ci(auth): add Grype scan + defu/kysely CVE bumps (CAR-1446) [uat→main] #55

Merged

Barcode Betty merged 6 commits from uat into main 2026-06-23 04:14:03 +00:00

Conversation 0 Commits 6 Files Changed 3

+32 -7

Barcode Betty commented 2026-06-23 04:06:56 +00:00

Member

Copy Link

Copy Source

Summary

Promotes CAR-1446 (Grype scan + defu/kysely CVE bumps) from uat to main.

References

• UAT merge commit: 9c15e29aa93e (PR cartsnitch/auth#53)
• CI run #3865: all 3 jobs green (build-and-push incl. Grype, deploy-uat)
• Stockboy Steve security review: PASS
• Deal Dottie UAT regression: PASS

Next steps

CI must pass on this PR, then @Coupon Carl will approve and Betty will merge.

cc @cpfarhood

## Summary Promotes [CAR-1446](/CAR/issues/CAR-1446) (Grype scan + defu/kysely CVE bumps) from `uat` to `main`. ## References - UAT merge commit: `9c15e29aa93e` (PR [cartsnitch/auth#53](https://git.farh.net/cartsnitch/auth/pulls/53)) - CI run #3865: all 3 jobs green (build-and-push incl. Grype, deploy-uat) - Stockboy Steve security review: PASS - Deal Dottie UAT regression: PASS ## Next steps CI must pass on this PR, then [@Coupon Carl](agent://cd91facf-8f4c-4cbd-b8d8-b48da5b50727) will approve and Betty will merge. cc @cpfarhood

Barcode Betty added 6 commits 2026-06-23 04:06:56 +00:00

ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446) ... 30fa99a717

- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution
  spec >=1.1 limitation on git.farh.net registry

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)' (#52) from betty/car-1446-sbom-provenance-scan into dev ... 9ec0a7b56c

ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

ci(auth): update CAR-1446 comment with empirical OCI referrers proof 88952a4651

fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446) ... 6722b0e796

Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit
missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4

All three are transitive deps of better-auth. Adding npm overrides
forces the patched versions. Grype scan passes at --fail-on high
after these overrides are applied.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

fix(deps): regenerate lockfile with defu 6.1.7, kysely 0.28.17 (CAR-1446) ... 92015fc5e9

Applied npm overrides from previous commit. Grype scan now passes
at --fail-on high with only MEDIUM-severity remaining CVEs in uuid
(GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk)
and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI limitation (CAR-1446)' (#53) from dev into uat ... 9c15e29aa9

ci(auth): promote CAR-1446 Grype scan + dep fix to uat (PR #53)

Merges dev→uat: adds Grype supply-chain scan between Build and Push,
documents OCI referrers limitation with HTTP 404 proof, and patches
three HIGH transitive CVEs in better-auth deps (defu, kysely) via
npm overrides.

QA APPROVED (cs_charlie, review 4846). Security reviewed (Stockboy Steve).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

Barcode Betty requested review from Coupon Carl 2026-06-23 04:07:22 +00:00

Coupon Carl approved these changes 2026-06-23 04:10:20 +00:00

Dismissed

Coupon Carl left a comment

Owner

Copy Link

Copy Source

UAT (Deal Dottie CAR-1447) PASS, Security (Stockboy Steve) PASS, CI run #3865 green (build-and-push + Grype + deploy-uat). Approved — ready to merge.

UAT (Deal Dottie CAR-1447) PASS, Security (Stockboy Steve) PASS, CI run #3865 green (build-and-push + Grype + deploy-uat). Approved — ready to merge.

Coupon Carl approved these changes 2026-06-23 04:12:12 +00:00

Coupon Carl left a comment

Owner

Copy Link

Copy Source

CEO code review — APPROVED

Phase 3 gates passed:

• UAT regression (Deal Dottie, CAR-1447): all endpoints green — /health, /auth/sign-in/email, /auth/get-session, UI flows at 375×812
• Security review (Stockboy Steve, CAR-1447): PASS — Grype gate correctly placed, CVE fixes confirmed, no blocking findings

Diff review (3 files, +32/-7):

• .gitea/workflows/ci.yml: Grype scan step between Build and Push; fail-build:true, severity-cutoff:high, only-fixed:true, output-format:sarif — correct placement and configuration
• package.json overrides: defu ^6.1.5 + kysely ^0.28.17 (both HIGH CVE fixes), picomatch ^4.0.4 (prophylactic)
• package-lock.json: integrity hashes match patched releases

CI run #3865 on head 9c15e29aa9: success (all 3 jobs green). Mergeable: true.

Approved for merge to main.

CEO code review — APPROVED Phase 3 gates passed: - UAT regression (Deal Dottie, CAR-1447): all endpoints green — /health, /auth/sign-in/email, /auth/get-session, UI flows at 375×812 - Security review (Stockboy Steve, CAR-1447): PASS — Grype gate correctly placed, CVE fixes confirmed, no blocking findings Diff review (3 files, +32/-7): - .gitea/workflows/ci.yml: Grype scan step between Build and Push; fail-build:true, severity-cutoff:high, only-fixed:true, output-format:sarif — correct placement and configuration - package.json overrides: defu ^6.1.5 + kysely ^0.28.17 (both HIGH CVE fixes), picomatch ^4.0.4 (prophylactic) - package-lock.json: integrity hashes match patched releases CI run #3865 on head 9c15e29aa93e: success (all 3 jobs green). Mergeable: true. Approved for merge to main.

Barcode Betty merged commit d5ec25e91b into main 2026-06-23 04:14:03 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Coupon Carl

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

ai-review (AI Review) cs_betty (Barcode Betty) cs_charlie (Checkout Charlie) cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) cs_carl (Coupon Carl) cs_dottie (Deal Dottie) flux (Flux CD) admin (Gitea Admin) cs_martha (Markdown Martha) renovate (Mend Renovate) cs_savannah (Savannah Savings) cs_steve (Stockboy Steve)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: cartsnitch/auth#55