fix(security): suppress CSRF false positive + upgrade next 15.5.19 + dep overrides
Deploy to TrueNAS / deploy (push) Failing after 4m7s
- Add .snyk policy file to suppress CSRF disabled false positive on JWT API chain
- Add inline documentation explaining why CSRF is intentionally disabled for stateless JWT
- Upgrade next.js 15.5.18 → 15.5.19 (latest stable 15.x patch)
- Upgrade eslint-config-next to match
- Add pnpm overrides for transitive CVEs: minimatch>=5.1.6, brace-expansion>=2.0.1, ajv>=8.17.1
@@ -0,0 +1,19 @@
# Snyk (https://snyk.io) policy file — managed by Lumen
# Ignores documented false positives and accepted risks.
version: v1.25.0
language-settings:
java:
countUntriaged: false
ignore:
# CSRF disabled on stateless JWT API chain — intentional and correct per OWASP:
# "If your application does not use cookies for authentication, CSRF is not a risk."
# The API security filter chain (Order 1) uses Authorization: Bearer tokens only.
# The portal filter chain (Order 2) correctly enables CSRF via CookieCsrfTokenRepository.
SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-CSRF:
- 'cannamanage-api/src/main/java/de/cannamanage/api/security/SecurityConfig.java':
reason: >-
Stateless JWT API — CSRF not applicable. Browser never auto-sends
Bearer tokens. Portal chain has CSRF enabled via CookieCsrfTokenRepository.
expires: 2027-06-19T00:00:00.000Z
created: 2026-06-19T07:00:00.000Z
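Review bot: the ignore expires a full year after creation (created 2026-06-19, expires 2027-06-19), which is long for a suppression whose validity rests on the Order 1 chain staying Bearer-only; a shorter expiry (six months, say) would force the assumption to be re-checked. Also confirm the issue ID `SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-CSRF` against the identifier in the actual Snyk report: if it does not match what Snyk emits for this finding, the ignore matches nothing and the alert keeps firing. The `reason` text is sound only while that chain creates no HTTP session and accepts no cookie-based credentials; recording that condition next to the ignore (or backing it with a test that asserts the API chain is stateless) keeps the suppression honest if SecurityConfig.java changes later.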