1.5.0 — fork hardening, Dependabot clearance, GHCR publishing

@wabolabs wabolabs released this 05 Jun 20:59
59e7fa8

Fork-hardening and security release. Consolidates the upstream-merge guardrails onto master and clears the outstanding Dependabot alerts. (Supersedes the divergent, never-documented 1.4.0 sync line.)

Security

  • Cleared 21/24 Dependabot alerts (11/12 highs) — uuid 9 → 11.1.1 (only browser-shipped runtime pkg), Babel chain → 7.29.x, plus build-chain resolutions. Verified by compiling the container webpack stage. Remaining 3 are unreachable or unfixable without breaking tooling (transitive vue 2 in a third-party widget, the glob CLI-only advisory, eslint's ajv 6).

Added

  • Fork-invariants CI guard (bin/fork-check + config/fork_invariants.yml) — fails the build if an upstream merge re-introduces a Pro gate, deletes fork code, overwrites a brand asset, or drops AGPL §7(b) attribution.
  • Brand-asset checksum baseline + bin/sync-upstream gates.
  • Push guard against the fork parent: .githooks/pre-push + bin/install-push-guard refuse pushes to docusealco/* (wired via bin/setup).
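
A sketch of how a pre-push guard of this kind can work, as an added example and not the project's own .githooks/pre-push. It assumes the parent is hosted on github.com; the function names remote_owner and push_allowed and the sample URLs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the project's hook. Git invokes a pre-push hook as:
#   pre-push <remote-name> <remote-url>
# so the URL actually being pushed to arrives in $2.

BLOCKED_OWNER="docusealco"   # fork parent named in the release notes

# Print the lowercased owner (first path segment) of a github.com remote URL.
# Prints nothing for other hosts or local paths. Assumption: GitHub only.
remote_owner() {
  url=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$url" in
    *://*) rest=${url#*://} ;;                  # https://, ssh://, git://
    *:*)   rest="${url%%:*}/${url#*:}" ;;       # scp-style git@host:owner/repo
    *)     return 0 ;;                          # local path
  esac
  case "$rest" in */*) ;; *) return 0 ;; esac   # no path component
  hostpart=${rest%%/*}
  host=${hostpart##*@}                          # drop user[:token]@
  host=${host%%:*}                              # drop :port
  [ "$host" = "github.com" ] || return 0
  path=${rest#*/}
  printf '%s\n' "${path%%/*}"
}

# Succeeds unless the URL resolves to the blocked owner.
push_allowed() {
  [ "$(remote_owner "$1")" != "$BLOCKED_OWNER" ]
}

# Hook entry point: acts only when git supplies the remote URL.
if [ -n "${2:-}" ] && ! push_allowed "$2"; then
  echo "pre-push: refusing push to $BLOCKED_OWNER/* ($2)" >&2
  exit 1
fi
```

Matching on the parsed owner rather than a substring of the URL keeps a credential-bearing or mixed-case URL from slipping past the check. The hook is only a local safety net, since `git push --no-verify` skips it.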

Changed

  • Release images now publish to GHCR (was Docker Hub, inherited un-rebranded from upstream): docker.yml pushes MAJOR.MINOR.PATCH + :latest to ghcr.io/wabolabs/wabosign for linux/amd64 + linux/arm64. A fork invariant keeps the registry on GHCR across upstream syncs.
  • Made the DocuSeal fork relationship explicit in the UI and email attribution.

Image

docker pull ghcr.io/wabolabs/wabosign:1.5.0

Also tagged :latest. See CHANGELOG.md.