
release: v0.47.4 — postcss security override + Docker smoke CI#383

Merged
elfensky merged 7 commits into main from develop on May 19, 2026

Conversation

@elfensky (Owner)

Summary

Release v0.47.4 to production. Rolls up two changes since v0.47.3:

0.47.4 — postcss pinned via package.json#overrides (security)

Remediates GHSA-qx2v-qp2m-jg93 / CVE-2026-41305 (PostCSS XSS via unescaped </style> in stringified CSS, < 8.5.10). The vulnerable copy came in transitively via next@16.2.6 → postcss@8.4.31; Tailwind 4 already pulled postcss@8.5.14 independently, proving the 8.5.x line works in our pipeline.

After install all three postcss consumers (Tailwind, Next, Vite) dedupe to 8.5.15. npm install reports 0 vulnerabilities. Real-world exploit risk for this app is essentially zero (the vuln requires processing user-submitted CSS through PostCSS's stringifier — we author all our own CSS via Tailwind utilities and design tokens), but the override drops us from 1 moderate dependabot alert to 0.

Also picks up a stray dependabot bump that landed on main directly (PR #382): brace-expansion 5.0.5 → 5.0.6 (CVE-flagged ReDoS, also low real-world risk for us).

0.47.2 — Docker smoke CI for main PRs

New .github/workflows/main-pr-docker-smoke.yml (scoped to pull_request: branches: [main]) brings up the full production-shaped stack (postgres + migrate + helldiversbot, all built from working-tree Dockerfiles) and asserts both that migrate exits 0 and that the app's /api/healthcheck returns sensible JSON. Backed by a standalone docker-compose.ci.yml. Cold-cache cost ~7 minutes per main PR.

This PR should be the first one where that workflow actually runs in CI — assuming GitHub's PR workflow resolution picks up the file from the head ref. If it doesn't trigger here (because main doesn't yet have the workflow file), it'll start working on the next main PR.

Verification (local, on develop @ HEAD)

  • npm run lint — clean
  • npm run typecheck — clean
  • npm run test:unit — 1320 tests pass
  • npm run build — succeeds
  • docker compose -f docker-compose.ci.yml up --build --wait — exit 0 in 1m 11s; migrate seeded all 156 seasons, app reached healthy, curl /api/healthcheck → {"alive":true,...}

Post-merge actions

  1. Tag the merge commit on main as v0.47.4 and push the tag — triggers production Docker build via release.docker.yml.
  2. Merge main back into develop so develop carries the merge commit.

Test plan

  • Existing CI (Test & Build, CodeQL, Dependency Review) green
  • Docker smoke workflow — observe whether it triggers (it's new). If it does, expect ~7 min and a healthy stack.
  • After merge: v0.47.4 tag pushed, release.docker.yml produces new images
  • On production host: sudo docker compose pull && sudo docker compose up — migrate completes, app reaches healthy
  • Dependabot alert chore(deps): bump zod from 4.1.13 to 4.2.0 in the minor-and-patch group #98 (postcss) closes once GitHub re-scans the default branch
  • main merged back into develop

🤖 Generated with Claude Code
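The description above relies on two things holding after the override: every copy of postcss that npm installs is at or above the patched floor (8.5.10) and the consumers dedupe to a single version. The script below is an added example, not code from this PR or the project, that checks both conditions against a lockfileVersion 3 package-lock.json; the sample lockfiles, the package name `example-app` and the override range `^8.5.10` are constructed for illustration.

```javascript
// Added example: verify that a package.json "overrides" pin for a package
// actually took effect in package-lock.json (lockfileVersion 3), i.e. every
// installed copy is >= the patched floor and all consumers dedupe to one version.

const PATCHED_FLOOR = "8.5.10"; // first fixed postcss release named in the PR

// Minimal semver compare on MAJOR.MINOR.PATCH (prerelease tags are ignored).
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Collect every installed copy of `name` from the v3 lockfile "packages" map.
// Keys look like "node_modules/postcss" or "node_modules/next/node_modules/postcss".
function installedVersions(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: entry.version });
    }
  }
  return out;
}

// Returns an audit record; `ok` is true only when the override exists,
// exactly one version is installed, and that version is >= `floor`.
function auditOverride(pkgJson, lock, name, floor) {
  const override = pkgJson.overrides && pkgJson.overrides[name];
  const copies = installedVersions(lock, name);
  const versions = [...new Set(copies.map((c) => c.version))];
  const unpatched = copies
    .filter((c) => compareSemver(c.version, floor) < 0)
    .map((c) => `${c.path}@${c.version}`);
  const deduped = versions.length === 1;
  return { overridePresent: Boolean(override), versions, deduped, unpatched,
           ok: Boolean(override) && deduped && unpatched.length === 0 };
}

// Constructed "before" state: next's nested postcss@8.4.31 beside tailwind's 8.5.14.
const lockBefore = { lockfileVersion: 3, packages: {
  "node_modules/postcss": { version: "8.5.14" },
  "node_modules/next/node_modules/postcss": { version: "8.4.31" } } };
const pkgBefore = { name: "example-app" }; // no overrides block yet
// Constructed "after" state: one hoisted copy at 8.5.15, as the PR reports.
const lockAfter = { lockfileVersion: 3, packages: {
  "node_modules/postcss": { version: "8.5.15" } } };
const pkgAfter = { name: "example-app", overrides: { postcss: "^8.5.10" } };
```

Run `auditOverride(pkgAfter, lockAfter, "postcss", PATCHED_FLOOR)` against the real `package.json` and `package-lock.json` (parsed with `JSON.parse`) to get the same verdict npm's dedupe gives, with the offending nested path named when it fails.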

elfensky and others added 7 commits May 18, 2026 20:44
Brings up the full production-shaped stack (postgres + migrate +
helldiversbot) from working-tree builds and asserts:
  - migrate exits 0 (catches Dockerfile.migrate / seed regressions)
  - app reaches healthy and /api/healthcheck returns sensible JSON
    (catches Dockerfile.app / runtime regressions)

Scoped to `pull_request: branches: [main]` only — runs on release and
hotfix PRs, not on the develop integration loop where the cost
(~7min cold-cache) would slow iteration.

Closes the gap exposed by the v0.47.1 hotfix: lint, typecheck,
test:unit, and build all passed locally while the migrate container
crashed at the seed step on a jsconfig-alias import that only fails
under raw Node. Local tooling resolves `@/*` (Next/Vitest); raw Node
doesn't. Only actually running the container catches that class.

New files:
- docker-compose.ci.yml — standalone (not an override of
  docker-compose.yml), swaps `image:` for `build:` and `env_file:`
  for inline `environment:` so the workflow can inject stub creds.
  Also usable locally with
  `docker compose -f docker-compose.ci.yml up --build`.
- .github/workflows/main-pr-docker-smoke.yml — uses
  `docker compose up --wait` so compose's healthcheck-gated startup
  is the assertion, plus a host-side curl on the published port.
  Dumps grouped container logs on failure, tears down always.

No GHA build cache configured yet; revisit if 7min/main-PR stings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Version-on-merge bump for #380 (merged via GitHub UI, which doesn't
carry the package.json + CHANGELOG rename). Pure CI tooling addition,
no runtime change — patch bump per the 0.46.2 / 0.46.3 / 0.46.4
chore precedent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# Conflicts:
#	CHANGELOG.md
#	package.json
Remediates GHSA-qx2v-qp2m-jg93 / CVE-2026-41305 (PostCSS XSS via
unescaped </style> in stringified CSS output, < 8.5.10). The
vulnerable copy came in transitively via next@16.2.6 → postcss@8.4.31.
Tailwind 4 already pulled postcss@8.5.14 independently, so we have
prior evidence the 8.5.x line works in our build pipeline.

After `npm install`, all three postcss consumers (Tailwind, Next, Vite)
dedupe to 8.5.15. `npm install` reports 0 vulnerabilities.

Real-world exploit risk is essentially zero for this app — the vuln
requires processing user-submitted CSS through PostCSS's stringifier
and embedding the output in an HTML <style> tag, and we author all
CSS ourselves via Tailwind utilities and design tokens. Fix is hygiene.

Verified end-to-end:
  - The four JS gates (lint, typecheck, 1320 unit tests, build) — all green
  - docker compose -f docker-compose.ci.yml up --build --wait → exit 0
    in 1m 11s; migrate exited 0, app reached healthy, curl /api/healthcheck
    returned {"alive":true,...}

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@elfensky elfensky merged commit dd3e490 into main May 19, 2026
11 checks passed