Security upgrades #1

frostyfan109 · 2025-06-24T20:32:30Z

Pulls in latest version of filebrowser and mitigates most vulnerabilities that can be patched without causing instability.

…ilebrowser#3574)

…owser#3618) Bumps [vue-i18n](https://github.com/intlify/vue-i18n/tree/HEAD/packages/vue-i18n) from 9.10.2 to 9.14.2. - [Release notes](https://github.com/intlify/vue-i18n/releases) - [Changelog](https://github.com/intlify/vue-i18n/blob/master/CHANGELOG.md) - [Commits](https://github.com/intlify/vue-i18n/commits/v9.14.2/packages/vue-i18n) --- updated-dependencies: - dependency-name: vue-i18n dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

This commit brings the project to support node 22 which became LTS and fixes broken builds with typescript 5.7+ until vue-tsc is updated and replaces npm with pnpm. - Update tsconfig for node 22 - Pin typescript to 5.6.x to not break vue-tsc - Replace npm with pnpm (corepack recommended) - Update Makefile and main workflow for pnpm - Migrate to eslint 9 flat config - Fix broken imports - Exclude non-TS vue files for vue-tsc

…ser#3601) Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. - [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md) - [Commits](moxystudio/node-cross-spawn@v7.0.3...v7.0.6) --- updated-dependencies: - dependency-name: cross-spawn dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ebrowser#3569) --------- Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

…ser#3634) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.26.0 to 0.31.0. - [Commits](golang/crypto@v0.26.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

--------- Co-authored-by: Ryan Miller <ryan.miller@infinitetactics.com> Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

…ish) language (filebrowser#3704)

* Update dependencies and remove typescript version pinning (fixed upstream) * Fix esling warnings (disabled any and script lang checks) Rewrote clipboard copy (Fixes filebrowser#3407) Run prettier --------- Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

…#3712) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.23.0 to 0.33.0. - [Commits](golang/net@v0.23.0...v0.33.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

* Fix user creation on proxy auth * Refactoring --------- Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

…owser#3786) Bumps [vue-i18n](https://github.com/intlify/vue-i18n/tree/HEAD/packages/vue-i18n) from 11.0.1 to 11.1.2. - [Release notes](https://github.com/intlify/vue-i18n/releases) - [Changelog](https://github.com/intlify/vue-i18n/blob/master/CHANGELOG.md) - [Commits](https://github.com/intlify/vue-i18n/commits/v11.1.2/packages/vue-i18n) --- updated-dependencies: - dependency-name: vue-i18n dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…wser#3886) Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.0.11 to 6.1.6. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.1.6/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.1.6/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 6.1.6 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ser#3865) Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.31.0 to 0.35.0. - [Commits](golang/crypto@v0.31.0...v0.35.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-version: 0.35.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…#3869)

This should help mitigate issues like filebrowser#3646

…rowser#4903)

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>

…ilebrowser#4638)

github-actions · 2025-06-24T20:32:39Z

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Security upgrades". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

dependabot bot and others added 30 commits November 5, 2024 06:49

build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (f…

2fdea73

…ilebrowser#3574)

feat: create user on proxy authentication if user does not exist (fil…

209acf2

…ebrowser#3569) --------- Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

fix: prompts disappearing on copy / move / upload (filebrowser#3537)

d1c84a8

--------- Co-authored-by: Ryan Miller <ryan.miller@infinitetactics.com> Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

chore: add translation for the "Hide dot files setting" in "es" (Span…

cc33138

…ish) language (filebrowser#3704)

chore: update ko.json (filebrowser#3688)

252f0a7

fix: add proper healthcheck for S6 containers (filebrowser#3691)

045064f

Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

fix: disk usage refreshing (filebrowser#3692)

bbdd313

Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

fix: Fix user creation on proxy auth (filebrowser#3666)

5300d00

* Fix user creation on proxy auth * Refactoring --------- Co-authored-by: Oleg Lobanov <oleg@lobanov.me>

build: fix go releaser

ba797cd

chore(release): 2.32.0

3d6c515

Update french translation

99c64c1

Merge branch 'master' into patch-1

f8a16a6

build(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 (filebrowser…

cfea84f

…#3869)

Merge branch 'master' into patch-1

7a48fd0

Merge pull request filebrowser#3793 from Kcchouette/patch-1

ff1579b

Update Polish translation

495e731

chore: Update Polish translation

6d55cc5

Merge pull request filebrowser#3776 from Matthaiks/pl

1d14798

fix: generate random admin password on quick setup

a46acba

This should help mitigate issues like filebrowser#3646

fix: imports lint

54b91b8

fix: err shadowing lint

c606a01

hacdias and others added 24 commits June 11, 2025 18:51

chore: update Go dependencies

e82e239

chore: updated readme and templates

abbf203

chore: updated readme and template

31a3266

ci: add transifex.yml

6d82a27

ci: remove manual .tx config

b6b4fb5

chore: add only translated mode to transifex

54a1ae0

chore: revert only translated mode to transifex

5daae69

feat: improve pt-br translations with new keys and refinements (fileb…

a882fb6

…rowser#4903)

feat: update translation ko.json (filebrowser#3852)

d9ebd65

feat: add Vietnamese translation (filebrowser#3840)

56b80b6

chore(release): 2.32.1

56a0f92

feat: updated for project File Browser (filebrowser#5159)

c34c0af

Co-authored-by: transifex-integration[bot] <43880903+transifex-integration[bot]@users.noreply.github.com>

docs: move most docs to main repository (filebrowser#5141)

0cca7d8

ci: add @hacdias as codeowner

4aee14d

ci: update gorelease homebrew

db671c2

chore(release): 2.32.2

6ebfdcc

ci: fix the post install tap command

1cc539e

chore(release): 2.32.3

04a13f0

feat: improved docker image volumes and permissions (filebrowser#5160)

2e26393

chore(release): 2.33.0

e9bb3dc

fix: search uses ctrl+shift+f instead of hijacking browser's ctrl+f (f…

a02b297

…ilebrowser#4638)

Bring debian filebrowser build up-to-date

729b0e8

Use builder image isolation and replace vulnerable packages when doable

6381a16

Statically link binary by default, remove custom build

fa603eb

frostyfan109 requested review from joshua-seals and waTeim June 24, 2025 20:32

manually install libnss-ldap instead of libnss-ldapd

e44aadd

waTeim approved these changes Aug 13, 2025

View reviewed changes

frostyfan109 merged commit e44aadd into master Dec 14, 2025
7 of 8 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security upgrades #1

Security upgrades #1

Uh oh!

frostyfan109 commented Jun 24, 2025

Uh oh!

github-actions bot commented Jun 24, 2025 •

edited

Loading

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

Security upgrades #1

Security upgrades #1

Uh oh!

Conversation

frostyfan109 commented Jun 24, 2025

Uh oh!

github-actions bot commented Jun 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

github-actions bot commented Jun 24, 2025 •

edited

Loading