v1.3.5 - Stabilized React state updates and patched npm CLI dependencies

CHANGELOG.md

@@ -5,7 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/neverinfamous/do-manager/compare/v1.3.4...HEAD)
+## [Unreleased](https://github.com/neverinfamous/do-manager/compare/v1.3.5...HEAD)
+
+## [1.3.5](https://github.com/neverinfamous/do-manager/releases/tag/v1.3.5) - 2026-04-22
+
+### Added
+
+- P111: Implemented npm CLI dependency patching (`tar`, `minimatch`) in Docker builder and runtime stages.
+- Added `queueMicrotask` batching for asynchronous data fetching within `useEffect` bodies across 16 feature components to resolve `react-hooks/set-state-in-effect` anti-patterns.
+- Added component-level `now` state synchronization to `AlarmManager`, `JobHistory`, and `HealthDashboard` to ensure strict render purity (resolving `Date.now()` impurity lint errors).
+
+### Fixed
+
+- Fixed `react-hooks/preserve-manual-memoization` warning in `StorageViewer.tsx` by correcting dependency assertions.
+- Fixed unused variable warnings in namespace and list components.
+
+### Security
+
+- Pinned `tar` to `7.5.13` and `minimatch` to `10.2.5` via `overrides` in `package.json` to resolve downstream vulnerabilities.
 
 ## [1.3.4](https://github.com/neverinfamous/do-manager/releases/tag/v1.3.4) - 2026-04-06
 
@@ -133,7 +150,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Implemented multi-select Batch downloading, exporting, and backups.
 - Included Job Tracking, Webhooks, Alarms visualization, and Enterprise Zero-Trust compliance.
 
-[Unreleased]: https://github.com/neverinfamous/do-manager/compare/v1.3.4...HEAD
+[Unreleased]: https://github.com/neverinfamous/do-manager/compare/v1.3.5...HEAD
+[1.3.5]: https://github.com/neverinfamous/do-manager/compare/v1.3.4...v1.3.5
 [1.3.4]: https://github.com/neverinfamous/do-manager/compare/v1.3.3...v1.3.4
 [1.3.3]: https://github.com/neverinfamous/do-manager/compare/v1.3.2...v1.3.3
 [1.3.2]: https://github.com/neverinfamous/do-manager/compare/v1.3.1...v1.3.2

Dockerfile

@@ -24,8 +24,8 @@ RUN npm install -g npm@latest
 # npm bundles vulnerable versions of glob, tar, minimatch, and picomatch
 RUN cd /tmp && \
     npm pack glob@13.0.6 && \
-    npm pack tar@7.5.11 && \
-    npm pack minimatch@10.2.4 && \
+    npm pack tar@7.5.13 && \
+    npm pack minimatch@10.2.5 && \
     npm pack picomatch@4.0.4 && \
     rm -rf /usr/local/lib/node_modules/npm/node_modules/glob && \
     rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
@@ -37,9 +37,9 @@ RUN cd /tmp && \
     (mkdir -p /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules && \
      cp -r package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob || true) && \
     rm -rf package && \
-    tar -xzf tar-7.5.11.tgz && \
+    tar -xzf tar-7.5.13.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/tar && \
-    tar -xzf minimatch-10.2.4.tgz && \
+    tar -xzf minimatch-10.2.5.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/minimatch && \
     tar -xzf picomatch-4.0.4.tgz && \
     mkdir -p /usr/local/lib/node_modules/npm/node_modules/tinyglobby/node_modules && \
@@ -83,8 +83,8 @@ RUN npm install -g npm@latest
 # npm bundles vulnerable versions of glob, tar, minimatch, and picomatch
 RUN cd /tmp && \
     npm pack glob@13.0.6 && \
-    npm pack tar@7.5.11 && \
-    npm pack minimatch@10.2.4 && \
+    npm pack tar@7.5.13 && \
+    npm pack minimatch@10.2.5 && \
     npm pack picomatch@4.0.4 && \
     rm -rf /usr/local/lib/node_modules/npm/node_modules/glob && \
     rm -rf /usr/local/lib/node_modules/npm/node_modules/tar && \
@@ -96,9 +96,9 @@ RUN cd /tmp && \
     (mkdir -p /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules && \
      cp -r package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob || true) && \
     rm -rf package && \
-    tar -xzf tar-7.5.11.tgz && \
+    tar -xzf tar-7.5.13.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/tar && \
-    tar -xzf minimatch-10.2.4.tgz && \
+    tar -xzf minimatch-10.2.5.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/minimatch && \
     tar -xzf picomatch-4.0.4.tgz && \
     mkdir -p /usr/local/lib/node_modules/npm/node_modules/tinyglobby/node_modules && \
@@ -108,7 +108,7 @@ RUN cd /tmp && \
 # Install runtime dependencies only
 # Security Notes:
 # - Application runtime dependencies: see package-lock.json (devDependencies, including any minimatch usage, are not installed due to `npm ci --omit=dev`)
-# - npm CLI bundled dependencies: glob@13.0.6, tar@7.5.11, minimatch@10.2.4, picomatch@4.0.4 (npm's own deps, manually patched via P111)
+# - npm CLI bundled dependencies: glob@13.0.6, tar@7.5.13, minimatch@10.2.5, picomatch@4.0.4 (npm's own deps, manually patched via P111)
 # - minimatch ReDoS: GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74 (fixed >= 10.2.3)
 # - rollup path traversal: GHSA-mw96-cpmx-2vgc (fixed >= 4.59.0 via npm audit fix)
 # - busybox CVE-2025-46394 & CVE-2024-58251 fixed via apk upgrade