
release: v0.9.6 — security hardening (Next 16.2.6 + transitive CVE pa… #18

Merged: I4cTime merged 1 commit into main from develop on May 14, 2026

Conversation

@I4cTime (Owner) commented May 13, 2026

…tches)

Closes 18 open Dependabot alerts in electron/pnpm-lock.yaml. Build-target unchanged: the renderer still ships as a Next.js static export packaged in Electron 39.8.5, and Next's server-runtime surfaces (Middleware, Image Optimization API, RSC server cache, WS upgrade routes) are not reachable at runtime — but patching closes the alerts and removes stale vendored deps from the bundle.

Direct bumps

  • next: ^16.2.3 -> ^16.2.6 (electron/renderer/package.json) Fixes 13 alerts: high×6 (segment-prefetch bypass incl. the 16.2.6 incomplete-fix follow-up GHSA-26hh-7cqf-hhc6, i18n proxy bypass, dynamic route param injection, SSRF on WS upgrades, RSC DoS, Cache Components connection-exhaustion DoS), medium×5 (CSP-nonce XSS, beforeInteractive XSS, RSC response cache poisoning, image-API DoS, postcss-via-next), low×2 (proxy redirect cache poisoning, RSC cache-key collisions).

pnpm.overrides added to electron/package.json

  • postcss@<8.5.10 -> ^8.5.10 (now 8.5.14 across next + @tailwindcss/postcss) GHSA-qx2v-qp2m-jg93: XSS via unescaped </style> in stringify output.
  • ip-address@<=10.1.0 -> ^10.1.1 (now 10.2.0 via electron-builder -> node-gyp -> socks). GHSA-v2v4-37r5-5v8g: XSS in Address6 HTML methods. Build-time only.
  • @xmldom/xmldom@<0.8.13 -> ^0.8.13 (now 0.8.13 via electron-builder -> plist). Closes high×3: GHSA-f6ww-3ggp-fr8h (DocumentType injection), GHSA-j759-j44w-7fr8 (comment injection), GHSA-x6wf-f3px-wcqx (PI injection). Build-time only.

Overrides are version-pinned narrowly so they auto-disengage once upstreams legitimately upgrade past the patched floors.

Version bump 0.9.5 -> 0.9.6 in all sources

  • electron/package.json
  • electron/renderer/package.json
  • src/game_setup_hub/__init__.py
  • assets/io.github.protonshift.metainfo.xml (new <release> entry, 2026-05-13)
  • .github/ISSUE_TEMPLATE/bug_report.yml placeholder
  • electron/renderer/src/components/nav-bar.tsx fallback string

Verification

  • pnpm install (workspace) clean.
  • tsc on electron main: clean.
  • next build (static export, Next 16.2.6): clean, 8/8 routes prerendered.
  • 35 previously-fixed Electron CVEs (38.x/39.x) already closed by the current ^39.8.5 pin — no Electron change needed this round.

Co-authored-by: Cursor <cursoragent@cursor.com>
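A check worth running after a release like this, alongside the clean install and build: confirm from the lockfile that no copy of each overridden package is still resolved inside the vulnerable range its override targets, and see which overrides have become dormant (every resolved copy already meets the replacement floor, which is the "auto-disengage" state the description refers to). The script below is an added example and is not code from the PR or the project. The three overrides are the ones listed above; the lockfile excerpt is a constructed pnpm v9-style sample (including a `snapshots:` section, which must be skipped, and a stale `postcss@8.4.31` copy added so a finding is produced). It inspects resolved versions only; whether pnpm engages an override for a given dependent depends on that dependent's requested spec, which this check does not model.

```javascript
// Added example, not part of the PR or the project: audit resolved package
// versions in a pnpm lockfile against narrowly ranged pnpm.overrides selectors.

// Overrides as listed in the PR description (selector -> replacement range).
const OVERRIDES = {
  'postcss@<8.5.10': '^8.5.10',
  'ip-address@<=10.1.0': '^10.1.1',
  '@xmldom/xmldom@<0.8.13': '^0.8.13',
};

// Constructed lockfile excerpt in pnpm lockfile v9 layout (not the real
// electron/pnpm-lock.yaml). postcss@8.4.31 is included deliberately to show a hit.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
packages:
  '@xmldom/xmldom@0.8.13':
    resolution: {integrity: sha512-constructed}
  ip-address@10.2.0:
    resolution: {integrity: sha512-constructed}
  next@16.2.6:
    resolution: {integrity: sha512-constructed}
  postcss@8.5.14:
    resolution: {integrity: sha512-constructed}
  postcss@8.4.31:
    resolution: {integrity: sha512-constructed}
snapshots:
  postcss@8.5.14:
    dependencies:
      nanoid: 3.3.11
`;

// Split "name@range" at the last "@" so scoped names keep their leading "@".
function splitSpec(spec) {
  const i = spec.lastIndexOf('@');
  return { name: spec.slice(0, i), range: spec.slice(i + 1) };
}

// Parse "x.y.z" into numbers; any -prerelease/+build suffix is ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Evaluate a single comparator (<, <=, >, >=, =, bare version) or a caret range
// against a concrete version. Enough for override floors; not full node-semver.
function satisfies(version, range) {
  const m = /^(\^|<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const [, op = '=', target] = m;
  const c = compareVersions(version, target);
  switch (op) {
    case '<': return c < 0;
    case '<=': return c <= 0;
    case '>': return c > 0;
    case '>=': return c >= 0;
    case '=': return c === 0;
    default: { // '^': >= target, same major (for 0.x, same minor as well)
      if (c < 0) return false;
      const [tMaj, tMin] = parseVersion(target);
      const [vMaj, vMin] = parseVersion(version);
      return tMaj === 0 ? vMaj === 0 && vMin === tMin : vMaj === tMaj;
    }
  }
}

// Collect resolved versions per package name from the `packages:` section only
// (keys look like `name@1.2.3:` or `'@scope/name@1.2.3':`); `snapshots:` repeats
// the same keys and is skipped so nothing is counted twice.
function resolvedVersions(lockText) {
  const out = new Map();
  const start = lockText.indexOf('\npackages:');
  if (start === -1) return out;
  const end = lockText.indexOf('\nsnapshots:', start);
  const section = lockText.slice(start, end === -1 ? undefined : end);
  const re = /^  '?((?:@[^/'\s]+\/)?[^@'\s]+)@([^':\s]+)'?:\s*$/gm;
  let m;
  while ((m = re.exec(section)) !== null) {
    const [, name, version] = m;
    if (!out.has(name)) out.set(name, []);
    out.get(name).push(version);
  }
  return out;
}

// For each override: resolved copies still inside the selector range (vulnerable
// copies the override should have rewritten), copies below the replacement floor,
// and whether the override is dormant (nothing left in range, all copies at floor).
function auditOverrides(lockText, overrides) {
  const resolved = resolvedVersions(lockText);
  const report = {};
  for (const [selector, replacement] of Object.entries(overrides)) {
    const { name, range } = splitSpec(selector);
    const versions = resolved.get(name) || [];
    const stillInRange = versions.filter((v) => satisfies(v, range));
    const belowFloor = versions.filter((v) => !satisfies(v, replacement));
    report[name] = {
      selector: range, replacement, resolved: versions, stillInRange, belowFloor,
      dormant: versions.length > 0 && stillInRange.length === 0 && belowFloor.length === 0,
    };
  }
  return report;
}

function main() {
  for (const [name, r] of Object.entries(auditOverrides(SAMPLE_LOCK, OVERRIDES))) {
    const status = r.stillInRange.length
      ? `VULNERABLE copy still resolved: ${r.stillInRange.join(', ')}`
      : r.dormant ? 'dormant (every copy meets the floor)' : 'not resolved in lockfile';
    console.log(`${name} [${r.selector} -> ${r.replacement}]: ${status}`);
  }
}
main();
```

Point `SAMPLE_LOCK` at the real `electron/pnpm-lock.yaml` contents to run it for real; a non-empty `stillInRange` for any override means a copy of the package is still resolved inside the range the Dependabot alert covered and the override did not catch it.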
@I4cTime I4cTime merged commit 54b2568 into main May 14, 2026
16 checks passed