[PR #5278] [MERGED] chore: security patches for the dependency chain #5136

Closed
opened 2026-03-17 02:36:50 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5278
Author: @mirarifhasan
Created: 7/25/2025
Status: Merged
Merged: 7/28/2025
Merged by: @jamesgeorge007

Base: next ← Head: chore/secutiry-fix-2025-7-0


📝 Commits (3)

  • e5fcdef chore: bump backend deps (https://github.com/hoppscotch/hoppscotch/commit/e5fcdef9fbef52745bfb914597dbad862568f172)
  • 2c96ec6 chore: clean up dependency overrides (https://github.com/hoppscotch/hoppscotch/commit/2c96ec627cd4019197ba059e48d31322fc91aa1f)
  • 06f0b15 chore: optimize Dockerfile builds (https://github.com/hoppscotch/hoppscotch/commit/06f0b1544d63935259415e186c805a2d99cf61cc)

📊 Changes

8 files changed (+2569 additions, -1988 deletions)

📝 package.json (+1 -3)
📝 packages/hoppscotch-backend/package.json (+29 -30)
📝 packages/hoppscotch-backend/src/posthog/posthog.service.ts (+5 -12)
📝 packages/hoppscotch-selfhost-desktop/package.json (+1 -0)
📝 packages/hoppscotch-selfhost-web/package.json (+1 -0)
📝 packages/hoppscotch-sh-admin/package.json (+1 -0)
📝 pnpm-lock.yaml (+2490 -1851)
📝 prod.Dockerfile (+41 -92)

📄 Description

Closes SHBE-553

This PR updates backend dependencies and optimizes the production Dockerfile to address vulnerabilities and improve maintainability.

What's changed

Backend Dependencies

  • Updated hoppscotch-backend dependencies to the latest versions that fix known vulnerabilities.

pnpm Overrides

  • Removed overrides for cookie and multer as the updated hoppscotch-backend dependencies no longer require them to be overridden.

Dockerfile Optimization (prod.Dockerfile)

  • Updated Caddy from 2.9.1 to 2.10.0 to address Caddy-specific vulnerabilities.
  • Introduced a reusable node_base build stage to reduce repetition and improve maintainability.
  • Added dotenv and autofixer dependencies across relevant packages instead of depending on hoisting.

Notes to reviewers

Make sure the containers (backend, app, sh-admin, aio) boot and function properly.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
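The PR drops the pnpm overrides for cookie and multer on the grounds that the bumped dependencies no longer need them. The check below is an added example, not code from the hoppscotch repository: it decides whether an override is redundant by testing whether the lowest version every dependent already admits satisfies the override range. The override ranges and dependent ranges are constructed sample data (the real ones are not on this page), and only the range forms "x.y.z", "^x.y.z", "~x.y.z" and ">=x.y.z" are handled.

```javascript
// Added example, not part of the hoppscotch PR. Minimal semver handling for the
// range forms named in the lead-in; no prerelease tags or compound ranges.
function parse(v) {
  return v.replace(/^[\^~>=\s]+/, "").split(".").map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Does parsed version v satisfy range r?
function satisfies(v, r) {
  const lo = parse(r);
  if (r.startsWith(">=")) return cmp(v, lo) >= 0;
  if (r.startsWith("^")) {
    // caret: not below lo, same major (or same minor while major is 0)
    if (cmp(v, lo) < 0) return false;
    return lo[0] === 0 ? v[0] === 0 && v[1] === lo[1] : v[0] === lo[0];
  }
  if (r.startsWith("~")) return cmp(v, lo) >= 0 && v[0] === lo[0] && v[1] === lo[1];
  return cmp(v, lo) === 0; // exact pin
}
// An override is redundant only when the lowest version each dependent's own
// range admits already satisfies the override, so removing the override cannot
// let the resolver pick a version the override was keeping out. A package with
// no known dependents is reported as NOT redundant, the conservative answer.
function redundantOverrides(overrides, dependentRanges) {
  const result = {};
  for (const [name, range] of Object.entries(overrides)) {
    const ranges = dependentRanges[name] || [];
    result[name] = ranges.length > 0 && ranges.every((r) => satisfies(parse(r), range));
  }
  return result;
}

// Constructed sample: "pnpm.overrides" from package.json and the ranges that the
// dependents declare for each package. Values are placeholders for illustration.
const overrides = { cookie: ">=0.7.0", multer: ">=2.0.0", "example-lib": ">=1.3.0" };
const dependentRanges = {
  cookie: ["^0.7.1", "0.7.2"],
  multer: ["^2.0.1"],
  "example-lib": ["~1.2.0", "^1.3.0"], // one dependent still admits 1.2.x
};
console.log(redundantOverrides(overrides, dependentRanges));
// → { cookie: true, multer: true, 'example-lib': false }
```

Run it against the real override map and the dependents' declared ranges before deleting an override; a `false` means the bump alone does not yet pin the package where the override did.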
