From c469c11a289091a7a224612fc1fc6826787d8c79 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 9 Jan 2026 09:48:50 +0100
Subject: [PATCH 1/2] Disable APT repository signing/uploads

---
 .github/workflows/release.yml | 50 -----------------------------------
 1 file changed, 50 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dd0a1d9..2d963b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -178,20 +178,6 @@ jobs:
           asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
           asset_content_type: application/octet-stream
 
-      - name: Install ruby with deb-s3
-        if: matrix.build == 'linux'
-        run: |
-          sudo apt-get install -y ruby
-          gem install deb-s3
-          echo "$(ruby -r rubygems -e 'puts Gem.user_dir')/bin" >> $GITHUB_PATH
-
-      - name: Upload DEB to apt repository
-        if: matrix.build == 'linux'
-        run: |
-          COMPONENT=$([[ "${{ github.ref_name }}" == *"-"* ]] && echo "pre-release" || echo "release") # if tag contain "-" assume it's pre-release.
-
-          deb-s3 upload -l --bucket=apt.defguard.net --access-key-id=${{ secrets.AWS_ACCESS_KEY_APT }} --secret-access-key=${{ secrets.AWS_SECRET_KEY_APT }} --s3-region=eu-north-1 --no-fail-if-exists --codename=trixie --component="$COMPONENT" defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.deb
-
       - name: Build RPM package
         if: matrix.build == 'linux'
         uses: bpicode/github-action-fpm@master
@@ -209,39 +195,3 @@ jobs:
           asset_path: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
           asset_name: defguard-proxy-${{ env.VERSION }}-${{ matrix.target }}.rpm
           asset_content_type: application/octet-stream
-
-  apt-sign:
-    needs:
-      - build-binaries
-    runs-on:
-      - self-hosted
-      - Linux
-      - X64
-    strategy:
-      fail-fast: false
-    steps:
-      - name: Sign APT repository on trixie
-        run: |
-          export AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_APT }}
-          export AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_KEY_APT }}
-          export AWS_REGION=eu-north-1
-          sudo apt update -y
-          sudo apt install -y awscli curl jq
-
-          for DIST in trixie; do
-            aws s3 cp s3://apt.defguard.net/dists/${DIST}/Release .
-            
-            curl -X POST "${{ secrets.DEFGUARD_SIGNING_URL }}?signature_type=both" \
-              -H "Authorization: Bearer ${{ secrets.DEFGUARD_SIGNING_API_KEY }}" \
-              -F "file=@Release" \
-              -o response.json
-            
-            cat response.json | jq -r '.files["Release.gpg"].content' | base64 --decode > Release.gpg
-            cat response.json | jq -r '.files.Release.content' | base64 --decode > InRelease
-            
-            aws s3 cp Release.gpg s3://apt.defguard.net/dists/${DIST}/ --acl public-read
-            aws s3 cp InRelease s3://apt.defguard.net/dists/${DIST}/ --acl public-read
-            
-          done
-          (aws s3 ls s3://apt.defguard.net/dists/ --recursive; aws s3 ls s3://apt.defguard.net/pool/ --recursive) | awk '{print "<a href=\""$4"\">"$4"</a><br>"}' > index.html
-          aws s3 cp index.html s3://apt.defguard.net/ --acl public-read

From af23f2d9fd4f9501b416818109801206cf41aa71 Mon Sep 17 00:00:00 2001
From: jakub-tldr <78603704+jakub-tldr@users.noreply.github.com>
Date: Fri, 9 Jan 2026 10:47:36 +0100
Subject: [PATCH 2/2] Update package with vulnerability

---
 web/package.json   |  2 +-
 web/pnpm-lock.yaml | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/web/package.json b/web/package.json
index ebc6adc..0fd7c6e 100644
--- a/web/package.json
+++ b/web/package.json
@@ -30,7 +30,7 @@
     "lodash-es": "^4.17.21",
     "motion": "^12.23.25",
     "qrcode.react": "^4.2.0",
-    "qs": "^6.14.0",
+    "qs": "^6.14.1",
     "react": "^19.2.1",
     "react-dom": "^19.2.1",
     "react-markdown": "^10.1.0",
diff --git a/web/pnpm-lock.yaml b/web/pnpm-lock.yaml
index fe3a4be..3cd53a9 100644
--- a/web/pnpm-lock.yaml
+++ b/web/pnpm-lock.yaml
@@ -60,8 +60,8 @@ importers:
         specifier: ^4.2.0
         version: 4.2.0(react@19.2.1)
       qs:
-        specifier: ^6.14.0
-        version: 6.14.0
+        specifier: ^6.14.1
+        version: 6.14.1
       react:
         specifier: ^19.2.1
         version: 19.2.1
@@ -2545,8 +2545,8 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
-  qs@6.14.0:
-    resolution: {integrity: sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==}
+  qs@6.14.1:
+    resolution: {integrity: sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==}
     engines: {node: '>=0.6'}
 
   queue-microtask@1.2.3:
@@ -5386,7 +5386,7 @@ snapshots:
     dependencies:
       react: 19.2.1
 
-  qs@6.14.0:
+  qs@6.14.1:
     dependencies:
       side-channel: 1.1.0