
v1.3.4 - Dependency updates, CI Health & Security patches#81

Closed
neverinfamous wants to merge 7 commits into main from release/v1.3.4-fix-v2

Conversation

@neverinfamous (Owner)

v1.3.4

Highlights

  • Dependency Updates: Secured all NPM dependencies to their latest compatible versions, resolving multiple Dependabot CVEs without manual intervention.
  • Documentation Refinements: Synced platform limits to comply with Docker Hub validation lengths and included an environment setup template.
  • CI Health Improvements: Updated Docker actions to Node 24 runtimes ahead of deprecation, pinned security actions, and added Dependabot support for Docker base images.

CI/CD

  • CI Health: Updated Docker actions (docker/build-push-action@v7, setup-buildx-action@v4, login-action@v4, metadata-action@v6) to native Node 24 runtimes to comply with the upcoming June 2026 deprecation deadline.
  • CI Health: Pinned trufflesecurity/trufflehog to robust @v3 tag to avoid floating reference risks.
  • CI Health: Added docker package ecosystem to Dependabot configuration to receive base image updates.

Documentation

  • Doc Audit: Refined repository documentation, fixed Docker Hub character limits on DOCKER_README.md, and created .env.example.

Changed

  • Dependency Updates: Updated npm dependencies to their latest wanted/latest compatible versions.

Security

  • Dependabot: Fixed Prototype Pollution via parse() in NodeJS flatted.
  • Dependabot: Fixed a malicious WebSocket 64-bit length handling issue in Undici that could overflow the parser and crash the client.
  • Dependabot: Fixed an HTTP Request/Response Smuggling issue in Undici.
  • Dependabot: Fixed a CRLF injection issue in undici via the upgrade option.
  • Dependabot: Fixed incorrect glob matching in picomatch caused by method injection in POSIX character classes.

Compare: v1.3.3...v1.3.4
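The prototype pollution fix listed under Security is the kind of dependency bump worth guarding with a regression test, so that a future upgrade or a new merge helper cannot reintroduce the bug class. The block below is an added example, not code from this PR or from the do-manager project: it runs a parse-and-merge routine over a constructed payload and reports any property that leaked onto Object.prototype, shown against a deliberately naive merge and a hardened one. The payload and the names `checkNoPrototypePollution`, `naiveMerge` and `safeMerge` are assumptions made for the example; it does not model flatted's internals.

```javascript
// Added example, not the project's code. A reusable regression check: run a
// parser over an attacker-shaped payload and detect whether any property
// leaked onto Object.prototype. The payload and both merge routines are
// constructed for illustration; they do not model flatted's implementation.

// Constructed payload: the two classic routes to Object.prototype.
const POLLUTION_PAYLOAD =
  '{"__proto__":{"polluted":"yes"},"constructor":{"prototype":{"polluted2":"yes"}}}';

// Deliberately vulnerable: walks every key of untrusted input into `target`.
// `"__proto__" in {}` is true (inherited accessor), so target["__proto__"]
// resolves to Object.prototype and the recursion writes into it.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!(key in target)) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the prototype-reaching keys and only descend into plain
// own-property objects that this merge itself created or already owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The regression check: snapshot Object.prototype's own names, run the
// parser, diff, and always clean up so one failing case cannot poison the
// rest of the test run.
function checkNoPrototypePollution(parseAndMerge, payload) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  let leaked = [];
  try {
    parseAndMerge(payload);
  } finally {
    leaked = Object.getOwnPropertyNames(Object.prototype).filter((n) => !before.has(n));
    for (const name of leaked) delete Object.prototype[name]; // restore the global prototype
  }
  return { safe: leaked.length === 0, leaked };
}

// JSON.parse itself is safe (it creates an own "__proto__" data property);
// the damage is done by what the application does with the parsed object.
const vulnerableParser = (text) => naiveMerge({}, JSON.parse(text));
const hardenedParser = (text) => safeMerge({}, JSON.parse(text));

console.log('naive   :', checkNoPrototypePollution(vulnerableParser, POLLUTION_PAYLOAD));
console.log('hardened:', checkNoPrototypePollution(hardenedParser, POLLUTION_PAYLOAD));
```

The check is deliberately parser-agnostic: pass in whatever the application actually does with decoded input (decode, merge, clone) rather than the library's parse function alone, because that is the path an attacker's payload travels.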

Copilot AI review requested due to automatic review settings April 6, 2026 12:33
cloudflare-workers-and-pages bot commented Apr 6, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

Status: ✅ Deployment successful!
Name: do-manager
Latest Commit: 13908f9
Updated (UTC): Apr 06 2026, 12:40 PM

@neverinfamous neverinfamous force-pushed the release/v1.3.4-fix-v2 branch from 4d715aa to 13908f9 Compare April 6, 2026 12:39
Copilot AI left a comment


Pull request overview

Release prep for v1.3.4, focusing on dependency/security updates, CI action refreshes, and documentation/release artifacts.

Changes:

  • Updated build/CI tooling (Vite chunking config, Docker GitHub Actions, TruffleHog pin) and Dependabot to track Docker base images.
  • Bumped npm dependencies + added picomatch override and Dockerfile P111 patching.
  • Refreshed docs/release artifacts (README/DOCKER_README badges, changelog + release notes, added .env.example and UNRELEASED.md).

Reviewed changes

Copilot reviewed 34 out of 35 changed files in this pull request and generated 5 comments.

| File | Description |
|---|---|
| vite.config.ts | Switches manualChunks to a function-based strategy (Rollup/Vite 8 compatible). |
| UNRELEASED.md | Adds an Unreleased header placeholder. |
| src/hooks/useSelection.ts | Simplifies useState typing for Set<string> initialization. |
| src/components/features/WebhookManager.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/StorageViewer.tsx | Simplifies several useState generics (error, editingKey, selectedKeys). |
| src/components/features/SqlConsole.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/NamespaceList.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/MetricsDashboard.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/JobHistory.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/InstanceList.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/InstanceDiffDialog.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/ImportKeysDialog.tsx | Simplifies state generics for error, counters, and strings. |
| src/components/features/HealthDashboard.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/GlobalSearch.tsx | Simplifies state generics for error and selectedNamespaces. |
| src/components/features/BackupManager.tsx | Removes redundant useState<string> generic for error. |
| src/components/features/AlarmManager.tsx | Removes redundant useState<string> generic for error. |
| releases/v1.3.4.md | Adds v1.3.4 release notes content. |
| README.md | Replaces hardcoded version badge with GitHub release badge; removes stale "Last Updated". |
| package.json | Bumps version to 1.3.4 and updates dependencies/devDependencies/overrides (adds picomatch). |
| Dockerfile | Extends npm P111 patching to include picomatch in builder + runtime stages. |
| DOCKER_README.md | Updates version badge + shortens header description; generalizes tag example. |
| CHANGELOG.md | Major restructure into Keep-a-Changelog style + adds v1.3.4 entry. |
| .github/workflows/secrets-scanning.yml | Pins TruffleHog to a specific v3 release tag. |
| .github/workflows/docs-drift-detector.md | Removes agentic docs drift workflow source. |
| .github/workflows/docs-drift-detector.lock.yml | Removes compiled lock workflow for docs drift detector. |
| .github/workflows/docker-publish.yml | Updates Docker actions to newer major versions. |
| .github/workflows/dependency-maintenance.md | Removes agentic dependency maintenance workflow source. |
| .github/workflows/dependency-maintenance.lock.yml | Removes compiled lock workflow for dependency maintenance. |
| .github/workflows/ci-health-monitor.md | Removes agentic CI health monitor workflow source. |
| .github/workflows/ci-health-monitor.lock.yml | Removes compiled lock workflow for CI health monitor. |
| .github/workflows/agentics-maintenance.yml | Removes generated agentics maintenance workflow. |
| .github/dependabot.yml | Adds Dependabot updates for the Docker ecosystem. |
| .env.example | Adds an environment template for local/container configuration. |


Comment on lines 23 to +29
# Patch npm's own dependencies (P111 - keep versions in sync with package.json overrides)
# npm bundles vulnerable versions of glob, tar, and minimatch
# npm bundles vulnerable versions of glob, tar, minimatch, and picomatch
RUN cd /tmp && \
npm pack glob@13.0.6 && \
npm pack tar@7.5.11 && \
npm pack minimatch@10.2.4 && \
npm pack picomatch@4.0.4 && \
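Review bot: the four `npm pack <name>@<version>` lines pull tarballs from the registry by version string alone, with no integrity hash, and the comment above the RUN says the versions must be kept in sync with package.json overrides by hand; the stale comment that still lists only `glob, tar, and minimatch` next to the corrected one shows how easily that drifts. Consider generating this RUN line from the `overrides` block, or adding a CI step that diffs the two sources and fails on any mismatch, so a bump in one place cannot silently leave the other (and the image contents) stale.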
Copilot AI Apr 6, 2026


The Dockerfile now patches npm’s bundled picomatch, but the later # Security Notes block still lists only glob, tar, and minimatch. Please update the Security Notes to include the patched picomatch version so the documented runtime contents match what the image actually ships (and stays in sync with package.json overrides).

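Keeping the Dockerfile's `npm pack` pins and the package.json `overrides` in sync is the kind of invariant CI should check rather than a comment. The block below is an added example, not tooling from this PR or the do-manager project: it extracts `npm pack <name>@<version>` pins from Dockerfile text and compares them with the `overrides` map, reporting missing overrides, range overrides (the `^10.2.4` case the changelog's P111 entry tightened to an exact pin) and version mismatches. Both inputs are constructed inline so the check runs offline; the function names and sample contents are assumptions for the example, and in CI you would feed it the real files via `fs.readFileSync`.

```javascript
// Added example, not the project's code: detect drift between the versions a
// Dockerfile pins with `npm pack <name>@<version>` and the `overrides` block
// in package.json. Inputs are strings so the check runs offline; in CI, read
// the real files with fs.readFileSync and fail the job if any issue is found.

// Constructed sample inputs (not the repository's real files).
const SAMPLE_DOCKERFILE = `
# Patch npm's own dependencies (keep versions in sync with package.json overrides)
RUN cd /tmp && \\
    npm pack glob@13.0.6 && \\
    npm pack tar@7.5.11 && \\
    npm pack minimatch@10.2.4 && \\
    npm pack picomatch@4.0.4 && \\
    npm pack @scope/example@1.2.3
`;

const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample',
  overrides: {
    glob: '13.0.6',        // exact and equal: fine
    tar: '7.5.10',         // exact but behind the Dockerfile: mismatch
    minimatch: '^10.2.4',  // caret range: the lockfile may resolve elsewhere
    '@scope/example': '1.2.3',
    // picomatch intentionally absent: Dockerfile patches it, overrides do not
  },
});

// Every `npm pack name@x.y.z` occurrence, scoped packages included.
function parseDockerfilePins(dockerfileText) {
  const pins = {};
  const re = /npm pack\s+(@?[^@\s]+)@(\d+\.\d+\.\d+(?:[-+][\w.]+)?)/g;
  for (const m of dockerfileText.matchAll(re)) pins[m[1]] = m[2];
  return pins;
}

function parseOverrides(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  return pkg.overrides ?? {};
}

// Compare the two maps. Only packages the Dockerfile patches are checked: an
// override with no Dockerfile counterpart is not drift in this direction.
function comparePins(overrides, dockerPins) {
  const issues = [];
  for (const [name, dockerfile] of Object.entries(dockerPins)) {
    const override = overrides[name];
    if (override === undefined) {
      issues.push({ name, kind: 'missing-override', dockerfile });
    } else if (typeof override !== 'string') {
      issues.push({ name, kind: 'nested-override', dockerfile, override });
    } else if (/^[\^~<>=|* ]/.test(override) || /\s/.test(override)) {
      issues.push({ name, kind: 'range-override', dockerfile, override });
    } else if (override !== dockerfile) {
      issues.push({ name, kind: 'version-mismatch', dockerfile, override });
    }
  }
  return issues;
}

function checkPinDrift(packageJsonText, dockerfileText) {
  return comparePins(parseOverrides(packageJsonText), parseDockerfilePins(dockerfileText));
}

for (const issue of checkPinDrift(SAMPLE_PACKAGE_JSON, SAMPLE_DOCKERFILE)) {
  console.log(`${issue.kind}: ${issue.name} (Dockerfile ${issue.dockerfile}, overrides ${issue.override ?? 'none'})`);
}
```

Run as a pre-merge step, `process.exit(1)` on a non-empty result turns the "keep in sync" comment into an enforced rule, and the `range-override` case catches exactly the caret-versus-exact drift the changelog entry describes.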

- **P111 Exact Pin**: Changed minimatch override from `^10.2.4` (caret) to `10.2.4` (exact) to prevent lockfile drift from Dockerfile patch version
- **CI Health:** Updated Docker actions to native Node 24 runtimes to comply with the upcoming June 2026 deprecation deadline.
- **CI Health:** Pinned `trufflesecurity/trufflehog` to robust `@v3` tag to avoid floating reference risks.
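Review bot: the `@v3` entry on the last line sits two lines under a "P111 Exact Pin" entry whose whole rationale is that a range lets the resolved version drift; a major tag such as `@v3` is the same kind of floating reference, since the maintainer moves it on every release, and even an exact tag can be re-pointed. If the goal is genuinely to avoid floating references, record the 40-character commit SHA in the workflow with the tag in a trailing comment, and word this entry to say which pin was actually applied.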
Copilot AI Apr 6, 2026


This changelog entry says TruffleHog was pinned to a "robust @V3" tag, but the workflow is pinned to trufflesecurity/trufflehog@v3.94.2. Update the wording to match the actual pin (or adjust the workflow if you intended to use the floating @v3 major tag).

Suggested change
- **CI Health:** Pinned `trufflesecurity/trufflehog` to robust `@v3` tag to avoid floating reference risks.
- **CI Health:** Pinned `trufflesecurity/trufflehog` exactly to `@v3.94.2` to avoid floating reference risks.

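Whether the reference is `@v3` or `@v3.94.2`, both are git tags and both can be moved, so the "floating reference" question is really whether the workflow records a commit SHA. As an added example (not part of this PR or of the do-manager project), the block below scans workflow text for `uses:` references and classifies each as a SHA pin, a release tag, a floating major tag or something else, which is the check you would run in CI to enforce a pinning policy. The workflow snippet is constructed for the example (its SHA is a placeholder string of hex digits, not a real commit) and the function names are assumptions.

```javascript
// Added example, not the project's code: audit GitHub Actions `uses:` references
// and report which ones are not pinned to a commit SHA. Input is a string so it
// runs offline; in CI, read each file under .github/workflows with fs.readFileSync.

// Constructed workflow snippet (not the repository's real file). The SHA is a
// placeholder made of hex digits, not an actual actions/checkout commit.
const SAMPLE_WORKFLOW = `
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: trufflesecurity/trufflehog@v3.94.2
      - uses: docker/build-push-action@v7
      - uses: docker/login-action@main
      - uses: ./.github/actions/local-step
      - name: run
        uses: "docker/metadata-action@v6"
`;

// A 40-hex SHA is immutable. A release tag names one version but can be
// re-pointed by the maintainer; a major tag is intended to move on every
// release; a branch moves on every push.
function classifyRef(ref) {
  if (/^[0-9a-f]{40}$/i.test(ref)) return 'sha';
  if (/^v?\d+\.\d+\.\d+/.test(ref)) return 'release-tag';
  if (/^v?\d+(\.\d+)?$/.test(ref)) return 'major-tag';
  return 'branch-or-other';
}

// Extract `uses: owner/repo[/path]@ref` (quoted or not) with an optional
// trailing `# comment`, which by convention names the tag a SHA pin stands for.
// Local actions (`uses: ./...`) carry no `@ref` and are skipped by the regex.
function auditUses(workflowText) {
  const re = /^\s*(?:-\s*)?uses:\s*["']?([^@\s"']+)@([^\s"'#]+)["']?(?:\s*#\s*(\S+))?/gm;
  const findings = [];
  for (const m of workflowText.matchAll(re)) {
    const [, action, ref, comment] = m;
    const kind = classifyRef(ref);
    findings.push({ action, ref, kind, pinned: kind === 'sha', comment: comment ?? null });
  }
  return findings;
}

// Everything a "no floating references" policy would reject.
function unpinnedActions(workflowText) {
  return auditUses(workflowText).filter((f) => !f.pinned);
}

for (const f of auditUses(SAMPLE_WORKFLOW)) {
  console.log(`${f.pinned ? 'PINNED  ' : 'FLOATING'} ${f.action}@${f.ref} (${f.kind})`);
}
```

The trailing-comment capture matters in practice: a SHA pin with `# v4.2.2` beside it is what lets Dependabot and human reviewers see which release the hash corresponds to, so a policy check can also require that comment to be present on every SHA-pinned line.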
Comment on lines 12 to +16
### CI/CD

- **Docker Publish Trigger Fix**: Docker images now only build on tag pushes (`v*`), preventing duplicate builds on every push to main
- **Tag Condition Fix**: Updated `refs/heads/main` conditions to `startsWith(github.ref, 'refs/tags/v')` for tag-triggered workflows

### Security

- **P111 Exact Pin**: Changed minimatch override from `^10.2.4` (caret) to `10.2.4` (exact) to prevent lockfile drift from Dockerfile patch version
- **CI Health:** Updated Docker actions to native Node 24 runtimes to comply with the upcoming June 2026 deprecation deadline.
- **CI Health:** Pinned `trufflesecurity/trufflehog` to robust `@v3` tag to avoid floating reference risks.
- **CI Health:** Added `docker` package ecosystem to Dependabot configuration.
Copilot AI Apr 6, 2026


This release’s CI/CD section doesn’t mention that several agentic/maintenance workflows were removed in this PR (docs drift detector, dependency maintenance, CI health monitor, and the generated agentics-maintenance workflow). If that removal is intentional, it should be called out here (and/or in the PR description) since it materially changes CI/automation coverage; otherwise, restore the removed workflows.

### CI/CD

- **CI Health:** Updated Docker actions (`docker/build-push-action@v7`, `setup-buildx-action@v4`, `login-action@v4`, `metadata-action@v6`) to native Node 24 runtimes to comply with the upcoming June 2026 deprecation deadline.
- **CI Health:** Pinned `trufflesecurity/trufflehog` to robust `@v3` tag to avoid floating reference risks.
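Review bot: the Docker action references in the first entry (`@v7`, `@v4`, `@v4`, `@v6`) are all floating major tags, so the Node 24 runtime this entry relies on is whatever those tags point at on the day the workflow runs; if the second entry's stated goal of avoiding floating references is to hold, pin those four actions to commit SHAs as well rather than only `trufflehog`, and state the actual pin form in the note.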
Copilot AI Apr 6, 2026


This release note says TruffleHog was pinned to a "robust @V3" tag, but the workflow is pinned to trufflesecurity/trufflehog@v3.94.2. Please update the wording to match the actual pin (or change the workflow if you intended a floating major tag).

Suggested change
- **CI Health:** Pinned `trufflesecurity/trufflehog` to robust `@v3` tag to avoid floating reference risks.
- **CI Health:** Pinned `trufflesecurity/trufflehog` to exact version `@v3.94.2` to avoid floating reference risks.

Comment on lines +1 to +4
# Server & General
PORT=8787
NODE_ENV=production

Copilot AI Apr 6, 2026


.env.example includes PORT and NODE_ENV, but the repo doesn’t reference these variables and the Docker image’s default CMD hardcodes --port 8787. Either wire these env vars into the runtime/compose instructions (so changing them has an effect) or remove them from the template to avoid implying they are supported configuration knobs.

Suggested change
# Server & General
PORT=8787
NODE_ENV=production

@neverinfamous neverinfamous deleted the release/v1.3.4-fix-v2 branch April 6, 2026 13:47