Skip to content

security: vulnerability remediation#200

Merged
ulziibay-kernel merged 1 commit into
mainfrom
security/vuln-remediation
Apr 2, 2026
Merged

security: vulnerability remediation#200
ulziibay-kernel merged 1 commit into
mainfrom
security/vuln-remediation

Conversation

@kernel-internal

@kernel-internal kernel-internal Bot commented Apr 2, 2026

Copy link
Copy Markdown
Contributor

Vulnerability Remediation — 2026-04-02

Fixed

CVE Package Severity Old Version New Version Manifest
CVE-2025-7783 form-data warn 4.0.0 4.0.5 images/chromium-headful/client/package-lock.json

Skipped (non-actionable)

Alert Type Package Severity Reason
criticalCVE @babel/traverse warn Dev-only transitive dependency in the headful client build toolchain (dev: true in the lockfile); not deployed to production.

Deferred (needs human review)

None.

Verification

  • npm run build in images/chromium-headful/client
  • No test script exists in images/chromium-headful/client/package.json
  • Post-fix Socket rescan reports only the skipped dev-only @babel/traverse alert

Made with Cursor


Note

Medium Risk
Updates axios and related transitive packages (form-data, follow-redirects, proxy-from-env, and new helpers) which can subtly affect HTTP request/redirect/proxy behavior in the headful client.

Overview
Updates the headful Chromium client’s HTTP dependency stack for vulnerability remediation.

Bumps axios to ^1.14.0 in package.json and refreshes package-lock.json, pulling in newer transitive versions (notably form-data@4.0.5, follow-redirects@1.15.11, proxy-from-env@2.1.0) and additional small helper packages recorded in the lockfile.

Written by Cursor Bugbot for commit 21b39a5. This will update automatically on new commits. Configure here.

Upgrade the headful client's axios dependency so its transitive form-data package resolves past CVE-2025-7783.

- bump images/chromium-headful/client axios from ^1.2.3 to ^1.14.0
- update form-data in the client lockfile from 4.0.0 to 4.0.5

Made-with: Cursor
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​resize-observer-polyfill@​1.5.19910010075100
Addednpm/​simple-markdown@​0.7.39910010075100
Addednpm/​sweetalert2@​11.4.899989195100
Addednpm/​sass-loader@​10.4.19810010088100
Updatednpm/​axios@​1.2.6 ⏵ 1.14.091 -7100 +3110095100
Addednpm/​sass@​1.57.110010010095100

View full report

@ulziibay-kernel ulziibay-kernel self-requested a review April 2, 2026 21:49
@ulziibay-kernel ulziibay-kernel merged commit 10dd568 into main Apr 2, 2026
7 checks passed
@ulziibay-kernel ulziibay-kernel deleted the security/vuln-remediation branch April 2, 2026 21:50
IlyaasK added a commit that referenced this pull request Jun 26, 2026
## Summary

This is the public-repo equivalent of the private dead-payload cleanup
PR, with the additional public-only tracked `server/api` binary removed.

What changed:
- Deletes `images/chromium-headful/image-chromium/`, including old demo
HTML, Streamlit config, static-content files, tint2 config, and legacy
startup scripts.
- Removes the broad `COPY images/chromium-headful/image-chromium/ /`
from the public headful Dockerfile.
- Deletes the tracked `server/api` binary artifact.
- Adds `server/api` to `.dockerignore` so local rebuilt API binaries do
not get sent in Docker build context.
- Leaves the current supervised headful runtime path intact: the image
still copies Neko config, supervisor service definitions, WebRTC client
output, Envoy config, cert bootstrap, API binary from the builder stage,
Chromium launcher, wrapper, Playwright daemon bundle, and extensions via
current explicit Dockerfile steps.

## Why

The removed `image-chromium` directory was an old payload copied
directly into `/` during the headful image build. The current image no
longer uses that legacy startup/demo path, and the broad root copy makes
it easy for unrelated files under `image-chromium` to silently land in
the final runtime image.

The tracked `server/api` binary is a local build artifact. The
Dockerfile compiles/copies the runtime API binary from the build stages;
it does not need a checked-in executable under `server/api`. Keeping it
tracked increases repository size and can invalidate Docker build
context/layers when the binary changes.

