deps: upgrade cartridge/matcha + patch security advisories #40
Merged
Conversation
- cartridge v0.13.4 -> v0.15.0 (additive: Context.Bind, Inertia/PRG helpers)
- matcha v0.12.13 -> v0.12.18 (bug fixes: backups, multi-app deploy)
- fiber v2.52.12 -> v2.52.13 (XSS in AutoFormat content negotiation)
- golang.org/x/net v0.49.0 -> v0.55.0 (HTML-parse XSS/DoS, HTTP/2 loop)
- Go toolchain 1.25.5 -> 1.25.10 (html/template XSS, crypto/tls, x509, net/url)

govulncheck: 17 reachable vulns -> 0.
- sqlite3 ^5.1.7 -> ^6.0.1, dropping the vulnerable node-gyp/@tootallnate/once build chain (5 low advisories)
- brace-expansion (DoS) and ip-address (XSS) bumped via npm audit fix

npm audit: 7 vulns -> 0.
The scripts/release.sh referenced by 'make release' was removed when the custom installer was replaced with matcha, leaving the target broken. Replace it with an inline tag + push wrapper (matching fusionaly-oss) that triggers the existing tag-driven GoReleaser pipeline.

Usage: make release v=3.0.5
Dependency upgrades (cartridge/matcha) plus the security advisories surfaced by dependabot + govulncheck + npm audit.

Upgrades

- cartridge 0.13.4 → 0.15.0 (additive: Context.Bind, Inertia/PRG helpers)
- matcha 0.12.13 → 0.12.18 (bug fixes: backups, multi-app deploy)

Security fixes

Also fixes the broken make release target (now a tag + push wrapper for the GoReleaser pipeline, matching fusionaly-oss).

Verification

- govulncheck: 17 reachable vulns → 0
- npm audit (e2e): 7 vulns → 0
- go build, go vet, unit tests pass under Go 1.25.10; sqlite3 v6 native module smoke-tested

Supersedes dependabot PRs #34, #33, #31, #22, #23 (auto-close after merge).
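The "tag + push wrapper" that the release commit message and the PR description refer to, written here as an added example for this page; it is not the project's own Makefile target, the removed scripts/release.sh, or the fusionaly-oss script it says it matches. It assumes the pipeline is keyed on tags named vMAJOR.MINOR.PATCH, that the remote is called "origin", and that the version is passed without a "v" prefix (as in `make release v=3.0.5`); the function names valid_version, tag_name and release are hypothetical. The checks before tagging (strict version syntax, clean working tree, no pre-existing tag) are the ones a reviewer would want in a wrapper that kicks off an unattended release build.

```shell
#!/bin/sh
# Added example of a tag-and-push release wrapper; not the project's own code.
# Assumptions: release tags are named vMAJOR.MINOR.PATCH, the remote is "origin",
# and the version argument carries no "v" prefix.

# valid_version: accept only MAJOR.MINOR.PATCH made of digits and dots.
valid_version() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  # exactly two dots, so exactly three numeric fields
  [ "$(printf '%s' "$1" | tr -cd .)" = '..' ]
}

# tag_name: the tag a tag-driven GoReleaser pipeline would key on (assumed "v" prefix).
tag_name() {
  printf 'v%s' "$1"
}

# release: validate the version, refuse unsafe states, then create and push the tag.
release() {
  v="$1"
  if ! valid_version "$v"; then
    echo "usage: release MAJOR.MINOR.PATCH (e.g. 3.0.5)" >&2
    return 2
  fi
  tag="$(tag_name "$v")"
  # Refuse to tag a tree with uncommitted changes: the tag must point at
  # exactly what was reviewed and committed.
  if [ -n "$(git status --porcelain)" ]; then
    echo "refusing to tag: working tree has uncommitted changes" >&2
    return 1
  fi
  # Refuse to reuse a tag; moving a release tag silently re-points a build.
  if git rev-parse -q --verify "refs/tags/$tag" >/dev/null 2>&1; then
    echo "refusing to tag: $tag already exists" >&2
    return 1
  fi
  # Annotated tag (carries tagger and date); push only that one ref.
  git tag -a "$tag" -m "Release $tag" && git push origin "refs/tags/$tag"
}

# Invoked as a script: ./release.sh 3.0.5 (a Makefile target would pass $(v)).
if [ "$#" -eq 1 ]; then
  release "$1"
fi
```

Pushing the single ref `refs/tags/$tag` rather than `--tags` keeps stray local tags from reaching the remote and starting builds that nobody asked for.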