April 13: Security Quick Wins and Dependabot Hardening
Landed the security quick-wins bundle (password complexity, private-by-default for targets, proxy trust config), hardened the Dependabot pipeline, and merged the React 19.2.5 bump along with a clutch of smaller dep bumps.
Developer Journal
Security quick wins (#1151)
Three small-but-meaningful security changes packaged together:
Password complexity — the existing password rule was "≥ 8 chars." Added the standard complexity bar: minimum 12 characters, at least one uppercase + lowercase + digit + symbol, no reuse of the last 5 passwords, and a rejection list seeded from the top 10k common passwords. Applied on registration, password change, and admin-assigned resets. Existing accounts don't get force-migrated — the check runs on next password change.
Private-by-default for targets — the target create form had a "Share with" box that defaulted to the current user's sharing group. Flipped the default to private (empty) with a visible opt-in for sharing. "Fail closed" on sharing is the right default.
Proxy trust — the .NET gateway was trusting X-Forwarded-For from any upstream, which breaks rate limiting and audit logging if the gateway is ever reachable directly. Tightened to only trust forwarded headers from a configurable list of upstream IPs (defaulting to the docker-compose internal network). Production deploys configure this to the real reverse-proxy IP range.
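For the proxy trust change, this is one way to express the restriction in an ASP.NET Core gateway (an added example, not the project's own code): the `Gateway:TrustedProxies` configuration key and the `172.18.0.0/16` default are assumed stand-ins for the docker-compose internal network.

```csharp
// Added example (not the project's code). Configuration key "Gateway:TrustedProxies"
// and the default range 172.18.0.0/16 are assumptions standing in for the
// docker-compose internal network; production sets the real reverse-proxy range.
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Entries may be single addresses ("10.0.0.5") or CIDR ranges ("172.18.0.0/16").
string[] trustedProxies = builder.Configuration
    .GetSection("Gateway:TrustedProxies").Get<string[]>()
    ?? new[] { "172.18.0.0/16" };

// Refuse to start with an empty list: the middleware treats "no known proxies"
// as "trust every peer", which is exactly the bug being fixed.
if (trustedProxies.Length == 0)
    throw new InvalidOperationException("Gateway:TrustedProxies must list at least one proxy.");

builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.ForwardLimit = 1;          // honour only the nearest proxy's entry (the default)
    options.KnownProxies.Clear();      // drop the built-in loopback defaults
    options.KnownNetworks.Clear();
    foreach (var entry in trustedProxies)
    {
        var slash = entry.IndexOf('/');
        if (slash < 0)
        {
            options.KnownProxies.Add(IPAddress.Parse(entry));
            continue;
        }
        var prefix = IPAddress.Parse(entry[..slash]);
        var prefixLength = int.Parse(entry[(slash + 1)..]);
        // Fully qualified: System.Net also defines an IPNetwork type on newer runtimes.
        options.KnownNetworks.Add(new Microsoft.AspNetCore.HttpOverrides.IPNetwork(prefix, prefixLength));
    }
});

var app = builder.Build();
// Must run before rate limiting and audit logging, which read RemoteIpAddress.
app.UseForwardedHeaders();
app.MapGet("/whoami", (HttpContext ctx) => ctx.Connection.RemoteIpAddress?.ToString());
app.Run();
```

Clearing `KnownProxies` and `KnownNetworks` without adding any entry disables the source check entirely, so the startup guard above is what keeps a misconfigured deployment failing closed.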
Harden Dependabot pipeline (#1135)
Three Dependabot workflow tweaks:
- Exempt body checks — the PR-body-validator hook was rejecting Dependabot PRs because they don't have a populated Test Plan. Added an exemption for PRs authored by `dependabot[bot]` so the CI required checks don't spin on body formatting.
- Group React — `react`, `react-dom`, and `@types/react` now update together as a single grouped PR. Previously they'd land as three separate PRs, each failing CI because the types wouldn't match the runtime until all three were bumped.
- Commit prefix normalization — Dependabot was emitting inconsistent prefixes (`chore(deps)`, `deps`, and sometimes none). Standardized to `chore(deps):` for runtime deps and `chore(deps-dev):` for dev deps. Follows our conventional commit standard.
React 19.2.5 (#1134)
The grouped React bump from the new config landed clean — bundle size moved a few kb, no runtime behavior changes, and the stricter type narrowing didn't surface any new issues (the TypeScript 6 bump from last week had already shaken those out).
Other deps
- #1167 — pydantic (processing-engine)
- #1169 — eslint (frontend)
- #1171 — @rollup/rollup-linux-x64-gnu
- #1127 — @typescript-eslint/eslint-plugin
What shipped
| PR | Title |
|---|---|
| #1171 | chore(deps)(deps): bump @rollup/rollup-linux-x64-gnu |
| #1169 | chore(deps-dev)(deps-dev): bump eslint in /frontend/jwst-frontend |
| #1167 | chore(deps)(deps): bump pydantic in /processing-engine |
| #1151 | fix: security quick wins — password complexity, private-by-default, proxy trust |
| #1135 | ci: harden Dependabot — exempt body checks, group react, set commit prefixes |
| #1134 | chore(deps): bump react and react-dom to 19.2.5 |
| #1127 | chore(deps-dev): Bump @typescript-eslint/eslint-plugin |