Merge branch 'staging' into branch 'rc'

.github/workflows/container-build.yml

@@ -95,7 +95,7 @@ jobs:
       # Build cached image
       - name: Build image
         if: inputs.CACHE == true
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}
@@ -108,7 +108,7 @@ jobs:
       # Build non-cached image
       - name: Build image
         if: inputs.CACHE != true
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}

.github/workflows/doc-to-pdf.yml

@@ -32,7 +32,7 @@ jobs:
         run: mkdocs serve & sleep 10
       - name: Run pdf script
         run: node docs/misc/pdf.js http://localhost:8000/print_page/ BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf 'BunkerWeb documentation v${{ inputs.VERSION }}'
-      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf
           path: BunkerWeb_documentation_v${{ inputs.VERSION }}.pdf

.github/workflows/linux-build.yml

@@ -97,7 +97,7 @@ jobs:
       # Build testing package image
       - name: Build package image
         if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' || inputs.RELEASE == '1.5'
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           load: true
@@ -109,7 +109,7 @@ jobs:
       # Build non-testing package image
       - name: Build package image
         if: inputs.RELEASE != 'testing' && inputs.RELEASE != 'dev' && inputs.RELEASE != 'ui' && inputs.RELEASE != '1.5'
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           load: true
@@ -132,7 +132,7 @@ jobs:
           scp -r root@arm:/root/package-${{ inputs.LINUX }} ./package-${{ inputs.LINUX }}
         env:
           LARCH: ${{ env.LARCH }}
-      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: package-${{ inputs.LINUX }}-${{ env.LARCH }}
           path: package-${{ inputs.LINUX }}/*.${{ inputs.PACKAGE }}
@@ -145,7 +145,7 @@ jobs:
           images: ghcr.io/bunkerity/${{ inputs.LINUX }}-tests:${{ inputs.RELEASE }}
       - name: Build test image
         if: inputs.TEST == true
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: tests/linux/Dockerfile-${{ inputs.LINUX }}

.github/workflows/push-doc.yml

@@ -38,10 +38,14 @@ jobs:
           python-version: "3.10"
       - name: Install doc dependencies
         run: pip install --no-cache-dir --require-hashes -r docs/requirements.txt && sudo apt install -y libcairo2-dev libfreetype6-dev libffi-dev libjpeg-dev libpng-dev libz-dev
-      - name: Hide doc
+      - name: Deploy documentation (hidden)
         if: inputs.HIDDEN == true
-        run: mike props ${{ inputs.VERSION }} --set hidden=true
-      - name: Push doc
+        run: |
+          mike deploy --update-aliases --alias-type=copy ${{ inputs.VERSION }} ${{ inputs.ALIAS }}
+          mike set-hidden ${{ inputs.VERSION }} true
+          mike push
+      - name: Deploy documentation
+        if: inputs.HIDDEN == false
         run: mike deploy --update-aliases --push --alias-type=copy ${{ inputs.VERSION }} ${{ inputs.ALIAS }}
       - name: Set default doc
         if: inputs.ALIAS == 'latest'

.github/workflows/push-docker.yml

@@ -70,7 +70,7 @@ jobs:
           images: bunkerity/${{ inputs.IMAGE }}
       # Build and push
       - name: Build and push
-        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        uses: docker/build-push-action@b32b51a8eda65d6793cd0494a773d4f6bcef32dc # v6.11.0
         with:
           context: .
           file: ${{ inputs.DOCKERFILE }}

.github/workflows/staging-create-infra.yml

@@ -52,7 +52,7 @@ jobs:
         if: always()
         env:
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
-      - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+      - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: always()
         with:
           name: tf-${{ inputs.TYPE }}

.trivyignore

@@ -1 +0,0 @@
-CVE-2023-6129

docs/concepts.md

@@ -101,11 +101,6 @@ By leveraging custom configurations, you unlock a world of possibilities to tail
 
 ## Database
 
-!!! warning "PostgreSQL 17"
-    As of now, **PostgreSQL 17** is not supported in the **Docker integration**. If you want to use PostgreSQL 17, you will have to use the Linux integration.
-
-    This is due to the fact that the `postgresql-client` package only has the 14, 15 and 16 versions available in the alpine repositories.
-
 BunkerWeb securely stores its current configuration in a backend database, which contains essential data for smooth operation. The following information is stored in the database:
 
 - **Settings for all services**: The database holds the defined settings for all the services provided by BunkerWeb. This ensures that your configurations and preferences are preserved and readily accessible.

