Release: merge develop into main#88

Merged
stevenferey merged 20 commits into main from develop
Mar 9, 2026
Conversation

@stevenferey
Owner

Summary

  • Security hardening — sanitize email templates, remove client-side API key exposure, require JWT secrets, auth on upload, in-memory token storage, helmet, SSL verification, cookie secure by default, PII removal from logs
  • Dependency updates — react-helmet-async v3, lucide-react ^0.577.0, remove legacy-peer-deps workaround
  • SEO & meta — SEO component, sitemap/robots.txt plugins, favicon, web manifest
  • DX improvements — ESLint config updates, documentation updates, docker-compose fix

Breaking changes

  • Backend requires JWT_ACCESS_SECRET and JWT_REFRESH_SECRET environment variables (will not start without them)
  • Users will need to re-login after deploy (access token no longer persisted in localStorage)
  • Production DB deployments with self-signed certs must set DB_SSL_REJECT_UNAUTHORIZED=false

Test plan

  • Backend starts with JWT secrets configured
  • Login/logout/refresh flow works correctly
  • Signature upload requires authentication
  • Security headers present on responses (curl -I)
  • SEO meta tags render correctly
  • Sitemap and robots.txt generated on build

🤖 Generated with Claude Code

renovate bot and others added 20 commits February 21, 2026 00:40
fix(deps): update dependency lucide-react to ^0.575.0
fix(deps): update dependency lucide-react to ^0.577.0
fix(deps): update dependency react-helmet-async to v3
Remove `.npmrc` files (root and backend) that globally set
`legacy-peer-deps=true`. This was originally needed because
react-helmet-async v2 didn't declare React 19 support; this is now
resolved with v3.0.0.

Add a targeted `overrides` in package.json for the remaining
eslint-plugin-react-hooks / ESLint 10 peer dep conflict, which
will be resolved once a stable release supports ESLint 10.

Closes #67

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add escapeHtml() to sanitize firstName before interpolation in
email templates, preventing stored XSS via malicious registration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove VITE_AI_API_KEY from frontend code, env types, and
documentation. VITE_ prefixed variables are bundled into the
client JS and visible to anyone inspecting the source.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the default admin user (admin@crafter.app / admin123) from
the migration file. Admin users should be created via a dedicated
seed script instead of being embedded in migration history.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add authenticate middleware to the upload route on the backend.
On the frontend, include credentials and Authorization header
in the upload fetch request.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Throw a fatal error at startup if JWT_ACCESS_SECRET or
JWT_REFRESH_SECRET is not set, instead of falling back to
predictable default values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tgreSQL

Default rejectUnauthorized to true in production. Providers using
self-signed certs (e.g. Railway) can opt out explicitly via
DB_SSL_REJECT_UNAUTHORIZED=false.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace user email addresses with user IDs in backend auth logs.
Remove email from frontend store logs and email service logs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Invert the logic so cookies are secure by default. Only disable
the secure flag when NODE_ENV is explicitly 'development'.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace Zustand persist middleware with in-memory token store.
Access tokens are no longer written to localStorage, reducing
the XSS attack surface. Session recovery after page refresh
relies on the httpOnly refresh token cookie.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add helmet to set security headers (X-Content-Type-Options,
X-Frame-Options, Strict-Transport-Security, etc.) on all
backend responses.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Restore hardcoded admin credentials in the migration file.
The default admin password should be changed manually after
installation on each environment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fix(security): address security vulnerabilities across frontend and backend
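The commits above describe four rules (HTML-escaping template input, refusing to start without JWT secrets, Secure cookies by default, and PostgreSQL certificate verification with an explicit opt-out). The block below is an added example written for this page, not the project's own code; the template wording, the function names, and the non-production TLS behaviour are assumptions.

```javascript
// Added example, not the project's code: four of the hardening rules this PR
// describes, each as a pure function so the behaviour can be checked in isolation.
// Environment values are passed in explicitly rather than read from process.env.

// 1. Escape untrusted text before interpolating it into an HTML email template.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}
// Template name and wording are assumptions; the point is that every
// user-controlled value passes through escapeHtml() before it reaches the markup.
function welcomeEmail(firstName) {
  return `<p>Hello ${escapeHtml(firstName)}, welcome!</p>`;
}

// 2. Fail fast on missing JWT secrets instead of falling back to a default value.
function requireSecret(env, name) {
  const value = env[name];
  if (typeof value !== "string" || value.length === 0) {
    throw new Error(`Missing required environment variable ${name}`);
  }
  return value;
}
function loadJwtSecrets(env) {
  return {
    access: requireSecret(env, "JWT_ACCESS_SECRET"),
    refresh: requireSecret(env, "JWT_REFRESH_SECRET"),
  };
}

// 3. Refresh-token cookie is Secure unless NODE_ENV is exactly "development";
//    an unset or unexpected NODE_ENV keeps the safe default.
function refreshCookieOptions(nodeEnv) {
  return { httpOnly: true, secure: nodeEnv !== "development" };
}

// 4. PostgreSQL TLS: verify the server certificate in production unless the
//    operator opts out with the literal string "false". Returning no TLS options
//    outside production is an assumption of this example, not the project's rule.
function dbSslOptions(env) {
  if (env.NODE_ENV !== "production") return undefined;
  return { rejectUnauthorized: env.DB_SSL_REJECT_UNAUTHORIZED !== "false" };
}
```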
@stevenferey stevenferey merged commit bb0ecdf into main Mar 9, 2026
4 checks passed