build(deps-dev): bump webpack from 5.106.2 to 5.107.2 in /js#24
Open
dependabot[bot] wants to merge 53 commits into
Conversation
…and foreign keys, indexes and ENUM columns
…warnings about unsupported indexes in Postgres
… of bytes and memory management
- Introduced a new chunked upload mechanism in ImportModal.tsx to handle large .flarum archive uploads.
- Added fallback chunk size and retry logic for failed chunks.
- Created new API endpoints for handling chunk uploads and inspecting the uploaded files.
- Updated UploadImportController to initialize chunked uploads and validate file sizes.
- Added ChunkImportController to append chunks to the staging file and ensure idempotency.
- Implemented InspectImportController to validate the completeness of the uploaded file and retrieve metadata.
…of branches, plus improvements to identifier validation and the project structure
feat: Add CI workflows, release cleanup and synchronization …
…bility
- Standardized string quotes from single to double across ImportModal.tsx, index.tsx, api.ts, errorBoundary.tsx, and other files.
- Improved formatting and indentation for better code clarity.
- Updated error handling messages to ensure consistent usage of translation functions.
- Removed unnecessary comments and streamlined code logic in various functions.
- Enhanced the user interface by ensuring consistent alert messages and button labels.
…Composer and installation of JS dependencies
…versions and documentation
Update CI and release workflows for better version management
- MysqlIntrospector: normalizes COLUMN_DEFAULT from MariaDB 10.2.7+ (quoted literals, the string "NULL" as a real NULL) and removes the str_getcsv() deprecation on PHP 8.4.
- PostgresIntrospector: PG true/false literals are now recognized as booleans (previously they were emitted as barewords, which is invalid in MySQL DDL).
- MysqlEmitter: suppresses DEFAULT on TEXT/BLOB/JSON columns, which MySQL/MariaDB reject (error 1101); essential on the PG -> MySQL path, where the original VARCHARs show up as TEXT.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Added `ImportCommand` to restore a .flarum archive into the running install.
- Implemented options for confirming the import, selecting specific components to restore (database, assets, storage, extensions).
- Introduced `CliTransferE2ETest` to validate the export and import process via CLI, ensuring data integrity across transfers.
- Created `CrossEngineTransferTest` to verify data preservation across different database engines.
- Developed support classes (`Engines`, `Fixture`, `Transfer`) to facilitate database connections and data handling for tests.
- Added unit tests for `Dialect` to ensure correct engine detection and parsing.
fix: correct database driver detection in the Dialect enum
… export and import operations
Add detailed progress and row counting to export and import operations
… implement state recovery logic in import and export operations
feat: Change directory permissions to 0700 in ensureDir for better security
…workflows Swaps the mutable pins (@v4/@v2/@v7) for 40-character SHAs with a version comment (§35.13 C2/C3; Dependabot keeps the SHAs fresh while preserving the pin), aligning with the sibling repos. Adds step-security/harden-runner v2.19.4 in audit mode as the first step of every job (§35.13 I3), promotes ci.yml to default-deny permissions with per-job grants (§35.13 C1), and bumps release-management's harden-runner from v2.11.0 to v2.19.4.
Weekly + per-PR analysis with the security-extended and security-and-quality queries (§35.13 I2). CodeQL does not support PHP; that coverage will come from Semgrep (security.yml) and from PHPStan/Psalm. The init/analyze steps carry continue-on-error because code scanning on a private repo requires GHAS; once that is enabled, the job stands on its own.
…blocking New two-layer workflow, following the marketplace pattern: generic rulesets (p/php, p/security-audit, p/owasp-top-ten, p/secrets, p/javascript) as informational, plus 22 Flarum v2 rules (.github/semgrep/flarum-v2.yaml) as blocking in diff-aware mode on pull_request (--baseline-commit <base> --error); on push/schedule they only report. Checkout with fetch-depth: 0. Verified locally with semgrep 1.166.0: 22 valid rules; 10 legacy findings (server-side-fetch in the export/import jobs, capsule in tests) that do not block the gate and stay in the SARIF for review.
…gate) Dedicated workflow that scans the full git history (fetch-depth: 0) for hardcoded credentials and fails the PR if it finds any. The local scan (gitleaks 8.30.0, 29 commits) found only an example key in docs in an old README, ignored by fingerprint in .gitleaksignore; with that the history comes out clean and the gate starts green. SHA-pinned actions, harden-runner in audit mode and default-deny permissions.
The repo had no .github/dependabot.yml; the sibling repos' standard config comes in (composer, npm in /js and github-actions, weekly, label dependencias). The auto-merge workflow approves and enables auto-merge (squash + delete-branch) only for Dependabot's own PRs with patch/minor updates; major updates stay for manual review. pull_request_target without checking out the PR's code: no untrusted code runs with the write token.
The package in require-dev conflicts with any dependency version that has a published advisory; composer resolution fails instead of installing a vulnerable version. Verified locally: installs cleanly, "No security vulnerability advisories found".
The repo had no static analysis at all. In come phpstan/phpstan ^2.0 in require-dev, phpstan.neon (level 6, src + extend.php) and a new CI job running vendor/bin/phpstan, blocking from the start. The 41 pre-existing findings are frozen in phpstan-baseline.neon; new code is held to level 6. Verified locally with phpstan 2.2.2 (the same version CI resolves): [OK] No errors.
ci(security): SHA-pin all actions + harden-runner v2.19.4
ci(security): CodeQL for the JS/TS frontend
ci(security): Security Scan with Semgrep + blocking Flarum-v2 rules (diff-aware)
ci(security): secret scanning with Gitleaks (blocking gate)
ci: Dependabot + auto-merge of patch/minor PRs with green CI
ci(security): roave/security-advisories as a hard CVE gate
ci(security): PHPStan level 6 blocking with a dedicated baseline
Tracks source→sink flow in PHP (SQLi, XSS, path traversal), the coverage CodeQL does not provide for PHP, relevant in a repo that extracts archives, builds SQL dumps and talks to multiple engines. vimeo/psalm ^6 in require-dev, psalm.xml scoped to src/ + extend.php and a dedicated workflow with SARIF. The gate starts blocking: taint pre-verified clean locally (psalm 6.x, "No errors found", 93.2% of types inferred).
Bumps [webpack](https://github.com/webpack/webpack) from 5.106.2 to 5.107.2.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v5.106.2...v5.107.2)

---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.107.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
ci(security): Psalm taint analysis (PHP data-flow), blocking
Owner: Generated by Claude Code
Owner: Generated by Claude Code
Bumps webpack from 5.106.2 to 5.107.2.
Release notes
Sourced from webpack's releases.
... (truncated)
Changelog
Sourced from webpack's changelog.
... (truncated)
Commits
- cfb24a4 chore(release): new release (#21019)
- c7d8a3a fix: release per-child Compilation heap pressure in MultiCompiler (#21015)
- d6cdebe fix: regression in types for ProgressPlugin (#21036)
- c073890 fix: gap-fill entryOptions when an async block reuses an existing entrypoint ...
- 78158f0 docs: streamline AGENTS.md to reduce AI hallucination (#21033)
- c61c649 test: fail on missing per-kind snapshot instead of auto-writing it (#21027)
- a514897 docs: update examples (#21031)
- cc4035b fix: remove unnecessary webpack_require in ESM library output (#21032)
- 12cb825 docs(buildChunkGraph): explain why blocksWithNestedBlocks gates the skip (#21...
- 75f60f6 fix(ConcatenatedModule): include runtimeCondition of external infos in update...

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)