Bump actions/setup-node from 4 to 6#2
Open
dependabot[bot] wants to merge 1 commit into
Open
Conversation
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
naman7474
added a commit
that referenced
this pull request
Jul 5, 2026
Closes the "GitHub access to one repo → read the whole org" security-review blocker. Default stays "shared" (whole-org read, zero behavior change); an owner can flip a project to "walled" so reads require project membership. Enforced at the application guard layer (RLS stays org-only): - New ensureProjectVisible / canReadProject guards (guards.ts) + projectVisibility reader (permissions.ts). Applied to every projectId read route: dashboard overview/insights, ingest graph/proposed/decisions-search, and the documents/ features/conflicts/counts reads. - orgOverview hides walled projects from non-members. - projectMembers becomes an authoritative roster: connectOrJoin (auto-join, create, cross-service join) and createProject now backfill an active project_members row (owner for creators, member for joiners). Invites already did. Plus a one-off scripts/backfill-project-members.ts for existing projects. - Owner-only visibility toggle on the Members page (reuses the settings patch endpoint); projectOverview now returns the current visibility. core 97/97 (new visibility.api.test.ts: shared read-all, walled 403 vs member 200 across overview/graph/proposed/insights, org-overview hiding, roster backfill), guards + permissions 100% coverage, web tsc + build clean. Migration-free (projects.settings jsonb). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
naman7474
added a commit
that referenced
this pull request
Jul 5, 2026
Follow-up to #2: reads were walled uniformly but write/mutation routes still checked only org membership, so any org member outside a wall could mutate a walled project — and the doc-lifecycle mutations had no role check even on shared projects (a pre-existing PRD §15 gap). New guard `requireProjectRole(roles)` (no shared bypass — a write role is a write role) + `canManageDocTx` (§15: registrant ∨ doc owner ∨ owner/pm; canRatifyTx is now an alias since it's the same predicate). - Doc lifecycle (state / unregister / resync): §15 enforced INSIDE the services (covers every caller), closing the shared-project hole too. - State mappings + property → owner/pm (decision: owner/pm, not owner-only — PMs administer product-layer config). - Connector plumbing + graph mutations (POST connections/allowlist, graph derive/nodes/edges) and POST /repos → owner/pm. - GET connections + allowlist and POST /documents (register) → project-visible. - Worker paths untouched (cross-org trusted, correct); Slack ratify buttons were already walled-safe via getProjectRoleTx (null for non-members). Tests: extended with a WRITE matrix mirroring the read one — visibility.api.test (member/outsider 403 vs owner OK on connector+graph writes) and documents.api.test (member 403 on doc state, §15). core 100/100; guards + permissions 100% coverage. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
naman7474
added a commit
that referenced
this pull request
Jul 5, 2026
invite() checked only org membership and inserted the project_members row with a caller-controlled, unvalidated role. Two one-line exploits, both now closed: 1. Self-invite past a wall: any org member could POST /…/:walledProject/invite with their own handle → invited row → their next connect flips it active (the #2 roster-backfill path) → inside the wall. 2. Privilege escalation to owner on ANY project: pass role:"owner" → the same flow mints owner. Post-#2, owner/pm gates every write, so this was the master key to settings, visibility, mappings, connector plumbing, and ratification. Fix (in the service, so CLI + web + any caller inherit it): - whitelist role ∈ {member, pm, owner} (400 otherwise); - only owners/PMs may invite at all (getProjectRoleTx, not org membership); - only an owner may grant owner/pm — a PM can invite members only. Accept path audited: activateInvites matches by handle + status='invited' and only flips status/memberId, never the role (as-stored) — no user-controlled input there. Tests: invite matrix in visibility.api.test — outsider self-invite 403, member invite 403, member/pm granting owner 403, bogus role 400, owner-grants-any and pm-grants-member OK. core 101/101. Decision for PRD §21 log: PMs may invite members (not owner-only) — mirrors the mappings owner/pm call. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
naman7474
added a commit
that referenced
this pull request
Jul 7, 2026
…, #1) Bootstrap lockstep.yaml with a run-once /lockstep-setup skill and resolve a repo's consumes by closed-world matching against the org's own dependency graph. - server: produced-surface catalog — listProjectSurfaces + GET /surfaces, syncProducedSurfaces + POST /surfaces (idempotent produces→contracts), and registerDependency now auto-resolves + self-heals producedRepoId from the catalog. - cli: `lockstep scan` (walk repo → produces + graph-resolved consumes, tiered proposal, --json/--apply), extractOutbound detector (fetch/axios/gRPC/import), writeManifest (merge-preserving, reuses applyFile), trackedFiles. - skill: SETUP_SKILL_MD wired into init as a 5th artifact and the sole yaml writer; capture hook stays read-only. - backlog: prune IMPROVEMENTS.md — remove shipped #2 + #11, reframe #1, renumber. Tests: cli 66/66, core 104/104; new modules ≥90% coverage. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
naman7474
added a commit
that referenced
this pull request
Jul 7, 2026
Move #1 (consumes autodetection) into the "shipped & removed" banner alongside #2 and #11; keep the remaining future-depth bits (GraphQL/base-URL coverage, service-level shorthand, gateway/mesh/OTel import) as an explicit non-blocker note. Renumber the rest to 9 items and refresh the pitch-guidance honest-gaps line. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/setup-node from 4 to 6.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)6044e13Docs: bump actions/checkout from v5 to v6 (#1468)8e49463Fix README typo (#1226)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)