From d0cf780102fbbfd85ec33c1dcb89516331b0fc34 Mon Sep 17 00:00:00 2001 From: DESIREDDY MOHITH REDDY Date: Sun, 5 Jul 2026 09:19:58 +0530 Subject: [PATCH 1/4] fix(security): resolve IPv4 signed 32-bit integer overflow in SSRF protection (#3118) --- src/lib/ssrf-protection.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib/ssrf-protection.ts b/src/lib/ssrf-protection.ts index 3547600fd..81f7ece4b 100644 --- a/src/lib/ssrf-protection.ts +++ b/src/lib/ssrf-protection.ts @@ -14,7 +14,7 @@ function ipToNumber(ip: string): number { if (parts.length !== 4) return NaN; const numParts = parts.map(Number); if (numParts.some((n) => isNaN(n) || n < 0 || n > 255 || !Number.isInteger(n))) return NaN; - return ((numParts[0] << 24) | (numParts[1] << 16) | (numParts[2] << 8) | numParts[3]) >>> 0; + return (numParts[0] * 16777216) + (numParts[1] * 65536) + (numParts[2] * 256) + numParts[3]; } function isPrivateIP(ip: string): boolean { From ebf4cecb722f942aeca5dcec07f1f0880f0f1010 Mon Sep 17 00:00:00 2001 From: DESIREDDY MOHITH REDDY Date: Mon, 13 Jul 2026 11:46:56 +0530 Subject: [PATCH 2/4] fix(ci): downgrade action-setup and setup-node versions from v6 to v4 and pnpm version from 11 to 9 --- .github/workflows/automated-tests.yml | 6 ++--- .github/workflows/ci.yml | 30 ++++++++++++------------- .github/workflows/e2e.yml | 6 ++--- .github/workflows/visual-regression.yml | 6 ++--- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/automated-tests.yml b/.github/workflows/automated-tests.yml index 22438c06d..02727203a 100644 --- a/.github/workflows/automated-tests.yml +++ b/.github/workflows/automated-tests.yml @@ -15,12 +15,12 @@ jobs: - name: Checkout Code Repository Layers uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 + version: 9 - name: Initialize Node.js Environment - uses: actions/setup-node@v6 + uses: actions/setup-node@v4 with: node-version: 22 cache: 'pnpm' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 428bb6922..d31e6dced 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -19,10 +19,10 @@ jobs: steps: - uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 - - uses: actions/setup-node@v6 + version: 9 + - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm @@ -39,10 +39,10 @@ jobs: steps: - uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 - - uses: actions/setup-node@v6 + version: 9 + - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm @@ -62,10 +62,10 @@ jobs: steps: - uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 - - uses: actions/setup-node@v6 + version: 9 + - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm @@ -108,10 +108,10 @@ jobs: steps: - uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 - - uses: actions/setup-node@v6 + version: 9 + - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm @@ -128,10 +128,10 @@ jobs: steps: - uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 - - uses: actions/setup-node@v6 + version: 9 + - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 99da69366..87b91bb5a 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -28,10 +28,10 @@ jobs: steps: - uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 - - uses: actions/setup-node@v6 + version: 9 + - uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm diff --git a/.github/workflows/visual-regression.yml b/.github/workflows/visual-regression.yml index 401300788..48fd9581b 100644 --- a/.github/workflows/visual-regression.yml +++ b/.github/workflows/visual-regression.yml @@ -42,12 +42,12 @@ jobs: - name: Checkout uses: actions/checkout@v7 - - uses: pnpm/action-setup@v6 + - uses: pnpm/action-setup@v4 with: - version: 11 + version: 9 - name: Setup Node - uses: actions/setup-node@v6 + uses: actions/setup-node@v4 with: node-version: 22 cache: pnpm From 544876b89c847979eb2b1b240a014aba5eea5e81 Mon Sep 17 00:00:00 2001 From: DESIREDDY MOHITH REDDY Date: Mon, 13 Jul 2026 11:48:51 +0530 Subject: [PATCH 3/4] fix(ci): bypass tree-sitter native build errors on node v24 --- package.