diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 356b0263f7..3ba752efaa 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,3 +21,38 @@ updates: directory: / schedule: interval: weekly + + - package-ecosystem: npm + directory: /devTools + schedule: + interval: "weekly" + + - package-ecosystem: docker + directory: /docker/backend + schedule: + interval: "weekly" + + - package-ecosystem: docker + directory: /docker/embedded + schedule: + interval: "weekly" + + - package-ecosystem: docker + directory: /docker/frontend + schedule: + interval: "weekly" + + - package-ecosystem: npm + directory: /frontend + schedule: + interval: "weekly" + + - package-ecosystem: cargo + directory: /frontend/src-tauri + schedule: + interval: "weekly" + + - package-ecosystem: pip + directory: /testing/cucumber + schedule: + interval: "weekly" diff --git a/.github/scripts/requirements_pre_commit.txt b/.github/scripts/requirements_pre_commit.txt index 459e46c2c6..b98227afb1 100644 --- a/.github/scripts/requirements_pre_commit.txt +++ b/.github/scripts/requirements_pre_commit.txt @@ -4,9 +4,9 @@ # # pip-compile --generate-hashes --output-file='.github\scripts\requirements_pre_commit.txt' --strip-extras '.github\scripts\requirements_pre_commit.in' # -cfgv==3.4.0 \ - --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \ - --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560 +cfgv==3.5.0 \ + --hash=sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0 \ + --hash=sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132 # via pre-commit distlib==0.4.0 \ --hash=sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16 \ @@ -28,9 +28,9 @@ platformdirs==4.5.0 \ --hash=sha256:70ddccdd7c99fc5942e9fc25636a8b34d04c24b335100223152c2803e4063312 \ --hash=sha256:e578a81bb873cbb89a41fcc904c7ef523cc18284b7e3b3ccf06aca1403b7ebd3 # via virtualenv -pre-commit==4.3.0 \ - --hash=sha256:2b0747ad7e6e967169136edffee14c16e148a778a54e4f967921aa1ebf2308d8 \ - --hash=sha256:499fe450cc9d42e9d58e606262795ecb64dd05438943c62b66f6a8673da30b16 +pre-commit==4.5.0 \ + --hash=sha256:25e2ce09595174d9c97860a95609f9f852c0614ba602de3561e267547f2335e1 \ + --hash=sha256:dc5a065e932b19fc1d4c653c6939068fe54325af8e741e74e88db4d28a4dd66b # via -r .github/scripts/requirements_pre_commit.in pyyaml==6.0.3 \ --hash=sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c \ diff --git a/.github/scripts/requirements_sync_readme.in b/.github/scripts/requirements_sync_readme.in index 8141b83103..f7501c6d0e 100644 --- a/.github/scripts/requirements_sync_readme.in +++ b/.github/scripts/requirements_sync_readme.in @@ -1 +1,2 @@ tomlkit +tomli-w diff --git a/.github/scripts/requirements_sync_readme.txt b/.github/scripts/requirements_sync_readme.txt index eb0cd9bf7f..a5cf36a683 100644 --- a/.github/scripts/requirements_sync_readme.txt +++ b/.github/scripts/requirements_sync_readme.txt @@ -4,6 +4,10 @@ # # pip-compile --generate-hashes --output-file='.github\scripts\requirements_sync_readme.txt' --strip-extras '.github\scripts\requirements_sync_readme.in' # +tomli-w==1.2.0 \ + --hash=sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90 \ + --hash=sha256:2dd14fac5a47c27be9cd4c976af5a12d87fb1f0b4512f81d69cce3b35ae25021 + # via -r .github/scripts/requirements_sync_readme.in tomlkit==0.13.3 \ --hash=sha256:430cf247ee57df2b94ee3fbe588e71d362a941ebb545dec29b53961d61add2a1 \ --hash=sha256:c89c649d79ee40629a9fda55f8ace8c6a1b42deb912b2a8fd8d942ddadb606b0 diff --git a/.github/workflows/check_toml.yml b/.github/workflows/check_toml.yml index 2f3c4d7e55..dd5a28ac36 100644 --- a/.github/workflows/check_toml.yml +++ b/.github/workflows/check_toml.yml @@ -199,8 +199,7 @@ jobs: python-version: "3.12" - name: Install Python dependencies - run: | - pip install tomli-w + run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt - name: Run Python script to check files id: run-check diff --git a/.github/workflows/deploy-on-v2-commit.yml b/.github/workflows/deploy-on-v2-commit.yml index f2f90ccfa1..4309d5233d 100644 --- a/.github/workflows/deploy-on-v2-commit.yml +++ b/.github/workflows/deploy-on-v2-commit.yml @@ -23,10 +23,10 @@ jobs: egress-policy: audit - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Get commit hashes for frontend and backend id: commit-hashes @@ -86,14 +86,14 @@ jobs: - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_API }} - name: Build and push frontend image if: steps.check-frontend.outputs.exists == 'false' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./docker/frontend/Dockerfile @@ -106,7 +106,7 @@ jobs: - name: Build and push backend image if: steps.check-backend.outputs.exists == 'false' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./docker/backend/Dockerfile diff --git a/.github/workflows/sync_files_v2.yml b/.github/workflows/sync_files_v2.yml index 8d8a6710b2..d72ba8a9da 100644 --- a/.github/workflows/sync_files_v2.yml +++ b/.github/workflows/sync_files_v2.yml @@ -53,8 +53,7 @@ jobs: cache: "pip" # caching pip dependencies - name: Install Python dependencies - run: | - pip install tomli-w + run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt - name: Sync translation TOML files run: | @@ -65,9 +64,6 @@ jobs: git add frontend/public/locales/*/translation.toml git diff --staged --quiet || git commit -m ":memo: Sync translation files (TOML)" || echo "No changes detected" - - name: Install README dependencies - run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt - - name: Sync README.md run: | python scripts/counter_translation_v3.py diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d4c63e8a39..6541be4237 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.14.2 + rev: v0.14.8 hooks: - id: ruff args: @@ -22,7 +22,7 @@ repos: files: \.(html|css|js|py|md)$ exclude: (.vscode|.devcontainer|app/core/src/main/resources|app/proprietary/src/main/resources|Dockerfile|.*/pdfjs.*|.*/thirdParty.*|bootstrap.*|.*\.min\..*|.*diff\.js) - repo: https://github.com/gitleaks/gitleaks - rev: v8.28.0 + rev: v8.30.0 hooks: - id: gitleaks - repo: https://github.com/pre-commit/pre-commit-hooks diff --git a/build.gradle b/build.gradle index e9b010c9e9..cb5580ef32 100644 --- a/build.gradle +++ b/build.gradle @@ -8,7 +8,7 @@ plugins { id "com.diffplug.spotless" version "8.1.0" id "com.github.jk1.dependency-license-report" version "3.0.1" //id "nebula.lint" version "19.0.3" - id "org.sonarqube" version "7.1.0.6387" + id "org.sonarqube" version "7.2.2.6593" } import com.github.jk1.license.render.* diff --git a/devTools/package-lock.json b/devTools/package-lock.json index 743ae59698..634fcad9a6 100644 --- a/devTools/package-lock.json +++ b/devTools/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "devDependencies": { "@stylistic/stylelint-plugin": "^4.0.0", - "stylelint": "^16.26.0", + "stylelint": "^16.26.1", "stylelint-config-standard": "^39.0.1" } }, @@ -78,6 +78,7 @@ } ], "license": "MIT", + "peer": true, "engines": { "node": ">=18" }, @@ -85,6 +86,26 @@ "@csstools/css-tokenizer": "^3.0.4" } }, + "node_modules/@csstools/css-syntax-patches-for-csstree": { + "version": "1.0.22", + "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.0.22.tgz", + "integrity": "sha512-qBcx6zYlhleiFfdtzkRgwNC7VVoAwfK76Vmsw5t+PbvtdknO9StgRk7ROvq9so1iqbdW4uLIDAsXRsTfUrIoOw==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/csstools" + }, + { + "type": "opencollective", + "url": "https://opencollective.com/csstools" + } + ], + "license": "MIT-0", + "engines": { + "node": ">=18" + } + }, "node_modules/@csstools/css-tokenizer": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-3.0.4.tgz", @@ -101,6 +122,7 @@ } ], "license": "MIT", + "peer": true, "engines": { "node": ">=18" } @@ -896,6 +918,7 @@ "integrity": "sha512-eohl3hKTiVyD1ilYdw9T0OiB4hnjef89e3dMYKz+mVKDzj+5IteTseASUsOB+EU9Tf6VNTCjDePcP6wkDGmLKQ==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@keyv/serialize": "^1.1.1" } @@ -1104,6 +1127,7 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", @@ -1153,6 +1177,7 @@ "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" @@ -1344,9 +1369,9 @@ "license": "ISC" }, "node_modules/stylelint": { - "version": "16.26.0", - "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-16.26.0.tgz", - "integrity": "sha512-Y/3AVBefrkqqapVYH3LBF5TSDZ1kw+0XpdKN2KchfuhMK6lQ85S4XOG4lIZLcrcS4PWBmvcY6eS2kCQFz0jukQ==", + "version": "16.26.1", + "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-16.26.1.tgz", + "integrity": "sha512-v20V59/crfc8sVTAtge0mdafI3AdnzQ2KsWe6v523L4OA1bJO02S7MO2oyXDCS6iWb9ckIPnqAFVItqSBQr7jw==", "dev": true, "funding": [ { @@ -1359,8 +1384,10 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "@csstools/css-parser-algorithms": "^3.0.5", + "@csstools/css-syntax-patches-for-csstree": "^1.0.19", "@csstools/css-tokenizer": "^3.0.4", "@csstools/media-query-list-parser": "^4.0.3", "@csstools/selector-specificity": "^5.0.0", @@ -1373,7 +1400,7 @@ "debug": "^4.4.3", "fast-glob": "^3.3.3", "fastest-levenshtein": "^1.0.16", - "file-entry-cache": "^11.1.0", + "file-entry-cache": "^11.1.1", "global-modules": "^2.0.0", "globby": "^11.1.0", "globjoin": "^0.1.4", diff --git a/devTools/package.json b/devTools/package.json index 043ba50fda..6791ae887b 100644 --- a/devTools/package.json +++ b/devTools/package.json @@ -7,7 +7,7 @@ }, "devDependencies": { "@stylistic/stylelint-plugin": "^4.0.0", - "stylelint": "^16.26.0", + "stylelint": "^16.26.1", "stylelint-config-standard": "^39.0.1" } } diff --git a/docker/embedded/Dockerfile b/docker/embedded/Dockerfile index 439c49e6f3..12067bc7a8 100644 --- a/docker/embedded/Dockerfile +++ b/docker/embedded/Dockerfile @@ -37,7 +37,7 @@ RUN DISABLE_ADDITIONAL_FEATURES=false \ # Stage 2: Runtime image based on Debian stable-slim # Contains Java runtime + LibreOffice + Calibre + all PDF tools -FROM debian:stable-slim@sha256:7cb087f19bcc175b96fbe4c2aef42ed00733a659581a80f6ebccfd8fe3185a3d +FROM debian:stable-slim@sha256:1c25564b03942d874bf6a2b71f2062b71af8bc1475aa873c523e6f7c8fa29e60 SHELL ["/bin/bash", "-o", "pipefail", "-c"] ENV DEBIAN_FRONTEND=noninteractive diff --git a/docker/embedded/Dockerfile.fat b/docker/embedded/Dockerfile.fat index 028a7067ac..1fe61b67a7 100644 --- a/docker/embedded/Dockerfile.fat +++ b/docker/embedded/Dockerfile.fat @@ -37,7 +37,7 @@ RUN DISABLE_ADDITIONAL_FEATURES=false \ # Stage 2: Runtime image based on Debian stable-slim # Contains Java runtime + LibreOffice + Calibre + all PDF tools + extra fonts for air-gapped environments -FROM debian:stable-slim@sha256:7cb087f19bcc175b96fbe4c2aef42ed00733a659581a80f6ebccfd8fe3185a3d +FROM debian:stable-slim@sha256:1c25564b03942d874bf6a2b71f2062b71af8bc1475aa873c523e6f7c8fa29e60 SHELL ["/bin/bash", "-o", "pipefail", "-c"] ENV DEBIAN_FRONTEND=noninteractive diff --git a/testing/cucumber/requirements.txt b/testing/cucumber/requirements.txt index 80c32cc3c1..aa078aa00f 100644 --- a/testing/cucumber/requirements.txt +++ b/testing/cucumber/requirements.txt @@ -7,10 +7,10 @@ behave==1.3.3 \ --hash=sha256:2b8f4b64ed2ea756a5a2a73e23defc1c4631e9e724c499e46661778453ebaf51 \ --hash=sha256:89bdb62af8fb9f147ce245736a5de69f025e5edfb66f1fbe16c5007493f842c0 - # via -r requirements.in -certifi==2025.10.5 \ - --hash=sha256:0f212c2744a9bb6de0c56639a6f68afe01ecd92d91f14ae897c4fe7bbeeef0de \ - --hash=sha256:47c09d31ccf2acf0be3f701ea53595ee7e0b8fa08801c6624be771df09ae7b43 + # via -r testing/cucumber/requirements.in +certifi==2025.11.12 \ + --hash=sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b \ + --hash=sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316 # via requests charset-normalizer==3.4.4 \ --hash=sha256:027f6de494925c0ab2a55eab46ae5129951638a49a34d87f4c3eda90f696b4ad \ @@ -137,9 +137,9 @@ cucumber-expressions==18.0.1 \ --hash=sha256:86230d503cdda7ef35a1f2072a882d7d57c740aa4c163c82b07f039b6bc60c42 \ --hash=sha256:86ce41bf28ee520408416f38022e5a083d815edf04a0bd1dae46d474ca597c60 # via behave -cucumber-tag-expressions==8.0.0 \ - --hash=sha256:4af80282ff0349918c332428176089094019af6e2a381a2fd8f1c62a7a6bb7e8 \ - --hash=sha256:bfe552226f62a4462ee91c9643582f524af84ac84952643fb09057580cbb110a +cucumber-tag-expressions==8.1.0 \ + --hash=sha256:1de26f183b1e8748e881189edd4bcdf4a80d7ed1011ad7b38cf141fcdcc51094 \ + --hash=sha256:acc56dd19b7bd0b931fc7b124ebbb6737def0775be41186ace7f5e566338ce7d # via behave idna==3.11 \ --hash=sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea \ @@ -290,15 +290,15 @@ pycryptodome==3.23.0 \ --hash=sha256:dea827b4d55ee390dc89b2afe5927d4308a8b538ae91d9c6f7a5090f397af1aa \ --hash=sha256:e3f2d0aaf8080bda0587d58fc9fe4766e012441e2eed4269a77de6aea981c8be \ --hash=sha256:eb8f24adb74984aa0e5d07a2368ad95276cf38051fe2dc6605cbcf482e04f2a7 - # via -r requirements.in + # via -r testing/cucumber/requirements.in pypdf==6.4.0 \ --hash=sha256:4769d471f8ddc3341193ecc5d6560fa44cf8cd0abfabf21af4e195cc0c224072 \ --hash=sha256:55ab9837ed97fd7fcc5c131d52fcc2223bc5c6b8a1488bbf7c0e27f1f0023a79 - # via -r requirements.in -reportlab==4.4.4 \ - --hash=sha256:299b3b0534e7202bb94ed2ddcd7179b818dcda7de9d8518a57c85a58a1ebaadb \ - --hash=sha256:cb2f658b7f4a15be2cc68f7203aa67faef67213edd4f2d4bdd3eb20dab75a80d - # via -r requirements.in + # via -r testing/cucumber/requirements.in +reportlab==4.4.5 \ + --hash=sha256:0457d642aa76df7b36b0235349904c58d8f9c606a872456ed04436aafadc1510 \ + --hash=sha256:849773d7cd5dde2072fedbac18c8bc909506c8befba8f088ba7b09243c6684cc + # via -r testing/cucumber/requirements.in requests==2.32.5 \ --hash=sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6 \ --hash=sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf