
v1.3.4 - Dependency updates, CI Health & Security patches#80

Closed
neverinfamous wants to merge 7 commits into main from release/v1.3.4-new

Conversation

@neverinfamous
Owner

v1.3.4

Highlights

  • Dependency Updates: Secured all NPM dependencies to their latest compatible versions, resolving multiple Dependabot CVEs without manual intervention.
  • Documentation Refinements: Synced platform limits to comply with Docker Hub validation lengths and included an environment setup template.
  • CI Health Improvements: Updated Docker actions to Node 24 runtimes ahead of deprecation, pinned security actions, and added Dependabot support for Docker base images.

CI/CD

  • CI Health: Updated Docker actions (docker/build-push-action@v7, setup-buildx-action@v4, login-action@v4, metadata-action@v6) to native Node 24 runtimes to comply with the upcoming June 2026 deprecation deadline.
  • CI Health: Pinned trufflesecurity/trufflehog to robust @v3 tag to avoid floating reference risks.
  • CI Health: Added docker package ecosystem to Dependabot configuration to receive base image updates.

Documentation

  • Doc Audit: Refined repository documentation, fixed Docker Hub character limits on DOCKER_README.md, and created .env.example.

Changed

  • Dependency Updates: Updated npm dependencies to their latest wanted/latest compatible versions.

Security

  • Dependabot: Fixed Prototype Pollution via parse() in NodeJS flatted (CVE-2024-XXXX)
  • Dependabot: Fixed Malicious WebSocket 64-bit length overflows parser and crashes the client in Undici (CVE-2024-XXXX)
  • Dependabot: Fixed HTTP Request/Response Smuggling issue in Undici (CVE-2024-XXXX)
  • Dependabot: Fixed CRLF Injection in undici via upgrade option (CVE-2024-XXXX)
  • Dependabot: Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)

Compare: v1.3.3...v1.3.4

Copilot AI review requested due to automatic review settings April 6, 2026 12:25
@cloudflare-workers-and-pages

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: Deployment successful!
Name: do-manager
Latest Commit: 2c1d4b2
Updated (UTC): Apr 06 2026, 12:25 PM


Copilot AI left a comment


Pull request overview

Bumps the project to v1.3.4 with dependency upgrades, CI/workflow maintenance, Docker hardening updates, and documentation/release-note refreshes.

Changes:

  • Updated NPM dependencies (including new/updated overrides) and bumped package.json version to 1.3.4.
  • Refreshed CI workflows (Docker action major bumps, TruffleHog pin) and expanded Dependabot coverage to include Docker.
  • Documentation + release metadata updates (README/DOCKER_README badges, CHANGELOG + new release notes, .env.example), plus a Vite Rollup chunking tweak.

Reviewed changes

Copilot reviewed 34 out of 35 changed files in this pull request and generated 4 comments.

Summary per file (File: Description)
vite.config.ts Switches Rollup manualChunks to a function-based splitter for core vendor groups.
UNRELEASED.md Adds an “Unreleased” placeholder document.
tsconfig.app.json Adjusts TS compiler options (notably path-alias related settings).
src/hooks/useSelection.ts Simplifies useState typing for Set-backed selection state.
src/components/features/WebhookManager.tsx Simplifies error state typing.
src/components/features/StorageViewer.tsx Simplifies state typing and refactors initial state expressions for selection/editing.
src/components/features/SqlConsole.tsx Simplifies error state typing.
src/components/features/NamespaceList.tsx Simplifies error state typing.
src/components/features/MetricsDashboard.tsx Simplifies error state typing.
src/components/features/JobHistory.tsx Simplifies error state typing.
src/components/features/InstanceList.tsx Simplifies error state typing.
src/components/features/InstanceDiffDialog.tsx Simplifies error state typing.
src/components/features/ImportKeysDialog.tsx Simplifies multiple state typings (error, counts, filenames, pasted JSON).
src/components/features/HealthDashboard.tsx Simplifies error state typing.
src/components/features/GlobalSearch.tsx Simplifies error + Set state initialization typings.
src/components/features/BackupManager.tsx Simplifies error state typing.
src/components/features/AlarmManager.tsx Simplifies error state typing.
releases/v1.3.4.md Adds release notes for v1.3.4 (highlights, CI/CD, docs, security notes).
README.md Replaces fixed version badge with a GitHub Releases badge; removes “Last Updated”.
package.json Bumps version to 1.3.4 and updates dependency/devDependency versions and overrides.
Dockerfile Extends npm “P111” patching to include picomatch alongside existing bundled dep patches.
DOCKER_README.md Updates version badge and tightens/shortens the project description + tag guidance.
CHANGELOG.md Rewrites/condenses changelog structure and adds v1.3.4 entry + link refs.
.github/workflows/secrets-scanning.yml Pins TruffleHog action to a specific v3 release.
.github/workflows/docker-publish.yml Updates Docker GitHub Actions to newer major versions (Buildx/Login/Metadata/Build-Push).
.github/workflows/docs-drift-detector.md Removes the docs drift detector workflow source (agentic workflow).
.github/workflows/docs-drift-detector.lock.yml Removes the compiled lock workflow for docs drift detector.
.github/workflows/dependency-maintenance.md Removes the dependency maintenance agent workflow source.
.github/workflows/dependency-maintenance.lock.yml Removes the compiled lock workflow for dependency maintenance.
.github/workflows/ci-health-monitor.md Removes the CI health monitor agent workflow source.
.github/workflows/ci-health-monitor.lock.yml Removes the compiled lock workflow for CI health monitor.
.github/workflows/agentics-maintenance.yml Removes the generated “agentic maintenance” workflow.
.github/dependabot.yml Adds Docker ecosystem updates to Dependabot configuration.
.env.example Adds an environment template for local/server + Cloudflare + optional Zero Trust variables.


Comment on lines 38 to 45
/* Module Resolution */
"forceConsistentCasingInFileNames": true,
"resolveJsonModule": true,
"esModuleInterop": true,
/* Path Aliases */
"baseUrl": ".",
"paths": {
"@/*": ["./src/*"]
}

Copilot AI Apr 6, 2026


compilerOptions.paths is still configured for the @/* alias, but baseUrl was removed. TypeScript requires baseUrl to be set when using paths, otherwise alias resolution will fail (and imports like @/lib/utils used throughout src/ will break tsc -b). Restore "baseUrl": "." (or move it to a shared tsconfig that tsconfig.app.json extends) so the alias works for typechecking.

Comment on lines +32 to 33
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07


Copilot AI Apr 6, 2026


The 1.3.4 Security section is missing a newline before the next release header, causing ## [1.3.3] to be appended to the last bullet and breaking the markdown structure. Insert a blank line/newline so ## [1.3.3] - 2026-03-07 starts on its own line.

Suggested change
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)
## [1.3.3] - 2026-03-07

Comment on lines +25 to +29
- **Dependabot:** Fixed Prototype Pollution via parse() in NodeJS flatted (CVE-2024-XXXX)
- **Dependabot:** Fixed Malicious WebSocket 64-bit length overflows parser and crashes the client in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed HTTP Request/Response Smuggling issue in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed CRLF Injection in undici via upgrade option (CVE-2024-XXXX)
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)

Copilot AI Apr 6, 2026


Release notes list multiple security fixes as CVE-2024-XXXX, which are placeholder identifiers and not valid CVE references. For a published release note, replace these with the actual CVE/GHSA IDs (or omit the IDs and describe the packages/vulnerability generically) to avoid misleading users.

Suggested change
- **Dependabot:** Fixed Prototype Pollution via parse() in NodeJS flatted (CVE-2024-XXXX)
- **Dependabot:** Fixed Malicious WebSocket 64-bit length overflows parser and crashes the client in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed HTTP Request/Response Smuggling issue in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed CRLF Injection in undici via upgrade option (CVE-2024-XXXX)
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)
- **Dependabot:** Fixed Prototype Pollution via parse() in NodeJS flatted.
- **Dependabot:** Fixed a malicious WebSocket 64-bit length handling issue in Undici that could overflow the parser and crash the client.
- **Dependabot:** Fixed an HTTP Request/Response Smuggling issue in Undici.
- **Dependabot:** Fixed a CRLF injection issue in undici via the `upgrade` option.
- **Dependabot:** Fixed incorrect glob matching in picomatch caused by method injection in POSIX character classes.

Comment on lines +28 to 33
- **Dependabot:** Fixed Prototype Pollution via parse() in NodeJS flatted (CVE-2024-XXXX)
- **Dependabot:** Fixed Malicious WebSocket 64-bit length overflows parser and crashes the client in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed HTTP Request/Response Smuggling issue in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed CRLF Injection in undici via upgrade option (CVE-2024-XXXX)
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07


Copilot AI Apr 6, 2026


This changelog section includes placeholder CVE identifiers (CVE-2024-XXXX). These aren’t valid CVE references and can confuse consumers of the changelog. Prefer linking the real CVE/GHSA IDs from advisories, or remove the IDs and keep the entries as package-level security patch notes.

Suggested change
- **Dependabot:** Fixed Prototype Pollution via parse() in NodeJS flatted (CVE-2024-XXXX)
- **Dependabot:** Fixed Malicious WebSocket 64-bit length overflows parser and crashes the client in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed HTTP Request/Response Smuggling issue in Undici (CVE-2024-XXXX)
- **Dependabot:** Fixed CRLF Injection in undici via upgrade option (CVE-2024-XXXX)
- **Dependabot:** Fixed Method Injection in POSIX Character Classes causes incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07
- **Dependabot:** Fixed Prototype Pollution via parse() in NodeJS flatted.
- **Dependabot:** Fixed malicious WebSocket 64-bit length overflow parsing and client crash issue in Undici.
- **Dependabot:** Fixed HTTP Request/Response Smuggling issue in Undici.
- **Dependabot:** Fixed CRLF injection in undici via the `upgrade` option.
- **Dependabot:** Fixed method injection in POSIX character classes causing incorrect glob matching in picomatch.
## [1.3.3] - 2026-03-07

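A small release-note lint, added here as an example that is not part of this PR or its project, covering the two defects the Copilot comments above flag: placeholder CVE identifiers (CVE-2024-XXXX) and a release header fused onto the previous bullet. The sample text is constructed from the entries on this page; the GHSA check uses GitHub's published advisory ID alphabet.

```python
import re

# Added example (not the project's own code): lint release notes / CHANGELOG
# text for placeholder advisory ids and a "## [x.y.z]" header glued onto the
# line before it, the two problems raised in this PR's review.

# Anything shaped like an advisory id: CVE-...-... or GHSA-...-...
ID_LIKE_RE = re.compile(r"\b((?:CVE|GHSA)-[0-9A-Za-z]+(?:-[0-9A-Za-z]+)*)")
# Real CVE ids are CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# GHSA ids are three 4-char groups drawn from a fixed 23-character alphabet.
GHSA_RE = re.compile(r"GHSA(?:-[23456789cfghjmpqrvwx]{4}){3}")
# A markdown release header must start its own line; non-space text
# immediately before "## [" means the newline was lost.
FUSED_HEADER_RE = re.compile(r"[^\s#]\S*#{1,6} \[")


def lint_release_notes(text):
    """Return a list of (line_no, problem) tuples; an empty list means clean."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for ident in ID_LIKE_RE.findall(line):
            if ident.startswith("CVE-") and not CVE_RE.fullmatch(ident):
                findings.append((no, f"placeholder or malformed CVE id: {ident}"))
            elif ident.startswith("GHSA-") and not GHSA_RE.fullmatch(ident):
                findings.append((no, f"malformed GHSA id: {ident}"))
        if FUSED_HEADER_RE.search(line):
            findings.append((no, "release header fused onto previous line"))
    return findings


# Constructed sample based on the changelog lines quoted in the review above.
SAMPLE = """## [1.3.4] - 2026-04-06
### Security
- **Dependabot:** Fixed CRLF Injection in undici via upgrade option (CVE-2024-XXXX)
- **Dependabot:** Fixed incorrect Glob Matching in picomatch (CVE-2024-XXXX)## [1.3.3] - 2026-03-07
- Fixed an issue with properly formed ids (CVE-2023-12345, GHSA-2c4r-w6hq-xg3v)
"""

if __name__ == "__main__":
    for line_no, problem in lint_release_notes(SAMPLE):
        print(f"line {line_no}: {problem}")
```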
@neverinfamous neverinfamous deleted the release/v1.3.4-new branch April 6, 2026 13:47