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/package.json b/package.json index 7a4549cba..845a81609 100644 --- a/package.json +++ b/package.json @@ -118,13 +118,10 @@ "@scarf/scarf", "@sentry/cli", "@swc/core", - "@tree-sitter-grammars/tree-sitter-yaml", "core-js-pure", "core-js", "esbuild", "sharp", - "tree-sitter-json", - "tree-sitter", "unrs-resolver" ] } From 0c9239411c24e1a43c044cde79ffeef99485d8b2 Mon Sep 17 00:00:00 2001 From: DESIREDDY MOHITH REDDY Date: Mon, 13 Jul 2026 11:53:20 +0530 Subject: [PATCH 4/4] fix(ci): downgrade all other bumped github actions to valid versions --- .github/workflows/auto-unassign.yml | 2 +- .github/workflows/automated-tests.yml | 2 +- .github/workflows/ci.yml | 14 +++++++------- .github/workflows/codeql.yml | 2 +- .github/workflows/duplicate-issue-check.yml | 2 +- .github/workflows/e2e.yml | 2 +- .github/workflows/gssoc-labels.yml | 8 ++++---- .github/workflows/issue-assignment.yml | 2 +- .github/workflows/issue-closed-star.yml | 2 +- .github/workflows/labeler.yml | 4 ++-- .github/workflows/pr-merged-star.yml | 2 +- .github/workflows/pr-star-required.yml | 2 +- .github/workflows/stale.yml | 2 +- .github/workflows/visual-regression.yml | 4 ++-- .github/workflows/welcome.yml | 2 +- 15 files changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/auto-unassign.yml b/.github/workflows/auto-unassign.yml index 82f18a74f..55cc2f4a9 100644 --- a/.github/workflows/auto-unassign.yml +++ b/.github/workflows/auto-unassign.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check assigned issues and unassign stale ones - uses: actions/github-script@v9 + uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/automated-tests.yml b/.github/workflows/automated-tests.yml index 02727203a..a20fe39e4 100644 --- a/.github/workflows/automated-tests.yml +++ b/.github/workflows/automated-tests.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout Code Repository Layers - uses: actions/checkout@v7 + uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d31e6dced..50c9b220d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: name: Type check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: @@ -37,7 +37,7 @@ jobs: name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: @@ -60,7 +60,7 @@ jobs: contents: read id-token: write steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: @@ -84,7 +84,7 @@ jobs: - name: Upload coverage to Codecov if: hashFiles('coverage/lcov.info') != '' - uses: codecov/codecov-action@v7 + uses: codecov/codecov-action@v4 with: files: ./coverage/lcov.info flags: unit @@ -106,7 +106,7 @@ jobs: SUPABASE_SERVICE_ROLE_KEY: placeholder-service-key NEXT_PUBLIC_APP_URL: http://localhost:3000 steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: @@ -126,7 +126,7 @@ jobs: name: Dependency audit runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: @@ -146,7 +146,7 @@ jobs: name: Environment security check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - name: Check SERVICE_ROLE_KEY exposure run: bash scripts/check-env-security.sh diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 75e41c1a0..1c03ae1bc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@v4 - name: Initialize CodeQL uses: github/codeql-action/init@v4 diff --git a/.github/workflows/duplicate-issue-check.yml b/.github/workflows/duplicate-issue-check.yml index 0baeb6a23..916f67a6f 100644 --- a/.github/workflows/duplicate-issue-check.yml +++ b/.github/workflows/duplicate-issue-check.