Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,11 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

### Security

- Resolved CodeQL high-severity findings in backend: webhook URL platform detection now uses `urlparse` netloc comparison instead of substring matching to prevent bypass; phone number removed from SMS warning log to prevent PII exposure
- Pinned transitive `postcss` dependency to 8.5.10 via npm `overrides` to address GHSA-qx2v-qp2m-jg93 (XSS via unescaped `</style>` in CSS stringify output); the vulnerability was in the version of postcss bundled internally by next

### Added

- GitHub Sponsors added to `.github/FUNDING.yml` as first entry; order updated to github, buy_me_a_coffee, patreon
Expand Down
28 changes: 0 additions & 28 deletions frontend/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions frontend/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@
"recharts": "^2.12.7",
"tailwind-merge": "^2.3.0"
},
"overrides": {
"postcss": "8.5.10"
},
"devDependencies": {
"@tailwindcss/typography": "^0.5.19",
"@types/node": "^20",
Expand Down
16 changes: 16 additions & 0 deletions logs/2026-06-15.md
Original file line number Diff line number Diff line change
Expand Up @@ -26,3 +26,19 @@ GitHub Sponsors is now active. GitHub displays the Sponsor button entries in the
**What changed:** Removed `to_number` from the warning log at line 19. Old: `"SMS not sent to %s", to_number`. New: `"SMS not sent"` with no interpolated value. Added inline comment explaining why.

**Why:** CodeQL finding #1 flagged "Clear-text logging of sensitive information" at sms_service.py:19. Phone numbers are PII. Logging them in warning output risks them appearing in aggregated log streams, monitoring dashboards, or crash reports where they do not belong. The warning message still conveys all actionable information - the operator knows Brevo is not configured - without leaking recipient data.

---

## [DONE] fix/frontend-postcss branch - npm postcss vulnerability (issue #141)

### frontend/package.json

**What changed:** Added an `"overrides"` block pinning `"postcss": "8.5.10"`. This forces npm to deduplicate the postcss version that `next` bundles internally in `node_modules/next/node_modules/postcss`, collapsing it to the same 8.5.10 that is already the top-level devDependency. Ran `/opt/homebrew/bin/npm install` to regenerate `package-lock.json` with the override applied. Verified with `npm audit --omit=dev`: result is 0 vulnerabilities.

**Why:** Issue #141 was opened by the biweekly security audit workflow because `npm audit --omit=dev` reported `postcss < 8.5.10` inside next's own dependency tree (GHSA-qx2v-qp2m-jg93 - XSS via unescaped `</style>` tag in CSS stringify output). The vulnerability is in next's bundled copy, not the top-level postcss. `npm audit fix --force` would "fix" it by downgrading next to 9.3.3 which would be a major breaking change. The `overrides` field is the correct approach - it tells npm to hoist exactly one version of postcss across the whole tree without changing any declared dependencies.

**Design tradeoff:** Overriding a transitive dependency is a mild coupling risk - if next starts requiring an incompatible postcss API in a future release, the override could silently break the build. However postcss 8.x is stable; 8.5.10 vs 8.4.x is a patch range with no breaking API changes. The risk is low and the alternative (shipping with a known XSS advisory) is worse.

### CHANGELOG.md

Added a `### Security` subsection under `[Unreleased]` documenting both the backend CodeQL fixes (from PR #144) and the postcss override. Issue #141 acceptance criteria required documenting resolved advisories in CHANGELOG or release notes.
Loading