
[comp] Production Deploy #2349

Merged
Marfuen merged 3 commits into release from main
Mar 20, 2026

Conversation

github-actions (Contributor)

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.


* fix(api): validate WebP files with full RIFF+WEBP signature check

The RIFF prefix alone matches WAV, AVI, and other container formats.
Now checks bytes 8-11 for 'WEBP' to ensure the file is actually WebP,
preventing content scan bypass via crafted RIFF files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(api): use byte-exact comparison for WebP and remove unused constant

- Replace toString('ascii') with Buffer.equals() to prevent high-bit
  stripping that could bypass signature check
- Remove unused BINARY_MIME_TYPES constant

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
cursor bot commented Mar 19, 2026

PR Summary

Medium Risk
Medium risk because it changes upload content validation for image/webp and upgrades better-auth across the monorepo, which can affect authentication/session behavior via dependency updates.

Overview
Hardens file upload validation for image/webp. validateFileContent now performs RIFF-specific WebP checks (requires RIFF header plus WEBP marker at offset 8) instead of accepting any RIFF-prefixed file, and adds tests covering valid WebP and common RIFF masquerades (e.g., WAV/AVI).

Updates auth dependency versions. Bumps better-auth to ^1.4.22/1.4.22 across apps/api, apps/app, apps/portal, and packages/auth, with corresponding lockfile updates.

Written by Cursor Bugbot for commit 9786589. This will update automatically on new commits. Configure here.
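The WebP check that the two commit messages and the summary above describe, as an added example that is not the project's code: the pre-fix form (RIFF prefix only, compared after an 'ascii' decode) beside the hardened form (byte-exact RIFF at 0-3 and WEBP at 8-11). It assumes Node.js Buffers; the function names and the constructed 12-byte headers are my own.

```javascript
// Added example, not code from the repository. Node.js Buffer API only.
// Function names (isWebpWeak, isWebpStrict, checkUpload) are assumptions.

const RIFF = Buffer.from('RIFF', 'ascii');
const WEBP = Buffer.from('WEBP', 'ascii');

// Weak form: only the RIFF prefix, compared after an 'ascii' decode. Node's
// 'ascii' decoder unsets the high bit of every byte, so 0xD2 0xC9 0xC6 0xC6
// also reads as "RIFF", and every RIFF container (WAV, AVI, ...) passes.
function isWebpWeak(buf) {
  return buf.length >= 4 && buf.subarray(0, 4).toString('ascii') === 'RIFF';
}

// Hardened form: byte-exact 'RIFF' at bytes 0-3 and 'WEBP' at bytes 8-11.
// Bytes 4-7 hold the little-endian chunk size and are not part of the signature.
function isWebpStrict(buf) {
  return buf.length >= 12 &&
    buf.subarray(0, 4).equals(RIFF) &&
    buf.subarray(8, 12).equals(WEBP);
}

// Minimal content check for the image/webp branch of an upload validator.
function checkUpload(buf, mimeType) {
  if (mimeType !== 'image/webp') return { ok: false, reason: 'unsupported type' };
  return isWebpStrict(buf)
    ? { ok: true }
    : { ok: false, reason: 'content does not match image/webp' };
}

// Constructed 12-byte headers (chunk size zeroed; a real file carries more data).
function header(form, prefix = RIFF) {
  return Buffer.concat([prefix, Buffer.alloc(4), Buffer.from(form, 'ascii')]);
}
const SAMPLES = {
  webp: header('WEBP'),
  wav: header('WAVE'),  // RIFF container that is not WebP
  avi: header('AVI '),  // RIFF container that is not WebP
  // 'RIFF' with the high bit set on each byte: only the weak check accepts it.
  highBit: header('WEBP', Buffer.from(Array.from(RIFF, (b) => b | 0x80))),
};
```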

vercel bot commented Mar 19, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project           Deployment   Updated (UTC)
app (staging)     Error        Mar 20, 2026 6:38pm
portal (staging)  Skipped      Mar 20, 2026 6:38pm
(1 skipped deployment)


Aligns all packages (app, api, portal, auth, root) to the same
better-auth version. Stays on 1.4.x to avoid breaking changes in 1.5.0.

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@vercel vercel bot temporarily deployed to staging – portal March 19, 2026 21:51 Inactive
@vercel vercel bot temporarily deployed to staging – app March 19, 2026 21:51 Inactive
@Marfuen Marfuen merged commit c543d68 into release Mar 20, 2026
13 checks passed
claudfuen (Contributor)

🎉 This PR is included in version 3.10.3 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
