bert.hausmans
b8286d6a84
Vulnerable dependencies upgraded: - Backend: league/commonmark >=2.8.2 (HTML injection bypass), phpunit/phpunit >=11.5.50, laravel/tinker (psysh LPE) - Frontend: axios 1.13→1.15 (SSRF + metadata exfiltration), @casl/ability updated (prototype pollution) - Removed swiper from all 3 apps (prototype pollution CVE, only used in Vuexy demo pages) XSS vectors removed: - Deleted Vuexy demo pages with v-html rendering API data: help-center/article, academy/course-details - Deleted all front-pages (landing, pricing, checkout, payment) — Vuexy marketing template, not Crewli business logic - Deleted swiper demo components and views - Fixed admin main.ts: replaced innerHTML with template literal with safe DOM construction using textContent Cookie security: - Added SameSite=Strict and Secure flags to admin cookie defaults Cleanup: - Removed swiper SCSS from all 3 apps - Removed swiper custom element config from all 3 vite configs - Portal localStorage cleanup verified: reset() clears all keys, called on both explicit logout and 401 interceptor Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Crewli — Organizer SPA
Main product UI for organisation and event staff (Vue 3 + Vuexy + Vuetify). Lives in this repo; only re-copy from Vuexy when upgrading the template.
Setup
- Install dependencies:
pnpm install
- Create
.env.local:
VITE_API_URL=http://localhost:8000/api/v1
VITE_APP_NAME="Crewli Organizer"
- Dev server uses port 5174 (see
vite.config.tsor run from repo root:make app).
pnpm dev --port 5174
Port
Runs on http://localhost:5174
Production: e.g. VITE_API_URL=https://api.crewli.app/api/v1 and host the SPA at https://app.crewli.app (see api/.env.example for FRONTEND_APP_URL and SANCTUM_STATEFUL_DOMAINS).