security: vulnerability remediation#200
Merged
Merged
Conversation
Upgrade the headful client's axios dependency so its transitive form-data package resolves past CVE-2025-7783. - bump images/chromium-headful/client axios from ^1.2.3 to ^1.14.0 - update form-data in the client lockfile from 4.0.0 to 4.0.5 Made-with: Cursor
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
ulziibay-kernel
approved these changes
Apr 2, 2026
IlyaasK
added a commit
that referenced
this pull request
Jun 26, 2026
## Summary This is the public-repo equivalent of the private dead-payload cleanup PR, with the additional public-only tracked `server/api` binary removed. What changed: - Deletes `images/chromium-headful/image-chromium/`, including old demo HTML, Streamlit config, static-content files, tint2 config, and legacy startup scripts. - Removes the broad `COPY images/chromium-headful/image-chromium/ /` from the public headful Dockerfile. - Deletes the tracked `server/api` binary artifact. - Adds `server/api` to `.dockerignore` so local rebuilt API binaries do not get sent in Docker build context. - Leaves the current supervised headful runtime path intact: the image still copies Neko config, supervisor service definitions, WebRTC client output, Envoy config, cert bootstrap, API binary from the builder stage, Chromium launcher, wrapper, Playwright daemon bundle, and extensions via current explicit Dockerfile steps. ## Why The removed `image-chromium` directory was an old payload copied directly into `/` during the headful image build. The current image no longer uses that legacy startup/demo path, and the broad root copy makes it easy for unrelated files under `image-chromium` to silently land in the final runtime image. The tracked `server/api` binary is a local build artifact. The Dockerfile compiles/copies the runtime API binary from the build stages; it does not need a checked-in executable under `server/api`. Keeping it tracked increases repository size and can invalidate Docker build context/layers when the binary changes. ## Git History / Removal Rationale | removed item | likely reason it was added | why it is removed here | | --- | --- | --- | | `entrypoint.sh`, `start_all.sh`, `xvfb_startup.sh`, `mutter_startup.sh`, `tint2_startup.sh` | Added with the WebRTC OSS launch (`5c71470`, PR #13) from the old headful demo image. These scripts manually started Xvfb, tint2, mutter, x11vnc/noVNC, then launched a demo server. | The current headful image uses supervisor service definitions, wrapper scripts, Neko/WebRTC components, and explicit Dockerfile copies. These legacy scripts are not the active process model. | | `http_server.py`, `index.html`, `static_content/index.html`, `.streamlit/config.toml` | Added with the same demo payload. The old entrypoint started a Python static server and Streamlit demo app and printed local demo instructions. | The current public runtime does not launch that demo stack. Keeping this content in `/` only preserves stale files that are not part of the current browser/session path. | | `.config/tint2/*` | Added to support the old desktop panel configuration used by the demo/Xvfb/tint2 startup scripts. | Current headful runtime behavior is managed by the current image service/config path; this tint2 payload is only reachable through the removed legacy startup scripts. | | `COPY images/chromium-headful/image-chromium/ /` | Added during the save/reuse user-data and supervisor transition. It preserved the old root payload while the image moved toward explicit supervised services. | The broad copy is now the risky part: any file under the legacy directory silently mutates the final root filesystem. Current-purpose files are already copied explicitly elsewhere in the Dockerfile. | | `server/api` | Added as a 14 MB executable in `0fba5a0` (PR #148), alongside smooth mouse movement source changes. A later PR (`9816e34`, PR #164) added `server/api` to `.gitignore`, which strongly suggests it was recognized as a local build artifact but was already tracked. | The image build compiles the API from source; the tracked binary is not referenced by Dockerfiles or runtime code. This PR removes it from git and adds `.dockerignore` coverage so local rebuilds do not pollute Docker context. | ## Validation Ran locally after merging current `main` into this branch: - `git diff --check origin/main...HEAD` - `DOCKER_BUILDKIT=1 docker build --check -f images/chromium-headful/Dockerfile .` - `cd server && go test ./e2e -run TestDoesNotExist -count=0` - `~/.agents/skills/autoreview/scripts/autoreview --mode branch --base origin/main` Autoreview result: - Clean, no accepted/actionable findings. GitHub Actions on the current-main refresh: - image builds: passed - server test/e2e job: passed - launcher test, scan, and Socket: passed ## Unknowns / Final Gates - The deleted legacy payload did not have current references after removal. Full image CI passed on the current-main refresh. - Public does not have the private CapMonster e2e test file that changed in private PR #200, so this PR does not include that private-only test hardening. - The tracked `server/api` binary is removed from git, but local developers can still build a local `server/api`; `.gitignore` and now `.dockerignore` keep it out of commits and Docker build context. ## Fast Docker Review This PR follows the fast-build guidance by removing dead build context and a broad root copy from the headful image. Against the checklist: - The old `image-chromium` root payload copy is removed, so files cannot silently land in `/` just because they sit under a legacy directory. - The tracked `server/api` binary is removed and added to `.dockerignore`, so local binary rebuilds do not invalidate image build context or layers. - The current runtime files continue to be copied explicitly where the Dockerfile needs them. - No build tools are added to runtime images, and no source copies are moved earlier in the Dockerfile. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Dead files and a broad root COPY are removed; the active supervised headful image path is unchanged and CI validated the Dockerfile build. > > **Overview** > Removes legacy **Computer Use Demo** payload from the public headful image and stops shipping a checked-in API binary. > > The entire `images/chromium-headful/image-chromium/` tree is deleted (Streamlit/static HTML, tint2 panel config, Xvfb/tint2/mutter startup scripts, and related demo entrypoints). The headful **Dockerfile** no longer does `COPY images/chromium-headful/image-chromium/ /`; runtime files continue to be copied explicitly (Neko, supervisor, Envoy, built API from `server-builder`, etc.). > > The tracked **`server/api`** executable is removed from the repo, and **`server/api`** is added to **`.dockerignore`** so local rebuilds do not bloat Docker build context or invalidate layers. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit fb7e962. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY -->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vulnerability Remediation — 2026-04-02
Fixed
Skipped (non-actionable)
dev: truein the lockfile); not deployed to production.Deferred (needs human review)
None.
Verification
npm run buildinimages/chromium-headful/clienttestscript exists inimages/chromium-headful/client/package.json@babel/traversealertMade with Cursor
Note
Medium Risk
Updates
axiosand related transitive packages (form-data,follow-redirects,proxy-from-env, and new helpers) which can subtly affect HTTP request/redirect/proxy behavior in the headful client.Overview
Updates the headful Chromium client’s HTTP dependency stack for vulnerability remediation.
Bumps
axiosto^1.14.0inpackage.jsonand refreshespackage-lock.json, pulling in newer transitive versions (notablyform-data@4.0.5,follow-redirects@1.15.11,proxy-from-env@2.1.0) and additional small helper packages recorded in the lockfile.Written by Cursor Bugbot for commit 21b39a5. This will update automatically on new commits. Configure here.