Fix/issue 161 165 sync improvements #166

Open
arunavo4 wants to merge 2 commits into main from fix/issue-161-165-sync-improvements

Conversation

@arunavo4 (Collaborator)

No description provided.

…161, #165)

## Issues Fixed

### Issue #161: Incorrect open/closed status after import
- Root cause: Gitea API creates issues as open first, then closes them in a separate step
- This two-step process can fail silently due to rate limiting or API errors
- Solution: Added explicit verification after issue creation
  - If closed state wasn't applied, use PATCH to explicitly close the issue
  - Added comprehensive error handling and logging
  - Applied same fix to both issue and PR mirroring paths

### Issue #165: New issues/PRs not syncing after initial mirror
- Root cause: Boolean flags (issues: true) prevented subsequent syncs
- Once marked as "mirrored", new/updated items were permanently skipped
- Solution: Implemented incremental sync with timestamp tracking
  - Track componentLastSynced timestamps for each metadata component
  - Use GitHub's 'since' parameter to fetch only updated items
  - Implement duplicate detection to prevent creating duplicates
  - Update timestamps only after successful sync

## Optimizations

- **Efficient duplicate detection**: Uses 'since' parameter when fetching existing Gitea issues
  - Reduces API calls by only checking recently updated issues
  - Significantly faster for repos with many issues (100s or 1000s)
  - Reduces pagination overhead

- **Improved PR detection**: Uses PR number extraction (regex) instead of title matching
  - More robust against PR status/title changes
  - Handles "[PR #123]", "[PR #123] [MERGED]", etc.

- **Pagination with safety limits**: Max 10 pages (1000 items) to balance completeness and performance

## Edge Cases Handled

1. Network timeouts between create and close operations
2. Rate limiting during two-step issue creation
3. Large repos with >1000 issues/PRs
4. PR status changes affecting title format
5. Timestamp updates only on successful sync (prevents missed items on failures)

## Testing

- All 111 tests passing
- Verified alignment with Gitea v1.25.3 and v1.26.0-dev source code
- Tested incremental sync behavior with timestamp tracking

## Files Changed

- src/lib/metadata-state.ts: Added componentLastSynced timestamps
- src/lib/gitea.ts: Status verification, incremental sync, optimized duplicate detection
- src/lib/gitea-enhanced.ts: Timestamp management and incremental sync orchestration
- Bump version to 3.10.0
- Update Astro to 5.16.9 (from 5.16.4)
- Update Better Auth to 1.4.12 (from 1.4.5)
- Update React to 19.2.3 (from 19.2.1)
- Update Tailwind CSS to 4.1.18 (from 4.1.17)
- Update Drizzle ORM to 0.45.1 (from 0.44.7)
- Update Zod to 4.3.5 (from 4.1.13)
- Update other minor dependencies (lucide-react, types, etc.)
- Update Bun to 1.3.6 (from 1.3.3)

All tests passing (111 pass, 4 skip, 0 fail)
@arunavo4 arunavo4 self-assigned this Jan 13, 2026
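The sync logic the commit message above describes (create-then-verify with an explicit PATCH, a per-component `componentLastSynced` timestamp that only advances after a successful run, duplicate detection by PR number extracted from the mirrored title, and capped pagination), as an added TypeScript example. It is not code from this PR or from gitea-mirror: `MirrorClient`, `FakeMirror`, `listAll`, `createWithVerifiedState`, `syncPrs` and the sample items are hypothetical stand-ins for the Gitea and GitHub API calls, and the test double drops the first `close()` call to emulate the silent failure behind issue #161.

```typescript
// Added example, not gitea-mirror's code: a minimal model of the sync fixes described in the
// commit message (verify-after-create with an explicit PATCH, incremental sync keyed by a
// per-component timestamp that only advances on success, duplicate detection by PR number,
// capped pagination). MirrorClient and FakeMirror are hypothetical stand-ins for the Gitea API.
export type IssueState = "open" | "closed";
export interface SourceItem { number: number; title: string; state: IssueState; updated_at: string }
export interface MirrorIssue { id: number; title: string; state: IssueState }

export interface MirrorClient {
  list(page: number, limit: number): MirrorIssue[];
  create(title: string): MirrorIssue;              // Gitea always creates as "open"
  close(id: number): void;                         // separate step; may be dropped silently
  patch(id: number, body: { state: IssueState }): MirrorIssue;
  get(id: number): MirrorIssue;
}

// "[PR #123] title" or "[PR #123] [MERGED] title" -> 123; anything else -> null.
export function extractPrNumber(title: string): number | null {
  const m = /^\[PR #(\d+)\]/.exec(title);
  return m ? Number(m[1]) : null;
}

// Page through the list endpoint with a hard cap so a huge repo cannot make a sync unbounded.
export function listAll(client: MirrorClient, limit = 100, maxPages = 10): MirrorIssue[] {
  const out: MirrorIssue[] = [];
  for (let page = 1; page <= maxPages; page++) {
    const batch = client.list(page, limit);
    out.push(...batch);
    if (batch.length < limit) break;
  }
  return out;
}

// Create, apply the wanted state, read it back, and PATCH explicitly if the close step was lost.
export function createWithVerifiedState(client: MirrorClient, title: string, want: IssueState): MirrorIssue {
  const created = client.create(title);
  if (want === "closed") client.close(created.id);
  const actual = client.get(created.id);
  return actual.state === want ? actual : client.patch(created.id, { state: want });
}

export interface SyncState { componentLastSynced?: string }

// Mirror source PRs updated since the last successful run. `startedAt` is captured by the caller
// before fetching `source`, so an item updated while the run is in progress is retried next time.
export function syncPrs(source: SourceItem[], client: MirrorClient, state: SyncState, startedAt: string) {
  const since = state.componentLastSynced;
  // ISO-8601 UTC timestamps (the format GitHub's `since` takes) order correctly as plain strings.
  const fresh = source.filter(i => since === undefined || i.updated_at > since);

  // Duplicate index over everything already mirrored (within the page cap), keyed by PR number.
  const existing = new Set<number>();
  for (const m of listAll(client)) {
    const n = extractPrNumber(m.title);
    if (n !== null) existing.add(n);
  }

  let created = 0, skipped = 0;
  for (const pr of fresh) {
    if (existing.has(pr.number)) { skipped++; continue; }
    createWithVerifiedState(client, `[PR #${pr.number}] ${pr.title}`, pr.state);
    existing.add(pr.number);
    created++;
  }
  // Reached only if every item succeeded; a thrown error leaves the old timestamp in place.
  state.componentLastSynced = startedAt;
  return { created, skipped };
}

// In-memory stand-in for Gitea that drops the first close() call, as a rate-limited API might.
export class FakeMirror implements MirrorClient {
  private issues: MirrorIssue[] = [];
  private droppedClose = false;
  list(page: number, limit: number) { return this.issues.slice((page - 1) * limit, page * limit); }
  create(title: string) { const issue: MirrorIssue = { id: this.issues.length + 1, title, state: "open" }; this.issues.push(issue); return issue; }
  close(id: number) {
    if (!this.droppedClose) { this.droppedClose = true; return; }  // silent failure, once
    this.get(id).state = "closed";
  }
  patch(id: number, body: { state: IssueState }) { const i = this.get(id); i.state = body.state; return i; }
  get(id: number) { const i = this.issues.find(x => x.id === id); if (!i) throw new Error(`no issue ${id}`); return i; }
}

// Two runs over constructed sample data: the second must skip the updated PR 8 and add PR 9 only.
export function demo() {
  const pr7: SourceItem = { number: 7, title: "first", state: "closed", updated_at: "2026-01-01T00:00:00Z" };
  const pr8: SourceItem = { number: 8, title: "second", state: "open", updated_at: "2026-01-02T00:00:00Z" };
  const source = [pr7, pr8];
  const mirror = new FakeMirror();
  const state: SyncState = {};
  const first = syncPrs(source, mirror, state, "2026-01-03T00:00:00Z");
  pr8.updated_at = "2026-01-04T00:00:00Z";   // PR 8 changed upstream after the first run
  source.push({ number: 9, title: "third", state: "open", updated_at: "2026-01-04T01:00:00Z" });
  const second = syncPrs(source, mirror, state, "2026-01-05T00:00:00Z");
  return { first, second, pr7State: mirror.get(1).state, mirrored: listAll(mirror).length, lastSynced: state.componentLastSynced };
}
```

Two choices in this example deliberately differ from the optimization listed in the commit message and are worth weighing before adopting it. The duplicate index is built from every mirrored item within the page cap rather than only those the Gitea side reports as updated since the last sync: a mirror copy that has not changed on Gitea since `since` would otherwise be invisible to the check even though its source item was updated upstream, and would be recreated. And the timestamp written on success is the time captured before the source fetch, not the time the run finished, so an item updated while the run was in progress is retried next time instead of being skipped.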
@cloudflare-workers-and-pages

Deploying gitea-mirror-website with Cloudflare Pages

Latest commit: 723b4f4
Status: ✅  Deploy successful!
Preview URL: https://cd0d1f83.gitea-mirror-website.pages.dev
Branch Preview URL: https://fix-issue-161-165-sync-impro.gitea-mirror-website.pages.dev


@github-actions

🐳 Docker Image Built Successfully

Your PR image is available for testing:

Image Tag: pr-166
Full Image Path: ghcr.io/raylabshq/gitea-mirror:pr-166

Pull and Test

```shell
docker pull ghcr.io/raylabshq/gitea-mirror:pr-166
docker run -d \
  -p 4321:4321 \
  -e BETTER_AUTH_SECRET=your-secret-here \
  -e BETTER_AUTH_URL=http://localhost:4321 \
  --name gitea-mirror-test \
  ghcr.io/raylabshq/gitea-mirror:pr-166
```

Docker Compose Testing

```yaml
services:
  gitea-mirror:
    image: ghcr.io/raylabshq/gitea-mirror:pr-166
    ports:
      - "4321:4321"
    environment:
      - BETTER_AUTH_SECRET=your-secret-here
      - BETTER_AUTH_URL=http://localhost:4321
      - BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:4321
```

💡 Note: PR images are tagged as pr-<number> and built for both linux/amd64 and linux/arm64.
Production images (latest, version tags) use the same multi-platform set.



@github-actions

🔍 Vulnerabilities of gitea-mirror:scan

📦 Image Reference: gitea-mirror:scan
  • digest: sha256:8ad42c66cb55e8eae3fbfe3ded97f465e94d192bf57ec750d0f32b090151ee53
  • vulnerabilities: critical: 0 high: 9 medium: 0 low: 0
  • platform: linux/amd64
  • size: 380 MB
  • packages: 969
📦 Base Image: debian:bookworm
  • also known as: bookworm-20251117
  • digest: sha256:9d8be01b7374ef07c68468882782c1226c532f39145f46ad969b6fbd414ab730
  • vulnerabilities: critical: 0 high: 2 medium: 2 low: 22
critical: 0 high: 5 medium: 0 low: 0 stdlib 1.23.12 (golang)

pkg:golang/stdlib@1.23.12

high: CVE-2025-61729

Affected range: <1.24.11
Fixed version: 1.24.11
EPSS Score: 0.015% (2nd percentile)
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high: CVE-2025-61725

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.031% (8th percentile)
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high: CVE-2025-61723

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.031% (8th percentile)
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high: CVE-2025-58188

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.016% (3rd percentile)
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high: CVE-2025-58187

Affected range: <1.24.9
Fixed version: 1.24.9
EPSS Score: 0.016% (3rd percentile)
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

critical: 0 high: 2 medium: 0 low: 0 node-forge 1.3.1 (npm)

pkg:npm/node-forge@1.3.1

high 8.7: CVE-2025-66031 Uncontrolled Recursion

Affected range: <1.3.2
Fixed version: 1.3.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.110% (30th percentile)
Description

Summary

An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.

Details

An ASN.1 Denial of Service (DoS) vulnerability exists in the node-forge asn1.fromDer function within forge/lib/asn1.js. The ASN.1 DER parser implementation (_fromDer) recurses for every constructed ASN.1 value (SEQUENCE, SET, etc.) and lacks a guard limiting recursion depth. An attacker can craft a small DER blob containing a very large nesting depth of constructed TLVs which causes the Node.js V8 engine to exhaust its call stack and throw RangeError: Maximum call stack size exceeded, crashing or incapacitating the process handling the parse. This is a remote, low-cost Denial-of-Service against applications that parse untrusted ASN.1 objects.

Impact

This vulnerability enables an unauthenticated attacker to reliably crash a server or client using node-forge for TLS connections or certificate parsing.

This vulnerability impacts the asn1.fromDer function in node-forge before patched version 1.3.2.

Any downstream application using this component is impacted. These components may be leveraged by downstream applications in ways that enable full compromise of availability.

high 8.7: CVE-2025-12816 Interpretation Conflict

Affected range: <1.3.2
Fixed version: 1.3.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.057% (18th percentile)
Description

Summary

CVE-2025-12816 has been reserved by CERT/CC.

An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Details

A critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within forge/lib/asn1.js. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.

This vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).

Impact

This flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.

This vulnerability impacts the asn1.validate function in node-forge before patched version 1.3.2 (https://github.com/digitalbazaar/forge/blob/main/lib/asn1.js).

The following components in node-forge are impacted.
lib/asn1.js
lib/x509.js
lib/pkcs12.js
lib/pkcs7.js
lib/rsa.js
lib/pbe.js
lib/ed25519.js

Any downstream application using these components is impacted.

These components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.

critical: 0 high: 1 medium: 0 low: 0 gnupg2 2.2.40-1.1+deb12u1 (deb)

pkg:deb/debian/gnupg2@2.2.40-1.1%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

high: CVE-2025-68973

Affected range: <2.2.40-1.1+deb12u2
Fixed version: 2.2.40-1.1+deb12u2
EPSS Score: 0.012% (1st percentile)
Description

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)


critical: 0 high: 1 medium: 0 low: 0 pam 1.5.2-6+deb12u1 (deb)

pkg:deb/debian/pam@1.5.2-6%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

high: CVE-2025-6020

Affected range: <1.5.2-6+deb12u2
Fixed version: 1.5.2-6+deb12u2
EPSS Score: 0.037% (11th percentile)
Description

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.


[experimental] - pam 1.7.0-4

@github-actions

Recommended fixes for local gitea-mirror:scan

Base image is debian:bookworm

  • Name: bookworm-20251117
  • Digest: sha256:9d8be01b7374ef07c68468882782c1226c532f39145f46ad969b6fbd414ab730
  • Vulnerabilities: critical: 0 high: 2 medium: 2 low: 22
  • Pushed: 1 month ago
  • Size: 48 MB
  • Packages: 126
  • Flavor: debian
  • OS: 12

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.
bookworm (newer image for same tag, pushed 1 day ago)
Also known as:
  • 12.13
  • 12
  • bookworm-20260112
Benefits:
  • Same OS detected
  • Newer image for same tag
  • Tag was pushed more recently
  • Image has similar size
  • Image contains equal number of packages
  • bookworm was pulled 14K times last month
Image details:
  • Size: 48 MB
  • Flavor: debian
  • OS: 12



Change base image

stable-slim (preferred tag, pushed 1 day ago)
Also known as:
  • stable-20260112-slim
Benefits:
  • Same OS detected
  • Image is smaller by 18 MB
  • Image contains 15 fewer packages
  • Tag is preferred tag
  • Tag was pushed more recently
  • Image introduces no new vulnerability but removes 5
  • Tag is using slim variant
  • stable-slim is the fourth most popular tag with 46K pulls per month
Image details:
  • Size: 30 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅

stable (introduces no new vulnerability but removes 5, pushed 1 day ago)
Also known as:
  • stable-20260112
Benefits:
  • Same OS detected
  • Image contains 15 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 5
  • stable is the 7th most popular tag with 32K pulls per month
Image details:
  • Size: 49 MB
  • Flavor: debian
  • OS: 12

bookworm-slim (introduces 2 low vulnerabilities, pushed 1 day ago)
Also known as:
  • 12.13-slim
  • 12-slim
  • bookworm-20260112-slim
Benefits:
  • Same OS detected
  • Image is smaller by 19 MB
  • Tag was pushed more recently
  • Image contains equal number of packages
  • Tag is using slim variant
  • bookworm-slim was pulled 13K times last month
Image details:
  • Size: 28 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅

testing-slim (major OS version update, pushed 1 day ago)
Also known as:
  • testing-20260112-slim
Benefits:
  • Same OS detected
  • Image is smaller by 18 MB
  • Image contains 17 fewer packages
  • Tag was pushed more recently
  • Image introduces no new vulnerability but removes 8
  • Major OS version update
  • Tag is using slim variant
  • testing-slim is the sixth most popular tag with 33K pulls per month
Image details:
  • Size: 29 MB
  • Flavor: debian
  • OS: 13
  • Slim: ✅

sid-slim (major OS version update, pushed 1 day ago)
Also known as:
  • sid-20260112-slim
Benefits:
  • Same OS detected
  • Image is smaller by 18 MB
  • Image contains 17 fewer packages
  • Tag was pushed more recently
  • Image introduces no new vulnerability but removes 5
  • Major OS version update
  • Tag is using slim variant
  • sid-slim is the 9th most popular tag with 15K pulls per month
Image details:
  • Size: 29 MB
  • Flavor: debian
  • OS: 13
  • Slim: ✅

testing (major OS version update, pushed 1 day ago)
Also known as:
  • testing-20260112
Benefits:
  • Same OS detected
  • Image contains 17 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 8
  • Major OS version update
  • testing is the 8th most popular tag with 18K pulls per month
Image details:
  • Size: 49 MB
  • Flavor: debian
  • OS: 13

sid (major OS version update, pushed 1 day ago)
Also known as:
  • sid-20260112
Benefits:
  • Same OS detected
  • Image contains 17 fewer packages
  • Tag was pushed more recently
  • Image has similar size
  • Image introduces no new vulnerability but removes 5
  • Major OS version update
  • sid was pulled 5.3K times last month
Image details:
  • Size: 49 MB
  • Flavor: debian
  • OS: 13



@github-actions

Overview: ghcr.io/raylabshq/gitea-mirror:latest compared with gitea-mirror:scan

| | ghcr.io/raylabshq/gitea-mirror:latest | gitea-mirror:scan |
|---|---|---|
| digest | ff1933e3d9c4 | 8ad42c66cb55 |
| tag | latest | scan |
| provenance | 723b4f4 | oven-sh/bun@abb1b0c |
| vulnerabilities | critical: 0 high: 9 medium: 11 low: 77 | critical: 0 high: 9 medium: 11 low: 77 |
| platform | linux/amd64 | linux/amd64 |
| size | 329 MB | 380 MB (+51 MB) |
| packages | 969 | 969 |
| base image | debian:bookworm | debian:bookworm |
| base image vulnerabilities | critical: 0 high: 2 medium: 2 low: 22 | critical: 0 high: 2 medium: 2 low: 22 |

Labels (8 changed):
-org.opencontainers.image.created=2026-01-13T08:07:57.125Z
+org.opencontainers.image.created=2025-11-21T19:33:53.930Z
-org.opencontainers.image.description=Gitea Mirror auto-syncs GitHub repos to your self-hosted Gitea/Forgejo, with a sleek Web UI and easy Docker deployment.
+org.opencontainers.image.description=Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
-org.opencontainers.image.licenses=AGPL-3.0
+org.opencontainers.image.licenses=NOASSERTION
-org.opencontainers.image.revision=723b4f4dc6866c05846084ba86de24c7389fd3c5
+org.opencontainers.image.revision=abb1b0c4d75acabf1742b951a1f739068c94a7bd
-org.opencontainers.image.source=https://github.com/RayLabsHQ/gitea-mirror
+org.opencontainers.image.source=https://github.com/oven-sh/bun
-org.opencontainers.image.title=gitea-mirror
+org.opencontainers.image.title=bun
-org.opencontainers.image.url=https://github.com/RayLabsHQ/gitea-mirror
+org.opencontainers.image.url=https://github.com/oven-sh/bun
-org.opencontainers.image.version=pr-166
+org.opencontainers.image.version=1.3.3-debian

Labels: None yet
Projects: None yet
1 participant