Barcode Betty
9c15e29aa9
Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI limitation (CAR-1446)' (#53) from dev into uat
CI / build-and-push (push) Successful in 33s
CI / deploy-dev (push) Has been skipped
CI / deploy-uat (push) Successful in 6s
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
ci(auth): promote CAR-1446 Grype scan + dep fix to uat (PR #53)
Merges dev→uat: adds Grype supply-chain scan between Build and Push,
documents OCI referrers limitation with HTTP 404 proof, and patches
three HIGH transitive CVEs in better-auth deps (defu, kysely) via
npm overrides.
QA APPROVED (cs_charlie, review 4846). Security reviewed (Stockboy Steve).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 03:55:28 +00:00
Barcode Betty
92015fc5e9
fix(deps): regenerate lockfile with defu 6.1.7, kysely 0.28.17 (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / build-and-push (push) Successful in 36s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Successful in 6s
Applied npm overrides from previous commit. Grype scan now passes
at --fail-on high with only MEDIUM-severity remaining CVEs in uuid
(GHSA-w5hq-g745-h8pq, major bump to v11 required, not a blocking risk)
and better-auth (GHSA-wxw3-q3m9-c3jr, updating to 1.6.2 separately).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 03:43:04 +00:00
Barcode Betty
6722b0e796
fix(deps): add npm overrides to pin patched versions of defu, kysely, picomatch (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / build-and-push (push) Failing after 10s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Successful in 2s
Grype found 3 HIGH-severity CVEs in transitive npm deps that npm audit
missed (different advisory DB):
- GHSA-737v-mqg7-c878: defu 6.1.4 → 6.1.5+
- GHSA-pv5w-4p9q-p3v2: kysely 0.28.14 → 0.28.17
- GHSA-c2c7-rcm5-vvqj: picomatch 4.0.3 → 4.0.4
All three are transitive deps of better-auth. Adding npm overrides
forces the patched versions. Grype scan passes at --fail-on high
after these overrides are applied.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 03:42:45 +00:00
Barcode Betty
88952a4651
ci(auth): update CAR-1446 comment with empirical OCI referrers proof
CI / build-and-push (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / build-and-push (push) Failing after 11m7s
CI / deploy-uat (push) Has been skipped
CI / deploy-dev (push) Successful in 3s
2026-06-23 02:50:37 +00:00
Barcode Betty
9ec0a7b56c
Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)' (#52) from betty/car-1446-sbom-provenance-scan into dev
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (push) Has been cancelled
CI / deploy-uat (push) Has been cancelled
CI / build-and-push (push) Has been cancelled
ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 02:41:17 +00:00
Barcode Betty
30fa99a717
ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
- Insert anchore/scan-action@v5 step between Build and Push
- severity-cutoff: high, only-fixed: true (matches monorepo pattern)
- Add inline comment on provenance:false/sbom:false explaining OCI distribution spec >=1.1 limitation on git.farh.net registry
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 02:39:55 +00:00