
chore: resolve GH security findings and refresh dependencies#113

Merged: smnmsr merged 14 commits into main from chore/gh-security-and-dependency-updates on Apr 21, 2026

Conversation

@smnmsr (Collaborator) commented Apr 21, 2026

This PR closes the open GitHub security findings, refreshes PHP and npm dependencies, and hardens CI/security automation so updates and checks are more reliable across platforms.

Details

  • app.js - replaces hash-based querySelector usage with safe ID lookup to resolve the CodeQL DOM-XSS finding.
  • tests.yml - adds explicit workflow token permissions to satisfy least-privilege guidance.
  • composer.lock and package-lock.json - updates backend/frontend dependencies, including patched vite@8.0.9 for Dependabot advisories.
  • admin-pages.spec.mjs - switches Artisan command execution to argument-based calls so admin smoke tests run on both Windows and Unix.
  • dependabot.yml - removes overlapping update entries and keeps valid grouped updates for major vs minor/patch.
  • security.yml - adds dedicated lockfile consistency checks plus Composer/NPM audit gates (Composer fails on medium+, npm fails on high+).
  • deploy.yml, e2e.yml, and lint.yml - tightens workflow permissions and pins third-party actions to stable version tags.

Notes

  • Custom CodeQL workflow was removed again so the repository continues using GitHub default CodeQL setup (actions + JS/TS), avoiding duplicate/invalid advanced+default processing.
  • Branch also includes Boost-managed guideline/skill file refresh under .github/skills and .github/copilot-instructions.md triggered by dependency updates.

Reviewer Setup

In this PR vs origin/main, changes were made in dependencies, CI workflows, and frontend assets. You likely need to run:

composer update
npm install
npm run build
npm run e2e:install

@github-actions bot (Contributor) commented Apr 21, 2026

✅ Playwright report published: https://fuermenschen.github.io/hfm/pr-113/
This link updates on each run for this PR. Older PRs/branches remain available under their own subfolder.

@smnmsr smnmsr force-pushed the chore/gh-security-and-dependency-updates branch from 373f66c to d0c7932 on April 21, 2026 08:20
@smnmsr smnmsr marked this pull request as ready for review April 21, 2026 08:30
Copilot AI review requested due to automatic review settings April 21, 2026 08:30
Copilot AI (Contributor) left a comment

Pull request overview

This PR addresses GitHub security findings and improves update/CI reliability by hardening workflows and refreshing PHP/npm dependencies, including adjustments for safer frontend hash navigation and cross-platform E2E execution.

Changes:

  • Mitigates a CodeQL DOM-XSS finding by replacing hash-based querySelector with getElementById and safe decoding.
  • Refreshes PHP and npm dependencies (lockfiles) and updates automation around audits/lockfile consistency.
  • Improves CI portability and least-privilege defaults (workflow permissions; Windows/Unix-safe E2E Artisan execution).

Reviewed changes

Copilot reviewed 34 out of 36 changed files in this pull request and generated 1 comment.

File Description
resources/js/app.js Reworks hash scroll logic to avoid selector injection (safer ID lookup).
e2e/admin-pages.spec.mjs Uses argument-based php artisan execution for cross-platform E2E stability.
composer.lock Updates PHP dependency lockfile to patched/newer versions.
package-lock.json Updates npm dependency lockfile (incl. patched Vite version).
app/Services/Webling/Letter/Template/InvoiceLetterTemplate.php Minor header text handling adjustment while rendering invoice letters.
.github/workflows/tests.yml Adds explicit default GITHUB_TOKEN permissions (least privilege).
.github/workflows/security.yml Adds lockfile consistency checks and Composer/npm audit gates.
.github/workflows/lint.yml Tightens default permissions; scopes write permission to the job that needs it.
.github/workflows/e2e.yml Updates third-party action versions used for report publish/commenting.
.github/workflows/deploy.yml Pins deploy actions to tagged versions and tightens workflow permissions.
.github/dependabot.yml Simplifies Dependabot config; keeps grouped updates by semver impact.
.github/copilot-instructions.md Updates repository Copilot guidance (incl. Laravel major version and skills list).
.github/skills/pr-description/SKILL.md Formatting/cleanup of skill documentation content.
.github/skills/pest-testing/SKILL.md Expands Pest syntax guidance to include test() as well as it().
.github/skills/livewire-development/SKILL.md Clarifies Livewire v4 component generation formats and conventions.
.github/skills/laravel-best-practices/SKILL.md Adds a consolidated Laravel best-practices skill definition.
.github/skills/laravel-best-practices/rules/validation.md Adds validation best-practices reference content.
.github/skills/laravel-best-practices/rules/testing.md Adds testing best-practices reference content.
.github/skills/laravel-best-practices/rules/style.md Adds conventions/style best-practices reference content.
.github/skills/laravel-best-practices/rules/security.md Adds security best-practices reference content.
.github/skills/laravel-best-practices/rules/scheduling.md Adds scheduling best-practices reference content.
.github/skills/laravel-best-practices/rules/routing.md Adds routing/controller best-practices reference content.
.github/skills/laravel-best-practices/rules/queue-jobs.md Adds queue/job best-practices reference content.
.github/skills/laravel-best-practices/rules/migrations.md Adds migration best-practices reference content.
.github/skills/laravel-best-practices/rules/mail.md Adds mail best-practices reference content.
.github/skills/laravel-best-practices/rules/http-client.md Adds HTTP client best-practices reference content.
.github/skills/laravel-best-practices/rules/events-notifications.md Adds events/notifications best-practices reference content.
.github/skills/laravel-best-practices/rules/error-handling.md Adds error-handling best-practices reference content.
.github/skills/laravel-best-practices/rules/eloquent.md Adds Eloquent best-practices reference content.
.github/skills/laravel-best-practices/rules/db-performance.md Adds DB performance best-practices reference content.
.github/skills/laravel-best-practices/rules/config.md Adds configuration best-practices reference content.
.github/skills/laravel-best-practices/rules/collections.md Adds collection best-practices reference content.
.github/skills/laravel-best-practices/rules/caching.md Adds caching best-practices reference content.
.github/skills/laravel-best-practices/rules/blade-views.md Adds Blade/view best-practices reference content.
.github/skills/laravel-best-practices/rules/architecture.md Adds architecture best-practices reference content.
.github/skills/laravel-best-practices/rules/advanced-queries.md Adds advanced query patterns reference content.
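
The app.js change described in the PR description ("replaces hash-based querySelector usage with safe ID lookup") and in the Copilot overview ("getElementById and safe decoding") is the standard remediation for the selector-injection pattern CodeQL reports. The block below is an added illustration, not the project's app.js: it shows the flagged pattern next to the hardened one, and goes slightly beyond the PR text by also handling percent-encoded and purely numeric fragment ids. All function names are hypothetical, and the `document` is a constructed stand-in so the code runs under Node without a browser.

```javascript
// Added example (not the project's app.js). Function names are hypothetical.

// Flagged pattern: the raw URL fragment is handed to a CSS selector engine,
// so whoever controls the URL controls the selector. A fragment that is not a
// plain '#id' either throws a SyntaxError or matches something the page author
// never intended; with a selector-based DOM library the same pattern can end in
// DOM XSS, which is why CodeQL reports it.
function scrollToHashUnsafe(doc, hash) {
  if (!hash) return null;
  return doc.querySelector(hash); // hash is attacker-controlled input
}

// Hardened pattern, step 1: treat the fragment as an opaque element id.
// Strip the '#', decode percent-encoding defensively (malformed sequences make
// decodeURIComponent throw), and never interpret the result as a selector.
function idFromHash(hash) {
  if (typeof hash !== 'string' || !hash.startsWith('#')) return null;
  const raw = hash.slice(1);
  if (raw === '') return null; // bare '#' names no element
  try {
    return decodeURIComponent(raw);
  } catch {
    return null; // e.g. '#%E0%A4%A' is not a well-formed id
  }
}

// Hardened pattern, step 2: getElementById does an exact string match, so ids
// containing spaces, leading digits or selector metacharacters are simply
// looked up (or not found) rather than parsed.
function findHashTarget(doc, hash) {
  const id = idFromHash(hash);
  return id === null ? null : doc.getElementById(id);
}

function scrollToHashSafe(doc, hash) {
  const el = findHashTarget(doc, hash);
  if (el && typeof el.scrollIntoView === 'function') el.scrollIntoView();
  return el;
}

// Constructed stand-in for `document`. getElementById matches exactly;
// querySelector emulates a real engine only far enough to show the difference:
// it accepts '#ident' and, like a browser, throws on anything else.
function makeFakeDocument(ids) {
  const nodes = new Map(ids.map(id => [
    id,
    { id, scrolled: false, scrollIntoView() { this.scrolled = true; } },
  ]));
  return {
    getElementById: id => nodes.get(id) ?? null,
    querySelector: selector => {
      const m = /^#([A-Za-z_][\w-]*)$/.exec(selector);
      if (!m) throw new SyntaxError(`'${selector}' is not a valid selector`);
      return nodes.get(m[1]) ?? null;
    },
  };
}

// Stand-alone demonstration over a constructed document.
const demoDoc = makeFakeDocument(['intro', 'section 1', '2026']);
for (const hash of ['#intro', '#section%201', '#2026', '#', '#%E0%A4%A']) {
  let unsafe;
  try {
    unsafe = scrollToHashUnsafe(demoDoc, hash)?.id ?? null;
  } catch (e) {
    unsafe = `${e.name}`;
  }
  const safe = findHashTarget(demoDoc, hash)?.id ?? null;
  console.log(`${hash.padEnd(12)} unsafe=${String(unsafe).padEnd(12)} safe=${safe}`);
}
```

Note that the hardened version is not only safer but also more correct: a fragment such as `#section%201` or `#2026` is a legal URL and a legal HTML id, yet is an invalid CSS selector, so the selector-based version throws where the id-based version scrolls to the element.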

Comment thread .github/workflows/lint.yml
@smnmsr smnmsr merged commit 127abb5 into main Apr 21, 2026
6 checks passed
@smnmsr smnmsr deleted the chore/gh-security-and-dependency-updates branch April 21, 2026 11:32