## Git History / Removal Rationale

| removed item | likely reason it was added | why it is removed here |
| --- | --- | --- |
| `entrypoint.sh`, `start_all.sh`, `xvfb_startup.sh`,
`mutter_startup.sh`, `tint2_startup.sh` | Added with the WebRTC OSS
launch (`5c71470`, PR #13) from the old headful demo image. These
scripts manually started Xvfb, tint2, mutter, x11vnc/noVNC, then
launched a demo server. | The current headful image uses supervisor
service definitions, wrapper scripts, Neko/WebRTC components, and
explicit Dockerfile copies. These legacy scripts are not the active
process model. |
| `http_server.py`, `index.html`, `static_content/index.html`,
`.streamlit/config.toml` | Added with the same demo payload. The old
entrypoint started a Python static server and Streamlit demo app and
printed local demo instructions. | The current public runtime does not
launch that demo stack. Keeping this content in `/` only preserves stale
files that are not part of the current browser/session path. |
| `.config/tint2/*` | Added to support the old desktop panel
configuration used by the demo/Xvfb/tint2 startup scripts. | Current
headful runtime behavior is managed by the current image service/config
path; this tint2 payload is only reachable through the removed legacy
startup scripts. |
| `COPY images/chromium-headful/image-chromium/ /` | Added during the
save/reuse user-data and supervisor transition. It preserved the old
root payload while the image moved toward explicit supervised services.
| The broad copy is now the risky part: any file under the legacy
directory silently mutates the final root filesystem. Current-purpose
files are already copied explicitly elsewhere in the Dockerfile. |
| `server/api` | Added as a 14 MB executable in `0fba5a0` (PR #148),
alongside smooth mouse movement source changes. A later PR (`9816e34`,
PR #164) added `server/api` to `.gitignore`, which strongly suggests it
was recognized as a local build artifact but was already tracked. | The
image build compiles the API from source; the tracked binary is not
referenced by Dockerfiles or runtime code. This PR removes it from git
and adds `.dockerignore` coverage so local rebuilds do not pollute
Docker context. |

## Validation

Ran locally after merging current `main` into this branch:
- `git diff --check origin/main...HEAD`
- `DOCKER_BUILDKIT=1 docker build --check -f
images/chromium-headful/Dockerfile .`
- `cd server && go test ./e2e -run TestDoesNotExist -count=0`
- `~/.agents/skills/autoreview/scripts/autoreview --mode branch --base
origin/main`

Autoreview result:
- Clean, no accepted/actionable findings.


GitHub Actions on the current-main refresh:
- image builds: passed
- server test/e2e job: passed
- launcher test, scan, and Socket: passed

## Unknowns / Final Gates

- The deleted legacy payload did not have current references after
removal. Full image CI passed on the current-main refresh.
- Public does not have the private CapMonster e2e test file that changed
in private PR #200, so this PR does not include that private-only test
hardening.
- The tracked `server/api` binary is removed from git, but local
developers can still build a local `server/api`; `.gitignore` and now
`.dockerignore` keep it out of commits and Docker build context.

## Fast Docker Review

This PR follows the fast-build guidance by removing dead build context
and a broad root copy from the headful image.

Against the checklist:
- The old `image-chromium` root payload copy is removed, so files cannot
silently land in `/` just because they sit under a legacy directory.
- The tracked `server/api` binary is removed and added to
`.dockerignore`, so local binary rebuilds do not invalidate image build
context or layers.
- The current runtime files continue to be copied explicitly where the
Dockerfile needs them.
- No build tools are added to runtime images, and no source copies are
moved earlier in the Dockerfile.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Dead files and a broad root COPY are removed; the active supervised
headful image path is unchanged and CI validated the Dockerfile build.
> 
> **Overview**
> Removes legacy **Computer Use Demo** payload from the public headful
image and stops shipping a checked-in API binary.
> 
> The entire `images/chromium-headful/image-chromium/` tree is deleted
(Streamlit/static HTML, tint2 panel config, Xvfb/tint2/mutter startup
scripts, and related demo entrypoints). The headful **Dockerfile** no
longer does `COPY images/chromium-headful/image-chromium/ /`; runtime
files continue to be copied explicitly (Neko, supervisor, Envoy, built
API from `server-builder`, etc.).
> 
> The tracked **`server/api`** executable is removed from the repo, and
**`server/api`** is added to **`.dockerignore`** so local rebuilds do
not bloat Docker build context or invalidate layers.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
fb7e962. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants