diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000..e72b2dd
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file — managed by Lumen
+# Ignores documented false positives and accepted risks.
+version: v1.25.0
+language-settings:
+ java:
+ countUntriaged: false
+
+ignore:
+ # CSRF disabled on stateless JWT API chain — intentional and correct per OWASP:
+ # "If your application does not use cookies for authentication, CSRF is not a risk."
+ # The API security filter chain (Order 1) uses Authorization: Bearer tokens only.
+ # The portal filter chain (Order 2) correctly enables CSRF via CookieCsrfTokenRepository.
+ SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-CSRF:
+ - 'cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java':
+ reason: >-
+ Stateless JWT API — CSRF not applicable. Browser never auto-sends
+ Bearer tokens. Portal chain has CSRF enabled via CookieCsrfTokenRepository.
+ expires: 2027-06-19T00:00:00.000Z
+ created: 2026-06-19T07:00:00.000Z
diff --git a/cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java b/cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java
index a5d338a..0f2dae9 100644
--- a/cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java
+++ b/cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java
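Review bot: The ignore key `SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-CSRF` does not carry the numeric issue suffix that Snyk issue IDs normally have, so unless it is copied from the ID the scanner actually reports, this entry is inert and the finding will keep surfacing despite the documented rationale. Confirm the ID against the scanner output, and, if this is a Snyk Code (SAST) finding rather than an Open Source dependency one, check that the `.snyk` `ignore:` list is honored for it at all. The `reason:` would also be stronger if it named the invariant it rests on rather than only the conclusion, e.g. `JWT is accepted only from the Authorization header; no cookie, session or remember-me auth on /api/**`, since the quoted OWASP statement holds only while that stays true. The one-year `expires:` that forces a re-review is the right shape.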
@@ -54,6 +54,13 @@ public class SecurityConfig {
 http
 .securityMatcher("/api/**")
 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+ // snyk:ignore java/CsrfProtectionDisabled — Intentional: this filter chain
+ // handles stateless JWT-authenticated API calls only. CSRF attacks exploit
+ // browser-managed session cookies; Bearer token auth is immune because the
+ // token is never sent automatically by the browser. OWASP CSRF Prevention
+ // Cheat Sheet: "If your application does not use cookies for authentication,
+ // CSRF is not a risk." The portal chain (Order 2) correctly enables CSRF via
+ // CookieCsrfTokenRepository for its session-based auth.
 .csrf(csrf -> csrf.disable())
 .sessionManagement(session -> session
 .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
diff --git a/cannamanage-frontend/package.json b/cannamanage-frontend/package.json
index ce5a7e1..e10f3ce 100644
--- a/cannamanage-frontend/package.json
+++ b/cannamanage-frontend/package.json
@@ -56,7 +56,7 @@
 "emoji-picker-react": "4.12.2",
 "input-otp": "1.4.2",
 "lucide-react": "0.446.0",
- "next": "15.5.18",
+ "next": "15.5.19",
 "next-auth": "5.0.0-beta.31",
 "next-intl": "^4.13.0",
 "react": "19.1.3",
@@ -88,7 +88,7 @@
 "@types/sockjs-client": "^1.5.4",
 "@vitejs/plugin-react": "^6.0.2",
 "eslint": "9.18.0",
- "eslint-config-next": "15.5.18",
+ "eslint-config-next": "15.5.19",
 "eslint-config-prettier": "10.1.1",
 "eslint-plugin-prettier": "5.2.3",
 "jsdom": "^29.1.1",
@@ -107,6 +107,9 @@
 "@types/react": "19.0.12",
 "@types/react-dom": "19.0.4",
 "picomatch": ">=4.0.2",
- "postcss": ">=8.4.31"
+ "postcss": ">=8.4.31",
+ "minimatch": ">=5.1.6",
+ "brace-expansion": ">=2.0.1",
+ "ajv": ">=8.17.1"
 }
 }
diff --git a/cannamanage-frontend/pnpm-lock.yaml b/cannamanage-frontend/pnpm-lock.yaml
index ca2f582..3ac2c83 100644
--- a/cannamanage-frontend/pnpm-lock.yaml
+++ b/cannamanage-frontend/pnpm-lock.yaml
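Review bot: The justification in the added comment rests on an invariant the hunk does not show: that nothing in the `/api/**` chain accepts a browser-managed credential. `SessionCreationPolicy.STATELESS` only means the security context is not loaded from an HTTP session; it says nothing about whether the JWT filter also reads the token from a cookie, or whether `corsConfigurationSource()` allows credentials for a browser origin, and if either holds the Bearer-only premise is false and CSRF is back in scope. I would state that invariant in the comment instead of the OWASP quote, e.g. `// CSRF disabled: this chain is STATELESS and the JWT filter reads the token only from the Authorization header — no cookie, session or remember-me auth may be added to /api/**`, and keep a test asserting that a request carrying only a session cookie is rejected on `/api/**`. The `// snyk:ignore java/CsrfProtectionDisabled` marker only helps if Snyk honors that inline syntax for Java; confirm it, since the `.snyk` policy added in this commit is the entry that actually suppresses the finding. The builder chain continues on both sides of the hunk; the enclosing method starts and ends outside it.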
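Review bot: The three new floors at the end of the third package.json hunk (`minimatch`, `brace-expansion`, `ajv`) have no counterpart in the pnpm-lock.yaml hunks of this commit, which only move `next`/`eslint-config-next` to 15.5.19; pnpm normally records overrides near the top of its lockfile, so either these floors were already satisfied or the lockfile was not regenerated after adding them. Run the install and commit the lockfile delta (or confirm it is empty), otherwise a `--frozen-lockfile` install will fail or the floors will silently not apply. Forcing `brace-expansion` and `minimatch` across majors with `>=` ranges can also change behaviour for transitive consumers pinned to older majors; check that the versions the relevant advisories name are what the range resolves to, rather than the lowest version that happens to satisfy it. The first two hunks are plain version bumps and need nothing further.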
@@ -93,14 +93,14 @@ importers: specifier: 0.446.0 version: 0.446.0(react@19.1.3) next: - specifier: 15.5.18 - version: 15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3) + specifier: 15.5.19 + version: 15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3) next-auth: specifier: 5.0.0-beta.31 - version: 5.0.0-beta.31(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3) + version: 5.0.0-beta.31(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3) next-intl: specifier: ^4.13.0 - version: 4.13.0(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3) + version: 4.13.0(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3) react: specifier: 19.1.3 version: 19.1.3 @@ -184,8 +184,8 @@ importers: specifier: 9.18.0 version: 9.18.0(jiti@2.6.1) eslint-config-next: - specifier: 15.5.18 - version: 15.5.18(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3) + specifier: 15.5.19 + version: 15.5.19(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3) eslint-config-prettier: specifier: 10.1.1 version: 10.1.1(eslint@9.18.0(jiti@2.6.1)) 
@@ -679,56 +679,56 @@ packages: '@emnapi/core': ^1.7.1 '@emnapi/runtime': ^1.7.1 - '@next/env@15.5.18': - resolution: {integrity: sha512-hAV85Ckd9QR6RvH04MEKwsfLTksvFpO47j9xwtoIuvuPnlwecpSi+uZTtm8HirVbtlI2Fnz//xpcSTjFdyJk+g==} + '@next/env@15.5.19': + resolution: {integrity: sha512-sWWluFvcv5v3Fxznmf2ZfjyoVQt/64oCnYqS90inQWGzMPK1VjvekPiz3OPHKmFT30EnHrjlbyaHLt3M0vWabw==} - '@next/eslint-plugin-next@15.5.18': - resolution: {integrity: sha512-w4MYq8M26a8PNrfto0JosLf5/3ssln1rsyP96g2DkC8uFVymStM5DLSz5ElxxrPRg2XnTMnFo3kREFlhYvxhWw==} + '@next/eslint-plugin-next@15.5.19': + resolution: {integrity: sha512-Ctwb4qYuMbHN/1oXLlTdMchwG8h8Xzwq+wGZZMgF3o6+uwyBKAI2c96bdOsl+C62PaUD0Jkh+QpNkhUeDlam0Q==} - '@next/swc-darwin-arm64@15.5.18': - resolution: {integrity: sha512-w0WvQf1n+txiwns/9pwIQteCJpZTbxzO2SE0FLcwuD4v0WEh1JPOjdyxWL21XwJsdpx8cFRjyzxzCS/siP7HcQ==} + '@next/swc-darwin-arm64@15.5.19': + resolution: {integrity: sha512-jx9wWlTKueHKPvVOndyr7WuaevWCkuYqsQ8gC0TMPKAVWG3MhcdMrjfo9tvIZNXd0QOUYXXvAcZ325y8Uq7uzg==} engines: {node: '>= 10'} cpu: [arm64] os: [darwin] - '@next/swc-darwin-x64@15.5.18': - resolution: {integrity: sha512-znn71QmDuxm+BOaglihMZfvyySMnNljkVIY5Z2TCssBmm+WqL6c19VhtH5ktFkHa8EZ2bnTUpcNcmNSQsg67og==} + '@next/swc-darwin-x64@15.5.19': + resolution: {integrity: sha512-291KFcsIQ3OenRdiUDFOR6W3wezzH4auENXm1gbm1Bjd4ANMMRgxPrWTUztQN43BnVoVuMnHCrLeECIMwgFKbA==} engines: {node: '>= 10'} cpu: [x64] os: [darwin] - '@next/swc-linux-arm64-gnu@15.5.18': - resolution: {integrity: sha512-yPPe5MNL+igZUa+OsqQJisqSfh6oarIuA1Q0BDxljGJhRQyZeP+WRHh7rs/jZUGMh5aY0YdIjXZG0VohkKkUdw==} + '@next/swc-linux-arm64-gnu@15.5.19': + resolution: {integrity: sha512-WeH+nelQyyMeE2f8FxBRZNrGipya5zHZV2vjzfCOAYyiI6am+NbnWAAldOBFQBB2w0DjJcsvrKqoFT2b7+5YoA==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-arm64-musl@15.5.18': - resolution: {integrity: sha512-glaCczEWIrHsokFZ3pP08U4BpKxwIdnT+txdOM32OBgpL9Yw4aqx8NejmgtZQZOdstQ5f0L3CasIZudzCuD+nw==} + 
'@next/swc-linux-arm64-musl@15.5.19': + resolution: {integrity: sha512-5xTOE0lDlDCSSfp+BAif7j17VRRCjWp//ZPZy6NI0QpdrhxtQnsZguSx0xAAZ0c9XZLrLLwCe/XVe5YPrRilKw==} engines: {node: '>= 10'} cpu: [arm64] os: [linux] - '@next/swc-linux-x64-gnu@15.5.18': - resolution: {integrity: sha512-oUfg2EgJmU3R0OCOWiokGFUTvZiPfXtriXiuF3YNxRoROCdgvTedHIzYoeKH34gsZxS/V7mHbfq2hpAHwhH1/A==} + '@next/swc-linux-x64-gnu@15.5.19': + resolution: {integrity: sha512-LTxRmMgqqMv05Had879W00Fm53quiJd3Zuz8h1JSNJ3nGSlbZ/7Tjs1tKyScgN3Au3t3MyPsjPlq60fMmSHLsg==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-linux-x64-musl@15.5.18': - resolution: {integrity: sha512-JLxSP3KTd9iu/bvUMQxH7RJo9xKSHf55/6RPE4a6FTSZygGn7uvZbCej0AHXydwkggQGSD9UddSjwv6Xz5ESfA==} + '@next/swc-linux-x64-musl@15.5.19': + resolution: {integrity: sha512-eoNQSpA5PQfB9wBO4RA47MTDXWz1fizy9Y3Z6e4DetYIF3dvjuu8sj7aIGn/bFCU6lnFzTK34NtCaffP4NsQ7Q==} engines: {node: '>= 10'} cpu: [x64] os: [linux] - '@next/swc-win32-arm64-msvc@15.5.18': - resolution: {integrity: sha512-ir1v7enP52K2HNz3tQQvwF+x7VNxBk1ciiZ18WBPvxf4C59IqdfmHPJYK3vH7rSxpuCVw/8C712wTXNAtEp+NA==} + '@next/swc-win32-arm64-msvc@15.5.19': + resolution: {integrity: sha512-6UNt2dFuCHOe446sm/Kp69nUe8/wIhnh9bm6Xcqw4qEWCOppLMOvhTBVgvM7invVUNr4SPpP6NOQsACtn2IN9Q==} engines: {node: '>= 10'} cpu: [arm64] os: [win32] - '@next/swc-win32-x64-msvc@15.5.18': - resolution: {integrity: sha512-LIu5me6QTANCd25E7I5uIEfvgQ06RK7tvHAbYo3zCb3VpxQEPvMcSpd87NwUABDT6MbGPdEGR5VRiK4PPTJhQg==} + '@next/swc-win32-x64-msvc@15.5.19': + resolution: {integrity: sha512-PhmojAHyqMne56HBLGu9dhDnHPuFmEjrXSQMM/nW0J6j849lk3ESrVtqNJcCk8CKOV7brpTTbaYAjwKPzKM69w==} engines: {node: '>= 10'} cpu: [x64] os: [win32] 
@@ -2802,8 +2802,8 @@ packages: resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==} engines: {node: '>=10'} - eslint-config-next@15.5.18: - resolution: {integrity: sha512-HuoJU6uUPD00eyiud78IBnT4HLhztFj2V+ild2Uon5ZUrYZKe0Olu2QRD99e9IgL4/H1eg5Onka3BsfRW2U0Xw==} + eslint-config-next@15.5.19: + resolution: {integrity: sha512-UZwkuhBCNxVZfo93MSHRDOVNWXooJJGcAUyTAVIp0+9QFhH4SqJxWY0s6Mk9C2kMi777HPMn3dseOrZshWpG9Q==} peerDependencies: eslint: ^7.23.0 || ^8.0.0 || ^9.0.0 typescript: '>=3.3.1' @@ -3655,8 +3655,8 @@ packages: typescript: optional: true - next@15.5.18: - resolution: {integrity: sha512-eKL8zUJkX9Y5lE+RX/2YJoItVdGlIscyVyboeD9wSpp0PaGqjoA4tTpT2qPqz9ax+5IzGESyLSeZ/RCwbSZ2uQ==} + next@15.5.19: + resolution: {integrity: sha512-xNOW6tYshGX1/Oi3F8uuk4gpDeWsSUE/1Z0G5uUMekIxaQ0xc03UXd9II0VQHYMWviMeA0OHpJFAKsHf8bTYVg==} engines: {node: ^18.18.0 || ^19.8.0 || >= 20.0.0} hasBin: true peerDependencies: @@ -5051,34 +5051,34 @@ snapshots: '@tybys/wasm-util': 0.10.2 optional: true - '@next/env@15.5.18': {} + '@next/env@15.5.19': {} - '@next/eslint-plugin-next@15.5.18': + '@next/eslint-plugin-next@15.5.19': dependencies: fast-glob: 3.3.1 - '@next/swc-darwin-arm64@15.5.18': + '@next/swc-darwin-arm64@15.5.19': optional: true - '@next/swc-darwin-x64@15.5.18': + '@next/swc-darwin-x64@15.5.19': optional: true - '@next/swc-linux-arm64-gnu@15.5.18': + '@next/swc-linux-arm64-gnu@15.5.19': optional: true - '@next/swc-linux-arm64-musl@15.5.18': + '@next/swc-linux-arm64-musl@15.5.19': optional: true - '@next/swc-linux-x64-gnu@15.5.18': + '@next/swc-linux-x64-gnu@15.5.19': optional: true - '@next/swc-linux-x64-musl@15.5.18': + '@next/swc-linux-x64-musl@15.5.19': optional: true - '@next/swc-win32-arm64-msvc@15.5.18': + '@next/swc-win32-arm64-msvc@15.5.19': optional: true - '@next/swc-win32-x64-msvc@15.5.18': + '@next/swc-win32-x64-msvc@15.5.19': optional: true '@nodelib/fs.scandir@2.1.5': 
@@ -7020,9 +7020,9 @@ snapshots: escape-string-regexp@4.0.0: {} - eslint-config-next@15.5.18(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3): + eslint-config-next@15.5.19(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3): dependencies: - '@next/eslint-plugin-next': 15.5.18 + '@next/eslint-plugin-next': 15.5.19 '@rushstack/eslint-patch': 1.16.1 '@typescript-eslint/eslint-plugin': 8.61.0(@typescript-eslint/parser@8.61.0(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3))(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3) '@typescript-eslint/parser': 8.61.0(eslint@9.18.0(jiti@2.6.1))(typescript@5.9.3) @@ -7875,22 +7875,22 @@ snapshots: negotiator@1.0.0: {} - next-auth@5.0.0-beta.31(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3): + next-auth@5.0.0-beta.31(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3): dependencies: '@auth/core': 0.41.2 - next: 15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3) + next: 15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3) react: 19.1.3 next-intl-swc-plugin-extractor@4.13.0: {} - next-intl@4.13.0(next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3): + next-intl@4.13.0(next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3))(react@19.1.3)(typescript@5.9.3): dependencies: '@formatjs/intl-localematcher': 0.8.10 '@parcel/watcher': 2.5.6 '@swc/core': 1.15.41 icu-minify: 4.13.0 negotiator: 1.0.0 - next: 15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3) + next: 15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3) next-intl-swc-plugin-extractor: 4.13.0 po-parser: 2.1.1 react: 19.1.3 
@@ -7900,9 +7900,9 @@ snapshots: transitivePeerDependencies: - '@swc/helpers' - next@15.5.18(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3): + next@15.5.19(@playwright/test@1.60.0)(react-dom@19.1.3(react@19.1.3))(react@19.1.3): dependencies: - '@next/env': 15.5.18 + '@next/env': 15.5.19 '@swc/helpers': 0.5.15 caniuse-lite: 1.0.30001799 postcss: 8.4.31 @@ -7910,14 +7910,14 @@ snapshots: react-dom: 19.1.3(react@19.1.3) styled-jsx: 5.1.6(react@19.1.3) optionalDependencies: - '@next/swc-darwin-arm64': 15.5.18 - '@next/swc-darwin-x64': 15.5.18 - '@next/swc-linux-arm64-gnu': 15.5.18 - '@next/swc-linux-arm64-musl': 15.5.18 - '@next/swc-linux-x64-gnu': 15.5.18 - '@next/swc-linux-x64-musl': 15.5.18 - '@next/swc-win32-arm64-msvc': 15.5.18 - '@next/swc-win32-x64-msvc': 15.5.18 + '@next/swc-darwin-arm64': 15.5.19 + '@next/swc-darwin-x64': 15.5.19 + '@next/swc-linux-arm64-gnu': 15.5.19 + '@next/swc-linux-arm64-musl': 15.5.19 + '@next/swc-linux-x64-gnu': 15.5.19 + '@next/swc-linux-x64-musl': 15.5.19 + '@next/swc-win32-arm64-msvc': 15.5.19 + '@next/swc-win32-x64-msvc': 15.5.19 '@playwright/test': 1.60.0 sharp: 0.34.5 transitivePeerDependencies: