users.noreply.github.com> Date: Fri, 19 Jun 2026 21:00:15 -0400 Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=94=92=20security(deps):=20patch=20th?= =?UTF-8?q?e=20undici=20CVE=20batch=20(CVE-2026-6733/6734/9675/9678/9679/9?= =?UTF-8?q?697/11525/12151)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit osv-scanner flagged eight newly-disclosed undici advisories across three workspaces. The shipped backend (app) used undici 8.3.0 as a direct dependency — bumped to 8.5.0 (the only release clearing the full set; CVE-2026-9675 is fixed solely in 8.5.0) and pinned in overrides. The dashboard build (ui) and e2e load-test harness pulled undici 7.25.0/7.26.0 transitively — an overrides entry forces 7.28.0 (patched 7.x) in each; build/test-only, not shipped. Changelog entry added to the 1.5.0-rc.38 Security section. --- CHANGELOG.md | 2 ++ app/package-lock.json | 8 ++++---- app/package.json | 5 +++-- e2e/package-lock.json | 6 +++--- e2e/package.json | 3 ++- ui/package-lock.json | 6 +++--- ui/package.json | 3 ++- 7 files changed, 19 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6b749428..0a57937f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -35,6 +35,8 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every - **Patched the container image's HIGH/CRITICAL CVE surface and scoped the Grype image gate.** The first `grype-image` scan on `main` flagged a pre-existing CVE backlog that nothing had been scanning (Snyk Container never ran — no token was configured). Bumped the `node:24-alpine` base (node 24.14.0 → 24.16.0 clearing CVE-2026-21710, musl 1.2.5 → 1.2.6, curl 8.19.0 → 8.20.0, git 2.52.0 → 2.54.0) and `cosign` 2.6.3 → 3.0.6, which clears every HIGH/CRITICAL in the Node runtime and Alpine OS packages. The only residual HIGH/CRITICAL findings live inside the vendored Go module graphs compiled into the bundled `cosign` and `trivy` CLI binaries (drydock shells out to them for signature verification and container scanning) — those clear only when Alpine rebuilds the packages, so a documented `.grype.yaml` scopes the fail-on-HIGH image gate to the dependencies drydock controls (Node, OS packages, the app npm graph) and excludes the two tool-binary locations. cosign 3.0.6 keeps the `verify --output json`/`--certificate-identity`/`--certificate-oidc-issuer`/`--key` flags drydock's signature path uses. +- **Patched a batch of newly-disclosed `undici` CVEs across the runtime and tooling workspaces.** osv-scanner flagged eight undici advisories disclosed in 2026 — [CVE-2026-6733](https://github.com/advisories/GHSA-35p6-xmwp-9g52), [CVE-2026-6734](https://github.com/advisories/GHSA-hm92-r4w5-c3mj), [CVE-2026-9675](https://github.com/advisories/GHSA-38rv-x7px-6hhq), [CVE-2026-9678](https://github.com/advisories/GHSA-pr7r-676h-xcf6), [CVE-2026-9679](https://github.com/advisories/GHSA-p88m-4jfj-68fv), [CVE-2026-9697](https://github.com/advisories/GHSA-vmh5-mc38-953g), [CVE-2026-11525](https://github.com/advisories/GHSA-g8m3-5g58-fq7m), and [CVE-2026-12151](https://github.com/advisories/GHSA-vxpw-j846-p89q). 
The shipped backend (`app`) carries undici as a direct dependency and was on `8.3.0`, vulnerable to all eight — bumped to `8.5.0`, the only release clearing the full set (CVE-2026-9675 is fixed solely in 8.5.0), and pinned in `overrides` as well. The dashboard build (`ui`) and the e2e load-test harness pulled undici `7.25.0`/`7.26.0` transitively; an `overrides` entry forces `7.28.0` (the patched 7.x line) in each — build- and test-only, not part of the shipped image. + ## [1.5.0-rc.37] — 2026-06-15 ### Security diff --git a/app/package-lock.json b/app/package-lock.json index 9083c70c..934a85aa 100644 --- a/app/package-lock.json +++ b/app/package-lock.json @@ -53,7 +53,7 @@ "semver": "7.8.1", "set-value": "4.1.0", "sort-es": "1.7.18", - "undici": "8.3.0", + "undici": "8.5.0", "unix-crypt-td-js": "1.1.4", "uuid": "14.0.0", "ws": "8.21.0", @@ -8826,9 +8826,9 @@ "license": "MIT" }, "node_modules/undici": { - "version": "8.3.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-8.3.0.tgz", - "integrity": "sha512-TkUDgb6tl7KOGZ+7e8E3d2FYgUQgF6z5YypqjWmixVQSQERFcVrVg0ySADm2LVLRh5ljAaHTCR5Fmz3Q34rB7Q==", + "version": "8.5.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-8.5.0.tgz", + "integrity": "sha512-xamtWoB1EshgjpmlXd7GGm2VfdDtw1+rD8uhry8pSNW3If6S8E0m2T2+orSKeZXEn/aPJMviCpDBA65WJt8zhg==", "license": "MIT", "engines": { "node": ">=22.19.0" diff --git a/app/package.json b/app/package.json index 4fb40555..2c918c18 100644 --- a/app/package.json +++ b/app/package.json @@ -66,7 +66,7 @@ "semver": "7.8.1", "set-value": "4.1.0", "sort-es": "1.7.18", - "undici": "8.3.0", + "undici": "8.5.0", "unix-crypt-td-js": "1.1.4", "uuid": "14.0.0", "ws": "8.21.0", @@ -85,7 +85,8 @@ "vite": "8.0.16", "@babel/core": "7.29.6", "form-data": "4.0.6", - "protobufjs": "7.6.3" + "protobufjs": "7.6.3", + "undici": "8.5.0" }, "devDependencies": { "@fast-check/vitest": "0.4.1", diff --git a/e2e/package-lock.json b/e2e/package-lock.json index 2f9a1f12..eb8ddcdf 100644 
--- a/e2e/package-lock.json +++ b/e2e/package-lock.json @@ -7591,9 +7591,9 @@ "license": "MIT" }, "node_modules/undici": { - "version": "7.26.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.26.0.tgz", - "integrity": "sha512-3O9Tf67pGhgOv9jM35AbhkXAKi13f3oy3aE4CSgr+TckGeY+/iu97ZXN+J7DpHPzLbVApFd1IFhcnBjREYXYcg==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "dev": true, "license": "MIT", "engines": { diff --git a/e2e/package.json b/e2e/package.json index 18479456..f11cffc0 100644 --- a/e2e/package.json +++ b/e2e/package.json @@ -47,6 +47,7 @@ "yaml": "2.8.3", "form-data": "4.0.6", "protobufjs": "7.6.3", - "@opentelemetry/core": "2.8.0" + "@opentelemetry/core": "2.8.0", + "undici": "7.28.0" } } diff --git a/ui/package-lock.json b/ui/package-lock.json index 3f9235a3..7d227252 100644 --- a/ui/package-lock.json +++ b/ui/package-lock.json @@ -6287,9 +6287,9 @@ "license": "MIT" }, "node_modules/undici": { - "version": "7.25.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz", - "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==", + "version": "7.28.0", + "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz", + "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==", "dev": true, "license": "MIT", "engines": { diff --git a/ui/package.json b/ui/package.json index 890ec6c8..12ddccfa 100644 --- a/ui/package.json +++ b/ui/package.json @@ -71,6 +71,7 @@ "postcss": "8.5.10", "qs": "6.15.2", "yaml": "2.9.0", - "@babel/core": "7.29.6" + "@babel/core": "7.29.6", + "undici": "7.28.0" } } From 15679630ec72556d739b913c9a907517124bf46e Mon Sep 17 00:00:00 2001 
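Review bot: the `"undici": "8.5.0"` overrides entry added to app/package.json at `@@ -85,7 +85,8 @@` forces every transitive copy of undici onto 8.x regardless of the range its consumer declared, which is a silent major bump for that consumer; the app/package-lock.json hunk shows only the single top-level `node_modules/undici` entry, consistent with no nested copies, but the commit message should state whether any `node_modules/*/node_modules/undici` at a 6.x/7.x range existed beforehand, since the direct pin at `@@ -66,7 +66,7 @@` already makes the top-level copy 8.5.0 and the override only does work if nested copies exist. The updated lockfile entry's `"engines": { "node": ">=22.19.0" }` is worth a mention next to the bump too; the `node:24-alpine` base named in the rc.38 changelog context satisfies it.

Review bot: the `"undici": "7.28.0"` overrides added to e2e/package.json (`@@ -47,6 +47,7 @@`) and ui/package.json (`@@ -71,6 +71,7 @@`) pin a dev-only transitive (`"dev": true` in both lockfile hunks) to an exact version, so any later undici bump by the consumer that pulls it in will be held at 7.28.0 until someone edits the override by hand; naming that consumer in the commit message or the changelog entry would make the override removable once the consumer ships its own patched range.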
From: scttbnsn <80784472+scttbnsn@users.noreply.github.com> Date: Fri, 19 Jun 2026 21:05:51 -0400 Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=94=92=20security(deps):=20patch=20no?= =?UTF-8?q?demailer=20raw-option=20file-read/SSRF=20(GHSA-p6gq-j5cr-w38f)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit nodemailer ≤9.0.0 lets a message-level raw option bypass disableFileAccess/disableUrlAccess (arbitrary file read + full-response SSRF). Fixed only in 9.0.1; bumped app's direct dependency 8.0.10 → 9.0.1. drydock's SMTP trigger uses only createTransport/sendMail with from/to/subject/text and never passes raw, so the sink isn't reachable, but it's a HIGH (CVSS 7.1) shipped-runtime advisory. tsc --noEmit clean against nodemailer 9; @types/nodemailer unchanged. Changelog entry added to 1.5.0-rc.38 Security section. --- CHANGELOG.md | 2 ++ app/package-lock.json | 8 ++++---- app/package.json | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a57937f..6d4a6a96 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -37,6 +37,8 @@ scheme restriction) live in `UPGRADE-NOTES.md` and are auto-appended to every - **Patched a batch of newly-disclosed `undici` CVEs across the runtime and tooling workspaces.** osv-scanner flagged eight undici advisories disclosed in 2026 — [CVE-2026-6733](https://github.com/advisories/GHSA-35p6-xmwp-9g52), [CVE-2026-6734](https://github.com/advisories/GHSA-hm92-r4w5-c3mj), [CVE-2026-9675](https://github.com/advisories/GHSA-38rv-x7px-6hhq), [CVE-2026-9678](https://github.com/advisories/GHSA-pr7r-676h-xcf6), [CVE-2026-9679](https://github.com/advisories/GHSA-p88m-4jfj-68fv), [CVE-2026-9697](https://github.com/advisories/GHSA-vmh5-mc38-953g), [CVE-2026-11525](https://github.com/advisories/GHSA-g8m3-5g58-fq7m), and [CVE-2026-12151](https://github.com/advisories/GHSA-vxpw-j846-p89q). The shipped backend (`app`) carries undici as a direct dependency and was on `8.3.0`, vulnerable to all eight — bumped to `8.5.0`, the only release clearing the full set (CVE-2026-9675 is fixed solely in 8.5.0), and pinned in `overrides` as well. The dashboard build (`ui`) and the e2e load-test harness pulled undici `7.25.0`/`7.26.0` transitively; an `overrides` entry forces `7.28.0` (the patched 7.x line) in each — build- and test-only, not part of the shipped image. +- **Patched `nodemailer` to 9.0.1 ([GHSA-p6gq-j5cr-w38f](https://github.com/advisories/GHSA-p6gq-j5cr-w38f), CVSS 7.1).** A message-level `raw` option bypassed nodemailer's `disableFileAccess`/`disableUrlAccess` guards, allowing arbitrary file read and full-response SSRF in the delivered message. drydock's SMTP trigger only calls `createTransport`/`sendMail` with plain `from`/`to`/`subject`/`text` fields and never passes `raw`, so the sink isn't reachable here — but the advisory affects every release through 9.0.0 with the fix landing only in 9.0.1, so the direct dependency in `app` is bumped from `8.0.10`. The 8→9 major jump doesn't touch the stable `createTransport`/`sendMail` core drydock relies on. 
+ ## [1.5.0-rc.37] — 2026-06-15 ### Security diff --git a/app/package-lock.json b/app/package-lock.json index 934a85aa..0e975d18 100644 --- a/app/package-lock.json +++ b/app/package-lock.json @@ -38,7 +38,7 @@ "mqtt": "5.15.1", "nocache": "4.0.0", "node-cron": "4.2.1", - "nodemailer": "8.0.10", + "nodemailer": "9.0.1", "openid-client": "6.8.4", "p-limit": "7.3.0", "parse-docker-image-name": "3.0.0", @@ -7041,9 +7041,9 @@ "license": "MIT" }, "node_modules/nodemailer": { - "version": "8.0.10", - "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-8.0.10.tgz", - "integrity": "sha512-BLFuSth7QtHOkBzyqTehWWyub0NTRDuK2Q2SQfnGLsrJnzyU+Yeh4WpV1eZGuARFj1xQJHIdnTuJZLP+b9R1GQ==", + "version": "9.0.1", + "resolved": "https://registry.npmjs.org/nodemailer/-/nodemailer-9.0.1.tgz", + "integrity": "sha512-Gwv8SQewT616ZM/URn0H54b8PWo/Wum7md3EW2aWy1lO27+WZCX+Xyak3J+NlmHUjDh5ME+uesJUDRbR3Ye8Bw==", "license": "MIT-0", "engines": { "node": ">=6.0.0" diff --git a/app/package.json b/app/package.json index 2c918c18..ac366305 100644 --- a/app/package.json +++ b/app/package.json @@ -51,7 +51,7 @@ "mqtt": "5.15.1", "nocache": "4.0.0", "node-cron": "4.2.1", - "nodemailer": "8.0.10", + "nodemailer": "9.0.1", "openid-client": "6.8.4", "p-limit": "7.3.0", "parse-docker-image-name": "3.0.0",
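Review bot: the CHANGELOG line added at `@@ -37,6 +37,8 @@` asserts that the nodemailer 8→9 major jump "doesn't touch the stable `createTransport`/`sendMail` core drydock relies on", but nothing in the diff supports that beyond the commit message's `tsc --noEmit` result; cite the 9.0.0 release notes or name the breaking changes that were reviewed, and since `@types/nodemailer` is left untouched (the app/package.json hunk changes only the `dependencies` entry), say which major of the types package is installed so a reader can tell whether the type check exercised the 9.x surface at all. The entry also leans on the SMTP trigger never passing `raw`; as belt and braces, setting `disableFileAccess: true` and `disableUrlAccess: true` on the transport (the guards the advisory text itself names) would make the sink unreachable by construction rather than by convention, and a one-line note on whether message fields come from operator configuration or from untrusted input would close the loop on why the bump alone is sufficient.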