📦 deps: Bump typescript from 5.9.3 to 6.0.2#2
Open

dependabot[bot] wants to merge 1 commit into main from

63f03dd to 0e2439c (compare)
Contributor: @dependabot rebase
0e2439c to 3780142 (compare)
Contributor: @dependabot rebase
3780142 to e3354fc (compare)
s-b-e-n-s-o-n added a commit that referenced this pull request on Apr 13, 2026:
Phase 3 security bundle #2 — the last three security ship-blockers on the go-live checklist. Each fix is contained to the package that owns the bug, each has regression coverage, and each is verified under `-race`.

* 🔒 **Kill the client ACL `/containers/json` amplification vector** (`clientacl/cache.go` — new file). Before: every inbound request from an allowed CIDR fired a fresh upstream `/containers/json` lookup so we could map source IP → caller container. A burst of N concurrent requests from one IP amplified into N Docker API calls + N JSON decodes, which is both a DoS lever against the Docker daemon and a steady tax on normal traffic. After: a tiny in-process cache with two defenses stacked:
  - **Singleflight per IP.** Concurrent misses for the same IP share one in-flight call via a `chan struct{}` barrier. 16 callers → 1 upstream call (locked in by `TestClientCacheCoalescesConcurrentMissesPerIP`).
  - **10-second success TTL + 256-entry LRU-ish cap.** Sequential callers within the window get the cached verdict instantly. Errors are never cached, so a transient upstream blip recovers on the next caller instead of pinning everyone to a stale failure. Eviction scrubs expired entries first, then drops the oldest surviving entry if still at cap — a proper LRU linked list is overkill for a 256-entry cache with a 10-second TTL.

  Six tests exhaustively cover TTL hit/miss, concurrent coalesce, per-IP independence, error non-caching, not-found caching, and eviction past cap. Wired in via `newACLDeps` so production gets the cache and tests can still inject a fake resolver through `aclDeps`.

* 🐛 **Preserve large integers in ownership body mutation** (`ownership/middleware.go:mutateJSONBody`). The old path used `json.Unmarshal(body, &decoded)` where `decoded` is `map[string]any`, which coerces every JSON number to `float64`. Any container-create field above 2^53 — `Memory`, `MemorySwap`, `PidsLimit`, `NanoCpus` — silently lost precision on the re-encode pass even though ownership itself only writes the `Labels` object. Fix: switch to `json.NewDecoder(bytes.NewReader(body)).UseNumber()` so numbers decode to `json.Number`, which marshals back verbatim. New `TestMutateJSONBodyPreservesLargeIntegers` locks in 2^53+1 (the smallest integer float64 loses) and a near-int64-max MemorySwap round-tripping exactly through a Labels-injection mutation.

* 📝 **Document the Docker filter negation story** (`ownership/middleware.go:decodeDockerFilters`). The audit flagged this as a potential silent-dropper for unknown shapes. A re-read of the code shows the `default` branch in the type switch already errors out — so the function is fail-fast by design, not a dropper. What was missing was the rationale: added a block comment spelling out (1) Docker has two wire formats (list and object-with-keys) and we handle both, (2) `label!=value` negation is transparent because it lives inside the string value and ownership doesn't parse `!=`, (3) unknown future shapes return an error so a new Docker API encoding surfaces as a rejected request instead of a silently weakened ownership check. New `TestDecodeDockerFilters` cases pin negation pass-through and rejection of numeric/bool filter values.

`go test -race ./...` passes clean, `golangci-lint run ./...` reports zero issues.
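The per-IP singleflight plus success-only TTL cache described in the first bullet of the commit message above, written out as an added, self-contained example. This is not the project's `clientacl/cache.go`; the `Resolver` type, the `SetClock`, `Calls` and `Len` accessors, and the `ctr-<ip>` verdict format are assumptions made for this illustration. It follows the stated design: concurrent misses for one IP share a single in-flight call through a closed `chan struct{}` barrier, errors are never stored, and eviction scrubs expired entries before dropping the oldest survivor at cap.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Resolver stands in for the upstream /containers/json lookup that maps a
// source IP to the calling container (hypothetical signature for this example).
type Resolver func(ip string) (containerID string, err error)

type entry struct {
	ready   chan struct{} // closed once the in-flight lookup has finished
	done    bool          // guarded by ClientCache.mu
	id      string        // valid once done and err == nil
	err     error         // written before ready is closed
	created time.Time     // insertion time, used to pick the oldest entry at cap
	expires time.Time     // success TTL deadline
}

// ClientCache coalesces concurrent misses per IP (singleflight) and caches
// successful verdicts for ttl. Failures are never stored.
type ClientCache struct {
	mu      sync.Mutex
	entries map[string]*entry
	ttl     time.Duration
	cap     int
	resolve Resolver
	now     func() time.Time
	calls   int // upstream lookups actually made
}

func NewClientCache(r Resolver, ttl time.Duration, cap int) *ClientCache {
	return &ClientCache{entries: map[string]*entry{}, ttl: ttl, cap: cap, resolve: r, now: time.Now}
}

// SetClock swaps the time source so tests can advance past the TTL (assumed helper).
func (c *ClientCache) SetClock(now func() time.Time) { c.mu.Lock(); c.now = now; c.mu.Unlock() }

// Calls reports how many upstream lookups were made (assumed helper).
func (c *ClientCache) Calls() int { c.mu.Lock(); defer c.mu.Unlock(); return c.calls }

// Len reports how many entries (fresh, stale or in-flight) are held (assumed helper).
func (c *ClientCache) Len() int { c.mu.Lock(); defer c.mu.Unlock(); return len(c.entries) }

// Lookup returns the cached verdict for ip, or performs (or joins) one upstream call.
func (c *ClientCache) Lookup(ip string) (string, error) {
	c.mu.Lock()
	if e, ok := c.entries[ip]; ok {
		if !e.done { // another caller is resolving this IP: wait on its barrier
			ready := e.ready
			c.mu.Unlock()
			<-ready
			return e.id, e.err
		}
		if c.now().Before(e.expires) { // fresh hit within the TTL
			c.mu.Unlock()
			return e.id, nil
		}
		delete(c.entries, ip) // stale: fall through to a fresh lookup
	}
	c.evictLocked()
	e := &entry{ready: make(chan struct{}), created: c.now()}
	c.entries[ip] = e
	c.calls++
	c.mu.Unlock()

	id, err := c.resolve(ip) // the single upstream call for this burst
	c.mu.Lock()
	e.id, e.err, e.done = id, err, true
	if err != nil {
		if c.entries[ip] == e { // never cache failures; next caller retries
			delete(c.entries, ip)
		}
	} else {
		e.expires = c.now().Add(c.ttl)
	}
	close(e.ready) // release every caller parked on the barrier
	c.mu.Unlock()
	return id, err
}

// evictLocked scrubs expired entries first, then drops the oldest survivor if still at cap.
func (c *ClientCache) evictLocked() {
	if len(c.entries) < c.cap {
		return
	}
	now := c.now()
	for ip, e := range c.entries {
		if e.done && !now.Before(e.expires) {
			delete(c.entries, ip)
		}
	}
	if len(c.entries) < c.cap {
		return
	}
	var oldestIP string
	var oldest *entry
	for ip, e := range c.entries {
		if oldest == nil || e.created.Before(oldest.created) {
			oldestIP, oldest = ip, e
		}
	}
	delete(c.entries, oldestIP)
}

func main() {
	// Constructed resolver: every call would be one Docker API round trip.
	c := NewClientCache(func(ip string) (string, error) { return "ctr-" + ip, nil }, 10*time.Second, 256)
	var wg sync.WaitGroup
	for i := 0; i < 16; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); c.Lookup("10.0.0.1") }()
	}
	wg.Wait()
	fmt.Println("upstream calls for 16 concurrent callers:", c.Calls())
}
```

Waiters copy the barrier channel while holding the lock and read `e.id`/`e.err` only after the channel is closed, so the example stays clean under `go test -race`. The guard `c.entries[ip] == e` before deleting on error matters when an in-flight entry was evicted at cap and a newer entry for the same IP has since been inserted.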
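The large-integer precision loss described in the second bullet of the commit message above, shown as an added example with the lossy `map[string]any` decode beside the `UseNumber` decode. This is not the project's `mutateJSONBody`; the function names, the `injectLabels` helper and the constructed container-create body are assumptions for this illustration. Both paths only touch `Labels`, yet the lossy one rewrites `PidsLimit` and `MemorySwap` on re-encode.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// mutateLabelsLossy is the 'before' shape: json.Unmarshal into map[string]any
// coerces every number to float64, so integers above 2^53 change on re-encode.
func mutateLabelsLossy(body []byte, labels map[string]string) ([]byte, error) {
	var decoded map[string]any
	if err := json.Unmarshal(body, &decoded); err != nil {
		return nil, err
	}
	injectLabels(decoded, labels)
	return json.Marshal(decoded)
}

// mutateLabelsExact is the 'after' shape: UseNumber keeps each number as a
// json.Number holding its literal text, which json.Marshal emits verbatim.
func mutateLabelsExact(body []byte, labels map[string]string) ([]byte, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber()
	var decoded map[string]any
	if err := dec.Decode(&decoded); err != nil {
		return nil, err
	}
	injectLabels(decoded, labels)
	return json.Marshal(decoded)
}

// injectLabels merges labels into the Labels object, creating it if absent
// (hypothetical stand-in for the ownership mutation).
func injectLabels(doc map[string]any, labels map[string]string) {
	existing, _ := doc["Labels"].(map[string]any)
	if existing == nil {
		existing = map[string]any{}
	}
	for k, v := range labels {
		existing[k] = v
	}
	doc["Labels"] = existing
}

// fieldText returns the raw JSON text of one top-level field, so the
// comparison is on the wire bytes rather than on a decoded value.
func fieldText(body []byte, key string) (string, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return "", err
	}
	return string(raw[key]), nil
}

// Constructed container-create body: PidsLimit is 2^53+1 (the smallest integer
// float64 cannot represent) and MemorySwap is int64 max.
const sampleBody = `{"Image":"nginx","PidsLimit":9007199254740993,"MemorySwap":9223372036854775807}`

func main() {
	labels := map[string]string{"owner": "alice"}
	lossy, _ := mutateLabelsLossy([]byte(sampleBody), labels)
	exact, _ := mutateLabelsExact([]byte(sampleBody), labels)
	for _, key := range []string{"PidsLimit", "MemorySwap"} {
		l, _ := fieldText(lossy, key)
		e, _ := fieldText(exact, key)
		fmt.Printf("%-10s lossy=%s exact=%s\n", key, l, e)
	}
}
```

Checking the re-encoded field text rather than a decoded value is the point of `fieldText`: decoding the output into `int64` would hide the damage only if the value happened to survive, while the raw bytes show exactly what the Docker daemon would receive.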
Bumps [typescript](https://github.com/microsoft/TypeScript) from 5.9.3 to 6.0.2.
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.3...v6.0.2)

---
updated-dependencies:
- dependency-name: typescript
  dependency-version: 6.0.2
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

e3354fc to a1f34a4 (compare)
Bumps typescript from 5.9.3 to 6.0.2.

Release notes
Sourced from typescript's releases.

Commits
- 607a22a Bump version to 6.0.2 and LKG
- 9e72ab7 🤖 Pick PR #63239 (Fix missing lib files in reused pro...) into release-6.0 (#...
- 35ff23d 🤖 Pick PR #63163 (Port anyFunctionType subtype fix an...) into release-6.0 (#...
- e175b69 Bump version to 6.0.1-rc and LKG
- af4caac Update LKG
- 8efd7e8 Merge remote-tracking branch 'origin/main' into release-6.0
- 206ed1a Deprecate assert in import() (#63172)
- e688ac8 Update dependencies (#63156)
- 29b300d Bump the github-actions group across 1 directory with 2 updates (#63205)
- 0c2c7a3 DOM update (#63183)