docs/requirements.txt

@@ -655,9 +655,9 @@ requests==2.32.3 \
     #   importlib-resources
 
 # The following packages are considered to be unsafe in a requirements file:
-setuptools==75.7.0 \
-    --hash=sha256:84fb203f278ebcf5cd08f97d3fb96d3fbed4b629d500b29ad60d11e00769b183 \
-    --hash=sha256:886ff7b16cd342f1d1defc16fc98c9ce3fde69e087a4e1983d7ab634e5f41f4f
+setuptools==75.8.0 \
+    --hash=sha256:c5afc8f407c626b8313a86e10311dd3f661c6cd9c09d4bf8c15c0e11f9f2b0e6 \
+    --hash=sha256:e3982f444617239225d675215d51f6ba05f845d4eec313da4418fdbb56fb27e3
     # via mkdocs-material
 six==1.17.0 \
     --hash=sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274 \

examples/authentik/docker-compose.yml

@@ -98,7 +98,7 @@ services:
 
   # AUTHENTIK SERVICES
   postgresql:
-    image: docker.io/library/postgres:16-alpine
+    image: docker.io/library/postgres:17-alpine
     restart: unless-stopped
     healthcheck:
       test: [ "CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ]

examples/redmine/autoconf.yml

@@ -20,7 +20,7 @@ services:
       - bunkerweb.REVERSE_PROXY_HOST=http://myredmine:3000
 
   mydb:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     volumes:
       - db-data:/var/lib/postgresql/data
     environment:

examples/redmine/docker-compose.yml

@@ -51,7 +51,7 @@ services:
       - bw-services
 
   mydb:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     volumes:
       - db-data:/var/lib/postgresql/data
     environment:

examples/redmine/swarm.yml

@@ -22,7 +22,7 @@ services:
         - bunkerweb.REVERSE_PROXY_HOST=http://myredmine:3000
 
   mydb:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     volumes:
       - db-data:/var/lib/postgresql/data
     environment:

misc/integrations/autoconf.mysql.ui.yml

@@ -66,7 +66,7 @@ services:
       - "bunkerweb.ALLOWED_METHODS=GET|POST|PUT|DELETE"
 
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/integrations/autoconf.mysql.yml

@@ -47,7 +47,7 @@ services:
       - bw-db
 
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/integrations/autoconf.postgres.ui.yml

@@ -66,7 +66,7 @@ services:
       - "bunkerweb.ALLOWED_METHODS=GET|POST|PUT|DELETE"
 
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "changeme" # Remember to set a stronger password for the database

misc/integrations/autoconf.postgres.yml

@@ -47,7 +47,7 @@ services:
       - bw-db
 
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "changeme" # Remember to set a stronger password for the database

misc/integrations/docker.mysql.ui.yml

@@ -54,7 +54,7 @@ services:
       - bw-db
 
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/integrations/docker.mysql.yml

@@ -31,7 +31,7 @@ services:
       - bw-db
 
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/integrations/docker.postgres.ui.yml

@@ -53,7 +53,7 @@ services:
       - bw-db
 
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "changeme" # Remember to set a stronger password for the database

misc/integrations/docker.postgres.yml

@@ -31,7 +31,7 @@ services:
       - bw-db
 
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "changeme" # Remember to set a stronger password for the database

misc/integrations/k8s.mysql.ui.yml

@@ -200,7 +200,7 @@ spec:
     spec:
       containers:
         - name: bunkerweb-db
-          image: mysql:8
+          image: mysql:9
           imagePullPolicy: Always
           env:
             - name: MYSQL_RANDOM_ROOT_PASSWORD

misc/integrations/k8s.mysql.yml

@@ -211,7 +211,7 @@ spec:
     spec:
       containers:
         - name: bunkerweb-db
-          image: mysql:8
+          image: mysql:9
           imagePullPolicy: Always
           env:
             - name: MYSQL_RANDOM_ROOT_PASSWORD

misc/integrations/k8s.postgres.ui.yml

@@ -200,7 +200,7 @@ spec:
     spec:
       containers:
         - name: bunkerweb-db
-          image: postgres:16-alpine
+          image: postgres:17-alpine
           imagePullPolicy: Always
           env:
             - name: POSTGRES_DB

misc/integrations/k8s.postgres.yml

@@ -211,7 +211,7 @@ spec:
     spec:
       containers:
         - name: bunkerweb-db
-          image: postgres:16-alpine
+          image: postgres:17-alpine
           imagePullPolicy: Always
           env:
             - name: POSTGRES_DB

misc/integrations/swarm.mysql.ui.yml

@@ -81,7 +81,7 @@ services:
         - "bunkerweb.ALLOWED_METHODS=GET|POST|PUT|DELETE"
 
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/integrations/swarm.mysql.yml

