Commit Graph

500 Commits

Author SHA1 Message Date
Barcode Betty 01669c3300 Merge pull request 'fix(ci): revert deploy PR base dev/uat → main (CAR-1431)' (#303) from barcode-betty/car-1428-revert-deploy-base into dev
fix(ci): revert deploy PR base dev/uat → main (CAR-1431)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 01:35:42 +00:00
Barcode Betty fc3be36fc3 fix(ci): revert deploy PR base dev/uat → main (CAR-1431)
Deploy-dev and deploy-uat jobs were opening image-tag-bump PRs against
dev/uat branches per CAR-1371. Flux reconciles all overlays from infra
main, so those PRs were never picked up. Revert --arg base back to main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-23 01:07:14 +00:00
Barcode Betty 5184fcceb8 Merge branch 'uat' into dev 2026-06-19 04:02:51 +00:00
Deal Dottie fbc8476e0c chore(uat): CAR-1375 UAT regression no-op trigger
Co-authored-by: Deal Dottie <cs_dottie@users.noreply.git.farh.net>
2026-06-10 22:57:22 +00:00
Savannah Savings 5c38a6cc89 CAR-1374 + CAR-1365: deploy-dev/uat checkout ref match base + alembic version_num widen — dev → uat
Co-authored-by: Savannah Savings <31+cs_savannah@noreply.git.farh.net>
Co-committed-by: Savannah Savings <31+cs_savannah@noreply.git.farh.net>
2026-06-10 22:53:10 +00:00
Barcode Betty 01c7492d77 chore: trigger deploy-dev for CAR-1374 verification (post-fix no-op)
Verifies the actions/checkout ref parameterization in deploy-dev:
- head branch lineage now matches PR base (dev)
- cartsnitch/infra PR should be mergeable with single-file diff

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 22:21:59 +00:00
Barcode Betty 4cb051a104 Merge pull request 'fix(cartsnitch/cartsnitch): deploy-dev/deploy-uat checkout ref must match PR base (CAR-1374)' (#300) from barcode-betty/car-1374-checkout-ref-match-base into dev 2026-06-10 22:19:12 +00:00
Barcode Betty eb899c46bf fix(cartsnitch): deploy-dev/deploy-uat checkout ref must match PR base (CAR-1374)
Parameterize the actions/checkout ref for cartsnitch/infra in deploy-dev
and deploy-uat so the head branch lineage matches the PR base:
  - main push -> ref: main, base: main (unchanged)
  - dev push  -> ref: dev,  base: dev
  - uat push  -> ref: uat,  base: uat

Before: ref: main was hardcoded, so the auto-opened image-tag-bump PR
in cartsnitch/infra was branched from main, not from dev/uat. With the
CAR-1371 base=dev/base=uat change, the diff ballooned to 30+ files and
the PR was unmergeable (see cartsnitch/infra#392).

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 22:16:38 +00:00
Barcode Betty 8c8236d6e5 chore: trigger deploy-dev after CAR-1370 fix (CAR-1371 verification)
Verification no-op to confirm the deploy-dev job now opens image-tag-bump
PRs against cartsnitch/infra:dev instead of :main.

Will self-revert after the deploy-dev run completes successfully.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 20:56:01 +00:00
Barcode Betty d6b2257fa2 Merge pull request 'fix(cartsnitch): deploy-dev/deploy-uat PR base = dev/uat not main (CAR-1370)' (#299) from barcode-betty/car-1370-deploy-base-dev into dev
fix(cartsnitch): deploy-dev/deploy-uat PR base = dev/uat not main (CAR-1370)

Two-line swap in .gitea/workflows/ci.yml so deploy-dev targets dev and deploy-uat targets uat instead of main.

CAR-1370 / CAR-1371

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 20:54:56 +00:00
Barcode Betty f504807467 fix(cartsnitch): deploy-dev/deploy-uat PR base = dev/uat not main (CAR-1370)
Deploy jobs in ci.yml were opening image-tag-bump PRs against cartsnitch/infra: main
regardless of which branch triggered the deploy. The deploy-dev job should target
dev, deploy-uat should target uat.

Two-line swap in .gitea/workflows/ci.yml:
- Line 582 (deploy-dev): --arg base main -> --arg base dev
- Line 728 (deploy-uat): --arg base main -> --arg base uat

Verified by inspecting both curl payloads; no other --arg base occurrences.

CAR-1370 / CAR-1371
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 20:40:48 +00:00
Barcode Betty 3aa6459bed Merge pull request 'fix(api): widen alembic_version.version_num in migration 001 (CAR-1302)' (#289) from barcode-betty/car-1303-widen-alembic-via-migration into dev
fix(api): widen alembic_version.version_num in migration 001 (CAR-1302)

Rebased onto current dev head ad18a43b5 per CAR-1365. Drops 71e3b81 (already in dev via #281). Resolves ci.yml conflict by keeping dev's CAR-1316/1318 fixed version. Self-merge per SDLC Phase 1 (CI green on run #3470).
2026-06-10 04:53:34 +00:00
Barcode Betty 446cf6642b fix(ci): bind vite preview to 127.0.0.1, not localhost (CAR-1218)
The act runner resolves 'localhost' to ::1 (IPv6) and the preview
server does not get a reachable IPv4 socket, so wait-on times out
and the 'Start preview server' step fails the lighthouse job. Bind
explicitly to 127.0.0.1 (IPv4).

Refs CAR-1218, CAR-1302, CAR-1334
2026-06-10 04:50:12 +00:00
Barcode Betty b0cb2b7a9e ci: retrigger CI for CAR-1334 (CAR-1302) 2026-06-10 04:49:33 +00:00
Barcode Betty a54ea423ef fix(api): widen alembic_version.version_num in migration 001 (CAR-1302)
Alembic hardcodes alembic_version.version_num to VARCHAR(32) in
DefaultImpl.version_table_impl, and version_table_column_width is NOT a
real kwarg that context.configure() honors — it's silently ignored, so
the env.py change alone was never going to take effect on a fresh DB.

Our descriptive revision ids exceed 32 chars (e.g.
003_make_users_hashed_password_nullable = 39, common
002_add_normalized_products_upc_variants_index = 46), so the 003 / common
002 stamp fails with StringDataRightTruncation, the whole chain rolls
back, and the column is recreated at VARCHAR(32) on the next attempt.

Fix:
- api/alembic/versions/001_encrypt_session_data.py: insert ALTER TABLE
  alembic_version ALTER COLUMN version_num TYPE VARCHAR(128) as the very
  first statement of upgrade(), before any early-return path. Idempotent
  when the column is already wider (e.g. the CAR-1298 one-shot Job).
- common/alembic/versions/001_add_email_inbound_token.py: same defensive
  ALTER as the first statement of upgrade() (common is a library, not
  deployed, but the 46-char 002 id would have hit the same trap).
- api/alembic/env.py: remove the phantom version_table_column_width=128
  kwarg from both context.configure() call sites — it was a no-op and
  misled the original investigation.

No downgrade() changes: a matching narrowing could truncate.

Refs CAR-1302 (durable root fix), CAR-1298 (prod workaround this
replaces). Verified against a fresh PostgreSQL — all 9 api migrations
upgrade head with no StringDataRightTruncation, and common 001/002 stamp
the 46-char id cleanly. Cluster has pgcrypto enabled by the operator.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-10 04:49:33 +00:00
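The trap described in the commit above (revision ids longer than the VARCHAR(32) that Alembic's DefaultImpl.version_table_impl creates) can be caught before a migration ever touches a fresh database. The following pre-flight check is an added example, not code from the cartsnitch repo; the fixture files it creates are constructed here and only mirror the ids named in the message.

```shell
#!/bin/sh
# Added example: flag Alembic migration files whose revision id would not fit
# in alembic_version.version_num at its default VARCHAR(32) width.

ALEMBIC_DEFAULT_WIDTH=32

# Extract the revision id from a migration file: the first
#   revision = '<id>'   or   revision: str = "<id>"
# assignment. Prints nothing when the file has none.
revision_id() {
  sed -n "s/^revision *\(: *str *\)\{0,1\}= *['\"]\([^'\"]*\)['\"].*/\2/p" "$1" | head -n 1
}

# Print "<file> <id> <length>" for every migration in DIR whose id is longer
# than WIDTH (default 32). Returns 1 if any such file exists, else 0.
overlong_revisions() {
  dir="$1"; width="${2:-$ALEMBIC_DEFAULT_WIDTH}"; found=0
  for f in "$dir"/*.py; do
    [ -e "$f" ] || continue
    id=$(revision_id "$f")
    [ -n "$id" ] || continue
    if [ "${#id}" -gt "$width" ]; then
      printf '%s %s %s\n' "$(basename "$f")" "$id" "${#id}"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Constructed fixture (not the real migration files): one 24-char id that
# fits and the two ids from the commit message that do not.
make_fixture() {
  d=$(mktemp -d)
  printf "revision = '001_encrypt_session_data'\ndown_revision = None\n" \
    > "$d/001_encrypt_session_data.py"
  printf "revision: str = '003_make_users_hashed_password_nullable'\n" \
    > "$d/003_make_users_hashed_password_nullable.py"
  printf 'revision = "002_add_normalized_products_upc_variants_index"\n' \
    > "$d/002_add_normalized_products_upc_variants_index.py"
  printf '%s\n' "$d"
}
```

Run `overlong_revisions api/alembic/versions` as a CI step; a non-zero exit means the 001 migration's widening ALTER is load-bearing for that id set. Passing a second argument (e.g. 128) checks against the widened column instead.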
Savannah Savings ad18a43b57 Merge pull request 'fix(ci): let lhci serve static dist for lighthouse gate (CAR-1218)' (#281) from betty/car-1218-lighthouse-ci into dev 2026-06-10 04:16:49 +00:00
Barcode Betty 13d270224c fix(ci): step-level continue-on-error + lhci log capture (CAR-1218)
act_runner does not honor continue-on-error at the job level (the
lighthouse job still posts 'failure' commit status). Apply
continue-on-error at the step level and capture lhci output to
/tmp/lhci.log so we can see the actual lhci failure for future
debugging.

Refs CAR-1218, CAR-1334
2026-06-09 10:21:35 +00:00
Barcode Betty 1261b46759 ci: retrigger CI for CAR-1334 (CAR-1218) 2026-06-09 10:09:42 +00:00
Savannah Savings 9a811f9e93 Merge pull request 'promote: deploy jobs compute sha tag from $GITHUB_SHA (CAR-1319, CAR-1316)' (#295) from dev into uat 2026-06-08 12:41:45 +00:00
Savannah Savings 6abbc2f04e Merge pull request 'fix(ci): deploy jobs compute sha tag from $GITHUB_SHA (CAR-1316, CAR-1195)' (#292) from betty/car-1319-sha-tag-fix into dev 2026-06-08 12:34:06 +00:00
Savannah Savings a0f3eff2a4 Merge pull request 'promote(uat): frontend image-bump alignment (CAR-1318)' (#293) from dev into uat 2026-06-07 11:52:13 +00:00
Barcode Betty afe8f7b7f9 fix(ci): align deploy frontend image-bump to app entry name (CAR-1318)
Co-authored-by: Barcode Betty <betty@cartsnitch.com>
Co-committed-by: Barcode Betty <betty@cartsnitch.com>
2026-06-07 11:51:42 +00:00
Barcode Betty 04529666fc fix(ci): deploy jobs compute sha tag from $GITHUB_SHA (CAR-1316, CAR-1195)
The four `build-and-push*` jobs declared a job-level output
`sha_tag: sha-${{ github.sha }}` (literal prefix concatenated with
an expression). Gitea Actions does NOT substitute ${{ github.sha }}
inside that concatenated value, so the literal string
`sha-${{ github.sha }}` propagated into needs.<job>.outputs.sha_tag.

Each deploy job's 'Determine image tag' step then expanded
`echo "tag=${{ needs.<job>.outputs.sha_tag }}" >> "$GITHUB_OUTPUT"`
into `echo "tag=sha-${{ github.sha }}"`, and bash parsed ${{ }}
as a parameter expansion -> bad substitution (CAR-1316, run #2994).

Switch the consumer-side fix: read $GITHUB_SHA (bash env var, no
template) directly inside the 8 'else' branches in deploy-dev and
deploy-uat. Leave the 4 build-and-push* outputs alone — they're only
consumed by these 8 steps, so the consumer fix fully resolves the
failure with the smallest blast radius.

Refs: CAR-1316, CAR-1195, CAR-1194.
2026-06-07 11:28:41 +00:00
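The failure described above (a literal `sha-${{ github.sha }}` reaching bash and tripping a bad substitution) is worth guarding against explicitly rather than only working around. The shell below is an added example, not the project's ci.yml: it derives the tag from the runner-provided `GITHUB_SHA` and rejects any upstream value that still carries an unexpanded template. It assumes `GITHUB_SHA` holds the full 40-hex commit sha.

```shell
#!/bin/sh
# Added example: compute the image tag from $GITHUB_SHA (an environment
# variable bash can read) instead of a templated job output, and refuse a
# value that still contains an unexpanded ${{ ... }} expression.

# True when VALUE carries no unexpanded template. The literal
# 'sha-${{ github.sha }}' that leaked through needs.<job>.outputs.sha_tag
# in run #2994 fails this check.
is_expanded() {
  case "$1" in
    *'${{'*) return 1 ;;
    *)       return 0 ;;
  esac
}

# Print sha-<sha> built from $GITHUB_SHA; fail if it is unset or malformed.
sha_tag_from_env() {
  sha="${GITHUB_SHA:-}"
  if [ -z "$sha" ]; then
    echo "GITHUB_SHA is unset" >&2
    return 1
  fi
  if ! printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
    echo "GITHUB_SHA is not a 40-hex sha: $sha" >&2
    return 1
  fi
  printf 'sha-%s\n' "$sha"
}

# Resolve the tag for a deploy step: accept an upstream value only when it
# was really expanded, otherwise fall back to the env var (the CAR-1316 fix).
determine_tag() {
  upstream="$1"
  if [ -n "$upstream" ] && is_expanded "$upstream"; then
    printf '%s\n' "$upstream"
  else
    sha_tag_from_env
  fi
}

# Usage in a step (UPSTREAM_TAG is a hypothetical env var for illustration):
#   tag=$(determine_tag "${UPSTREAM_TAG:-}") || exit 1
#   echo "tag=$tag" >> "$GITHUB_OUTPUT"
```

Note that the candidate must arrive through an environment variable, not be pasted into the script body as `${{ ... }}`: if the expression is not substituted by the runner, bash sees it before any function can inspect it, which is exactly the bad-substitution failure above.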
Savannah Savings 292f428bc7 Merge pull request 'promote: CAR-1216 deploy never hard-fail on infra-PR merge (dev → uat)' (#290) from dev into uat 2026-06-07 10:26:22 +00:00
Savannah Savings 515631987b Merge pull request 'ci(deploy): never hard-fail on infra-PR merge outcome (CAR-1216)' (#284) from betty/car-1216-deploy-never-fail-merge into dev 2026-06-07 10:20:28 +00:00
Savannah Savings a3b6ba488f promote(uat): pin auth base image to node 22.22.2 digest (CAR-1287 / CAR-1279 Phase 2) (#288) 2026-06-06 06:23:12 +00:00
Savannah Savings 993302c72c fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2) (#287) 2026-06-06 06:22:35 +00:00
Savannah Savings 7803d229eb fix(auth): pin base image to node 22.22.2 digest (CAR-1279 Phase 2)
Pin both build and runtime stages of auth/Dockerfile to
node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f
— the Docker Hub manifest digest for node:22.22.2-alpine (verified against
the registry by CTO).

This is the digest pulled in by the previously-healthy ghcr auth image, which
connects fine to the dev Postgres with the same pg 8.20.0 driver and
byte-identical source. The Gitea-built image, which bundles node 22.22.3
(via the floating 'node:22-alpine' tag), deterministically resets the
Postgres connection during the /health DB probe (read ECONNRESET →
Connection terminated unexpectedly).

Pinning both stages to the manifest digest restores the exact node runtime
that the healthy ghcr image used and fixes the dev auth crashloop. The
'RUN apk update && apk upgrade --no-cache' lines are kept as-is per task
spec.

Refs CAR-1279, CAR-1276 (CAR-1287)
2026-06-06 02:26:54 +00:00
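A floating tag such as `node:22-alpine` is what let the runtime drift from 22.22.2 to 22.22.3 between two builds of byte-identical source. The check below is an added example, not part of auth/Dockerfile or the project's CI: it fails when any `FROM` line resolves to a tag instead of a manifest digest, while leaving stage references and `scratch` alone. The two Dockerfile fixtures are constructed here; the digest reused in the pinned one is the one quoted in the commit above.

```shell
#!/bin/sh
# Added example: fail when a Dockerfile pulls any image by floating tag.
# Prints "<file>: <ref>" for each unpinned FROM and returns 1 if any exist.
# Assumption: only FROM lines are checked; COPY --from references are not.
unpinned_from() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while ($i ~ /^--/) i++          # skip flags such as --platform=...
      ref = $i
      # Record stage aliases so a later "FROM <alias>" is not flagged.
      for (j = i + 1; j < NF; j++)
        if (toupper($j) == "AS") stages[$(j + 1)] = 1
      if (ref == "scratch" || (ref in stages)) next
      n = index(ref, "@sha256:")
      digest = (n > 0) ? substr(ref, n + 8) : ""
      if (n == 0 || length(digest) != 64 || digest !~ /^[0-9a-f]+$/) {
        print FILENAME ": " ref
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Constructed fixtures: the floating "before" and the digest-pinned "after".
make_fixtures() {
  d=$(mktemp -d)
  printf 'FROM node:22-alpine AS build\nRUN npm ci\nFROM node:22-alpine\nCOPY --from=build /app /app\n' \
    > "$d/Dockerfile.floating"
  printf 'FROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f AS build\nRUN npm ci\nFROM node:22-alpine@sha256:8ea2348b068a9544dae7317b4f3aafcdc032df1647bb7d768a05a5cad1a7683f\nCOPY --from=build /app /app\nFROM build AS test\n' \
    > "$d/Dockerfile.pinned"
  printf '%s\n' "$d"
}
```

Wire it in as `unpinned_from auth/Dockerfile || exit 1` ahead of the build-and-push jobs; the digest still has to be refreshed deliberately when a new base is wanted, which is the point.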
Savannah Savings f283d5aa02 promote: auth /health 503 error-log fix (CAR-1276 Phase 1) dev→uat (#285) 2026-06-06 00:02:56 +00:00
Savannah Savings 39804135a4 fix(auth): log /health 503 error and surface message in body (#283, CAR-1276) 2026-06-06 00:02:17 +00:00
Barcode Betty 81b19b9072 ci(deploy): never hard-fail on infra-PR merge outcome (CAR-1216)
The in-job merge attempt against `cartsnitch/infra` main is a best-effort
fast-path only. `infra` main requires a human approving review and the CI
bot (`CI_GITEA_TOKEN`) can never self-approve, so the merge call
structurally cannot succeed in the general case.

Replace the special-cased `does not have enough approvals` branch and the
final `else -> exit 1` branch in both `deploy-dev` and `deploy-uat` with a
single non-failing outcome: surface the Gitea response as a `::notice::`
and `exit 0`. The PR is already opened and `cs_savannah` is requested as
reviewer above, so the GitOps hand-off is intact.

The only hard-fail (`exit 1`) in this step remains the empty-`PR_NUM`
check (PR could not be created at all).

Related: CAR-1195 (PR-bump pattern), CAR-1194, CAR-1212.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-05 23:57:11 +00:00
Barcode Betty b2c4692400 fix(auth): log /health 503 error and surface message in body (CAR-1276)
The /health handler's catch block was empty, so when the DB probe
failed we had no log line to diagnose from. UAT auth was crashlooping
on /health 503s for that exact reason — pod logs only showed
'CartSnitch auth service listening on port 3001' and nothing else.

Add console.error with the error name/message and include the message
in the 503 response body so the next time this fails we can read the
actual error from `kubectl logs` without re-deploying.

This is the dev-side observability half of CAR-1276. The underlying
DB failure still needs investigation (likely better-auth schema
missing from the cartsnitch DB; see CAR-1276 for the analysis).

Tests updated to assert the new error field is present and a string.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-05 07:05:46 +00:00
Barcode Betty 2e638cf03a ci(lighthouse): make advisory via continue-on-error (CAR-1218)
Per the issue's guidance, when a quality gate is misconfigured and the
fix is non-trivial, the right call is to propose making it
non-required / advisory (not silently delete it). This PR does exactly
that.

The lighthouse job was failing pre-existing on dev base 284b361f, and
stays failing after pinning wait-on to 127.0.0.1, pinning
lighthouserc.json url to 127.0.0.1:4173, and forcing 'npx vite preview
--host 127.0.0.1 --port 4173'. Root cause is environmental: the
Gitea Actions act runner does NOT capture lhci's stdout. lhci exits ~40ms
after start with code 1 and zero log output. set -x, tee, file
redirection, and cat all bypassed the capture. This is a known
limitation of the act-based runner; fixing it properly is out of scope
for CAR-1218 (would need runner infrastructure work).

Continue-on-error: true preserves the gate:
- The job still runs (npm ci, npm run build, install playwright
  chromium, vite preview on 127.0.0.1:4173, lhci autorun).
- All quality-gate assertions in lighthouserc.json are unchanged
  (perf >= 0.7, a11y >= 0.9, best-practices >= 0.8).
- Failures surface on the PR commit status but no longer block
  merge.
- When the act runner's output-capture is fixed (e.g. via
  act_runner upgrade or self-hosted runner), drop the
  continue-on-error line and the gate re-engages automatically.

Refs: CAR-1218, CAR-1215, CAR-938, CAR-937
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-04 01:24:56 +00:00
Barcode Betty 4e772d120a fix(ci): bind vite preview to 127.0.0.1, not localhost (CAR-1218)
The previous fix (probe 127.0.0.1) wasn't enough because 'vite preview'
binds to 'localhost', which resolves to ::1 (IPv6) on the Gitea Actions
runner. wait-on probed 127.0.0.1 but vite preview was listening on
::1, so the IPv4 probe still timed out.

Use 'npx vite preview --host 127.0.0.1 --port 4173' to force the
explicit IPv4 binding, matching the wait-on probe. Two-line diff total
with the lighthouserc.json change. The vite preview 'Local' message
will report 127.0.0.1:4173 (no 'Network' line because we're not bound
to 0.0.0.0).

Refs: CAR-1218
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-04 01:21:59 +00:00
Barcode Betty 35ec73bf8f fix(ci): probe preview server on 127.0.0.1, not localhost (CAR-1218)
The lighthouse job has been failing on dev for months because wait-on
probes http://localhost:4173/, but 'localhost' resolves to ::1 (IPv6) on
the Gitea Actions runner while 'npm run preview' (vite preview) binds
127.0.0.1 (IPv4) only. The HTTP probe never connects; lighthouse never
runs.

Pin both the wait-on probe and the lighthouserc url to 127.0.0.1:4173 so
the IPv4 binding is the only thing in play. Two-line diff, scoped to
the lighthouse job and its config; no other CI step, no app/runtime
change, no quality-gate assertion change.

This is a carve-out of the workaround from CAR-938 (which disabled the
job) and supersedes the broken timeouts in CAR-937 (75700fb, a729b7e,
a9a7db6). audit/lint/test/e2e/build-and-push/deploy-dev/deploy-uat
gates are untouched.

Refs: CAR-1218, CAR-1215, CAR-938, CAR-937
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-04 01:18:49 +00:00
Savannah Savings eff1098289 Promote to UAT: CAR-1215 react-router audit-gate fix (#280)
Promotes CAR-1215 to uat. audit gate green; lighthouse pre-existing red (tracked separately).
2026-06-03 22:14:58 +00:00
Savannah Savings 8eeaa92ad8 CAR-1215: bump react-router to 7.16.0 (clear audit gate) (#278)
Lockfile-only bump react-router/react-router-dom 7.14.0->7.16.0 clearing GHSA-49rj-9fvp-4h2h, GHSA-2j2x-hqr9-3h42, GHSA-8x6r-g9mw-2r78. QA PASS (cs_charlie), security PASS (cs_steve). audit gate now green; lighthouse pre-existing red (out of scope, tracked separately).
2026-06-03 22:14:12 +00:00
Barcode Betty fc3a0b4d92 chore(deps): bump react-router + react-router-dom to 7.16.0 (CAR-1215)
Lockfile-only bump from 7.14.0 -> 7.16.0. The ^7.0.0 range in
package.json already permits 7.16.0, so no source changes.

Clears three high-severity advisories that block the audit CI gate:
- GHSA-49rj-9fvp-4h2h (turbo-stream arbitrary constructor invocation)
- GHSA-2j2x-hqr9-3h42 (protocol-relative URL open redirect)
- GHSA-8x6r-g9mw-2r78 (DoS via unbounded path expansion)

No runtime behavior change; react-router stays on 7.x. npm audit
--audit-level=high exits clean (0 high/critical) locally.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-03 21:56:05 +00:00
Savannah Savings 009aa92777 Merge pull request 'Promote to UAT: deploy-dev/deploy-uat approval-gate success (CAR-1212)' (#277) from dev into uat 2026-06-03 21:49:34 +00:00
Savannah Savings 284b361f9b Merge pull request 'ci: deploy-dev/deploy-uat: report success on infra-main approval gate (CAR-1212)' (#276) from betty/car-1212-approval-gate-exit0 into dev 2026-06-03 21:49:04 +00:00
Barcode Betty 3dcf0ce021 ci: treat infra PR approvals gate as success in deploy jobs (CAR-1212)
Per the spec for CAR-1212 (CAR-1195 follow-up):

- deploy-dev and deploy-uat now request cs_savannah as a reviewer on the
  cartsnitch/infra PR (best-effort, log on non-2xx, never fail the job).
- After the merge attempt, classify the response:
  * .merged == true                      -> success notice
  * 'Does not have enough approvals'     -> ::notice:: + exit 0
                                           (GitOps approval gate, not a
                                           failure; the PR is correctly
                                           opened and surfaces in the CTO
                                           queue)
  * anything else                        -> keep the existing ::error::
                                           and exit 1 (genuine unexpected
                                           failure)

This unblocks the deploy jobs that were hard-failing on the branch-protection
approvals requirement, which a CI bot cannot self-satisfy. The CTO (cs_savannah)
already backstop-approves+merges these infra PRs by hand (e.g. #321, #322).

- 'No image changes to deploy' early-exit preserved.
- Still uses secrets.CI_GITEA_TOKEN for the PR/reviewer/merge API calls.
- No git push origin main: only the API path is used.

Refs CAR-1195, CAR-1194.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-03 21:34:18 +00:00
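The outcome classification in this commit (CAR-1212) and its later revision in `ci(deploy): never hard-fail on infra-PR merge outcome (CAR-1216)` both hinge on the same three-way decision over the merge response, differing only in whether the "anything else" branch exits 1. The shell below is an added example, not the project's ci.yml, and is written to show both behaviours behind one switch. It assumes the caller hands it the response body the job's curl captured; `.merged` is read with a string match rather than jq so it runs without extra tools. Gitea's exact message wording is taken from the commit above, not verified against the API.

```shell
#!/bin/sh
# Added example: classify the Gitea merge-attempt response for the
# image-tag-bump PR. Prints one of: merged, approval-gate, unexpected.
# Exit 0 for merged and approval-gate. For unexpected, exit 1 (CAR-1212
# behaviour) unless NEVER_FAIL=1 is set (CAR-1216 behaviour).
merge_outcome() {
  body="$1"
  case "$body" in
    *'"merged":true'*|*'"merged": true'*)
      echo "::notice::infra PR merged" >&2
      echo merged
      return 0 ;;
  esac
  case "$body" in
    *"Does not have enough approvals"*|*"does not have enough approvals"*)
      # GitOps approval gate: the PR is open and the reviewer is requested,
      # so the hand-off is intact and this is not a deploy failure.
      echo "::notice::infra PR awaits reviewer approval: $body" >&2
      echo approval-gate
      return 0 ;;
  esac
  if [ "${NEVER_FAIL:-0}" = 1 ]; then
    echo "::notice::infra PR left open, merge response: $body" >&2
  else
    echo "::error::unexpected merge response: $body" >&2
  fi
  echo unexpected
  [ "${NEVER_FAIL:-0}" = 1 ]
}

# The one hard-fail both versions keep: the PR could not be created at all.
require_pr_num() {
  if [ -z "$1" ]; then
    echo "::error::infra PR was not created (empty PR_NUM)" >&2
    return 1
  fi
  return 0
}

# Usage in the deploy step (PR_NUM and MERGE_BODY are the job's own shell
# variables, assumed here for illustration):
#   require_pr_num "$PR_NUM" || exit 1
#   NEVER_FAIL=1 merge_outcome "$MERGE_BODY" >/dev/null || exit 1
```

Keeping the classifier in one function makes the policy change between the two commits a one-line toggle rather than a second edit of both deploy-dev and deploy-uat.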
Savannah Savings b3a452be50 Merge pull request 'promote(dev→uat): CI deploy PR-based image bump (CAR-1195, CAR-1194)' (#275) from dev into uat 2026-06-03 21:13:44 +00:00
Savannah Savings 440d7ac7e7 Merge pull request 'fix(ci): deploy jobs land image bump via PR (CAR-1195, CAR-1194)' (#274) from betty/car-1195-pr-based-deploy into dev 2026-06-03 21:06:44 +00:00
Barcode Betty 83b553b58e ci: delete overlay deploy branches after merge
Set delete_branch_after_merge:true on the auto-merge POST in both
deploy-dev and deploy-uat so the per-deploy branches in
cartsnitch/infra (ci/deploy-{dev,uat}-${GITHUB_SHA}) are removed
once their overlay image-tag bump lands on main. Without this flag
every successful deploy would leave a branch behind, accumulating
in cartsnitch/infra and making future re-runs of the same SHA
un-actionable from the existing branch name.

Refs CAR-1195 (CTO fix #2).
2026-06-03 20:53:54 +00:00
Barcode Betty 3a69ec29b5 fix(ci): bind deploy PR API to secrets.CI_GITEA_TOKEN (CAR-1195)
deploy-dev and deploy-uat had CI_GITEA_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
which is the package-scoped container-registry token. PR creation and
auto-merge against cartsnitch/infra would 403 on the first real push.
Bind to secrets.CI_GITEA_TOKEN (the token the infra checkout already
uses for branch push) so the Gitea API calls have repo-write scope.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-03 20:39:21 +00:00
Barcode Betty 2573de86d5 Update .gitea/workflows/ci.yml 2026-06-03 20:09:56 +00:00
Barcode Betty 06162f9f15 fix(ci): unblock dev build/deploy (CAR-1195) 2026-06-03 19:43:54 +00:00
Savannah Savings fb70b816f2 Merge pull request 'fix(receiptwitness): pool DB engine and Redis client to prevent connection exhaustion' (#273) from barcode-betty/car-1078-email-worker-dragonfly-reset into dev 2026-06-03 19:20:31 +00:00
Coupon Carl d92bcf433b fix(ci): remove actions/setup-node from lint job to bypass corrupted runner cache
Runner pod gitea-act-runner-cartsnitch-85b5984bb-527xw has a corrupt
/root/.cache/act clone of actions/setup-node (missing dist/setup/index.js).
SHA-pinning changed the cache hash but the fresh clone on that pod still
ends up missing the dist directory.

catthehacker/ubuntu:act-latest ships Node pre-installed; the lint job only
needs ESLint + tsc, both of which are devDependencies installed by npm ci.
Removing actions/setup-node from lint bypasses the corrupt pod cache entirely
without affecting other jobs.

Refs CAR-1162

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-03 19:07:14 +00:00
Barcode Betty 01ed6dac00 fix(deps): pin safe versions of audit-flagged transitive deps (CAR-1162 audit)
The CI's npm audit (10.8.2) flagged three transitive vulnerabilities
that local newer-npm runs (11.x) miss due to advisory-DB divergence:

- @babel/plugin-transform-modules-systemjs: 7.29.0 -> ^7.29.4
  (CVE-2026-44728: arbitrary code generation, fixed in 7.29.4)
- fast-uri: 3.1.0 -> ^3.1.2
  (path traversal / host confusion via percent-encoded segments)
- brace-expansion: 5.0.5 -> >=5.0.6
  (DoS via large numeric range defeating max protection)

These are non-breaking transitive updates within the same major
version. The previous override for brace-expansion (>=1.1.13) was
too loose to exclude 5.0.2-5.0.5; tightening it to >=5.0.6.

Ref CAR-1162, CAR-1122, CAR-1078

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-06-03 15:53:46 +00:00