deps: update @eslint/eslintrc to 3.3.3

.gitea/workflows/ci.yml

@@ -8,22 +8,31 @@ on:
       - main
 
 jobs:
-  lint:
+  ci:
-    name: Lint and Test
+    name: CI
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Source Files
         uses: actions/checkout@v4
 
-      - name: Use Node.js v22
+      - name: Use Node.js v24
         uses: actions/setup-node@v4
         with:
-          node-version: 22
+          node-version: 24
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v2
         with:
-          version: 9
+          version: 10
+
+      - name: Ensure Dependencies are Pinned
+        uses: naomi-lgbt/dependency-pin-check@main
+        with:
+          language: javascript
+          dev-dependencies: true
+          peer-dependencies: true
+          optional-dependencies: true
 
       - name: Install Dependencies
         run: pnpm install

.gitea/workflows/security.yml

@@ -0,0 +1,177 @@
+name: Security Scan and Upload
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+jobs:
+  security-audit:
+    name: Security & DefectDojo Upload
+    runs-on: ubuntu-latest
+    continue-on-error: true
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      # --- AUTO-SETUP PROJECT ---
+      - name: Ensure DefectDojo Product Exists
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+          PRODUCT_NAME: ${{ github.repository }} 
+          PRODUCT_TYPE_ID: 1 
+        run: |
+          sudo apt-get install jq -y > /dev/null
+          
+          echo "Checking connection to $DD_URL..."
+          
+          # Check if product exists - capture HTTP code to debug connection issues
+          RESPONSE=$(curl --write-out "%{http_code}" --silent --output /tmp/response.json \
+            -H "Authorization: Token $DD_TOKEN" \
+            "$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
+          
+          # If response is not 200, print error
+          if [ "$RESPONSE" != "200" ]; then
+            echo "::error::Failed to query DefectDojo. HTTP Code: $RESPONSE"
+            cat /tmp/response.json
+            exit 1
+          fi
+
+          COUNT=$(cat /tmp/response.json | jq -r '.count')
+          
+          if [ "$COUNT" = "0" ]; then
+            echo "Creating product '$PRODUCT_NAME'..."
+            curl -s -X POST "$DD_URL/api/v2/products/" \
+              -H "Authorization: Token $DD_TOKEN" \
+              -H "Content-Type: application/json" \
+              -d '{ "name": "'"$PRODUCT_NAME"'", "description": "Auto-created by Gitea Actions", "prod_type": '$PRODUCT_TYPE_ID' }'
+          else
+            echo "Product '$PRODUCT_NAME' already exists."
+          fi
+
+      # --- 1. TRIVY (Dependencies & Misconfig) ---
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update && sudo apt-get install trivy -y
+
+      - name: Run Trivy (FS Scan)
+        run: |
+          trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0
+
+      - name: Upload Trivy to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Trivy results..."
+          # Generate today's date in YYYY-MM-DD format
+          TODAY=$(date +%Y-%m-%d)
+          
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Trivy Scan" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@trivy-results.json")
+          
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+            echo "::error::Upload Failed with HTTP $HTTP_CODE"
+            echo "--- SERVER RESPONSE ---"
+            cat response.txt
+            echo "-----------------------"
+            exit 1
+          else
+            echo "Upload Success!"
+          fi
+
+      # --- 2. GITLEAKS (Secrets) ---
+      - name: Install Gitleaks
+        run: |
+          wget -qO gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.18.0/gitleaks_8.18.0_linux_x64.tar.gz
+          tar -xzf gitleaks.tar.gz
+          sudo mv gitleaks /usr/local/bin/ && chmod +x /usr/local/bin/gitleaks
+
+      - name: Run Gitleaks
+        run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true
+
+      - name: Upload Gitleaks to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Gitleaks results..."  
+          TODAY=$(date +%Y-%m-%d)
+
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Gitleaks Scan" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@gitleaks-results.json")
+
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+             echo "::error::Upload Failed with HTTP $HTTP_CODE"
+             echo "--- SERVER RESPONSE ---"
+             cat response.txt
+             echo "-----------------------"
+             exit 1
+          else
+             echo "Upload Success!"
+          fi
+
+      # --- 3. SEMGREP (SAST) ---
+      - name: Install Semgrep (via pipx)
+        run: |
+          sudo apt-get install pipx -y
+          pipx install semgrep
+          # Add pipx binary path to GITHUB_PATH so next steps can see 'semgrep'
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run Semgrep
+        run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true
+
+      - name: Upload Semgrep to DefectDojo
+        env:
+          DD_URL: ${{ secrets.DD_URL }}
+          DD_TOKEN: ${{ secrets.DD_TOKEN }}
+        run: |
+          echo "Uploading Semgrep results..."
+          TODAY=$(date +%Y-%m-%d)
+          
+          HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
+            -H "Authorization: Token $DD_TOKEN" \
+            -F "active=true" \
+            -F "verified=true" \
+            -F "scan_type=Semgrep JSON Report" \
+            -F "engagement_name=CI/CD Pipeline" \
+            -F "product_name=${{ github.repository }}" \
+            -F "scan_date=$TODAY" \
+            -F "auto_create_context=true" \
+            -F "file=@semgrep-results.json")
+
+          if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
+             echo "::error::Upload Failed with HTTP $HTTP_CODE"
+             echo "--- SERVER RESPONSE ---"
+             cat response.txt
+             echo "-----------------------"
+             exit 1
+          else
+             echo "Upload Success!"
+          fi

.npmrc

@@ -0,0 +1,25 @@
+# Package Manager Configuration
+# Force pnpm usage - breaks npm/yarn intentionally
+node-linker=pnpm
+
+# Security: Disable all lifecycle scripts
+ignore-scripts=true
+enable-pre-post-scripts=false
+
+# Security: Require packages to be 10+ days old before installation
+minimum-release-age=14400
+
+# Security: Verify package integrity hashes
+verify-store-integrity=true
+
+# Security: Enforce strict trust policies
+trust-policy=strict
+
+# Security: Strict peer dependency resolution
+strict-peer-dependencies=true
+
+# Performance: Use symlinks for node_modules
+symlink=true
+
+# Lockfile: Ensure lockfile is not modified during install
+frozen-lockfile=false

README.md

@@ -93,7 +93,7 @@ All style changes should be proposed in our [chat server](https://chat.nhcarriga
 
 ## Feedback and Bugs
 
-If you have feedback or a bug report, please feel free to open an issue!
+If you have feedback or a bug report, please [log a ticket on our forum](https://support.nhcarrigan.com).
 
 ## Contributing
 

package.json

@@ -32,7 +32,7 @@
   "dependencies": {
     "@eslint-community/eslint-plugin-eslint-comments": "4.4.1",
     "@eslint/compat": "1.2.4",
-    "@eslint/eslintrc": "3.2.0",
+    "@eslint/eslintrc": "3.3.3",
     "@eslint/js": "9.17.0",
     "@stylistic/eslint-plugin": "2.12.1",
     "@typescript-eslint/eslint-plugin": "8.19.0",

pnpm-lock.yaml

@@ -15,8 +15,8 @@ importers:
         specifier: 1.2.4
         version: 1.2.4(eslint@9.7.0)
       '@eslint/eslintrc':
-        specifier: 3.2.0
+        specifier: 3.3.3
-        version: 3.2.0
+        version: 3.3.3
       '@eslint/js':
         specifier: 9.17.0
         version: 9.17.0
@@ -271,8 +271,8 @@ packages:
     resolution: {integrity: sha512-BlYOpej8AQ8Ev9xVqroV7a02JK3SkBAaN9GfMMH9W6Ch8FlQlkjGw4Ir7+FgYwfirivAf4t+GtzuAxqfukmISA==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
-  '@eslint/eslintrc@3.2.0':
+  '@eslint/eslintrc@3.3.3':
-    resolution: {integrity: sha512-grOjVNN8P3hjJn/eIETF1wwd12DdnwFDoyceUJLYYdkpbwq3nLi+4fqrTAONx7XDALqlL220wC/RHSC/QTI/0w==}
+    resolution: {integrity: sha512-Kr+LPIUVKz2qkx1HAMH8q1q6azbqBAsXJUxBl/ODDuVPX45Z9DfwB8tPjTi6nNZ8BuM3nbJxC5zCAg5elnBUTQ==}
     engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0}
 
   '@eslint/js@9.17.0':
@@ -344,46 +344,55 @@ packages:
     resolution: {integrity: sha512-2Rn36Ubxdv32NUcfm0wB1tgKqkQuft00PtM23VqLuCUR4N5jcNWDoV5iBC9jeGdgS38WK66ElncprqgMUOyomw==}
     cpu: [arm]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm-musleabihf@4.19.0':
     resolution: {integrity: sha512-gJuzIVdq/X1ZA2bHeCGCISe0VWqCoNT8BvkQ+BfsixXwTOndhtLUpOg0A1Fcx/+eA6ei6rMBzlOz4JzmiDw7JQ==}
     cpu: [arm]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-arm64-gnu@4.19.0':
     resolution: {integrity: sha512-0EkX2HYPkSADo9cfeGFoQ7R0/wTKb7q6DdwI4Yn/ULFE1wuRRCHybxpl2goQrx4c/yzK3I8OlgtBu4xvted0ug==}
     cpu: [arm64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-arm64-musl@4.19.0':
     resolution: {integrity: sha512-GlIQRj9px52ISomIOEUq/IojLZqzkvRpdP3cLgIE1wUWaiU5Takwlzpz002q0Nxxr1y2ZgxC2obWxjr13lvxNQ==}
     cpu: [arm64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-linux-powerpc64le-gnu@4.19.0':
     resolution: {integrity: sha512-N6cFJzssruDLUOKfEKeovCKiHcdwVYOT1Hs6dovDQ61+Y9n3Ek4zXvtghPPelt6U0AH4aDGnDLb83uiJMkWYzQ==}
     cpu: [ppc64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-riscv64-gnu@4.19.0':
     resolution: {integrity: sha512-2DnD3mkS2uuam/alF+I7M84koGwvn3ZVD7uG+LEWpyzo/bq8+kKnus2EVCkcvh6PlNB8QPNFOz6fWd5N8o1CYg==}
     cpu: [riscv64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-s390x-gnu@4.19.0':
     resolution: {integrity: sha512-D6pkaF7OpE7lzlTOFCB2m3Ngzu2ykw40Nka9WmKGUOTS3xcIieHe82slQlNq69sVB04ch73thKYIWz/Ian8DUA==}
     cpu: [s390x]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-gnu@4.19.0':
     resolution: {integrity: sha512-HBndjQLP8OsdJNSxpNIN0einbDmRFg9+UQeZV1eiYupIRuZsDEoeGU43NQsS34Pp166DtwQOnpcbV/zQxM+rWA==}
     cpu: [x64]
     os: [linux]
+    libc: [glibc]
 
   '@rollup/rollup-linux-x64-musl@4.19.0':
     resolution: {integrity: sha512-HxfbvfCKJe/RMYJJn0a12eiOI9OOtAUF4G6ozrFUK95BNyoJaSiBjIOHjZskTUffUrB84IPKkFG9H9nEvJGW6A==}
     cpu: [x64]
     os: [linux]
+    libc: [musl]
 
   '@rollup/rollup-win32-arm64-msvc@4.19.0':
     resolution: {integrity: sha512-HxDMKIhmcguGTiP5TsLNolwBUK3nGGUEoV/BO9ldUBoMLBssvh4J0X8pf11i1fTV7WShWItB1bKAKjX4RQeYmg==}
@@ -804,15 +813,6 @@ packages:
       supports-color:
         optional: true
 
