Skip to content

Release: staging -> main (2026-05-05 07:29)#680

Merged
is0692vs merged 23 commits into
mainfrom
staging
May 5, 2026
Merged

Release: staging -> main (2026-05-05 07:29)#680
is0692vs merged 23 commits into
mainfrom
staging

Conversation

@github-actions

@github-actions github-actions Bot commented May 5, 2026

Copy link
Copy Markdown

Summary

Promotes staging into main.

  • Source branch: staging
  • Target branch: main
  • Generated by npm run pr:promote

Included PRs

Compare

google-labs-jules Bot and others added 15 commits May 4, 2026 16:32
Honoの`secureHeaders`ミドルウェアを全体に適用し、
XSS対策やクリックジャッキング対策などのセキュリティを強化しました。

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
デフォルトの`no-referrer`による将来的なCSRFチェックへの影響を避けるため、
`referrerPolicy`に`strict-origin-when-cross-origin`を明示的に指定しました。

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
…367244681164' into sentinel/security-headers-653258367244681164
フロントエンドがエラーを適切にパースできるよう、
CSRFチェック失敗時のレスポンスをtextからJSON (`{ error: "Forbidden" }`)に変更しました。
また、関連するテストを更新しJSONレスポンスを検証するようにしました。

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Bumps the npm_and_yarn group with 1 update in the /apps/web directory: [axios](https://github.com/axios/axios).


Updates `axios` from 1.15.0 to 1.16.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.15.0...v1.16.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
…258367244681164

🛡️ Sentinel: [HIGH] セキュリティヘッダー(secureHeaders)の追加
@github-actions github-actions Bot added automated Automated main-to-staging sync PR release Release promotion PR labels May 5, 2026
@vercel

vercel Bot commented May 5, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
open-shelf Ignored Ignored May 5, 2026 7:29am

@codecov

codecov Bot commented May 5, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 91.66667% with 3 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
apps/api/src/index.ts 91.66% 2 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

Comment thread apps/api/src/index.ts
Comment on lines +24 to +33
app.use(
"*",
secureHeaders({
referrerPolicy: "strict-origin-when-cross-origin",
contentSecurityPolicy: {
defaultSrc: ["'none'"],
frameAncestors: ["'none'"],
},
}),
);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 frameAncestors: ["'none'"] はフレーム埋め込みを完全拒否することを意図していますが、hono/secure-headers のデフォルト値である X-Frame-Options: SAMEORIGIN はそのまま送信されるため、設定が矛盾しています。CSP frame-ancestors をサポートしない古いブラウザでは、同一オリジンからの iframe 埋め込みが許可されてしまいます。xFrameOptions: "DENY" を明示的に指定することで一貫性が保たれます。

Suggested change
app.use(
"*",
secureHeaders({
referrerPolicy: "strict-origin-when-cross-origin",
contentSecurityPolicy: {
defaultSrc: ["'none'"],
frameAncestors: ["'none'"],
},
}),
);
app.use(
"*",
secureHeaders({
xFrameOptions: "DENY",
referrerPolicy: "strict-origin-when-cross-origin",
contentSecurityPolicy: {
defaultSrc: ["'none'"],
frameAncestors: ["'none'"],
},
}),
);
Prompt To Fix With AI
This is a comment left during a code review.
Path: apps/api/src/index.ts
Line: 24-33

Comment:
`frameAncestors: ["'none'"]` はフレーム埋め込みを完全拒否することを意図していますが、`hono/secure-headers` のデフォルト値である `X-Frame-Options: SAMEORIGIN` はそのまま送信されるため、設定が矛盾しています。CSP `frame-ancestors` をサポートしない古いブラウザでは、同一オリジンからの iframe 埋め込みが許可されてしまいます。`xFrameOptions: "DENY"` を明示的に指定することで一貫性が保たれます。

```suggestion
app.use(
  "*",
  secureHeaders({
    xFrameOptions: "DENY",
    referrerPolicy: "strict-origin-when-cross-origin",
    contentSecurityPolicy: {
      defaultSrc: ["'none'"],
      frameAncestors: ["'none'"],
    },
  }),
);
```

How can I resolve this? If you propose a fix, please make it concise.

chore: sync main into staging
@github-actions github-actions Bot changed the title Release: staging -> main (2026-05-05 06:59) Release: staging -> main (2026-05-05 07:02) May 5, 2026
is0692vs and others added 3 commits May 5, 2026 16:03
…t-17287036571437809720

🎨 Palette: トースト通知のスクリーンリーダー読み上げ対応 (アクセシビリティ改善)
@github-actions github-actions Bot changed the title Release: staging -> main (2026-05-05 07:02) Release: staging -> main (2026-05-05 07:12) May 5, 2026
…web/npm_and_yarn-ac20752053

chore(deps): bump axios from 1.15.0 to 1.16.0 in /apps/web in the npm_and_yarn group across 1 directory
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

automated Automated main-to-staging sync PR release Release promotion PR size/L

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant