fix: upgrade deps to clear Trivy HIGH CVE blocking cloud image build by akifbayram · Pull Request #123 · akifbayram/openbin

akifbayram · 2026-05-09T13:01:45Z

Summary

Upgrades server dependencies to resolve Trivy HIGH severity CVEs that were blocking the cloud image build
Updates server/package.json and server/package-lock.json

Test Plan

Frontend tests pass (1711 tests)
Server tests pass (1614 tests)
Verify cloud image build succeeds with no HIGH CVEs

POST /api/auth/register now requires acceptedTos + acceptedPrivacy when running in cloud mode (skipped on self-hosted). On success, recordConsent is called with source='signup' before any location auto-join so the audit trail orders consent first. The optional marketingOptIn is forwarded but only honored when MARKETING_OPT_IN_VISIBLE is true. Test helper createTestUser now sends both consent flags so existing tests that mock isSelfHosted()=false (planGating, downgrade, etc.) continue to satisfy the gate. Two direct register calls in accountDeletion.e2e.test.ts updated for the same reason.

…QUIRED

…rule

- Extract <ConsentCheckboxes> shared component (used by RegisterPage and CompleteSignupPage; eliminates ~50 lines of duplicated checkbox JSX). - Add LEGAL_DOCUMENTS / LegalDocument / CONSENT_REQUIRED_CODE constants in legalVersions.ts and consume them in consent.ts, the migration, and requireCurrentConsent. - Loop tos/privacy in recordConsent and migration backfill instead of copy-paste; consolidate byte-identical SQLITE/POSTGRES CREATE_STATEMENTS. - Drop dead `req.consentVersions` global augmentation (zero readers). - Drop redundant SELECT in /api/auth/complete-consent — the client refetches /me right after, so we just confirm the recorded versions. - Fix CompleteSignupPage marketing opt-out: pass `marketingOptIn` directly instead of `marketingOptIn || undefined`, so unchecking on re-acceptance now opts the user out instead of silently preserving prior opt-in. - Drop noise comments (apiKeys cross-reference, register.ts narration, duplicate JSDoc on RecordConsentOptions, registerConsent.test.ts cross-reference, isReacceptance useMemo).

akifbayram added 19 commits May 8, 2026 21:59

feat: add legal version constants for cloud consent flow

0d0f1c2

feat: add MARKETING_OPT_IN_VISIBLE config flag

27c4253

feat: add user_consents table and consent columns to schema

7975515

feat: add 0013_user_consent migration with backfill

fcc2d58

feat: add recordConsent helper for ToS + Privacy audit trail

f144dc5

feat: add requireCurrentConsent middleware for cloud mutation gating

420ca5b

feat: surface tos/privacy versions and marketing flag on auth status

5aacd8c

feat: include consent fields in /api/auth/me response

75fe012

feat: add POST /api/auth/complete-consent endpoint

8f5a96e

feat: mount requireCurrentConsent on /api (skip /api/auth)

43a6429

feat: extend User and AuthStatusConfig with consent fields

1d22ff0

feat: add ConsentRequiredError thrown from apiFetch on 403 CONSENT_RE…

c74f018

…QUIRED

feat: add CompleteSignupPage for OAuth + re-acceptance

52f7fcd

feat: redirect stale-consent users to /auth/complete-signup

f239993

feat: clickwrap consent checkbox on cloud RegisterPage

6db15b6

test: mock useAuthStatusConfig in AuthGuard tests after T17 redirect …

cc70e93

…rule

feat: derive legal effective date from auth status tosVersion

6daba2d

akifbayram merged commit 786b4fd into main May 9, 2026
1 check passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: upgrade deps to clear Trivy HIGH CVE blocking cloud image build#123

fix: upgrade deps to clear Trivy HIGH CVE blocking cloud image build#123
akifbayram merged 19 commits into
mainfrom
feat/cloud-tos-consent

akifbayram commented May 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

akifbayram commented May 9, 2026

Summary

Test Plan

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant