- Bump github.com/bytedance/sonic from v1.14.1 to v1.15.0
- Bump github.com/gabriel-vasile/mimetype from v1.4.12 to v1.4.13
- Bump github.com/glebarez/go-sqlite from v1.21.2 to v1.22.0
- Bump github.com/gin-gonic/gin from v1.11.0 to v1.12.0
- Bump github.com/google/pprof to v0.0.0-20250317173921-a4b03ec1a45e
- Bump go.opentelemetry.io/auto/sdk to v1.2.1
- Bump go.opentelemetry.io/otel to v1.40.0
- Update various other dependencies to their latest versions
- Created a comprehensive runbook for emergency token rotation, detailing when to rotate, prerequisites, and step-by-step procedures.
- Included methods for generating secure tokens, updating configurations, and verifying new tokens.
- Added an automation script for token rotation to streamline the process.
- Implemented compliance checklist and troubleshooting sections for better guidance.
test: Implement E2E tests for emergency server and token functionality
- Added tests for the emergency server to ensure it operates independently of the main application.
- Verified that the emergency server can bypass security controls and reset security settings.
- Implemented tests for emergency token validation, rate limiting, and audit logging.
- Documented expected behaviors for emergency access and security enforcement.
refactor: Introduce security test fixtures for better test management
- Created a fixtures file to manage security-related test data and functions.
- Included helper functions for enabling/disabling security modules and testing emergency access.
- Improved test readability and maintainability by centralizing common logic.
test: Enhance emergency token tests for robustness and coverage
- Expanded tests to cover various scenarios including token validation, rate limiting, and idempotency.
- Ensured that emergency token functionality adheres to security best practices.
- Documented expected behaviors and outcomes for clarity in test results.
Phase 1 of Custom DNS Provider Plugin Support: the /api/v1/dns-providers/types
endpoint now returns types dynamically from the dnsprovider.Global() registry
instead of a hardcoded list.
Backend handler queries registry for all provider types, metadata, and fields
Response includes is_built_in flag to distinguish plugins from built-ins
Frontend types updated with DNSProviderField interface and new response shape
Fixed flaky WAF exclusion test (isolated file-based SQLite DB)
Updated operator docs for registry-driven discovery and plugin installation
Refs: #461
Upgrades validator from v10.28.0 to v10.30.1, which transitively upgrades
golang.org/x/crypto from v0.42.0 (vulnerable) to v0.46.0 (patched).
Remediates:
- GHSA-j5w8-q4qc-rx2x (SSH connection handling vulnerability)
- GHSA-f6x5-jh6r-wrfv (SSH key parsing vulnerability)
Previously attempted replace directive approach did not work because Go
embeds original dependency versions in binary metadata, which scanners read.
Direct dependency upgrade is the correct solution.
Expected impact: Reduces Medium vulnerabilities from 8 to 4 (Alpine CVEs only)
Testing: All backend unit tests passing
GitHub Actions
renovate[bot]
Jeremy