chore(deps): Pin dependencies

fix(downloads): Use mediaSource.Id instead of item.Id in direct download URL (#1666 )
Co-authored-by: lance chant <13349722+lancechant@users.noreply.github.com> Co-authored-by: Gauvain <contact@uruk.dev>
2026-06-08 15:08:40 +01:00 · 2026-06-08 13:09:47 +00:00 · 2026-06-08 14:59:29 +02:00 · 2026-06-08 14:05:23 +02:00
4 changed files with 67 additions and 5 deletions
--- a/.github/workflows/trivy-scan.yml
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,60 @@
+name: 🛡️ Trivy Security Scan
+
+# Filesystem scan (Streamyfin ships no container image): finds vulnerable dependencies,
+# leaked secrets and misconfigurations, and reports them to GitHub code scanning.
+# Runs post-merge + weekly (not on PRs — dependency-review already gates PRs, and SARIF
+# upload needs a write token that fork PRs don't get).
+on:
+  push:
+    branches: [develop, master]
+  schedule:
+    - cron: "50 7 * * 5" # Weekly, Friday 07:50 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: trivy-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: 🔎 Filesystem scan
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write # upload SARIF to code scanning
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # Rotate the DB cache weekly (matches the scheduled scan): cache hits within the week
+      # instead of a fresh immutable entry per run, still refreshing the DB every week.
+      - name: 🗓️ Compute weekly Trivy cache key
+        id: trivy-cache-key
+        run: echo "value=trivy-db-${{ runner.os }}-$(date -u +%G-%V)" >> "$GITHUB_OUTPUT"
+
+      - name: 💾 Cache Trivy vulnerability DB
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        with:
+          path: ~/.cache/trivy
+          key: ${{ steps.trivy-cache-key.outputs.value }}
+          restore-keys: trivy-db-${{ runner.os }}-
+
+      - name: 🔎 Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          scanners: vuln,secret,misconfig
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: 📤 Upload results to code scanning
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        with:
+          sarif_file: trivy-results.sarif
+          category: trivy-fs
--- a/bun.lock
+++ b/bun.lock
@@ -105,7 +105,7 @@
        "@react-native-tvos/config-tv": "0.1.6",
        "@types/jest": "29.5.14",
        "@types/lodash": "4.17.24",
-        "@types/react": "~19.2.10",
+        "@types/react": "19.2.17",
        "@types/react-test-renderer": "19.1.0",
        "cross-env": "10.1.0",
        "expo-doctor": "1.19.7",
@@ -605,7 +605,7 @@

    "@types/node": ["@types/node@18.19.130", "", { "dependencies": { "undici-types": "~5.26.4" } }, "sha512-GRaXQx6jGfL8sKfaIDD6OupbIHBr9jv7Jnaml9tB7l4v068PAOXqfcujMMo5PhbIs6ggR1XODELqahT2R8v0fg=="],

-    "@types/react": ["@types/react@19.2.15", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-eRwcGNHve+E8qtEQSSRl6urh+rFop4v8gm6O8rGv25CodbvFdLjA1vVQ1KkiFE0w0UPOnb8tDiFKL5lp0rtY5Q=="],
+    "@types/react": ["@types/react@19.2.17", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-MXfmqaVPEVgkBT/aY0aGCkRWWtByiYQXo3xdQ8r5RzuFrPiRn8Gar2tQdXSUQ2GKV3bkXckek89V8wQBY2Q/Aw=="],

    "@types/react-test-renderer": ["@types/react-test-renderer@19.1.0", "", { "dependencies": { "@types/react": "*" } }, "sha512-XD0WZrHqjNrxA/MaR9O22w/RNidWR9YZmBdRGI7wcnWGrv/3dA8wKCJ8m63Sn+tLJhcjmuhOi629N66W6kgWzQ=="],

@@ -1599,7 +1599,7 @@

    "react-native-text-ticker": ["react-native-text-ticker@1.15.0", "", {}, "sha512-d/uK+PIOhsYMy1r8h825iq/nADiHsabz3WMbRJSnkpQYn+K9aykUAXRRhu8ZbTAzk4CgnUWajJEFxS5ZDygsdg=="],

-    "react-native-track-player": ["react-native-track-player@github:lovegaoshi/react-native-track-player#33a3ecd", { "peerDependencies": { "react": "*", "react-native": "*", "react-native-windows": "*", "shaka-player": "^4.7.9" }, "optionalPeers": ["react-native-windows", "shaka-player"] }, "lovegaoshi-react-native-track-player-33a3ecd"],
+    "react-native-track-player": ["react-native-track-player@github:lovegaoshi/react-native-track-player#33a3ecd", { "peerDependencies": { "react": "*", "react-native": "*", "react-native-windows": "*", "shaka-player": "^4.7.9" }, "optionalPeers": ["react-native-windows", "shaka-player"] }, "lovegaoshi-react-native-track-player-33a3ecd", "sha512-vfkld2jUj7EPkAjIc/Vbx4Q4MtOOLmYtCYCE2dWJsyLnPqgj1f0xVzBxbeVP7dfT+eSh4KIXfdxESXaHgrXIlw=="],

    "react-native-udp": ["react-native-udp@4.1.7", "", { "dependencies": { "buffer": "^5.6.0", "events": "^3.1.0" } }, "sha512-NUE3zewu61NCdSsLlj+l0ad6qojcVEZPT4hVG/x6DU9U4iCzwtfZSASh9vm7teAcVzLkdD+cO3411LHshAi/wA=="],

@@ -2019,6 +2019,8 @@

    "@testing-library/dom/pretty-format": ["pretty-format@27.5.1", "", { "dependencies": { "ansi-regex": "^5.0.1", "ansi-styles": "^5.0.0", "react-is": "^17.0.1" } }, "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ=="],

+    "@types/react-test-renderer/@types/react": ["@types/react@19.2.15", "", { "dependencies": { "csstype": "^3.2.2" } }, "sha512-eRwcGNHve+E8qtEQSSRl6urh+rFop4v8gm6O8rGv25CodbvFdLjA1vVQ1KkiFE0w0UPOnb8tDiFKL5lp0rtY5Q=="],
+
    "accepts/negotiator": ["negotiator@0.6.3", "", {}, "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg=="],

    "ansi-fragments/slice-ansi": ["slice-ansi@2.1.0", "", { "dependencies": { "ansi-styles": "^3.2.0", "astral-regex": "^1.0.0", "is-fullwidth-code-point": "^2.0.0" } }, "sha512-Qu+VC3EwYLldKa1fCxuuvULvSJOKEgk9pi8dZeCVK7TqBfUNTH4sFkk4joj8afVSfAYgJoSOetjx9QWOJ5mYoQ=="],
--- a/package.json
+++ b/package.json
@@ -126,7 +126,7 @@
    "@react-native-tvos/config-tv": "0.1.6",
    "@types/jest": "29.5.14",
    "@types/lodash": "4.17.24",
-    "@types/react": "~19.2.10",
+    "@types/react": "19.2.17",
    "@types/react-test-renderer": "19.1.0",
    "cross-env": "10.1.0",
    "expo-doctor": "1.19.7",
--- a/utils/jellyfin/media/getDownloadUrl.ts
+++ b/utils/jellyfin/media/getDownloadUrl.ts
@@ -50,7 +50,7 @@ export const getDownloadUrl = async ({
  if (maxBitrate.key === "Max" && !streamDetails?.mediaSource?.TranscodingUrl) {
    console.log("Downloading item directly");
    return {
-      url: `${api.basePath}/Items/${item.Id}/Download?api_key=${api.accessToken}`,
+      url: `${api.basePath}/Items/${mediaSource.Id}/Download?api_key=${api.accessToken}`,
      mediaSource: streamDetails?.mediaSource ?? null,
    };
  }
Author	SHA1	Message	Date
renovate[bot]	34cee0293a	chore(deps): Pin dependencies	2026-06-08 13:09:47 +00:00
boolemancer	1685571406	fix(downloads): Use mediaSource.Id instead of item.Id in direct download URL (#1666 ) Some checks are pending 🏗️ Build Apps / 🤖 Build Android APK (Phone) (push) Waiting to run Details 🏗️ Build Apps / 🤖 Build Android APK (TV) (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build iOS IPA (Phone) (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build iOS IPA (Phone - Unsigned) (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build tvOS IPA (push) Waiting to run Details 🏗️ Build Apps / 🍎 Build tvOS IPA (Unsigned) (push) Waiting to run Details 🔒 Lockfile Consistency Check / 🔍 Check bun.lock and package.json consistency (push) Waiting to run Details 🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (actions) (push) Waiting to run Details 🛡️ CodeQL Analysis / 🔎 Analyze with CodeQL (javascript-typescript) (push) Waiting to run Details 🏷️🔀Merge Conflict Labeler / 🏷️ Labeling Merge Conflicts (push) Waiting to run Details 🌐 Translation Sync / sync-translations (push) Waiting to run Details 🚦 Security & Quality Gate / 📝 Validate PR Title (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Vulnerable Dependencies (push) Waiting to run Details 🚦 Security & Quality Gate / 🚑 Expo Doctor Check (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (check) (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (format) (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (lint) (push) Waiting to run Details 🚦 Security & Quality Gate / 🔍 Lint & Test (typecheck) (push) Waiting to run Details 🛡️ Trivy Security Scan / 🔎 Filesystem scan (push) Waiting to run Details Co-authored-by: lance chant <13349722+lancechant@users.noreply.github.com> Co-authored-by: Gauvain <contact@uruk.dev>	2026-06-08 14:59:29 +02:00
Gauvain	36ed7539a2	ci(security): add Trivy filesystem scan to code scanning (#1644 )	2026-06-08 14:05:23 +02:00