Skip to content

fix(webui,infra): drop private npm registry, httpOnly tokens, Helm secrets, proxy hardening (FC/FH/FM)#59

Open
PenguinzTech wants to merge 2 commits into
release/v0.1.xfrom
fix/frontend-infra-hardening
Open

fix(webui,infra): drop private npm registry, httpOnly tokens, Helm secrets, proxy hardening (FC/FH/FM)#59
PenguinzTech wants to merge 2 commits into
release/v0.1.xfrom
fix/frontend-infra-hardening

Conversation

@PenguinzTech

Copy link
Copy Markdown
Contributor

Security fixes (Track A6) — frontend + infra

Targets release/v0.1.x directly (independent of the backend stack — different files).

Critical / high

  • FC1 — deleted services/webui/.npmrc (private GitHub Packages registry + NODE_AUTH_TOKEN).
  • FC3 — untracked all committed node_modules/ (root, web, services/webui, shared, tests) and gitignored node_modules/, *.tgz, .npmrc.
  • FH1 — JWTs no longer in localStorage/zustand-persist; SPA relies on the backend's httpOnly/Secure/SameSite cookies (axios withCredentials); persist stores only non-sensitive user info.
  • FH2 — Helm charts support existingSecret; values-prod.yaml references an external secret so prod no longer ships changeme-in-production; inline secretData renders for dev/alpha only.
  • FH3 — Express: helmet + CSP + trust proxy + proxyTimeout on both proxies.

Medium

  • FM1 — fixed Go-proxy route/baseURL mismatch so /api/go/* reaches the Go backend.
  • FM2 — removed NODE_AUTH_TOKEN CI build-arg; added a webui lint/typecheck/build gate before image push.
  • FM3 — prod images support @sha256 digest pinning (placeholder + TODO for CI/Renovate).

⚠️ FC2 partial — needs a decision

@penguintechinc/react-libs@1.1.5 is NOT published on public npm (404). The private-registry violation is fully removed, but the package is kept as a vendored file: tarball (which needs no registry/token) as a safe interim so the build still works. To fully close FC2, react-libs 1.1.5 must be published to public npm, then package.json can reference the public version and the tarball can be deleted. Tracked as a TODO in .gitignore and the commit body.

Follow-ups needing network/CI

  • services/webui/package-lock.json regenerated for helmet; will be re-validated by the new CI test-webui job on npm ci.
  • values-prod.yaml image digests are sha256:PIN_ME placeholders for CI/Renovate to pin.

🤖 Generated with Claude Code

…crets, harden proxy (FC/FH/FM)

Frontend + infra hardening:
- FC1: delete services/webui/.npmrc (private GitHub Packages registry + NODE_AUTH_TOKEN).
- FM2: remove NODE_AUTH_TOKEN build-arg from CI; add a webui lint/typecheck/build gate
  before the image is built/pushed.
- FC3: untrack all committed node_modules/ (root, web, services/webui, shared, tests)
  and gitignore node_modules/, *.tgz, .npmrc.
- FH1: stop storing JWTs in localStorage/zustand-persist; rely on backend httpOnly
  Secure SameSite cookies (axios withCredentials); persist only non-sensitive user info.
- FH3: add helmet + CSP + trust-proxy and proxyTimeout on both proxies (Express).
- FM1: fix Go-proxy route/baseURL mismatch so /api/go/* actually reaches the Go backend.
- FH2: Helm charts support existingSecret; values-prod uses an external secret (no more
  changeme-in-production shipped to prod); secret.yaml renders inline only for dev/alpha.
- FM3: prod images support @sha256 digest pinning (placeholder + TODO for CI/Renovate).

FC2 (partial): react-libs kept as vendored file: tarball because
@penguintechinc/react-libs@1.1.5 is NOT on public npm (404). The private-registry
violation is removed; publishing react-libs to public npm is required to fully close
FC2 (tracked as TODO in .gitignore + report).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@PenguinzTech PenguinzTech added this to the v0.1.x milestone Jul 14, 2026
@PenguinzTech PenguinzTech added the type:security Security fix label Jul 14, 2026

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, we are unable to review this pull request

The GitHub API does not allow us to fetch diffs exceeding 300 files, and this pull request has 25465

@socket-security

socket-security Bot commented Jul 14, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​helmet@​8.1.010010010085100

View full report

- Remove unused onToggle prop from Sidebar (never referenced in Layout)
- Remove unused imports: externalApi from useApi, setTokens/clearTokens/getAccessToken from useAuth
- Fix unused parameter 'get' in useAuth zustand store
- Remove unused 'login' from useAuth hook in Login.tsx
- Fix setTokens call that doesn't exist (tokens are httpOnly cookies)
- Fix user property mapping: full_name → name, role → roles array
- Add missing privacyPolicyUrl to GDPRConfig in LoginPageBuilder
- Fix role type narrowing in Users.tsx create form
- Add "composite": true to tsconfig.server.json for monorepo support

All tsc errors now resolved; npm run typecheck passes clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@socket-security

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: services/webui/package-lock.jsonnpm/eslint-plugin-react@7.37.5npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: services/webui/package-lock.jsonnpm/puppeteer@24.35.0npm/concurrently@9.1.0npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Low adoption: npm @humanfs/types

Location: Package overview

From: services/webui/package-lock.jsonnpm/eslint@9.39.4npm/@humanfs/types@0.15.0

ℹ Read more on: This package | This alert | What are unpopular packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Unpopular packages may have less maintenance and contain other problems.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanfs/types@0.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

PenguinzTech added a commit that referenced this pull request Jul 14, 2026
…ixes

Merge typecheck fixes from #59 into #64:
- Removed unused onToggle prop from Sidebar + Layout
- Removed unused imports: externalApi from useApi, setTokens/clearTokens/getAccessToken from useAuth
- Fixed unused parameter 'get' in useAuth zustand store
- Removed unused 'login' import from Login page
- Fixed user property mapping and GDPRConfig in Login
- Fixed role type narrowing in Users form

Additional #64 fixes:
- Remove unused ShortLink import from Analytics
- Remove unused barWidth variable from chart renderer
- Remove unused RoleGuard import from Links
- Remove unused user destructuring from Links

All tsc errors now resolved; npm run typecheck passes clean.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type:security Security fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant