Sync main into dev #328

Closed
github-actions[bot] wants to merge 14 commits into dev from main

@github-actions
Contributor

Automated Sync

This sync includes workflow file changes which require manual merge:

$WORKFLOW_CHANGES

GITHUB_TOKEN cannot modify workflow files due to security restrictions.
Please merge this PR manually to keep dev up to date with main.

dependabot bot and others added 14 commits March 5, 2026 10:33
#309)

Bumps [svgo](https://github.com/svg/svgo) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/svg/svgo/releases)
- [Commits](svg/svgo@v4.0.0...v4.0.1)

---
updated-dependencies:
- dependency-name: svgo
  dependency-version: 4.0.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…nd (#308)

Bumps [immutable](https://github.com/immutable-js/immutable-js) from 5.1.4 to 5.1.5.
- [Release notes](https://github.com/immutable-js/immutable-js/releases)
- [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md)
- [Commits](immutable-js/immutable-js@v5.1.4...v5.1.5)

---
updated-dependencies:
- dependency-name: immutable
  dependency-version: 5.1.5
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* feat(backend): add POST /endpoints/health for per-endpoint health reporting

Add a new API endpoint that accepts granular per-endpoint health status
from clients, replacing the domain-level heartbeat as the primary health
signal. The health monitor is simplified to a 2-tier approach: per-endpoint
health (priority 1) with heartbeat as a deprecated fallback (priority 2).

- Add health_status, health_checked_at, health_ttl_seconds to EndpointModel
- Add POST /endpoints/health route with bulk slug matching and TTL capping
- Add EndpointHealthRequest/Response schemas and repository methods
- Simplify health monitor: remove HTTP fallback, extract modular tier methods
- Add deprecation notes to heartbeat endpoints, services, schemas, and models
- Add alembic migration for new nullable endpoint health columns

* remove alembic migrations

* chore: add migrations

* test(backend): update health monitor tests and add endpoint health tests
ci: add workflow to trigger cross-service E2E tests on push to main
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.1 to 2.12.0.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.10.1...2.12.0)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-version: 2.12.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.10.1 to 2.12.0.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.10.1...2.12.0)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-version: 2.12.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
…nd/pyjwt-2.12.0

chore(deps): bump pyjwt from 2.10.1 to 2.12.0 in /components/backend
…gator/pyjwt-2.12.0

chore(deps): bump pyjwt from 2.10.1 to 2.12.0 in /components/aggregator
* feat: add feedback endpoint that creates Linear issues

Add authenticated POST /api/v1/feedback endpoint that accepts user
feedback/bug reports and creates Linear issues via GraphQL API.
Supports screenshot upload as file attachments.

Ref: OME-76

* chore: fix lint errors

* ci: wire LINEAR_API_KEY and LINEAR_TEAM_ID through deployment pipeline
Upgrade authlib, PyJWT, and pyasn1 to fix 6 open security alerts:

MCP component:
- authlib 1.6.6 → 1.6.9: fixes CVE-2026-27962 (CRITICAL: JWS header
  injection signature bypass), CVE-2026-28490 (Bleichenbacher padding
  oracle), CVE-2026-28498 (fail-open OIDC hash binding),
  CVE-2026-28802 (alg:none signature bypass)
- PyJWT 2.10.1 → 2.12.1: fixes CVE-2026-32597 (accepts unknown crit
  header extensions)
- Add pydantic override to resolve pre-existing syft-accounting-sdk
  version conflict during lock regeneration

Backend component:
- pyasn1 0.6.2 → 0.6.3: fixes CVE-2026-30922 (DoS via unbounded
  recursion). Added as uv override-dependency since it is transitive
  via google-auth.

Aggregator component:
- Document nltk 3.9.3 (CVE-2026-33230, unbounded recursion DoS) as
  unfixable — no upstream patch available, mitigated by context
  (backend service, no HTML rendering, no JSONTaggedDecoder usage)

Closes #80, #79, #78, #77, #76, #75, #72, #66
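
The PyJWT entry in the commit message above concerns unknown `crit` header extensions. RFC 7515 section 4.1.11 requires a verifier to reject a JWS whose `crit` list names an extension it does not understand. The following is an added example of that pre-verification check, not code from this repository or from PyJWT; `SUPPORTED_CRIT`, `check_crit`, `make_token` and the sample tokens are constructed for illustration.

```python
import base64
import json

# Extensions this verifier implements (assumption for the example: none).
SUPPORTED_CRIT = frozenset()
# Names defined by RFC 7515 itself, which must not be listed in "crit".
REGISTERED = frozenset({"alg", "jku", "jwk", "kid", "x5u", "x5c", "x5t",
                        "x5t#S256", "typ", "cty", "crit"})


def b64url_decode(segment):
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_crit(token, supported=SUPPORTED_CRIT):
    """Return the JOSE header, or raise ValueError if its "crit" list is
    unacceptable. Run this before signature verification, not instead of it."""
    try:
        header = json.loads(b64url_decode(token.split(".")[0]))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ValueError("malformed JOSE header") from exc
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    if "crit" not in header:
        return header
    crit = header["crit"]
    if not isinstance(crit, list) or not crit:
        raise ValueError('"crit" must be a non-empty array')
    for name in crit:
        if not isinstance(name, str) or name in REGISTERED:
            raise ValueError(f"illegal name in crit: {name!r}")
        if name not in header:
            raise ValueError(f"crit names absent header parameter: {name!r}")
        if name not in supported:
            raise ValueError(f"unsupported critical extension: {name!r}")
    return header


def make_token(header):
    """Build a constructed, unsigned sample token (header.payload.signature)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'demo'})}.c2lnbmF0dXJl"
```

A regression test built on this check can confirm, after a dependency bump, that the service's token path rejects a token carrying an unrecognised critical extension.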
…327)

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
- [Commits](WebReflection/flatted@v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
IonesioJunior added a commit that referenced this pull request Mar 23, 2026
Merge main into dev, resolving conflicts:
- .github/workflows/ci.yml: keep RESEND_API_KEY wiring from dev alongside
  LINEAR_API_KEY/LINEAR_TEAM_ID additions from main
- components/backend/src/syfthub/schemas/endpoint.py: accept is_slug_available
  stub function from main

Includes from main: feedback endpoint for Linear, endpoint health API refactor,
PyJWT 2.12.0 upgrade, security dep patches, e2e workflow trigger, frontend dep bumps.
@IonesioJunior
Member

Merged manually — resolved conflicts in ci.yml (RESEND_API_KEY wiring) and endpoint.py (is_slug_available stub). dev is now up to date with main.