-  debug@4.3.4:
-    resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
-    engines: {node: '>=6.0'}
-    peerDependencies:
-      supports-color: '*'
-    peerDependenciesMeta:
-      supports-color:
-        optional: true
-
   debug@4.3.5:
     resolution: {integrity: sha512-pt0bNEmneDIvdL1Xsd9oDQ/wrQRkXDT4AUWlNZNPKvW5x/jyO9VFXkJUP07vQ2upmw5PlaITaPKc31jK13V+jg==}
     engines: {node: '>=6.0'}
@@ -1235,10 +1235,6 @@ packages:
   hosted-git-info@2.8.9:
     resolution: {integrity: sha512-mxIDAb9Lsm6DoOJ7xH+5+X4y1LU/4Hi50L9C5sIswK3JzULS4bwk1FvjdBgvYR4bzT4tuUQiC15FE2f5HbLvYw==}
 
-  ignore@5.2.4:
-    resolution: {integrity: sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==}
-    engines: {node: '>= 4'}
-
   ignore@5.3.1:
     resolution: {integrity: sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==}
     engines: {node: '>= 4'}
@@ -1436,8 +1432,8 @@ packages:
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
-  js-yaml@4.1.0:
+  js-yaml@4.1.1:
-    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
+    resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==}
     hasBin: true
 
   jsdoc-type-pratt-parser@4.1.0:
@@ -2266,20 +2262,20 @@ snapshots:
   '@eslint/config-array@0.17.1':
     dependencies:
       '@eslint/object-schema': 2.1.4
-      debug: 4.3.5
+      debug: 4.3.7
       minimatch: 3.1.2
     transitivePeerDependencies:
       - supports-color
 
-  '@eslint/eslintrc@3.2.0':
+  '@eslint/eslintrc@3.3.3':
     dependencies:
       ajv: 6.12.6
       debug: 4.3.7
-      espree: 10.1.0
+      espree: 10.3.0
       globals: 14.0.0
       ignore: 5.3.1
       import-fresh: 3.3.0
-      js-yaml: 4.1.0
+      js-yaml: 4.1.1
       minimatch: 3.1.2
       strip-json-comments: 3.1.1
     transitivePeerDependencies:
@@ -2459,7 +2455,7 @@ snapshots:
     dependencies:
       '@typescript-eslint/types': 7.17.0
       '@typescript-eslint/visitor-keys': 7.17.0
-      debug: 4.3.4
+      debug: 4.3.7
       globby: 11.1.0
       is-glob: 4.0.3
       minimatch: 9.0.5
@@ -2878,10 +2874,6 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
-  debug@4.3.4:
-    dependencies:
-      ms: 2.1.2
-
   debug@4.3.5:
     dependencies:
       ms: 2.1.2
@@ -3269,7 +3261,7 @@ snapshots:
       '@eslint-community/eslint-utils': 4.4.0(eslint@9.7.0)
       '@eslint-community/regexpp': 4.11.0
       '@eslint/config-array': 0.17.1
-      '@eslint/eslintrc': 3.2.0
+      '@eslint/eslintrc': 3.3.3
       '@eslint/js': 9.7.0
       '@humanwhocodes/module-importer': 1.0.1
       '@humanwhocodes/retry': 0.3.0
@@ -3490,7 +3482,7 @@ snapshots:
       array-union: 2.1.0
       dir-glob: 3.0.1
       fast-glob: 3.3.1
-      ignore: 5.2.4
+      ignore: 5.3.1
       merge2: 1.4.1
       slash: 3.0.0
 
@@ -3532,8 +3524,6 @@ snapshots:
 
   hosted-git-info@2.8.9: {}
 
-  ignore@5.2.4: {}
-
   ignore@5.3.1: {}
 
   import-fresh@3.3.0:
@@ -3735,7 +3725,7 @@ snapshots:
 
   js-tokens@4.0.0: {}
 
-  js-yaml@4.1.0:
+  js-yaml@4.1.1:
     dependencies:
       argparse: 2.0.1