
Conversation

@arunavo4 (Collaborator) commented Dec 4, 2025

No description provided.

@cloudflare-workers-and-pages bot commented Dec 4, 2025

Deploying gitea-mirror-website with Cloudflare Pages

Latest commit: 2a08ae0
Status: ✅  Deploy successful!
Preview URL: https://62f3cd71.gitea-mirror-website.pages.dev
Branch Preview URL: https://upgrade-packages.gitea-mirror-website.pages.dev

@github-actions bot commented Dec 4, 2025

🐳 Docker Image Built Successfully

Your PR image is available for testing:

Image Tag: pr-158
Full Image Path: ghcr.io/raylabshq/gitea-mirror:pr-158

Pull and Test

docker pull ghcr.io/raylabshq/gitea-mirror:pr-158
docker run -d \
  -p 4321:4321 \
  -e BETTER_AUTH_SECRET=your-secret-here \
  -e BETTER_AUTH_URL=http://localhost:4321 \
  --name gitea-mirror-test ghcr.io/raylabshq/gitea-mirror:pr-158

Docker Compose Testing

services:
  gitea-mirror:
    image: ghcr.io/raylabshq/gitea-mirror:pr-158
    ports:
      - "4321:4321"
    environment:
      - BETTER_AUTH_SECRET=your-secret-here
      - BETTER_AUTH_URL=http://localhost:4321
      - BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:4321

💡 Note: PR images are tagged as pr-<number> and built for both linux/amd64 and linux/arm64.
Production images (latest, version tags) use the same multi-platform set.



@github-actions bot commented Dec 4, 2025

🔍 Vulnerabilities of gitea-mirror:scan

📦 Image Reference: gitea-mirror:scan
  digest: sha256:16c75b680f16edbdc6e4190b3c78a689335f55b0995bd07ebab2954848cf5511
  vulnerabilities: critical: 0 high: 7 medium: 0 low: 0
  platform: linux/amd64
  size: 381 MB
  packages: 981

📦 Base Image: debian:bookworm
  also known as:
    • bookworm-20251117
  digest: sha256:9d8be01b7374ef07c68468882782c1226c532f39145f46ad969b6fbd414ab730
  vulnerabilities: critical: 0 high: 0 medium: 1 low: 24

critical: 0 high: 5 medium: 0 low: 0  stdlib 1.23.12 (golang)

pkg:golang/stdlib@1.23.12

high: CVE-2025-61729

Affected range: <1.24.11
Fixed version: 1.24.11
EPSS Score: 0.012%
EPSS Percentile: 1st percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high: CVE-2025-61725

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.026%
EPSS Percentile: 6th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high: CVE-2025-61723

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.026%
EPSS Percentile: 6th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high: CVE-2025-58188

Affected range: <1.24.8
Fixed version: 1.24.8
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high: CVE-2025-58187

Affected range: <1.24.9
Fixed version: 1.24.9
EPSS Score: 0.014%
EPSS Percentile: 2nd percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

critical: 0 high: 2 medium: 0 low: 0  node-forge 1.3.1 (npm)

pkg:npm/node-forge@1.3.1

high 8.7: CVE-2025-66031 Uncontrolled Recursion

Affected range: <1.3.2
Fixed version: 1.3.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS Score: 0.115%
EPSS Percentile: 31st percentile
Description

Summary

An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft deep ASN.1 structures that trigger unbounded recursive parsing. This leads to a Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs.

Details

An ASN.1 Denial of Service (DoS) vulnerability exists in the node-forge asn1.fromDer function within forge/lib/asn1.js. The ASN.1 DER parser implementation (_fromDer) recurses for every constructed ASN.1 value (SEQUENCE, SET, etc.) and lacks a guard limiting recursion depth. An attacker can craft a small DER blob containing a very large nesting depth of constructed TLVs which causes the Node.js V8 engine to exhaust its call stack and throw RangeError: Maximum call stack size exceeded, crashing or incapacitating the process handling the parse. This is a remote, low-cost Denial-of-Service against applications that parse untrusted ASN.1 objects.

