
chore(deps): bump execa from 5.1.1 to 9.6.1#283

Closed
dependabot[bot] wants to merge 3 commits into main from dependabot/npm_and_yarn/execa-9.6.1

Conversation

dependabot[bot] (Contributor) commented on behalf of github Jan 17, 2026

Bumps execa from 5.1.1 to 9.6.1.

Release notes

Sourced from execa's releases.

v9.6.1

  • Fix VerboseOption type not being properly exported (#1215) 7891c39

sindresorhus/execa@v9.6.0...v9.6.1

v9.6.0

  • Update dependencies d49104a

sindresorhus/execa@v9.5.3...v9.6.0

v9.5.3

  • Fix Node 24-specific deprecation warning (#1199) 1ac5b91

sindresorhus/execa@v9.5.2...v9.5.3

v9.5.2

Bug fixes

v9.5.1

Bug fixes

v9.5.0

Features

await execa({stdout: {file: 'output.txt', append: true}})`npm run build`;

v9.4.1

Bug fixes

v9.4.0

Features

  • We've created a separate package called nano-spawn. It is similar to Execa but with fewer features, for a much smaller package size. More info.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [execa](https://github.com/sindresorhus/execa) from 5.1.1 to 9.6.1.
- [Release notes](https://github.com/sindresorhus/execa/releases)
- [Commits](sindresorhus/execa@v5.1.1...v9.6.1)

---
updated-dependencies:
- dependency-name: execa
  dependency-version: 9.6.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) Jan 17, 2026

github-actions bot commented Jan 17, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

github-actions bot commented Jan 17, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions bot commented Jan 17, 2026

📰 DEVELOPING STORY: Smoke Copilot reports failed. Our correspondents are investigating the incident...

github-actions bot commented

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PR list
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Write: Created test file successfully
  • ✅ Bash: Verified file content

Status: PASS

AI generated by Smoke Claude

github-actions bot commented

🚨 Security Review: Breaking Changes Not Addressed

This PR updates execa from v5.1.1 to v9.6.1, which introduces multiple breaking changes that are not addressed in the code. This will cause critical security failures in the firewall's iptables setup.

Critical Issues Found

1. reject: false option no longer exists (Breaking in v6)

Files affected:

  • src/host-iptables.ts (lines 106, 113, 127, 130, 131, 200, 207, 225, 229, 230, 531, 550, 555, 556, 566, 583, 588, 589, 609)
  • src/docker-manager.ts (lines 605, 687)
  • src/logs/log-streamer.ts (lines 69, 161)
  • All test files using execa

Example from src/host-iptables.ts:106:

const { exitCode } = await execa('ip6tables', ['-t', 'filter', '-L', CHAIN_NAME_V6, '-n'], { reject: false });

Issue: In execa v6+, the reject option was removed. Commands now throw by default on non-zero exit codes. The code expects exitCode to be returned even on failures, but v9 will throw an error instead.

Security Impact: iptables rules setup will fail with unhandled exceptions, potentially leaving containers without proper network filtering.
2. exitCode property changed in v8

Files affected:

  • src/host-iptables.ts (lines 106, 200)
  • src/docker-manager.ts (lines 691-696)

Example from src/docker-manager.ts:691-696:

const { stdout: exitCodeStr } = await execa('docker', ['wait', 'awf-agent']);
const exitCode = parseInt(exitCodeStr.trim(), 10);

Issue: The return structure changed in v8. The exitCode property may not be available in the same way, especially when using { reject: false } pattern.
Required Changes

To safely upgrade to execa v9, the codebase needs these changes:

  1. Replace { reject: false } with try/catch blocks:
// Before (v5)
const { exitCode } = await execa('ip6tables', [...], { reject: false });
if (exitCode === 0) { ... }

// After (v9)
try {
  await execa('ip6tables', [...]);
  // Success (exit code 0)
} catch (error) {
  // Non-zero exit code
  if (error.exitCode === 1) { ... }
}
  2. Update all 40+ instances across the codebase
  3. Run integration tests to verify iptables setup works correctly
  4. Check Node.js version compatibility - execa v9 requires Node.js 18.19+ or 20.5+

Recommendation

❌ DO NOT MERGE this PR until:

  1. Code is updated to handle execa v9 breaking changes
  2. All tests pass (especially host-iptables.test.ts)
  3. Integration tests verify iptables rules are set up correctly
  4. Node.js version requirements are documented (v9 requires Node 18.19+)

This is a security-critical firewall component. Breaking the iptables setup could allow network traffic to bypass domain restrictions entirely.
Alternative approach: Keep execa at v5.x until the breaking changes can be properly addressed in a separate PR with comprehensive testing.

Ahoy! This treasure was crafted by 🏴‍☠️ Security Guard fer issue #283 🗺️
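The review above recommends turning every `{ reject: false }` call site into a try/catch. An added example (not code from this PR or the project) of a small helper that keeps the `{ exitCode }` shape the firewall code already consumes while a runner that throws on non-zero exit, as the review says execa v9 does, is used underneath. The runner is injected so the block runs offline; the error field names, the `EXAMPLE_CHAIN` name and the fake ip6tables behaviour are all constructed assumptions. Spawn failures without any exit code are rethrown rather than being read as "chain absent", which is the case that matters for a firewall check.

```typescript
interface CommandResult {
  exitCode: number;
  stdout: string;
  stderr: string;
}

// Assumed shape of the rejection an execa-style runner produces on failure.
interface CommandError {
  exitCode?: number;
  stdout?: string;
  stderr?: string;
}

type Runner = (cmd: string, args: string[]) => Promise<CommandResult>;

// A numeric exitCode means "the command ran and failed" and becomes a result.
// Anything else (missing binary, signal, timeout) is a real failure: rethrow it
// so a broken ip6tables install is never mistaken for a missing chain.
function resultFromError(error: unknown): CommandResult {
  const e = error as CommandError | null;
  if (typeof e?.exitCode === 'number') {
    return { exitCode: e.exitCode, stdout: e.stdout ?? '', stderr: e.stderr ?? '' };
  }
  throw error;
}

// Drop-in replacement for `await execa(cmd, args, { reject: false })`.
async function runAllowNonZero(run: Runner, cmd: string, args: string[]): Promise<CommandResult> {
  try {
    return await run(cmd, args);
  } catch (error) {
    return resultFromError(error);
  }
}

// Constructed stand-in for a throwing runner: listing a known chain exits 0,
// an unknown chain exits 1, and any other binary fails to spawn (no exitCode).
const fakeRunner: Runner = async (cmd, args) => {
  if (cmd !== 'ip6tables') throw { code: 'ENOENT', message: `spawn ${cmd} ENOENT` };
  const chain = args[args.indexOf('-L') + 1];
  if (chain === 'EXAMPLE_CHAIN') return { exitCode: 0, stdout: 'Chain EXAMPLE_CHAIN (0 references)\n', stderr: '' };
  throw { exitCode: 1, stdout: '', stderr: 'ip6tables: No chain/target/match by that name.\n' };
};

// The "does the chain exist?" check from the review, rewritten on the helper.
async function chainExists(run: Runner, chain: string): Promise<boolean> {
  const { exitCode } = await runAllowNonZero(run, 'ip6tables', ['-t', 'filter', '-L', chain, '-n']);
  return exitCode === 0;
}
```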

github-actions bot commented Jan 17, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

github-actions bot commented Jan 17, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

github-actions bot commented Jan 17, 2026

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

github-actions bot commented

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Successfully retrieved PR data
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Writing: Created test file successfully
  • ✅ Bash Tool: Verified file contents

Status: PASS 🎉

Author: @dependabot[bot] | PR #283

AI generated by Smoke Copilot

github-actions bot commented

Smoke Test Results

Last 2 merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved recent PRs
  • ✅ Playwright: Page title contains "GitHub"
  • ✅ File Writing: Created test file
  • ✅ Bash Tool: Verified file contents

Status: PASS

AI generated by Smoke Claude

github-actions bot commented

Security Review - Breaking API Change Detected

Issue: Incomplete Dependency Migration

File: src/docker-manager.ts
Lines: 817, 834

This PR upgrades execa from v5.1.1 to v9.6.1 (major version), but the source code still uses the removed API execa.sync().

Breaking Change Details

Starting in execa v6, the synchronous API was renamed:

  • Removed: execa.sync()
  • New API: execaSync()

Current code (lines 817, 834):

execa.sync('chmod', ['-R', 'a+rX', proxyLogsDir]);

Required change:

import { execaSync } from 'execa';
// ...
execaSync('chmod', ['-R', 'a+rX', proxyLogsDir]);

Security Impact Assessment

Direct Security Risk: ⚠️ Low (not a vulnerability, but code will fail)

The affected code is in the cleanup function that:

  • Runs AFTER firewall execution completes
  • Only adjusts log file permissions (chmod a+rX)
  • Is wrapped in try-catch blocks that handle failures gracefully

Operational Risk: 🔴 High

  1. Runtime errors - The code will throw when cleanup runs
  2. Type safety - TypeScript may not catch this at compile time with default imports
  3. Incomplete testing - Indicates the PR hasn't been properly validated

Recommendation

Action Required: Update source code before merging

- import execa from 'execa';
+ import execa, { execaSync } from 'execa';

  // Line 817
- execa.sync('chmod', ['-R', 'a+rX', proxyLogsDir]);
+ execaSync('chmod', ['-R', 'a+rX', proxyLogsDir]);

  // Line 834
- execa.sync('chmod', ['-R', 'a+rX', squidLogsDestination]);
+ execaSync('chmod', ['-R', 'a+rX', squidLogsDestination]);
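Review bot: the import hunk keeps the default import `execa` alongside the new named `execaSync`, while the review text above only establishes that the synchronous API was renamed and separately warns that TypeScript may not catch this at compile time with default imports; before merging, confirm against the v9 package that a default export still exists, and if it does not, switch the remaining `execa` call sites to a named import in the same change so the build fails early rather than at runtime.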

Verification Steps:

  1. Run npm run build to verify TypeScript compilation
  2. Run npm test to verify existing tests pass
  3. Test log preservation functionality in CI

This is not a security vulnerability but represents incomplete dependency migration that will cause runtime failures.

Ahoy! This treasure was crafted by 🏴‍☠️ Security Guard fer issue #283 🗺️

Mossaka closed this Jan 17, 2026

dependabot[bot] (Contributor, Author) commented on behalf of github Jan 17, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

dependabot[bot] deleted the dependabot/npm_and_yarn/execa-9.6.1 branch January 17, 2026 20:44

Labels: dependencies, javascript, smoke-claude, smoke-copilot