security: round 4 — frontend hardening (deps, XSS, cookie security)

Vulnerable dependencies upgraded:
- Backend: league/commonmark >=2.8.2 (HTML injection bypass),
  phpunit/phpunit >=11.5.50, laravel/tinker (psysh LPE)
- Frontend: axios 1.13→1.15 (SSRF + metadata exfiltration),
  @casl/ability updated (prototype pollution)
- Removed swiper from all 3 apps (prototype pollution CVE,
  only used in Vuexy demo pages)

XSS vectors removed:
- Deleted Vuexy demo pages with v-html rendering API data:
  help-center/article, academy/course-details
- Deleted all front-pages (landing, pricing, checkout, payment) —
  Vuexy marketing template, not Crewli business logic
- Deleted swiper demo components and views
- Fixed admin main.ts: replaced innerHTML with template literal
  with safe DOM construction using textContent

Cookie security:
- Added SameSite=Strict and Secure flags to admin cookie defaults

Cleanup:
- Removed swiper SCSS from all 3 apps
- Removed swiper custom element config from all 3 vite configs
- Portal localStorage cleanup verified: reset() clears all keys,
  called on both explicit logout and 401 interceptor

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:15:00 +02:00
parent 52f6380ac0
commit b8286d6a84
51 changed files with 694 additions and 7224 deletions


@@ -33,7 +33,7 @@
"@vueuse/core": "10.11.1",
"@vueuse/math": "10.11.1",
"apexcharts": "3.54.1",
"axios": "^1.13.2",
"axios": "^1.15.0",
"bootstrap-daterangepicker": "^3.1.0",
"chart.js": "4.5.1",
"cookie-es": "1.2.2",
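Review bot: the bump from `"axios": "^1.13.2"` to `"axios": "^1.15.0"` only raises the floor of a caret range; the install that actually ships is whatever the lockfile resolves, so confirm the lockfile in this commit pins axios to a 1.15.x release, otherwise a clean `npm ci` keeps the 1.13 line the commit message describes as vulnerable to SSRF and metadata exfiltration.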
@@ -49,7 +49,6 @@
"prismjs": "1.30.0",
"roboto-fontface": "0.10.0",
"shepherd.js": "13.0.3",
"swiper": "11.2.10",
"ufo": "1.6.1",
"unplugin-vue-define-options": "1.5.5",
"vee-validate": "^4.15.1",
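Review bot: dropping `"swiper": "11.2.10"` from the dependency list is only half of the removal; any surviving `import ... from 'swiper'` in the remaining source or SCSS would now fail at build time, and the lockfile would still carry the package until regenerated. The commit message says the swiper components, views, SCSS and vite custom-element config were removed in this same change, so a final grep for `swiper` across the three apps and a check that the lockfile no longer lists it would close this out.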