Fix code scanning and dependabot security alerts (#756)

* Fix code scanning and dependabot security alerts Code scanning fixes (14 alerts): - Fix XSS in OG image route by validating request origin against allowlist - Fix incomplete URL sanitization in blog layout using exact hostname matching - Bind port-check socket to 127.0.0.1 instead of 0.0.0.0 - Add explicit permissions to 7 GitHub Actions workflows Dependabot fixes: - Update @isaacs/brace-expansion 5.0.0 -> 5.0.1 (CVE-2026-25547) - Update bytes 1.10.1 -> 1.11.1 (CVE-2026-25541) - Update time 0.3.41 -> 0.3.47 (CVE-2026-25727) - Update cryptography 45.0.7 -> 46.0.5 (CVE-2026-26007) - Update python-multipart 0.0.20 -> 0.0.22 (CVE-2026-24486) - Update urllib3 2.6.2 -> 2.6.3 in test lockfiles (CVE-2026-21441) - Update Werkzeug 3.1.4 -> 3.1.5 (CVE-2026-21860) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * Address PR review feedback - Replace plano.katanemo.com with planoai.dev in allowed hosts - Add planoai.dev to OG route and blog layout allowlists - Revert socket bind to 0.0.0.0 (intentional for port-in-use check) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-02 14:35:14 +02:00 · 2026-02-14 12:27:07 -08:00 · 2026-02-14 12:27:07 -08:00 · 1df43872a6
commit 1df43872a6
parent 38646fdac2
16 changed files with 6293 additions and 1979 deletions
--- a/package-lock.json
+++ b/package-lock.json
@ -47,6 +47,38 @@
        "typescript": "^5"
      }
    },
+    "apps/katanemo-www": {
+      "name": "@katanemo/katanemo-www",
+      "version": "0.1.0",
+      "dependencies": {
+        "@katanemo/shared-styles": "*",
+        "@katanemo/ui": "*",
+        "next": "^16.1.6",
+        "react": "19.2.0",
+        "react-dom": "19.2.0"
+      },
+      "devDependencies": {
+        "@biomejs/biome": "2.2.0",
+        "@katanemo/tailwind-config": "*",
+        "@katanemo/tsconfig": "*",
+        "@tailwindcss/postcss": "^4",
+        "@types/node": "^20",
+        "@types/react": "^19",
+        "@types/react-dom": "^19",
+        "tailwindcss": "^4",
+        "tw-animate-css": "^1.4.0",
+        "typescript": "^5"
+      }
+    },
+    "apps/katanemo-www/node_modules/react": {
+      "version": "19.2.0",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.0.tgz",
+      "integrity": "sha512-tmbWg6W31tQLeB5cdIBOicJDJRR2KzXsV7uSK9iNfLWQ5bIZfxuPEHp7M8wiHyHnn0DD1i7w3Zmin0FtkrwoCQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
    "apps/www": {
      "name": "@katanemo/www",
      "version": "0.1.0",
@ -4188,9 +4220,9 @@
      }
    },
    "node_modules/@isaacs/brace-expansion": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.0.tgz",
-      "integrity": "sha512-ZT55BDLV0yv0RBm2czMiZ+SqCGO7AvmOM3G/w2xhVPH+te0aKgFjmBvGlL1dH+ql2tgGO3MVrbb3jCKyvpgnxA==",
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/brace-expansion/-/brace-expansion-5.0.1.tgz",
+      "integrity": "sha512-WMz71T1JS624nWj2n2fnYAuPovhv7EUhk69R6i9dsVyzxt5eM3bjwvgk9L+APE1TRscGysAVMANkB0jh0LQZrQ==",
      "license": "MIT",
      "dependencies": {
        "@isaacs/balanced-match": "^4.0.1"
@ -4340,6 +4372,10 @@
      "integrity": "sha512-dfLbk+PwWvFzSxwk3n5ySL0hfBog779o8h68wK/7/APo/7cgyWp5jcXockbxdk5kFRkbeXWm4Fbi9FrdN381sA==",
      "license": "Apache-2.0"
    },
+    "node_modules/@katanemo/katanemo-www": {
+      "resolved": "apps/katanemo-www",
+      "link": true
+    },
    "node_modules/@katanemo/shared-styles": {
      "resolved": "packages/shared-styles",
      "link": true