diff --git a/CHANGELOG.md b/CHANGELOG.md index 1c5b2d5..ab6e82e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,11 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +### Security + +- Resolved CodeQL high-severity findings in backend: webhook URL platform detection now uses `urlparse` netloc comparison instead of substring matching to prevent bypass; phone number removed from SMS warning log to prevent PII exposure +- Pinned transitive `postcss` dependency to 8.5.10 via npm `overrides` to address GHSA-qx2v-qp2m-jg93 (XSS via unescaped `` in CSS stringify output); the vulnerability was in the version of postcss bundled internally by next + ### Added - GitHub Sponsors added to `.github/FUNDING.yml` as first entry; order updated to github, buy_me_a_coffee, patreon diff --git a/frontend/package-lock.json b/frontend/package-lock.json index c78a0d3..99cbe93 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -5805,34 +5805,6 @@ } } }, - "node_modules/next/node_modules/postcss": { - "version": "8.4.31", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.4.31.tgz", - "integrity": "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ==", - "funding": [ - { - "type": "opencollective", - "url": "https://opencollective.com/postcss/" - }, - { - "type": "tidelift", - "url": "https://tidelift.com/funding/github/npm/postcss" - }, - { - "type": "github", - "url": "https://github.com/sponsors/ai" - } - ], - "license": "MIT", - "dependencies": { - "nanoid": "^3.3.6", - "picocolors": "^1.0.0", - "source-map-js": "^1.0.2" - }, - "engines": { - "node": "^10 || ^12 || >=14" - } - }, "node_modules/node-exports-info": { "version": "1.6.0", "resolved": "https://registry.npmjs.org/node-exports-info/-/node-exports-info-1.6.0.tgz", diff --git a/frontend/package.json b/frontend/package.json index 60fd30a..001c894 100644 --- a/frontend/package.json +++ b/frontend/package.json @@ -20,6 +20,9 @@ "recharts": "^2.12.7", "tailwind-merge": "^2.3.0" }, + "overrides": { + "postcss": "8.5.10" + }, "devDependencies": { "@tailwindcss/typography": "^0.5.19", "@types/node": "^20", diff --git a/logs/2026-06-15.md b/logs/2026-06-15.md index 3a399c8..6d4774d 100644 --- a/logs/2026-06-15.md +++ b/logs/2026-06-15.md @@ -26,3 +26,19 @@ GitHub Sponsors is now active. GitHub displays the Sponsor button entries in the **What changed:** Removed `to_number` from the warning log at line 19. Old: `"SMS not sent to %s", to_number`. New: `"SMS not sent"` with no interpolated value. Added inline comment explaining why. **Why:** CodeQL finding #1 flagged "Clear-text logging of sensitive information" at sms_service.py:19. Phone numbers are PII. Logging them in warning output risks them appearing in aggregated log streams, monitoring dashboards, or crash reports where they do not belong. The warning message still conveys all actionable information - the operator knows Brevo is not configured - without leaking recipient data. + +--- + +## [DONE] fix/frontend-postcss branch - npm postcss vulnerability (issue #141) + +### frontend/package.json + +**What changed:** Added an `"overrides"` block pinning `"postcss": "8.5.10"`. This forces npm to deduplicate the postcss version that `next` bundles internally in `node_modules/next/node_modules/postcss`, collapsing it to the same 8.5.10 that is already the top-level devDependency. Ran `/opt/homebrew/bin/npm install` to regenerate `package-lock.json` with the override applied. Verified with `npm audit --omit=dev`: result is 0 vulnerabilities. + +**Why:** Issue #141 was opened by the biweekly security audit workflow because `npm audit --omit=dev` reported `postcss < 8.5.10` inside next's own dependency tree (GHSA-qx2v-qp2m-jg93 - XSS via unescaped `` tag in CSS stringify output). The vulnerability is in next's bundled copy, not the top-level postcss. `npm audit fix --force` would "fix" it by downgrading next to 9.3.3 which would be a major breaking change. The `overrides` field is the correct approach - it tells npm to hoist exactly one version of postcss across the whole tree without changing any declared dependencies. + +**Design tradeoff:** Overriding a transitive dependency is a mild coupling risk - if next starts requiring an incompatible postcss API in a future release, the override could silently break the build. However postcss 8.x is stable; 8.5.10 vs 8.4.x is a patch range with no breaking API changes. The risk is low and the alternative (shipping with a known XSS advisory) is worse. + +### CHANGELOG.md + +Added a `### Security` subsection under `[Unreleased]` documenting both the backend CodeQL fixes (from PR #144) and the postcss override. Issue #141 acceptance criteria required documenting resolved advisories in CHANGELOG or release notes.