diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
index 691f74c..d5c2a42 100644
--- a/.github/workflows/secret-scan.yml
+++ b/.github/workflows/secret-scan.yml
@@ -14,10 +14,10 @@ on:
jobs:
gitleaks-scan:
+ if: github.actor != 'dependabot[bot]'
runs-on: ubuntu-24.04
permissions:
contents: read
- security-events: write
issues: write
env:
CODEQL_ACTION_ANALYSIS_KEY: gitleaks
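Review bot: The job-level `if: github.actor != 'dependabot[bot]'` switches secret scanning off entirely for Dependabot pull requests, when only the steps that need the unavailable secret have to be skipped. `github.actor` names the account that triggered the run, not the PR author, so `github.event.pull_request.user.login` is the steadier field if the intent is "PRs opened by Dependabot". Consider gating just the secret-dependent steps, or providing the licence value as a Dependabot secret so the scan still runs. Separately, `CODEQL_ACTION_ANALYSIS_KEY` is still set under `env:` although `security-events: write` was dropped. If no SARIF upload remains in the part of the job outside this hunk, that variable looks like a leftover.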
@@ -49,7 +49,7 @@ jobs:
# (either not a PR, or a PR from the same repo)
# ---------------------------------------------------------------------
- name: Upload Gitleaks Report
- if: always() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+ if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: actions/upload-artifact@v6
with:
name: gitleaks-report
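Review bot: The `gitleaks-report` artifact uploaded here is kept for the retention period, and if this repository is public, any signed-in user can download it. The comment further down treats the step summary as needing redaction, so the same care applies here: confirm the scan writes this report with redaction enabled, and consider a short `retention-days` on the step. `actions/upload-artifact@v6` (and `actions/github-script@v7` in a later hunk) are referenced by mutable tag; pinning them to a full commit SHA is the usual hardening for a job that holds `issues: write`. The `with:` block continues past the end of this hunk.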
@@ -59,6 +59,10 @@ jobs:
# LAYER 1: Output redaction
# Public-safe summary – shows only secret descriptions, hides file paths.
# ---------------------------------------------------------------------
+ - name: Ensure jq is installed
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+ run: sudo apt-get update && sudo apt-get install -y jq
+
- name: Post Gitleaks summary
if: always()
run: |
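Review bot: The new `Ensure jq is installed` step has no status function in its `if:`, so it carries the implicit `success()` and is skipped whenever an earlier step has failed. Assuming the scan step runs before it and fails on findings, that is exactly the run where `Post Gitleaks summary` (`if: always()`) has something to report. The summary also runs for fork PRs, where this install is gated off, so the two conditions do not line up. If the summary relies on `jq`, give the install the same `if: always()`; installing a package uses no secret or token, so the trust gate protects nothing here. GitHub-hosted Ubuntu images normally ship `jq` already, so the step may be removable altogether.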
@@ -91,7 +95,7 @@ jobs:
# Create issue only in trusted repo context (avoids using tokens on forks)
# ---------------------------------------------------------------------
- name: Create issue for detected secrets
- if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+ if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: actions/github-script@v7
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
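Review bot: `failure()` is true when any earlier step failed, not only the scan. With this commit, a failed `apt-get` in the new `Ensure jq is installed` step (or a failed artifact upload) would therefore open a "detected secrets" issue. The same applies to `Send ntfy notification` in the next hunk. Keying both on the scan step's own result avoids the false alarm, e.g. `if: always() && steps.<scan-step-id>.outcome == 'failure' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`. Here `<scan-step-id>` is a placeholder for the Gitleaks step's id, which this diff does not show; the `with:` block of this step continues outside the hunk.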
@@ -111,7 +115,7 @@ jobs:
# Send ntfy alert only for trusted repo context.
# ---------------------------------------------------------------------
- name: Send ntfy notification
- if: failure() && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
+ if: failure() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
run: |
curl -d "🚨 Gitleaks found secrets in repo: $GITHUB_REPOSITORY on commit $GITHUB_SHA" \
- https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}
+ https://ntfy.neteng.pro/${{ secrets.NTFY_TOPIC }}
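Review bot: `${{ secrets.NTFY_TOPIC }}` is expanded into the script text before the shell runs. Passing it through the step's `env:` keeps the value out of the rendered script and lets the URL be quoted: add `NTFY_TOPIC: ${{ secrets.NTFY_TOPIC }}` under `env:` and use `"https://ntfy.neteng.pro/${NTFY_TOPIC}"` in the command. The `curl` call also has no `--fail` or `--max-time`, so an HTTP error from the ntfy server still reports a successful step and a hung connection stalls the job. `curl --fail --silent --show-error --max-time 10 -d ...` would surface both (the timeout value is only a suggestion). The only change on the URL line itself is whitespace.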
diff --git a/.gitignore b/.gitignore
index dba39b8..508d190 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,8 +15,7 @@ devices-list.json
# SvelteKit
-.svelte-kit/*
-!.svelte-kit/tsconfig.json
+.svelte-kit
# Lighthouse
.lighthouseci
diff --git a/.svelte-kit/tsconfig.json b/.svelte-kit/tsconfig.json
deleted file mode 100644
index 64aad07..0000000
--- a/.svelte-kit/tsconfig.json
+++ /dev/null
@@ -1,52 +0,0 @@
-{
- "compilerOptions": {
- "paths": {
- "$lib": [
- "../src/lib"
- ],
- "$lib/*": [
- "../src/lib/*"
- ],
- "$app/types": [
- "./types/index.d.ts"
- ]
- },
- "rootDirs": [
- "..",
- "./types"
- ],
- "verbatimModuleSyntax": true,
- "isolatedModules": true,
- "lib": [
- "esnext",
- "DOM",
- "DOM.Iterable"
- ],
- "moduleResolution": "bundler",
- "module": "esnext",
- "noEmit": true,
- "target": "esnext"
- },
- "include": [
- "ambient.d.ts",
- "non-ambient.d.ts",
- "./types/**/$types.d.ts",
- "../vite.config.js",
- "../vite.config.ts",
- "../src/**/*.js",
- "../src/**/*.ts",
- "../src/**/*.svelte",
- "../tests/**/*.js",
- "../tests/**/*.ts",
- "../tests/**/*.svelte"
- ],
- "exclude": [
- "../node_modules/**",
- "../src/service-worker.js",
- "../src/service-worker/**/*.js",
- "../src/service-worker.ts",
- "../src/service-worker/**/*.ts",
- "../src/service-worker.d.ts",
- "../src/service-worker/**/*.d.ts"
- ]
-}
\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6035bc..82b6344 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,37 @@ version increments reflecting both user-visible and operational impact.
---
+## [1.25.22] - 2026-01-01
+
+### Added
+
+- Conditional guards to ensure artifacts, issues, and external notifications are only created when workflows run in a trusted context (non-PR runs or PRs originating from the same repository).
+- Redacted, public-safe Gitleaks scan summaries in GitHub Actions step output to prevent accidental exposure of sensitive file paths or values.
+- Optional installation of `jq` gated to trusted execution contexts to support future structured output (e.g., SARIF) while preserving fork safety.
+
+### Changed
+
+- Updated the Gitleaks secret scanning workflow to explicitly exclude Dependabot pull requests, avoiding failures caused by unavailable organization secrets in bot-triggered PRs.
+- Refined workflow trust boundaries to distinguish between forked pull requests and trusted repository contexts.
+- Updated `.gitignore` to stop tracking generated `.svelte-kit` files.
+- Bumped project version to `v1.25.22`.
+- Updated dependencies:
+ - `stylelint-order` `^7.0.0` → `^7.0.1`
+ - `posthog-js` `^1.310.1` → `^1.313.0`
+ - `globals` `^16.5.0` → `^17.0.0`
+
+### Removed
+
+- Removed Mastodon verification in `src/routes/posts/+page.svelte`, as it was not functioning properly. This route will remain unverified.
+
+### Security
+
+- Hardened secret-handling logic in CI by preventing the use of organization-level secrets, write permissions, and external notifications in untrusted pull request contexts.
+- Ensured Gitleaks license usage is restricted to safe execution paths, eliminating false-negative or false-positive failures caused by GitHub Actions secret scoping rules.
+- Added transitive dependency override for `qs` to `^6.14.1`, in order to address CVE-2025-15284.
+
+---
+
## [1.25.21] - 2025-12-27
### Added
@@ -2090,7 +2121,7 @@ This enables analytics filtering and CSP hardening for the audit environment.
---
-## 1.12.0 – 2025-06-04
+## [1.12.0] – 2025-06-04
### Added
@@ -2118,7 +2149,8 @@ This enables analytics filtering and CSP hardening for the audit environment.
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.21...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.25.22...HEAD
+[1.25.22]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.22
[1.25.21]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.21
[1.25.20]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.20
[1.25.19]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.25.19
@@ -2190,5 +2222,6 @@ This enables analytics filtering and CSP hardening for the audit environment.
[1.12.4]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.4
[1.12.3]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.3
[1.12.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.1
+[1.12.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.12.0
diff --git a/package-lock.json b/package-lock.json
index f86bc07..aa95822 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,17 +1,17 @@
{
"name": "@networkpro/web",
- "version": "1.25.21",
+ "version": "1.25.22",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "@networkpro/web",
- "version": "1.25.21",
+ "version": "1.25.22",
"hasInstallScript": true,
"license": "CC-BY-4.0 OR GPL-3.0-or-later",
"dependencies": {
"dompurify": "^3.3.1",
- "posthog-js": "^1.310.1",
+ "posthog-js": "^1.313.0",
"semver": "^7.7.3",
"svelte": "5.46.1"
},
@@ -33,7 +33,7 @@
"eslint-config-prettier": "^10.1.8",
"eslint-plugin-jsdoc": "^61.5.0",
"eslint-plugin-svelte": "^3.13.1",
- "globals": "^16.5.0",
+ "globals": "^17.0.0",
"globby": "^16.1.0",
"jsdom": "27.4.0",
"lightningcss": "^1.30.2",
@@ -48,7 +48,7 @@
"stylelint": "^16.26.1",
"stylelint-config-html": "^1.1.0",
"stylelint-config-recommended": "^17.0.0",
- "stylelint-order": "^7.0.0",
+ "stylelint-order": "^7.0.1",
"svelte-check": "^4.3.5",
"svelte-eslint-parser": "^1.4.1",
"svelte-preprocess": "^6.0.3",
@@ -936,9 +936,9 @@
}
},
"node_modules/@eslint-community/eslint-utils": {
- "version": "4.9.0",
- "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.9.0.tgz",
- "integrity": "sha512-ayVFHdtZ+hsq1t2Dy24wCmGXGe4q9Gu3smhLYALJrr473ZH27MsnSL+LKUlimp4BWJqMDMLmPpx/Q9R3OAlL4g==",
+ "version": "4.9.1",
+ "resolved": "https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.9.1.tgz",
+ "integrity": "sha512-phrYmNiYppR7znFEdqgfWHXR6NCkZEK7hwWDHZUjit/2/U0r6XvkDl0SYnoM51Hq7FhCGdLDT6zxCCOY1hexsQ==",
"dev": true,
"license": "MIT",
"dependencies": {
@@ -1140,9 +1140,9 @@
}
},
"node_modules/@exodus/bytes": {
- "version": "1.6.0",
- "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.6.0.tgz",
- "integrity": "sha512-y32mI9627q5LR/L8fLc4YyDRJQOi+jK0D9okzLilAdiU3F9we3zC7Y7CFrR/8vAvUyv7FgBAYcNHtvbmhKCFcw==",
+ "version": "1.7.0",
+ "resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.7.0.tgz",
+ "integrity": "sha512-5i+BtvujK/vM07YCGDyz4C4AyDzLmhxHMtM5HpUyPRtJPBdFPsj290ffXW+UXY21/G7GtXeHD2nRmq0T1ShyQQ==",
"dev": true,
"license": "MIT",
"engines": {
@@ -2495,9 +2495,9 @@
}
},
"node_modules/@typescript-eslint/types": {
- "version": "8.50.1",
- "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.50.1.tgz",
- "integrity": "sha512-v5lFIS2feTkNyMhd7AucE/9j/4V9v5iIbpVRncjk/K0sQ6Sb+Np9fgYS/63n6nwqahHQvbmujeBL7mp07Q9mlA==",
+ "version": "8.51.0",
+ "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.51.0.tgz",
+ "integrity": "sha512-TizAvWYFM6sSscmEakjY3sPqGwxZRSywSsPEiuZF6d5GmGD9Gvlsv0f6N8FvAAA0CD06l3rIcWNbsN1e5F/9Ag==",
"dev": true,
"license": "MIT",
"engines": {
@@ -3450,9 +3450,9 @@
}
},
"node_modules/caniuse-lite": {
- "version": "1.0.30001761",
- "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001761.tgz",
- "integrity": "sha512-JF9ptu1vP2coz98+5051jZ4PwQgd2ni8A+gYSN7EA7dPKIMf0pDlSUxhdmVOaV3/fYK5uWBkgSXJaRLr4+3A6g==",
+ "version": "1.0.30001762",
+ "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001762.tgz",
+ "integrity": "sha512-PxZwGNvH7Ak8WX5iXzoK1KPZttBXNPuaOvI2ZYU7NrlM+d9Ov+TUvlLOBNGzVXAntMSMMlJPd+jY6ovrVjSmUw==",
"dev": true,
"funding": [
{
@@ -4037,15 +4037,16 @@
}
},
"node_modules/cssstyle": {
- "version": "5.3.5",
- "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-5.3.5.tgz",
- "integrity": "sha512-GlsEptulso7Jg0VaOZ8BXQi3AkYM5BOJKEO/rjMidSCq70FkIC5y0eawrCXeYzxgt3OCf4Ls+eoxN+/05vN0Ag==",
+ "version": "5.3.6",
+ "resolved": "https://registry.npmjs.org/cssstyle/-/cssstyle-5.3.6.tgz",
+ "integrity": "sha512-legscpSpgSAeGEe0TNcai97DKt9Vd9AsAdOL7Uoetb52Ar/8eJm3LIa39qpv8wWzLFlNG4vVvppQM+teaMPj3A==",
"dev": true,
"license": "MIT",
"dependencies": {
"@asamuzakjp/css-color": "^4.1.1",
"@csstools/css-syntax-patches-for-csstree": "^1.0.21",
- "css-tree": "^3.1.0"
+ "css-tree": "^3.1.0",
+ "lru-cache": "^11.2.4"
},
"engines": {
"node": ">=20"
@@ -4958,6 +4959,19 @@
}
}
},
+ "node_modules/eslint-plugin-svelte/node_modules/globals": {
+ "version": "16.5.0",
+ "resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
+ "integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=18"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/sindresorhus"
+ }
+ },
"node_modules/eslint-scope": {
"version": "8.4.0",
"resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-8.4.0.tgz",
@@ -5053,9 +5067,9 @@
}
},
"node_modules/esquery": {
- "version": "1.6.0",
- "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.6.0.tgz",
- "integrity": "sha512-ca9pw9fomFcKPvFLXhBKUK90ZvGibiGOvRJNbjljY7s7uq/5YO4BOzcYtJqExdx99rF6aAcnRxHmcUHcz6sQsg==",
+ "version": "1.7.0",
+ "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.7.0.tgz",
+ "integrity": "sha512-Ap6G0WQwcU/LHsvLwON1fAQX9Zp0A2Y6Y/cJBl9r/JbW90Zyg4/zbG6zzKa2OTALELarYHmKu0GhpM5EO+7T0g==",
"dev": true,
"license": "BSD-3-Clause",
"dependencies": {
@@ -5832,9 +5846,9 @@
}
},
"node_modules/globals": {
- "version": "16.5.0",
- "resolved": "https://registry.npmjs.org/globals/-/globals-16.5.0.tgz",
- "integrity": "sha512-c/c15i26VrJ4IRt5Z89DnIzCGDn9EcebibhAOjw5ibqEHsE1wLUgkPn9RDmNcUKyU87GeaL633nyJ+pplFR2ZQ==",
+ "version": "17.0.0",
+ "resolved": "https://registry.npmjs.org/globals/-/globals-17.0.0.tgz",
+ "integrity": "sha512-gv5BeD2EssA793rlFWVPMMCqefTlpusw6/2TbAVMy0FzcG8wKJn4O+NqJ4+XWmmwrayJgw5TzrmWjFgmz1XPqw==",
"dev": true,
"license": "MIT",
"engines": {
@@ -6008,13 +6022,13 @@
}
},
"node_modules/hashery": {
- "version": "1.3.0",
- "resolved": "https://registry.npmjs.org/hashery/-/hashery-1.3.0.tgz",
- "integrity": "sha512-fWltioiy5zsSAs9ouEnvhsVJeAXRybGCNNv0lvzpzNOSDbULXRy7ivFWwCCv4I5Am6kSo75hmbsCduOoc2/K4w==",
+ "version": "1.4.0",
+ "resolved": "https://registry.npmjs.org/hashery/-/hashery-1.4.0.tgz",
+ "integrity": "sha512-Wn2i1In6XFxl8Az55kkgnFRiAlIAushzh26PTjL2AKtQcEfXrcLa7Hn5QOWGZEf3LU057P9TwwZjFyxfS1VuvQ==",
"dev": true,
"license": "MIT",
"dependencies": {
- "hookified": "^1.13.0"
+ "hookified": "^1.14.0"
},
"engines": {
"node": ">=20"
@@ -10057,9 +10071,9 @@
"license": "MIT"
},
"node_modules/posthog-js": {
- "version": "1.310.1",
- "resolved": "https://registry.npmjs.org/posthog-js/-/posthog-js-1.310.1.tgz",
- "integrity": "sha512-UkR6zzlWNtqHDXHJl2Yk062DOmZyVKTPL5mX4j4V+u3RiYbMHJe47+PpMMUsvK1R2e1r/m9uSlHaJMJRzyUjGg==",
+ "version": "1.313.0",
+ "resolved": "https://registry.npmjs.org/posthog-js/-/posthog-js-1.313.0.tgz",
+ "integrity": "sha512-CL8RkC7m9BTZrix86w0fdnSCVqC/gxrfs6c4Wfkz/CldFD7f2912S2KqnWFmwRVDGIwm9IR82YhublQ88gdDKw==",
"license": "SEE LICENSE IN LICENSE",
"dependencies": {
"@posthog/core": "1.9.0",
@@ -10276,9 +10290,9 @@
}
},
"node_modules/qs": {
- "version": "6.14.0",
- "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.0.tgz",
- "integrity": "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==",
+ "version": "6.14.1",
+ "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz",
+ "integrity": "sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==",
"dev": true,
"license": "BSD-3-Clause",
"dependencies": {
@@ -11630,20 +11644,20 @@
}
},
"node_modules/stylelint-order": {
- "version": "7.0.0",
- "resolved": "https://registry.npmjs.org/stylelint-order/-/stylelint-order-7.0.0.tgz",
- "integrity": "sha512-rSWxx0KscYfxU02wEskKXES9lkRzuuONMMNkZ7SUc6uiF3tDKm7e+sE0Ax/SBlG4TUf1sp1R6f3/SlsPGmzthg==",
+ "version": "7.0.1",
+ "resolved": "https://registry.npmjs.org/stylelint-order/-/stylelint-order-7.0.1.tgz",
+ "integrity": "sha512-GWPei1zBVDDjxM+/BmcSCiOcHNd8rSqW6FUZtqQGlTRpD0Z5nSzspzWD8rtKif5KPdzUG68DApKEV/y/I9VbTw==",
"dev": true,
"license": "MIT",
"dependencies": {
- "postcss": "^8.5.3",
+ "postcss": "^8.5.6",
"postcss-sorting": "^9.1.0"
},
"engines": {
"node": ">=20.19.0"
},
"peerDependencies": {
- "stylelint": "^16.18.0"
+ "stylelint": "^16.18.0 || ^17.0.0"
}
},
"node_modules/stylelint/node_modules/balanced-match": {
diff --git a/package.json b/package.json
index 49e7ee9..56cd8f0 100644
--- a/package.json
+++ b/package.json
@@ -1,12 +1,13 @@
{
"name": "@networkpro/web",
"private": false,
- "version": "1.25.21",
+ "version": "1.25.22",
"description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
"keywords": [
"consulting",
"cybersecurity",
"networking",
+ "policy",
"privacy",
"pwa",
"security",
@@ -85,7 +86,7 @@
},
"dependencies": {
"dompurify": "^3.3.1",
- "posthog-js": "^1.310.1",
+ "posthog-js": "^1.313.0",
"semver": "^7.7.3",
"svelte": "5.46.1"
},
@@ -107,7 +108,7 @@
"eslint-config-prettier": "^10.1.8",
"eslint-plugin-jsdoc": "^61.5.0",
"eslint-plugin-svelte": "^3.13.1",
- "globals": "^16.5.0",
+ "globals": "^17.0.0",
"globby": "^16.1.0",
"jsdom": "27.4.0",
"lightningcss": "^1.30.2",
@@ -122,7 +123,7 @@
"stylelint": "^16.26.1",
"stylelint-config-html": "^1.1.0",
"stylelint-config-recommended": "^17.0.0",
- "stylelint-order": "^7.0.0",
+ "stylelint-order": "^7.0.1",
"svelte-check": "^4.3.5",
"svelte-eslint-parser": "^1.4.1",
"svelte-preprocess": "^6.0.3",
@@ -137,7 +138,8 @@
"cookie": "^1.0.0",
"glob": "^11.1.0",
"js-yaml": "^4.1.1",
- "tar": ">=7.5.2",
- "tmp": ">=0.2.4"
+ "qs": "^6.14.1",
+ "tar": "^7.5.2",
+ "tmp": "^0.2.4"
}
}
diff --git a/src/routes/posts/+page.svelte b/src/routes/posts/+page.svelte
index 6c97ea0..fb5ab78 100644
--- a/src/routes/posts/+page.svelte
+++ b/src/routes/posts/+page.svelte
@@ -45,13 +45,6 @@ This file is part of Network Pro.
});
-
-
-
-
{#if show && target}
{:else}
diff --git a/static/sitemap.xml b/static/sitemap.xml
index 8542742..b472bed 100644
--- a/static/sitemap.xml
+++ b/static/sitemap.xml
@@ -1,5 +1,5 @@
-
+
@@ -7,7 +7,7 @@
https://netwk.pro
- 2025-12-25
+ 2026-01-01
weekly