chore: DEPLOY_BIND for published port + drizzle-orm security bump #4

Merged
pregno merged 2 commits from chore/deploy-hardening into main 2026-06-11 18:35:48 +02:00
Owner

Two hardening items from the repo-wide review:

1. **`DEPLOY_BIND` knob for the published deploy port.** `docker-compose.deploy.yml` published nginx as `9001:80`, binding to 0.0.0.0 on every host interface — with no auth on the proxied `/api/`. The mapping is now `${DEPLOY_BIND:-0.0.0.0}:9001:80`; default unchanged, documented in `.env.example`. **Recommended:** set `DEPLOY_BIND` to the host's Tailscale IP (or 127.0.0.1 behind Tailscale Serve) on the deploy host.

2. **drizzle-orm 0.36 → 0.45.2** closes GHSA-gpj5-g38j-94v9 (high, SQL injection via SQL identifiers — not exploitable in this codebase since all identifiers are static, but latent + flagged by audit). drizzle-kit bumped ^0.28 → ^0.31.10 to keep the documented orm/kit pairing. No query-code changes needed. `pnpm audit --prod` is now clean; 294 tests green; typecheck clean.

**Pre-existing issue found while verifying (NOT caused by this PR):** `drizzle-kit generate` cannot no-op on main — `drizzle/meta/_journal.json` lists migrations 0000–0007 but `meta/` only has snapshots 0000–0002 (0003–0007 were committed without snapshots), so generate diffs against the stale 0002 snapshot. Identical behavior on old and new versions; needs a separate fix (regenerate missing snapshots).
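Because the default of the new `DEPLOY_BIND` knob is still `0.0.0.0`, the hardening only takes effect when the deploy host actually sets the variable. The following is an added example (editor's code, not part of this PR or the polymarket-screener repo): a preflight check that resolves the compose `${VAR:-default}` form against an environment, parses the short-syntax port mapping, and reports whether the published port would listen on every interface. It assumes an IPv4 or hostname bind (no bracketed IPv6) and that Tailscale addresses come from the 100.64.0.0/10 range; the `preflight`, `substituteEnv`, `parsePortMapping` and `classifyBind` names are the example's own.

```typescript
// Added example (editor's code, not the repo's): deploy-host preflight for the
// compose port mapping "${DEPLOY_BIND:-0.0.0.0}:9001:80" introduced by the PR.
// Assumptions: IPv4/hostname binds only; Tailscale addresses are in 100.64.0.0/10.

type PortMapping = { bind: string; hostPort: number; containerPort: number };
type BindExposure = "all-interfaces" | "loopback" | "tailscale" | "specific";
type Preflight = { mapping: PortMapping; exposure: BindExposure; ok: boolean };

/** Substitute ${VAR:-default} and ${VAR}; an unset or empty VAR falls back to the default. */
function substituteEnv(spec: string, env: Record<string, string | undefined>): string {
  return spec.replace(/\$\{([A-Za-z0-9_]+)(?::-([^}]*))?\}/g, (_m: string, name: string, def?: string) => {
    const v = env[name];
    return v !== undefined && v !== "" ? v : (def ?? "");
  });
}

/** Parse compose short syntax "[bind:]hostPort:containerPort"; a missing bind means 0.0.0.0. */
function parsePortMapping(spec: string): PortMapping {
  const parts = spec.split(":");
  if (parts.length < 2 || parts.length > 3) throw new Error(`unsupported port mapping: ${spec}`);
  const bind = parts.length === 3 ? String(parts[0]) : "0.0.0.0";
  const hostPort = Number(parts[parts.length - 2]);
  const containerPort = Number(parts[parts.length - 1]);
  if (!Number.isInteger(hostPort) || !Number.isInteger(containerPort)) {
    throw new Error(`non-numeric port in mapping: ${spec}`);
  }
  return { bind, hostPort, containerPort };
}

/** Tailscale hands out IPv4 addresses from the CGNAT block 100.64.0.0/10. */
function isTailscaleAddress(ip: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 100 && b >= 64 && b <= 127;
}

function classifyBind(bind: string): BindExposure {
  // An empty bind (e.g. ":9001:80") behaves like no bind at all: every interface.
  if (bind === "" || bind === "0.0.0.0" || bind === "::") return "all-interfaces";
  if (bind === "127.0.0.1" || bind === "::1" || bind === "localhost") return "loopback";
  if (isTailscaleAddress(bind)) return "tailscale";
  return "specific";
}

/** Resolve the mapping against `env` and flag a publish on every interface. */
function preflight(spec: string, env: Record<string, string | undefined>): Preflight {
  const mapping = parsePortMapping(substituteEnv(spec, env));
  const exposure = classifyBind(mapping.bind);
  return { mapping, exposure, ok: exposure !== "all-interfaces" };
}

// The mapping quoted in the PR description, used as input for a stand-alone run.
const DEPLOY_PORT_SPEC = "${DEPLOY_BIND:-0.0.0.0}:9001:80";

// Constructed environments: the unchanged default, a Tailscale IP, and loopback behind Tailscale Serve.
const SAMPLE_ENVS: Array<Record<string, string | undefined>> = [
  {},
  { DEPLOY_BIND: "100.101.102.103" },
  { DEPLOY_BIND: "127.0.0.1" },
];

for (const env of SAMPLE_ENVS) {
  const r = preflight(DEPLOY_PORT_SPEC, env);
  const verdict = r.ok ? "ok" : "EXPOSED on every host interface";
  console.log(`${JSON.stringify(env)} -> ${r.mapping.bind}:${r.mapping.hostPort} (${r.exposure}) ${verdict}`);
}
```

Run it on the deploy host with the real `.env` loaded and fail the deploy when `ok` is false; the same parser also flags a blank `DEPLOY_BIND=` in `.env`, which compose resolves to the `0.0.0.0` default rather than to an unbound port.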
pregno merged commit 4b6ba937f6 into main 2026-06-11 18:35:48 +02:00
pregno deleted branch chore/deploy-hardening 2026-06-11 18:35:49 +02:00
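The journal/snapshot mismatch reported in the PR description (migrations 0000–0007 in `_journal.json`, snapshots only for 0000–0002) is the kind of drift a small CI check catches before `drizzle-kit generate` starts diffing against a stale snapshot. The following is an added example (editor's code, not part of this PR or the repo); it assumes the on-disk layout drizzle-kit uses as I understand it, a `_journal.json` whose `entries` array carries each migration's `idx` and `tag` and one `NNNN_snapshot.json` per migration, and the `missingSnapshots` and `checkMetaDir` names are the example's own.

```typescript
// Added example (editor's code, not the repo's): verify that every migration in
// drizzle/meta/_journal.json has a matching NNNN_snapshot.json beside it.
// Assumed layout: { entries: [{ idx, tag, ... }] } and "0003_snapshot.json"-style names.
import { readdirSync, readFileSync } from "node:fs";
import { join } from "node:path";

interface JournalEntry { idx: number; tag: string; }
interface Journal { entries: JournalEntry[]; }

/** Snapshot file name for a journal index, zero-padded to four digits. */
function snapshotName(idx: number): string {
  return `${String(idx).padStart(4, "0")}_snapshot.json`;
}

/** Journal entries with no snapshot among `metaFiles`, in journal order. */
function missingSnapshots(journal: Journal, metaFiles: string[]): JournalEntry[] {
  const present = new Set(metaFiles);
  return journal.entries.filter((e) => !present.has(snapshotName(e.idx)));
}

/** Read a real meta/ directory (e.g. "drizzle/meta") and report the gaps. */
function checkMetaDir(metaDir: string): JournalEntry[] {
  const journal = JSON.parse(readFileSync(join(metaDir, "_journal.json"), "utf8")) as Journal;
  return missingSnapshots(journal, readdirSync(metaDir));
}

// Constructed sample mirroring the state described in the PR: eight journal entries, three snapshots.
const SAMPLE_JOURNAL: Journal = {
  entries: Array.from({ length: 8 }, (_, i) => ({ idx: i, tag: `${String(i).padStart(4, "0")}_migration` })),
};
const SAMPLE_META_FILES = ["_journal.json", "0000_snapshot.json", "0001_snapshot.json", "0002_snapshot.json"];

const gaps = missingSnapshots(SAMPLE_JOURNAL, SAMPLE_META_FILES);
if (gaps.length === 0) {
  console.log("journal and snapshots are consistent");
} else {
  console.log(`missing snapshots for: ${gaps.map((g) => g.tag).join(", ")}`);
}
```

Wired into CI as `checkMetaDir("drizzle/meta")` with a non-zero exit on any gap, it turns "generate cannot no-op" from something noticed during an unrelated dependency bump into a failing check on the commit that omitted the snapshot.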

Reference
pregno/polymarket-screener!4