Impact

This vulnerability enables an unauthenticated attacker to reliably crash a server or client using node-forge for TLS connections or certificate parsing.

This vulnerability impacts the asn1.fromDer function in node-forge before patched version 1.3.2.

Any downstream application using this component is impacted. These components may be leveraged by downstream applications in ways that enable full compromise of availability.

high 8.7: CVE-2025-12816 Interpretation Conflict

Affected range: <1.3.2
Fixed version: 1.3.2
CVSS Score: 8.7
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS Score: 0.072%
EPSS Percentile: 22nd percentile
Description

Summary

CVE-2025-12816 has been reserved by CERT/CC

Description
An Interpretation Conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and below enables remote, unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Details

A critical ASN.1 validation bypass vulnerability exists in the node-forge asn1.validate function within forge/lib/asn1.js. ASN.1 is a schema language that defines data structures, like the typed record schemas used in X.509, PKCS#7, PKCS#12, etc. DER (Distinguished Encoding Rules), a strict binary encoding of ASN.1, is what cryptographic code expects when verifying signatures, and the exact bytes and structure must match the schema used to compute and verify the signature. After deserializing DER, Forge uses static ASN.1 validation schemas to locate the signed data or public key, compute digests over the exact bytes required, and feed digest and signature fields into cryptographic primitives.

This vulnerability allows a specially crafted ASN.1 object to desynchronize the validator on optional boundaries, causing a malformed optional field to be semantically reinterpreted as the subsequent mandatory structure. This manifests as logic bypasses in cryptographic algorithms and protocols with optional security features (such as PKCS#12, where MACs are treated as absent) and semantic interpretation conflicts in strict protocols (such as X.509, where fields are read as the wrong type).

Impact

This flaw allows an attacker to desynchronize the validator, allowing critical components like digital signatures or integrity checks to be skipped or validated against attacker-controlled data.

This vulnerability impacts the asn1.validate function in node-forge before patched version 1.3.2.
https://github.com/digitalbazaar/forge/blob/main/lib/asn1.js

The following components in node-forge are impacted.
lib/asn1.js
lib/x509.js
lib/pkcs12.js
lib/pkcs7.js
lib/rsa.js
lib/pbe.js
lib/ed25519.js

Any downstream application using these components is impacted.

These components may be leveraged by downstream applications in ways that enable full compromise of integrity, leading to potential availability and confidentiality compromises.

@github-actions bot commented Dec 4, 2025

Recommended fixes for local gitea-mirror:scan

Base image is debian:bookworm

Name: bookworm-20251117
Digest: sha256:9d8be01b7374ef07c68468882782c1226c532f39145f46ad969b6fbd414ab730
Vulnerabilities: critical: 0 high: 0 medium: 1 low: 24
Pushed: 2 weeks ago
Size: 48 MB
Packages: 126
Flavor: debian
OS: 12
The base image is also available under the supported tag(s): bookworm-20251117

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag: stable-slim
Summary: Tag is preferred tag
Also known as:
  • stable-20251117-slim
Benefits:
  • Same OS detected
  • Image is smaller by 18 MB
  • Image contains 15 fewer packages
  • Tag is preferred tag
  • Image introduces no new vulnerability but removes 4
  • Tag is using slim variant
  • stable-slim is the fourth most popular tag with 46K pulls per month
Image details:
  • Size: 30 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅
Pushed: 2 weeks ago

Tag: bookworm-slim
Summary: Image has same number of vulnerabilities
Also known as:
  • 12.12-slim
  • 12-slim
  • bookworm-20251117-slim
Benefits:
  • Same OS detected
  • Image is smaller by 19 MB
  • Image has same number of vulnerabilities
  • Image contains equal number of packages
  • Tag is using slim variant
  • bookworm-slim was pulled 13K times last month
Image details:
  • Size: 28 MB
  • Flavor: debian
  • OS: 12
  • Slim: ✅
Pushed: 2 weeks ago

