chore: fix security vulnerabilities via Go upgrades and npm overrides (WH-3695) #110
Merged
danielBWeka merged 9 commits into release/v0.4 from Feb 8, 2026
Pull request overview
This pull request addresses 58 security vulnerabilities through Go dependency upgrades and a frontend migration from Create React App to Vite. The changes fix 1 critical, 21 high, 33 medium, and 3 low severity CVEs affecting both Go and npm dependencies.
Changes:
- Upgraded Go dependencies including helm (v3.16.1 → v3.19.0), golang.org/x/crypto (v0.31.0 → v0.45.0), golang.org/x/oauth2 (v0.21.0 → v0.30.0), and kubernetes libraries (v0.31.x → v0.34.0)
- Migrated optional web frontend from Create React App to Vite 6.x, removing all CRA-related npm vulnerabilities
- Updated Go version specification to 1.24.0 with toolchain go1.24.2
Reviewed changes
Copilot reviewed 8 out of 10 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updated Go version to 1.24.0 and upgraded direct dependencies including helm, kubernetes, and golang.org packages |
| go.sum | Updated checksums for all upgraded Go dependencies |
| internal/local/web/frontend/vite.config.js | New Vite configuration with React plugin and API proxy to localhost:8080 |
| internal/local/web/frontend/package.json | Replaced react-scripts with Vite and updated scripts for dev/build/preview |
| internal/local/web/frontend/index.html | New Vite HTML entry point with script module reference |
| internal/local/web/frontend/public/index.html | Removed Create React App HTML template |
| internal/local/web/frontend/src/main.jsx | Updated import to use .jsx extension for App component |
| internal/local/web/frontend/src/App.jsx | Removed unnecessary comment |
| internal/local/web/frontend/README.md | Updated documentation for Vite migration |
commit 073f477
Author: Daniel Binyamin <daniel.binyamin@weka.io>
Date: Sun Feb 1 12:51:35 2026 +0200

chore: GitHub Actions release workflow for homecli (WH-3686) (#113)

* release github action
* updates
* adjustments
* only release/v.0.4
* fix vulnerability
* copilot fixes

commit 8afeca4
Author: Daniel Binyamin <daniel.binyamin@weka.io>
Date: Sun Feb 1 10:12:00 2026 +0200

feat: homecli remote-access commands (#109)

* Add remote session cli commands
* get image from configMap
* enable remote access values for LWH
* copy using sidecar deployment
* remove http.go
* fix copy recordings
* lint + fixes
* fixes
* pre-commit
* fixes 2
* sort recordings list
* fix error handling
* validate tmte server flags
* fixes 4
* Squashed commit of the following:

commit c4606e9
Merge: a335aa3 511a9db
Author: vyeveweka <vitalii.yevenko@weka.io>
Date: Fri Jan 30 16:39:32 2026 +0200

Merge pull request #112 from weka/chore/v.yevenko/WH-3694-disable-redis-fix

chore: disable redis fix

commit 511a9db
Author: Vitalii Yevenko <vitalii.yevenko@weka.io>
Date: Fri Jan 30 12:23:14 2026 +0200

disabled redis for LWH

commit 249a960
Author: Vitalii Yevenko <vitalii.yevenko@weka.io>
Date: Thu Jan 29 22:00:15 2026 +0200

fixed redis deployment

commit a335aa3
Merge: b3e913b 53deac1
Author: vyeveweka <vitalii.yevenko@weka.io>
Date: Thu Jan 29 17:02:26 2026 +0200

Merge pull request #111 from weka/chore/v.yevenko/WH-3694-disable-redis

chore: disable redis

commit 53deac1
Author: Vitalii Yevenko <vitalii.yevenko@weka.io>
Date: Thu Jan 29 14:15:40 2026 +0200

disable redis

* fix merge conflict

commit c4606e9
Merge: a335aa3 511a9db
Author: vyeveweka <vitalii.yevenko@weka.io>
Date: Fri Jan 30 16:39:32 2026 +0200

Merge pull request #112 from weka/chore/v.yevenko/WH-3694-disable-redis-fix

chore: disable redis fix

commit 511a9db
Author: Vitalii Yevenko <vitalii.yevenko@weka.io>
Date: Fri Jan 30 12:23:14 2026 +0200

disabled redis for LWH

commit 249a960
Author: Vitalii Yevenko <vitalii.yevenko@weka.io>
Date: Thu Jan 29 22:00:15 2026 +0200

fixed redis deployment

commit a335aa3
Merge: b3e913b 53deac1
Author: vyeveweka <vitalii.yevenko@weka.io>
Date: Thu Jan 29 17:02:26 2026 +0200

Merge pull request #111 from weka/chore/v.yevenko/WH-3694-disable-redis

chore: disable redis

commit 53deac1
Author: Vitalii Yevenko <vitalii.yevenko@weka.io>
Date: Thu Jan 29 14:15:40 2026 +0200

disable redis
eladda-weka approved these changes Feb 8, 2026
Security Vulnerabilities Fixed (58 Total)
Critical (1)
High (21)
Medium (33)
Low (3)
Summary
Fix Methods
Go Updates (go.mod)
Frontend Migration: Create React App → Vite
Migrated the web frontend from Create React App (react-scripts 5.0.1) to Vite 6.x, eliminating all CRA transitive dependencies that contained vulnerabilities.
Before: ~1,500+ npm packages (via react-scripts)
After: ~115 npm packages (via vite)
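
A regression guard for the Go upgrades listed in the overview, as an added example that is not part of this pull request or the project's code: it scans go.mod text and reports any tracked module that a require or replace line pins below the upgraded version. The module paths helm.sh/helm/v3 and k8s.io/client-go, the function names, and the sample go.mod text are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Floors are the upgraded versions from the PR overview. The helm.sh and
// k8s.io module paths are assumptions, not read from the project's go.mod.
var floors = map[string]string{
	"helm.sh/helm/v3":     "v3.19.0",
	"golang.org/x/crypto": "v0.45.0",
	"golang.org/x/oauth2": "v0.30.0",
	"k8s.io/client-go":    "v0.34.0",
}

// parse reads major.minor.patch; suffixes such as -rc.1 are ignored.
func parse(v string) (out [3]int) {
	fmt.Sscanf(v, "v%d.%d.%d", &out[0], &out[1], &out[2])
	return
}

// CheckFloors reports require and replace lines that pin a tracked module
// below its floor. A replace target without a version counts as below.
func CheckFloors(gomod string) (bad []string) {
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" comments
		line = strings.TrimPrefix(strings.TrimSpace(line), "require ")
		f := strings.Fields(strings.TrimPrefix(line, "replace "))
		if len(f) < 2 {
			continue
		}
		floor, tracked := floors[f[0]]
		a, b := parse(f[len(f)-1]), parse(floor) // last field is the resolved version
		if tracked && (a[0] < b[0] || a[0] == b[0] && (a[1] < b[1] || a[1] == b[1] && a[2] < b[2])) {
			bad = append(bad, fmt.Sprintf("%s %s < %s", f[0], f[len(f)-1], floor))
		}
	}
	return bad
}

// Constructed sample, not the project's go.mod.
const sample = `require (
	helm.sh/helm/v3 v3.19.0
	golang.org/x/crypto v0.31.0 // indirect
)
replace k8s.io/client-go => k8s.io/client-go v0.31.2`

func main() { fmt.Println(strings.Join(CheckFloors(sample), "\n")) }
```

Checking replace lines as well as require lines matters because a replace directive can silently pin a module back to a vulnerable release even when the require block shows the upgraded version.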