Renovate project: Ruby 3.3, React 18, security hardening #33
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Upgrade Ruby from 2.7.2 to 3.3.6 - Update Sinatra from 2.1 to 3.2 (kept 3.x for Rack 2.x compatibility with thin/sinatra-websocket) - Update all gems to latest compatible versions - Modernize Dockerfile with Ruby 3.3.6-slim and improved layering - Update docker-compose files to modern compose spec format - Fix outdated test expectation in registry_spec.rb 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Only show the remove icon for shares that exist in the local shares object, meaning the current client uploaded them. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Replace AngularJS with React 18 loaded from CDN (no build step) - Use Babel standalone for JSX transpilation in browser - Split code into components.js, app.js, and utils.js - Modernize UI with Inter font and Tailwind-inspired design - Add CSS variables for consistent theming - Fix QR code modal with qrcode-generator library from CDN - Improve QR modal with larger code, close button, and animations - Fix visited link and button colors - Remove AngularJS files and old QR code libraries 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Backend (app.rb, client.rb, share.rb, streamer.rb): - Add security headers (X-Content-Type-Options, X-Frame-Options, etc.) - Add rate limiting (configurable via DLCENTER_MAX_CONNECTIONS_PER_IP) - Add HTTPS enforcement (enable via DLCENTER_FORCE_HTTPS) - Add CSRF protection on POST endpoints - Sanitize filenames in Content-Disposition headers - Validate content-type format - Validate UUID format on all endpoints - Add input validation for WebSocket messages (name, size, content_type, uuid) - Add memory limits: 10MB buffer, 2MB max chunk, 100 shares/client - Sanitize zip filenames to prevent path traversal Frontend (app.js): - Use synchronous ref for local shares to fix streaming race condition 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
- Builds on push to master and tags - Pushes to GitHub Container Registry (ghcr.io) - Uses Docker Buildx with layer caching - Generates semantic version tags from git tags 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Security improvements
DLCENTER_MAX_CONNECTIONS_PER_IP, default 50)DLCENTER_FORCE_HTTPSenv var)Test plan
bundle exec rackupbundle exec rspec(24 examples, 0 failures)🤖 Generated with Claude Code