Adds pnpm-workspace.yaml overrides to pin transitive dependencies to patched versions, eliminating all 36 npm audit findings (21 high, 10 moderate, 5 low).

SECURITY.md

@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+The latest release is always supported with security updates. Older releases
+receive fixes on a best-effort basis.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| latest  | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities by opening a **private** GitHub Security
+Advisory at `https://github.com/BloopAI/vibe-kanban/security/advisories/new`.
+
+Include a description of the issue, steps to reproduce, and your assessment of
+impact. You will receive an acknowledgement within 72 hours. If the report is
+accepted, a patch will be released as soon as possible and you will be credited
+in the release notes.

crates/git/src/cli.rs

@@ -824,8 +824,8 @@ impl GitCli {
             let combined = match (stdout.is_empty(), stderr.is_empty()) {
                 (true, true) => "Command failed with no output".to_string(),
                 (false, false) => format!("--- stderr\n{stderr}\n--- stdout\n{stdout}"),
-                (false, true) => format!("--- stderr\n{stdout}"),
-                (true, false) => format!("--- stdout\n{stderr}"),
+                (false, true) => format!("--- stdout\n{stdout}"),
+                (true, false) => format!("--- stderr\n{stderr}"),
             };
             return Err(GitCliError::CommandFailed(combined));
         }

crates/remote/src/routes/github_app.rs

@@ -500,6 +500,9 @@ async fn handle_callback(
     let Some(installation_id) = query.installation_id else {
         return redirect_error(None, "Missing installation_id");
     };
+    if installation_id <= 0 {
+        return redirect_error(None, "Invalid installation_id");
+    }
 
     let Some(state_token) = query.state else {
         return redirect_error(None, "Missing state parameter");

crates/server/src/main.rs

@@ -3,6 +3,7 @@ use axum::Router;
 use deployment::{Deployment, DeploymentError};
 use server::{
     DeploymentImpl, middleware::origin::validate_origin, routes, runtime::relay_registration,
+    startup,
 };
 use services::services::container::ContainerService;
 use sqlx::Error as SqlxError;
@@ -12,7 +13,6 @@ use tokio_util::sync::CancellationToken;
 use tower_http::validate_request::ValidateRequestHeaderLayer;
 use tracing_subscriber::{EnvFilter, prelude::*};
 use utils::{
-    assets::asset_dir,
     port_file::write_port_file_with_proxy,
     sentry::{self as sentry_utils, SentrySource, sentry_layer},
 };
@@ -49,46 +49,9 @@ async fn main() -> Result<(), VibeKanbanError> {
         .with(sentry_layer())
         .init();
 
-    // Create asset directory if it doesn't exist
-    if !asset_dir().exists() {
-        std::fs::create_dir_all(asset_dir())?;
-    }
-
-    // Copy old database to new location for safe downgrades
-    let old_db = asset_dir().join("db.sqlite");
-    let new_db = asset_dir().join("db.v2.sqlite");
-    if !new_db.exists() && old_db.exists() {
-        tracing::info!(
-            "Copying database to new location: {:?} -> {:?}",
-            old_db,
-            new_db
-        );
-        std::fs::copy(&old_db, &new_db).expect("Failed to copy database file");
-        tracing::info!("Database copy complete");
-    }
-
     let shutdown_token = CancellationToken::new();
 
-    let deployment = DeploymentImpl::new(shutdown_token.clone()).await?;
-    deployment.update_sentry_scope().await?;
-    deployment
-        .container()
-        .cleanup_orphan_executions()
-        .await
-        .map_err(DeploymentError::from)?;
-    deployment
-        .container()
-        .backfill_before_head_commits()
-        .await
-        .map_err(DeploymentError::from)?;
-    deployment
-        .container()
-        .backfill_repo_names()
-        .await
-        .map_err(DeploymentError::from)?;
-    deployment
-        .track_if_analytics_allowed("session_start", serde_json::json!({}))
-        .await;
+    let deployment = startup::initialize_deployment(shutdown_token.clone()).await?;
     // Preload global executor options cache for all executors with DEFAULT presets
     tokio::spawn(async move {
         executors::executors::utils::preload_global_executor_options_cache().await;

package.json

@@ -59,7 +59,7 @@
     "esbuild": "^0.27.2",
     "jwt-decode": "^4.0.0",
     "typescript": "^5.7.0",
-    "vite": "^7.3.1"
+    "vite": "^7.3.2"
   },
   "engines": {
     "node": ">=20",

packages/local-web/package.json

@@ -75,7 +75,7 @@
     "immer": "^11.1.3",
     "jwt-decode": "^4.0.0",
     "lexical": "^0.36.2",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "lucide-react": "^0.539.0",
     "posthog-js": "^1.276.0",
     "react": "^18.2.0",
@@ -120,10 +120,10 @@
     "eslint-plugin-react-hooks": "^4.6.0",
     "eslint-plugin-react-refresh": "^0.4.5",
     "eslint-plugin-unused-imports": "^4.1.4",
-    "postcss": "^8.4.32",
+    "postcss": "^8.5.10",
     "prettier": "^3.6.1",
     "tailwindcss": "^3.4.0",
     "typescript": "^5.9.2",
-    "vite": "^7.3.1"
+    "vite": "^7.3.2"
   }
 }

packages/remote-web/package.json

@@ -41,11 +41,11 @@
     "@vitejs/plugin-react": "^4.2.1",
     "autoprefixer": "^10.4.16",
     "babel-plugin-react-compiler": "^1.0.0",
-    "postcss": "^8.4.32",
+    "postcss": "^8.5.10",
     "tailwind-scrollbar": "^3.1.0",
     "tailwindcss": "^3.4.0",
     "tailwindcss-animate": "^1.0.7",
     "typescript": "^5.9.2",
-    "vite": "^7.3.1"
+    "vite": "^7.3.2"
   }
 }

packages/web-core/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@vibe/web-core",
   "private": true,
-  "version": "0.1.18",
+  "version": "0.1.44",
   "type": "module",
   "exports": {
     "./project-fallback-page": "./src/project-routes/ProjectFallbackPage.tsx",
@@ -69,9 +69,9 @@
     "immer": "^11.1.3",
     "jwt-decode": "^4.0.0",
     "lexical": "^0.36.2",
-    "lodash": "^4.17.21",
+    "lodash": "^4.18.1",
     "lucide-react": "^0.539.0",
-    "mermaid": "^11.4.0",
+    "mermaid": "^11.15.0",
     "posthog-js": "^1.276.0",
     "react": "^18.2.0",
     "react-compiler-runtime": "^1.0.0",
@@ -125,10 +125,10 @@
     "eslint-plugin-react-hooks": "^4.6.0",
     "eslint-plugin-react-refresh": "^0.4.5",
     "eslint-plugin-unused-imports": "^4.1.4",
-    "postcss": "^8.4.32",
+    "postcss": "^8.5.10",
     "prettier": "^3.6.1",
     "tailwindcss": "^3.4.0",
     "typescript": "^5.9.2",
-    "vite": "^7.3.1"
+    "vite": "^7.3.2"
   }
 }