
deps: upgrade cartridge/matcha + patch security advisories#40

Merged
karloscodes merged 3 commits into main from chore/upgrade-deps-security on May 24, 2026

Conversation

@karloscodes

Owner

Dependency upgrades (cartridge/matcha) plus the security advisories surfaced by dependabot + govulncheck + npm audit.

Upgrades

  • cartridge 0.13.4 → 0.15.0 (additive: Context.Bind, Inertia/PRG helpers)
  • matcha 0.12.13 → 0.12.18 (bug fixes: backups, multi-app deploy)

Security fixes

| Issue | Fix | Source |
| --- | --- | --- |
| fiber AutoFormat XSS | → 2.52.13 | dependabot #34 |
| x/net HTML XSS/DoS + HTTP/2 loop (5+) | → 0.55.0 | govulncheck |
| stdlib html/template XSS, crypto/tls, x509, net/url | Go toolchain → 1.25.10 | govulncheck |
| brace-expansion DoS, ip-address XSS | npm audit fix | dependabot #31 |
| @tootallnate/once build chain (5 low) | sqlite3 → 6.0.1 | dependabot #33 |

Also fixes the broken make release target (now a tag + push wrapper for the GoReleaser pipeline, matching fusionaly-oss).

Verification

  • govulncheck: 17 reachable vulns → 0
  • npm audit (e2e): 7 vulns → 0
  • go build, go vet, unit tests pass under Go 1.25.10; sqlite3 v6 native module smoke-tested

Supersedes dependabot PRs #34, #33, #31, #22, #23 (auto-close after merge).
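Added example, not code from this PR or from the project: a stdlib-only Go checker that parses a go.mod and reports any module pinned below the fixed versions listed in the table above (fiber 2.52.13, golang.org/x/net 0.55.0, Go toolchain 1.25.10). The module path `github.com/gofiber/fiber/v2` is my assumption of what "fiber" refers to, and the two go.mod fragments are constructed to mirror the before/after state of this PR. A check like this is a cheap CI guard against a later `go get` silently re-introducing a version below the advisory floor.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Floors are the first releases carrying the advisory fixes named in the PR.
// The module paths are an assumption (the PR only says "fiber" and "x/net").
var Floors = map[string]string{
	"github.com/gofiber/fiber/v2": "v2.52.13",
	"golang.org/x/net":            "v0.55.0",
}

// MinGo is the toolchain floor from the PR (html/template, crypto/tls, x509, net/url fixes).
const MinGo = "1.25.10"

// ParseGoMod extracts the effective toolchain version and the required module
// versions from go.mod text. It handles single-line and block "require" forms,
// strips "// indirect" comments, and lets a "toolchain" directive override "go".
func ParseGoMod(src string) (goVersion string, requires map[string]string) {
	requires = map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		switch {
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			requires[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			requires[f[1]] = f[2]
		case f[0] == "toolchain" && len(f) == 2:
			goVersion = strings.TrimPrefix(f[1], "go")
		case f[0] == "go" && len(f) == 2 && goVersion == "":
			goVersion = f[1]
		}
	}
	return goVersion, requires
}

// numericParts turns "v2.52.13" or "1.25.10" into [2 52 13] / [1 25 10],
// dropping a leading "v" and any "-pre" or "+meta" suffix.
func numericParts(v string) []int {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = 0 // non-numeric segment counts as zero
		}
		out = append(out, n)
	}
	return out
}

// CompareVersions orders two dotted versions numerically; returns -1, 0 or 1.
func CompareVersions(a, b string) int {
	pa, pb := numericParts(a), numericParts(b)
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x = pa[i]
		}
		if i < len(pb) {
			y = pb[i]
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// CheckFloors returns one sorted finding per module or toolchain below its floor.
// An empty result means every advisory from the PR table is covered.
func CheckFloors(src string) []string {
	goVersion, requires := ParseGoMod(src)
	var findings []string
	if CompareVersions(goVersion, MinGo) < 0 {
		findings = append(findings, fmt.Sprintf("go toolchain %s < %s", goVersion, MinGo))
	}
	for mod, floor := range Floors {
		got, ok := requires[mod]
		if ok && CompareVersions(got, floor) < 0 {
			findings = append(findings, fmt.Sprintf("%s %s < %s", mod, got, floor))
		}
	}
	sort.Strings(findings)
	return findings
}

// Constructed go.mod fragments: the pins before and after this PR.
const BeforeGoMod = "module example.com/app\n\ngo 1.25.5\n\nrequire (\n" +
	"\tgithub.com/gofiber/fiber/v2 v2.52.12\n\tgolang.org/x/net v0.49.0 // indirect\n)\n"

const AfterGoMod = "module example.com/app\n\ngo 1.25.5\n\ntoolchain go1.25.10\n\nrequire (\n" +
	"\tgithub.com/gofiber/fiber/v2 v2.52.13\n\tgolang.org/x/net v0.55.0 // indirect\n)\n"

func main() {
	fmt.Println("before:", CheckFloors(BeforeGoMod)) // 3 findings
	fmt.Println("after: ", CheckFloors(AfterGoMod))  // []
}
```

Run it against a real go.mod by reading the file into `CheckFloors` and failing the build when the returned slice is non-empty; note that a `toolchain` directive only raises the effective version if the local Go honours it, so the same floor should also be applied to the toolchain actually used in CI.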

- cartridge v0.13.4 -> v0.15.0 (additive: Context.Bind, Inertia/PRG helpers)
- matcha v0.12.13 -> v0.12.18 (bug fixes: backups, multi-app deploy)
- fiber v2.52.12 -> v2.52.13 (XSS in AutoFormat content negotiation)
- golang.org/x/net v0.49.0 -> v0.55.0 (HTML-parse XSS/DoS, HTTP/2 loop)
- Go toolchain 1.25.5 -> 1.25.10 (html/template XSS, crypto/tls, x509, net/url)

govulncheck: 17 reachable vulns -> 0.

- sqlite3 ^5.1.7 -> ^6.0.1, dropping the vulnerable node-gyp/@tootallnate/once
  build chain (5 low advisories)
- brace-expansion (DoS) and ip-address (XSS) bumped via npm audit fix

npm audit: 7 vulns -> 0.

The scripts/release.sh referenced by 'make release' was removed when the
custom installer was replaced with matcha, leaving the target broken.
Replace it with an inline tag + push wrapper (matching fusionaly-oss) that
triggers the existing tag-driven GoReleaser pipeline.

Usage: make release v=3.0.5

@karloscodes karloscodes merged commit dfe463d into main May 24, 2026
9 checks passed
@karloscodes karloscodes deleted the chore/upgrade-deps-security branch May 24, 2026 09:56