@@ -61,7 +61,7 @@ services:
           - "node.role == worker"
 
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/integrations/swarm.postgres.ui.yml

@@ -81,7 +81,7 @@ services:
         - "bunkerweb.ALLOWED_METHODS=GET|POST|PUT|DELETE"
 
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "changeme" # Remember to set a stronger password for the database

misc/integrations/swarm.postgres.yml

@@ -61,7 +61,7 @@ services:
           - "node.role == worker"
 
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "changeme" # Remember to set a stronger password for the database

misc/migration/mysql.yml

@@ -1,6 +1,6 @@
 services:
   bw-db:
-    image: mysql:8
+    image: mysql:9
     environment:
       MYSQL_RANDOM_ROOT_PASSWORD: "yes"
       MYSQL_DATABASE: "db"

misc/migration/postgresql.yml

@@ -1,6 +1,6 @@
 services:
   bw-db:
-    image: postgres:16-alpine
+    image: postgres:17-alpine
     environment:
       POSTGRES_USER: "bunkerweb"
       POSTGRES_PASSWORD: "secret"

src/autoconf/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.13-alpine@sha256:657dbdb20479a6523b46c06114c8fec7db448232f956a429d3cc0606d30c1b59 AS builder
+FROM python:3.13-alpine@sha256:b6f01a01e34091438a29b6dda4664199e34731fb2581ebb6fe255a2ebf441099 AS builder
 
 # Export var for specific actions on linux/arm/v7
 ARG TARGETPLATFORM
@@ -33,7 +33,7 @@ COPY src/common/utils utils
 COPY src/autoconf autoconf
 COPY src/VERSION VERSION
 
-FROM python:3.13-alpine@sha256:657dbdb20479a6523b46c06114c8fec7db448232f956a429d3cc0606d30c1b59
+FROM python:3.13-alpine@sha256:b6f01a01e34091438a29b6dda4664199e34731fb2581ebb6fe255a2ebf441099
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027
@@ -44,7 +44,7 @@ RUN apk add --no-cache bash tzdata && \
   adduser -h /var/cache/autoconf -g autoconf -s /bin/sh -G autoconf -D -H -u 101 autoconf
 
 # Fix CVEs
-RUN apk add --no-cache "libcrypto3>=3.3.2-r1" "libssl3>=3.3.2-r1" # CVE-2024-9143
+# There are no CVEs for the following packages
 
 # Copy dependencies
 COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb

src/bw/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.26.2-alpine-slim@sha256:6a3378d408c49073bdbb0243219db1072f338b979b58660577a744044515f9f7 AS builder
+FROM nginx:1.26.2-alpine-slim@sha256:1d541dc68a99c4da7923e88b8e184f85034804a1ff59ee838a81d83c319267d8 AS builder
 
 # Install temporary requirements for the dependencies
 RUN apk add --no-cache bash autoconf libtool automake geoip-dev g++ gcc curl-dev libxml2-dev pcre-dev make linux-headers musl-dev gd-dev gnupg brotli-dev openssl-dev patch readline-dev yajl yajl-dev yajl-tools py3-pip
@@ -42,7 +42,7 @@ COPY src/common/utils utils
 COPY src/VERSION VERSION
 COPY misc/*.ascii misc/
 
-FROM nginx:1.26.2-alpine-slim@sha256:6a3378d408c49073bdbb0243219db1072f338b979b58660577a744044515f9f7
+FROM nginx:1.26.2-alpine-slim@sha256:1d541dc68a99c4da7923e88b8e184f85034804a1ff59ee838a81d83c319267d8
 
 # Set default umask to prevent huge recursive chmod increasing the final image size
 RUN umask 027
@@ -51,7 +51,7 @@ RUN umask 027
 RUN apk add --no-cache openssl pcre bash python3 yajl geoip libxml2 libgd curl tzdata
 
 # Fix CVEs
-RUN apk add --no-cache "curl>=8.11.0-r0" "libcurl>=8.11.0-r0" # CVE-2024-9681
+# There are no CVEs for the following packages
 
 # Copy dependencies
 COPY --from=builder --chown=0:101 /usr/share/bunkerweb /usr/share/bunkerweb

src/common/core/pro/jobs/download-pro-plugins.py

@@ -157,6 +157,8 @@ def install_plugin(plugin_path: Path, db, preview: bool = True) -> bool:
             if metadata["is_pro"] and metadata["pro_services"] < int(data["service_number"]):
                 metadata["pro_overlapped"] = True
 
+    db_metadata = db.get_metadata()
+
     # ? If we already checked today, skip the check and if the metadata is the same, skip the check
     if (
         pro_license_key == db_metadata.get("pro_license", "")