Tag: stable
Summary: Image introduces no new vulnerability but removes 4
Also known as:
  • stable-20251117
Benefits:
  • Same OS detected
  • Image contains 15 fewer packages
  • Image has similar size
  • Image introduces no new vulnerability but removes 4
  • stable is the 7th most popular tag with 32K pulls per month
Image details:
  • Size: 49 MB
  • Flavor: debian
  • OS: 12
Pushed: 2 weeks ago

Tag: testing-slim
Summary: Major OS version update
Also known as:
  • testing-20251117-slim
Benefits:
  • Same OS detected
  • Image is smaller by 19 MB
  • Image contains 18 fewer packages
  • Major OS version update
  • Tag is using slim variant
  • testing-slim is the sixth most popular tag with 33K pulls per month
Image details:
  • Size: 29 MB
  • Flavor: debian
  • OS: 13
  • Slim: ✅
Pushed: 2 weeks ago

Tag: sid-slim
Summary: Major OS version update
Also known as:
  • sid-20251117-slim
Benefits:
  • Same OS detected
  • Image is smaller by 19 MB
  • Image contains 18 fewer packages
  • Major OS version update
  • Tag is using slim variant
  • sid-slim is the 9th most popular tag with 15K pulls per month
Image details:
  • Size: 29 MB
  • Flavor: debian
  • OS: 13
  • Slim: ✅
Pushed: 2 weeks ago



@github-actions bot commented Dec 4, 2025

Overview

Compared images: ghcr.io/raylabshq/gitea-mirror:latest (left) vs gitea-mirror:scan (right)

Image reference
- digest:          34f02f189454                              | 16c75b680f16
- tag:             latest                                    | scan
- provenance:      2a08ae0                                   | oven-sh/bun@abb1b0c
- vulnerabilities: critical: 0 high: 7 medium: 12 low: 75    | critical: 0 high: 7 medium: 12 low: 75
- platform:        linux/amd64                               | linux/amd64
- size:            330 MB                                    | 381 MB (+51 MB)
- packages:        981                                       | 981

Base Image
- image:           debian:bookworm                           | debian:bookworm
- also known as:   bookworm-20251117                         | bookworm-20251117
- vulnerabilities: critical: 0 high: 0 medium: 1 low: 24     | critical: 0 high: 0 medium: 1 low: 24
Labels (8 changes)
  • ± 8 changed
-org.opencontainers.image.created=2025-12-04T13:15:19.095Z
+org.opencontainers.image.created=2025-11-21T19:33:53.930Z
-org.opencontainers.image.description=Gitea Mirror auto-syncs GitHub repos to your self-hosted Gitea/Forgejo, with a sleek Web UI and easy Docker deployment.
+org.opencontainers.image.description=Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
-org.opencontainers.image.licenses=AGPL-3.0
+org.opencontainers.image.licenses=NOASSERTION
-org.opencontainers.image.revision=2a08ae0b215c843b01d8ce82ba727585801341b8
+org.opencontainers.image.revision=abb1b0c4d75acabf1742b951a1f739068c94a7bd
-org.opencontainers.image.source=https://github.com/RayLabsHQ/gitea-mirror
+org.opencontainers.image.source=https://github.com/oven-sh/bun
-org.opencontainers.image.title=gitea-mirror
+org.opencontainers.image.title=bun
-org.opencontainers.image.url=https://github.com/RayLabsHQ/gitea-mirror
+org.opencontainers.image.url=https://github.com/oven-sh/bun
-org.opencontainers.image.version=pr-158
+org.opencontainers.image.version=1.3.3-debian


@arunavo4 arunavo4 merged commit 204d803 into main Dec 4, 2025
8 checks passed
@arunavo4 arunavo4 deleted the upgrade-packages branch December 4, 2025 13:58