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Check for duplicate issues - uses: actions/github-script@v9 + uses: actions/github-script@v7 with: script: | const issue = context.payload.issue; diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 87b91bb5a..5be7f9ab7 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -26,7 +26,7 @@ jobs: PLAYWRIGHT_SERVER_MODE: start CI: true steps: - - uses: actions/checkout@v7 + - uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: diff --git a/.github/workflows/gssoc-labels.yml b/.github/workflows/gssoc-labels.yml index ed7795dfd..d7db1c705 100644 --- a/.github/workflows/gssoc-labels.yml +++ b/.github/workflows/gssoc-labels.yml @@ -18,12 +18,12 @@ jobs: if: github.event_name == 'pull_request_target' steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Detect and apply type labels - uses: actions/github-script@v9 + uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | @@ -106,7 +106,7 @@ jobs: } - name: Post admin checklist comment - uses: actions/github-script@v9 + uses: actions/github-script@v7 if: github.event.action == 'opened' with: github-token: ${{ secrets.GITHUB_TOKEN }} @@ -147,7 +147,7 @@ jobs: github.event.review.state == 'approved' steps: - name: Check for gssoc:approved label - uses: actions/github-script@v9 + uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/issue-assignment.yml b/.github/workflows/issue-assignment.yml index 64966cf2b..17e0d8a31 100644 --- a/.github/workflows/issue-assignment.yml +++ b/.github/workflows/issue-assignment.yml @@ -15,7 +15,7 @@ jobs: if: github.event.issue.pull_request == null steps: - name: Handle assignment request - uses: actions/github-script@v9 + uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/issue-closed-star.yml b/.github/workflows/issue-closed-star.yml index 11a85ec2b..a676483bf 100644 --- a/.github/workflows/issue-closed-star.yml +++ b/.github/workflows/issue-closed-star.yml @@ -12,7 +12,7 @@ jobs: if: github.event.issue.state_reason == 'completed' runs-on: ubuntu-latest steps: - - uses: actions/github-script@v9 + - uses: actions/github-script@v7 with: script: | await github.rest.issues.createComment({ diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 28a0bcacb..08e6fbf23 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -9,8 +9,8 @@ jobs: issues: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@v7 - - uses: actions/labeler@v6 + - uses: actions/checkout@v4 + - uses: actions/labeler@v5 continue-on-error: true with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/pr-merged-star.yml b/.github/workflows/pr-merged-star.yml index 112bdf8ec..24aed70fe 100644 --- a/.github/workflows/pr-merged-star.yml +++ b/.github/workflows/pr-merged-star.yml @@ -12,7 +12,7 @@ jobs: if: github.event.pull_request.merged == true runs-on: ubuntu-latest steps: - - uses: actions/github-script@v9 + - uses: actions/github-script@v7 with: script: | await github.rest.issues.createComment({ diff --git a/.github/workflows/pr-star-required.yml b/.github/workflows/pr-star-required.yml index 53ce21220..3e9c4226e 100644 --- a/.github/workflows/pr-star-required.yml +++ b/.github/workflows/pr-star-required.yml @@ -15,7 +15,7 @@ jobs: name: Star required runs-on: ubuntu-latest steps: - - uses: actions/github-script@v9 + - uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: | diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 9ca08b5b9..63ec77b15 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,7 +9,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@v9 with: stale-issue-message: > This issue has been inactive for 21 days. If you are still working on it or it is still relevant, please leave a comment — otherwise it will be closed in 7 days. diff --git a/.github/workflows/visual-regression.yml b/.github/workflows/visual-regression.yml index 48fd9581b..b28e11b3c 100644 --- a/.github/workflows/visual-regression.yml +++ b/.github/workflows/visual-regression.yml @@ -40,7 +40,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@v4 - uses: pnpm/action-setup@v4 with: @@ -65,7 +65,7 @@ jobs: run: npx playwright test -c playwright.visual.config.mjs - name: Upload visual regression artifacts - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@v4 if: failure() with: name: visual-regression-artifacts diff --git a/.github/workflows/welcome.yml b/.github/workflows/welcome.yml index 448cc6936..5362816f1 100644 --- a/.github/workflows/welcome.yml +++ b/.github/workflows/welcome.yml @@ -14,7 +14,7 @@ jobs: welcome: runs-on: ubuntu-latest steps: - - uses: actions/github-script@v9 + - uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} script: |