Skip to content

Merge dev into main: security fixes#14

Merged
ApiliumDevTeam merged 2 commits intomainfrom
dev
Mar 5, 2026
Merged

Merge dev into main: security fixes#14
ApiliumDevTeam merged 2 commits intomainfrom
dev

Conversation

@ApiliumDevTeam
Copy link
Collaborator

@ApiliumDevTeam ApiliumDevTeam commented Mar 5, 2026

Summary

  • Merges fix/security-alerts changes from dev into main
  • Resolves 19 GitHub security alerts: hardcoded OAuth secrets, vulnerable deps (tar, esbuild), missing workflow permissions

Changes included

  • Replace hardcoded base64 Google Antigravity OAuth credentials with env vars
  • Remove hardcoded DEFAULT_PROJECT_ID fallback (rising-fact-p41fc)
  • Bump tar 7.5.9 → 7.5.10, esbuild ^0.24.0 → ^0.25.0
  • Add permissions: contents: read to CI workflows

ApiliumDevTeam and others added 2 commits March 6, 2026 00:04
@ApiliumDevTeam @claude
Fix 19 GitHub security alerts: remove hardcoded OAuth secrets, bump v…
8903c2e 
…ulnerable deps, add workflow permissions

- Replace hardcoded base64 Google Antigravity OAuth credentials with env vars
  (MAYROS_ANTIGRAVITY_OAUTH_CLIENT_ID, MAYROS_ANTIGRAVITY_OAUTH_CLIENT_SECRET)
- Remove hardcoded DEFAULT_PROJECT_ID fallback (rising-fact-p41fc) to avoid
  Google account bans from using their first-party project ID
- Bump tar 7.5.9 → 7.5.10 (CVE hardlink path traversal)
- Bump esbuild ^0.24.0 → ^0.25.0 (dev server request forgery)
- Add least-privilege permissions (contents: read) to ci.yml and
  workflow-sanity.yml (resolves 11 code scanning alerts)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ApiliumDevTeam
Fix 19 GitHub security alerts (#13)
0bc8c49 
## Summary
- Replace hardcoded base64 Google Antigravity OAuth credentials with env
vars (`MAYROS_ANTIGRAVITY_OAUTH_CLIENT_ID`,
`MAYROS_ANTIGRAVITY_OAUTH_CLIENT_SECRET`)
- Remove hardcoded `DEFAULT_PROJECT_ID` fallback (`rising-fact-p41fc`) —
Google's first-party project ID that was causing account bans
- Bump `tar` 7.5.9 → 7.5.10 (CVE hardlink path traversal)
- Bump `esbuild` ^0.24.0 → ^0.25.0 (dev server request forgery)
- Add least-privilege `permissions: contents: read` to `ci.yml` and
`workflow-sanity.yml` (resolves 11 code scanning alerts)

## Test plan
- [x] `pnpm install` succeeds
- [x] `pnpm build` compiles
- [x] No base64 secrets remain in `extensions/google-antigravity-auth/`
- [ ] GitHub re-scans and closes alerts after merge
@ApiliumDevTeam ApiliumDevTeam merged commit c448958 into main Mar 5, 2026
ApiliumDevTeam added a commit that referenced this pull request Mar 9, 2026
@ApiliumDevTeam
Merge dev into main: security fixes (#14)
d453896 
## Summary
- Merges `fix/security-alerts` changes from `dev` into `main`
- Resolves 19 GitHub security alerts: hardcoded OAuth secrets,
vulnerable deps (tar, esbuild), missing workflow permissions

## Changes included
- Replace hardcoded base64 Google Antigravity OAuth credentials with env
vars
- Remove hardcoded `DEFAULT_PROJECT_ID` fallback (`rising-fact-p41fc`)
- Bump `tar` 7.5.9 → 7.5.10, `esbuild` ^0.24.0 → ^0.25.0
- Add `permissions: contents: read` to CI workflows
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ApiliumDevTeam