Patch vuln: React-Flight CVE-2025-66478 / CVE-2025-55182

.github/dependabot.yml

@@ -0,0 +1,59 @@
+# Dependabot configuration for automatic security updates
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  # JavaScript/npm ecosystem
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+      timezone: "America/New_York"
+
+    # Limit open PRs to avoid noise
+    open-pull-requests-limit: 10
+
+    # Group minor/patch updates to reduce PR noise
+    groups:
+      # Group all patch updates together
+      patch-updates:
+        patterns:
+          - "*"
+        update-types:
+          - "patch"
+
+      # Group dev dependencies
+      dev-dependencies:
+        patterns:
+          - "*"
+        dependency-type: "development"
+        update-types:
+          - "minor"
+          - "patch"
+
+    # Reviewers for dependency PRs (add your GitHub username)
+    # reviewers:
+    #   - "your-username"
+
+    # Labels for PRs
+    labels:
+      - "dependencies"
+      - "automated"
+
+    # Commit message format
+    commit-message:
+      prefix: "chore(deps)"
+      include: "scope"
+
+  # GitHub Actions updates
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    labels:
+      - "dependencies"
+      - "ci"
+

.github/workflows/security-audit.yml

@@ -0,0 +1,74 @@
+name: Security Audit
+
+on:
+  # Run on every PR to main/master
+  pull_request:
+    branches: [main, master]
+
+  # Run on pushes to main (catches direct commits)
+  push:
+    branches: [main, master]
+
+  # Weekly scan: Sunday at 2 AM UTC
+  # Catches newly disclosed vulnerabilities in existing dependencies
+  schedule:
+    - cron: '0 2 * * 0'
+
+  # Allow manual trigger from GitHub UI
+  workflow_dispatch:
+
+jobs:
+  audit:
+    name: Dependency Security Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Enable Corepack (for Yarn 4)
+        run: corepack enable
+
+      - name: Install dependencies
+        run: yarn install --immutable
+
+      - name: Run security audit (critical)
+        run: yarn npm audit --severity critical
+
+      - name: Run security audit (high) - warning only
+        run: yarn npm audit --severity high || true
+        # Non-blocking for high severity, but visible in logs
+
+      # Optional: Create GitHub issue on scheduled run failure
+      - name: Create issue on vulnerability found
+        if: failure() && github.event_name == 'schedule'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const title = '🚨 Security Vulnerability Detected';
+            const body = `A scheduled security audit found critical vulnerabilities in dependencies.\n\nRun \`yarn npm audit\` locally to see details.\n\n[View workflow run](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`;
+
+            // Check if issue already exists
+            const issues = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              state: 'open',
+              labels: 'security'
+            });
+
+            const existingIssue = issues.data.find(i => i.title === title);
+            if (!existingIssue) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: title,
+                body: body,
+                labels: ['security', 'dependencies']
+              });
+            }
+

.husky/pre-push

@@ -0,0 +1,32 @@
+#!/usr/bin/env sh
+# =============================================================================
+# Pre-push Security Audit Hook
+# Platform: macOS / Linux / Git Bash on Windows
+# =============================================================================
+# This hook runs before 'git push' and blocks if critical vulnerabilities exist.
+# To bypass in emergencies: git push --no-verify
+# =============================================================================
+
+set -e
+
+echo ""
+echo "🔒 Running security audit before push..."
+echo ""
+
+# Run the audit
+if yarn npm audit --severity critical; then
+    echo ""
+    echo "✅ No critical vulnerabilities found. Pushing..."
+    echo ""
+    exit 0
+else
+    echo ""
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "❌ PUSH BLOCKED: Critical security vulnerabilities found!"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+    echo "To see details:     yarn audit"
+    echo "To bypass (unsafe): git push --no-verify"
+    echo ""
+    exit 1
+fi

.husky/pre-push.bat

@@ -0,0 +1,31 @@
+@echo off
+REM =============================================================================
+REM Pre-push Security Audit Hook
+REM Platform: Windows (CMD / PowerShell)
+REM =============================================================================
+REM This hook runs before 'git push' and blocks if critical vulnerabilities exist.
+REM To bypass in emergencies: git push --no-verify
+REM =============================================================================
+
+echo.
+echo [Security] Running security audit before push...
+echo.
+
+call yarn npm audit --severity critical
+
+if %ERRORLEVEL% EQU 0 (
+    echo.
+    echo [OK] No critical vulnerabilities found. Pushing...
+    echo.
+    exit /b 0
+) else (
+    echo.
+    echo ====================================================================
+    echo [BLOCKED] PUSH BLOCKED: Critical security vulnerabilities found!
+    echo ====================================================================
+    echo.
+    echo To see details:     yarn audit
+    echo To bypass (unsafe): git push --no-verify
+    echo.
+    exit /b 1
+)