v1.3.6 - Dependency updates

CHANGELOG.md

@@ -5,7 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/neverinfamous/do-manager/compare/v1.3.5...HEAD)
+## [Unreleased](https://github.com/neverinfamous/do-manager/compare/v1.3.6...HEAD)
+
+## [1.3.6](https://github.com/neverinfamous/do-manager/releases/tag/v1.3.6) - 2026-05-05
+
+### Changed
+
+- **Dependency Updates**:
+  - Updated npm packages: `@cloudflare/workers-types`, `eslint`, `globals`, `jose`, `lucide-react`, `postcss`, `typescript-eslint`, `vite`, `wrangler`.
+  - Updated Docker build-time dependencies (`tar` to `7.5.14`).
 
 ## [1.3.5](https://github.com/neverinfamous/do-manager/releases/tag/v1.3.5) - 2026-04-22
 
@@ -150,7 +158,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Implemented multi-select Batch downloading, exporting, and backups.
 - Included Job Tracking, Webhooks, Alarms visualization, and Enterprise Zero-Trust compliance.
 
-[Unreleased]: https://github.com/neverinfamous/do-manager/compare/v1.3.5...HEAD
+[Unreleased]: https://github.com/neverinfamous/do-manager/compare/v1.3.6...HEAD
+[1.3.6]: https://github.com/neverinfamous/do-manager/compare/v1.3.5...v1.3.6
 [1.3.5]: https://github.com/neverinfamous/do-manager/compare/v1.3.4...v1.3.5
 [1.3.4]: https://github.com/neverinfamous/do-manager/compare/v1.3.3...v1.3.4
 [1.3.3]: https://github.com/neverinfamous/do-manager/compare/v1.3.2...v1.3.3

Dockerfile

@@ -24,7 +24,7 @@ RUN npm install -g npm@latest
 # npm bundles vulnerable versions of glob, tar, minimatch, and picomatch
 RUN cd /tmp && \
     npm pack glob@13.0.6 && \
-    npm pack tar@7.5.13 && \
+    npm pack tar@7.5.14 && \
     npm pack minimatch@10.2.5 && \
     npm pack picomatch@4.0.4 && \
     rm -rf /usr/local/lib/node_modules/npm/node_modules/glob && \
@@ -37,7 +37,7 @@ RUN cd /tmp && \
     (mkdir -p /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules && \
      cp -r package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob || true) && \
     rm -rf package && \
-    tar -xzf tar-7.5.13.tgz && \
+    tar -xzf tar-7.5.14.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/tar && \
     tar -xzf minimatch-10.2.5.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/minimatch && \
@@ -83,7 +83,7 @@ RUN npm install -g npm@latest
 # npm bundles vulnerable versions of glob, tar, minimatch, and picomatch
 RUN cd /tmp && \
     npm pack glob@13.0.6 && \
-    npm pack tar@7.5.13 && \
+    npm pack tar@7.5.14 && \
     npm pack minimatch@10.2.5 && \
     npm pack picomatch@4.0.4 && \
     rm -rf /usr/local/lib/node_modules/npm/node_modules/glob && \
@@ -96,7 +96,7 @@ RUN cd /tmp && \
     (mkdir -p /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules && \
      cp -r package /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob || true) && \
     rm -rf package && \
-    tar -xzf tar-7.5.13.tgz && \
+    tar -xzf tar-7.5.14.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/tar && \
     tar -xzf minimatch-10.2.5.tgz && \
     mv package /usr/local/lib/node_modules/npm/node_modules/minimatch && \
@@ -108,7 +108,7 @@ RUN cd /tmp && \
 # Install runtime dependencies only
 # Security Notes:
 # - Application runtime dependencies: see package-lock.json (devDependencies, including any minimatch usage, are not installed due to `npm ci --omit=dev`)
-# - npm CLI bundled dependencies: glob@13.0.6, tar@7.5.13, minimatch@10.2.5, picomatch@4.0.4 (npm's own deps, manually patched via P111)
+# - npm CLI bundled dependencies: glob@13.0.6, tar@7.5.14, minimatch@10.2.5, picomatch@4.0.4 (npm's own deps, manually patched via P111)
 # - minimatch ReDoS: GHSA-7r86-cg39-jmmj, GHSA-23c5-xmqv-rm74 (fixed >= 10.2.3)
 # - rollup path traversal: GHSA-mw96-cpmx-2vgc (fixed >= 4.59.0 via npm audit fix)
 # - busybox CVE-2025-46394 & CVE-2024-58251 fixed via apk upgrade