deps: full dependency update and security audit — all packages current, 0 vulnerabilities

## Node.js / npm

Node.js v20.20.1 / npm 10.8.2 — all packages audited, 0 critical/high/medium/low CVEs.

### Package updates (major version bumps)

| Package | From | To | Notes |
|---|---|---|---|
| javascript-obfuscator | ^4.1.1 (4.2.2) | ^5.4.1 (5.4.1) | build tool — devDep in root |
| express | ^4.18.2 (4.22.1) | ^5.2.1 (5.2.1) | admin panel |

Express 5 compatibility fix: renamed `/*` catch-all route to `/*path` (Express 5
uses path-to-regexp v8 which requires named wildcards).

TypeScript ^5.4 (5.9.3) — semver range correctly excludes TS 6.0.2 (major bump,
intentional hold pending ecosystem readiness).

relay/* — all deps current: @noble/post-quantum 0.6.0, argon2 0.44.0,
bip39 3.1.0, nats 2.29.3, ws 8.20.0.

## Docker

Both Dockerfiles updated: node:20-alpine3.21 → node:22-alpine3.21
  - Node 22 is current Active LTS (since Oct 2024, EOL Apr 2027)
  - Node 20 EOL April 2026
  - alpine 3.21 retained (current stable)

relay/Dockerfile: OCI version label updated to 2.4.4.

admin/Dockerfile hardened to match relay baseline:
  - Added non-root user (admin:admin)
  - Added HEALTHCHECK
  - Added OCI image labels
  - npm cache clean --force after install

## Copyleft license scan

0 GPL/AGPL/LGPL packages found across all node_modules trees.
All dependencies use MIT, ISC, Apache-2.0, BSD, or BUSL-1.1.

## Shell scripts

Fixed non-portable shebangs in 2 scripts:
  - scripts/post-install.sh: #!/bin/bash → #!/usr/bin/env bash
  - scripts/preflight.sh:   #!/bin/bash → #!/usr/bin/env bash

(shellcheck not available without sudo; shebangs manually verified)

## Secrets / credentials

0 hardcoded secrets found. .env.example files contain only empty
placeholders. .gitignore clarified with comment re: .example intentional tracking.
Added relay-identity.json and data/*.json to .gitignore (runtime-generated files).

## ISO builder (build-paramantOS.sh)

Linux Mint 22.1 → Ubuntu Noble (24.04 LTS) — both current.
Mint 22.1 released January 2025, Noble 24.04 LTS supported until April 2029.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Apolloccrypt

.gitignore

@@ -14,12 +14,16 @@ frontend/dist/
 crypto-wasm/target/
 crypto-wasm/target/**/*.wasm
 
-# Environment & secrets
+# Environment & secrets (.example files are templates — intentionally tracked)
 .env
 .env.local
 .env.*.local
 .env.private
 deploy/.env
+relay-identity.json
+**/relay-identity.json
+data/
+**/data/*.json
 
 # Runtime data (server-side — never commit)
 users.json

admin/Dockerfile

@@ -1,8 +1,24 @@
-FROM node:20-alpine3.21
+FROM node:22-alpine3.21
+
+LABEL org.opencontainers.image.title="paramant-admin" \
+      org.opencontainers.image.version="1.0.0" \
+      org.opencontainers.image.description="PARAMANT admin panel" \
+      org.opencontainers.image.licenses="BUSL-1.1"
+
 WORKDIR /app
 COPY package.json .
-RUN npm install --production --quiet
+RUN npm install --production --quiet && npm cache clean --force
 COPY server.js .
 COPY public/ public/
+
+# Non-root user — admin server never needs root
+RUN addgroup -S admin && adduser -S admin -G admin
+
+USER admin
+
 EXPOSE 4200
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD wget -qO- http://127.0.0.1:${PORT:-4200}/api/auth/check || exit 1
+
 CMD ["node", "server.js"]

admin/package.json

@@ -7,6 +7,6 @@
     "start": "node server.js"
   },
   "dependencies": {
-    "express": "^4.18.2"
+    "express": "^5.2.1"
   }
 }

admin/server.js

@@ -250,6 +250,7 @@ api.post('/reload-all', authMiddleware, async (req, res) => {
 });
 
 app.use(`${BASE_PATH}/api`, api);
-app.get(`${BASE_PATH}/*`, (req, res) => res.sendFile(path.join(__dirname, 'public', 'index.html')));
+// Express 5: named wildcard required (path-to-regexp v8 — bare /* not allowed)
+app.get(`${BASE_PATH}/*path`, (req, res) => res.sendFile(path.join(__dirname, 'public', 'index.html')));
 
 app.listen(PORT, '0.0.0.0', () => console.log(`[PARAMANT-ADMIN] listening on :${PORT}${BASE_PATH || '/'}`));

package.json

@@ -6,7 +6,7 @@
     "build": "bash build.sh"
   },
   "devDependencies": {
-    "javascript-obfuscator": "^4.1.1",
+    "javascript-obfuscator": "^5.4.1",
     "terser": "^5.31.0"
   },
   "dependencies": {

relay/Dockerfile

@@ -1,7 +1,7 @@
 # ── Stage 1: build ──────────────────────────────────────────────────────────
 # Build tools (python3, make, g++) are required only to compile argon2 native
 # bindings. They are NOT present in the final runtime image.
-FROM node:20-alpine3.21 AS build
+FROM node:22-alpine3.21 AS build
 
 RUN apk add --no-cache python3 make g++
 
@@ -11,10 +11,10 @@ RUN npm install --omit=dev && npm cache clean --force
 
 # ── Stage 2: runtime ─────────────────────────────────────────────────────────
 # Lean image: no build tools, no npm, no compilers — only the relay and its deps.
-FROM node:20-alpine3.21
+FROM node:22-alpine3.21
 
 LABEL org.opencontainers.image.title="paramant-relay" \
-      org.opencontainers.image.version="2.4.0" \
+      org.opencontainers.image.version="2.4.4" \
       org.opencontainers.image.description="Post-quantum encrypted file relay — RAM-only, burn-on-read" \
       org.opencontainers.image.source="https://github.com/Apolloccrypt/paramant-relay" \
       org.opencontainers.image.licenses="BUSL-1.1"

scripts/post-install.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 # PARAMANT post-install verification
 # Run after: docker compose up -d
 # Usage: bash scripts/post-install.sh

scripts/preflight.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 RED='\033[0;31m'; GREEN='\033[0;32m'; YELLOW='\033[1;33m'; BLUE='\033[0;34m'; NC='\033[0m'
 [ -f .env ] && export $(grep -v '^#' .env | grep -v '^$' | xargs) 2>/dev/null
 echo ""; echo -e "${BLUE}╔═══════════════════════════════════════╗${NC}"