[PR #5887] [MERGED] chore: security patch for the dependency chain v2026.2.0 #5391

Closed
opened 2026-03-17 02:50:41 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/hoppscotch/hoppscotch/pull/5887
Author: @mirarifhasan
Created: 2/17/2026
Status: Merged
Merged: 2/19/2026
Merged by: @jamesgeorge007

Base: next ← Head: chore/security-fix-2026-2-0


📝 Commits (4)

  • 2fd6fdb chore: bump dependency versions and update lockfile
  • 164b469 chore: verify Go tarball checksum in Dockerfile
  • 28a4ae2 chore: pin form-data and harden Docker build
  • 03a6da3 chore: bump non-major dependencies across packages

📊 Changes

13 files changed (+2848 additions, -5375 deletions)

View changed files

📝 package.json (+8 -8)
📝 packages/hoppscotch-agent/package.json (+11 -11)
📝 packages/hoppscotch-backend/package.json (+27 -27)
📝 packages/hoppscotch-cli/package.json (+7 -7)
📝 packages/hoppscotch-common/package.json (+26 -26)
📝 packages/hoppscotch-data/package.json (+1 -1)
📝 packages/hoppscotch-desktop/package.json (+10 -10)
📝 packages/hoppscotch-js-sandbox/package.json (+6 -6)
📝 packages/hoppscotch-kernel/package.json (+3 -3)
📝 packages/hoppscotch-selfhost-web/package.json (+17 -17)
📝 packages/hoppscotch-sh-admin/package.json (+18 -18)
📝 pnpm-lock.yaml (+2675 -5200)
📝 prod.Dockerfile (+39 -41)

📄 Description

Closes BE-716, FE-1131.

What's changed

This pull request primarily updates dependencies across the backend and Docker build files to address vulnerabilities and keep the stack current. The most significant changes include updating the Go and Node.js base images, bumping various package versions (including security-related ones), and restructuring the Dockerfile build stages for improved clarity and maintainability.

Dockerfile and build process improvements:

  • Upgraded the Go base image to alpine:3.23.3 and Go version to 1.26.0 (from 1.25.6), addressing CVE-2025-47907, and restructured the Dockerfile to separate the Caddy build stage for better clarity and maintainability.
  • Updated the Node.js base image to alpine:3.23.3, upgraded NPM to 11.10.0 (from 11.7.0), and PNPM to 10.29.3 (from 10.28.1), and simplified the vulnerability patching steps for glob, tar, and diff dependencies.

Backend and dependency updates:

  • Updated multiple backend dependencies in packages/hoppscotch-backend/package.json, including major/minor bumps for @nestjs/*, @prisma/*, nodemailer, pg, dotenv, posthog-node, prisma, and various dev dependencies, ensuring improved security and compatibility.
  • Updated main package.json to bump versions for hono, lodash, nodemailer, qs, and adjust version ranges for some dependencies, keeping the stack up to date and secure.

Notes to reviewers

Nil


Summary by cubic

Security patch for the dependency chain to reduce CVE exposure and modernize build/runtime images. Addresses BE-716 by upgrading Go/Node bases, adding checksum verification, pinning risky packages, and updating backend, frontend, and root dependencies.

  • Dependencies

    • Backend: bumped NestJS, Prisma 7.4, pg 8.18, nodemailer 8.0.1, dotenv 17.3.1, express-session 1.19.0, posthog-node 5.24.x, and lint/test tooling (eslint 10.0.0, @eslint/js 10.0.1, ts-eslint 8.56, prettier 3.8.1).
    • Apps/packages: refreshed axios 1.13.5, lodash/lodash-es 4.17.23, vue 3.5.28, qs 6.15.0, codegen/vite plugins; minor bumps across common, cli, desktop, kernel, selfhost-web, sh-admin, js-sandbox.
    • Root: updated hono 4.11.7, lodash 4.17.23, qs 6.14.2; pinned form-data 4.0.4; set nodemailer 7.0.11 override; tightened execa (<2.0.0 ⇒ 2.0.0), keep glob 11.1.0; refreshed pnpm lockfile.
  • Refactors

    • prod.Dockerfile: Alpine 3.23.3 and Go 1.26.0; added checksum verification for Go tarball and Caddy source; split Caddy stage; vendored deps and kept quic-go/crypto/smallstep patches; dropped nebula patch.
    • Node base: npm 11.10.0, pnpm 10.29.3; keep glob@11.1.0 and replace tar with 7.5.8 (propagated to npm and pnpm); removed diff replacement; simplified and hardened build steps.

Written for commit 03a6da3828. Summary will update on new commits.
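The checksum verification the summary describes for the Go tarball and Caddy source is the fail-closed pattern below, written here as an added illustration in POSIX shell; it is not hoppscotch's prod.Dockerfile (whose diff is not shown on this page). The function and variable names are assumptions, the sample file is constructed, and a real build would pin the digest published with the Go release instead of the demo value.

```shell
#!/bin/sh
# Added example, not the project's Dockerfile: pin the expected SHA-256 of a
# build input in the build definition and refuse to unpack anything that
# does not hash to it. Equivalent to a RUN step of the form
#   echo "<hex>  go.tgz" | sha256sum -c -   (GNU/busybox coreutils)
set -eu

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# fetch_verified URL DEST EXPECTED_HEX
# Downloads URL to DEST and removes DEST on mismatch, so a later
# "tar -xzf DEST" can never operate on an unverified archive.
# (Not called in the demo below; it needs network access.)
fetch_verified() {
  url=$1; dest=$2; expected=$3
  wget -q -O "$dest" "$url"
  if ! verify_sha256 "$dest" "$expected"; then
    rm -f "$dest"
    echo "checksum mismatch for $url, aborting build" >&2
    return 1
  fi
}

# Constructed demo input: the SHA-256 of the six bytes "hello\n" is known,
# and an all-zero digest stands in for a tampered or wrong pin.
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  verify_sha256 "$tmp" "$good" && echo "pinned digest matches: continue build"
  verify_sha256 "$tmp" "$bad" || echo "digest mismatch: build must fail"
  rm -f "$tmp"
}

demo
```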


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
