Bump docker/login-action from 3.7.0 to 4.0.0

Bumps [docker/login-action](https://github.com/docker/login-action) from 3.7.0 to 4.0.0.
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](c94ce9fb46...b45d80f862)

---
updated-dependencies:
- dependency-name: docker/login-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/cicd.yml

@@ -77,7 +77,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -149,7 +149,7 @@ jobs:
                   fi
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -204,7 +204,7 @@ jobs:
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             - name: Log in to Docker Hub
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                   registry: docker.io
                   username: ${{ secrets.DOCKER_HUB_USERNAME }}
@@ -407,7 +407,7 @@ jobs:
               shell: bash
 
             - name: Login to GitHub Container Registry (for cosign)
-              uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+              uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
               with:
                 registry: ghcr.io
                 username: ${{ github.actor }}

messages/en-US.json

@@ -2343,8 +2343,8 @@
     "logRetentionEndOfFollowingYear": "End of following year",
     "actionLogsDescription": "View a history of actions performed in this organization",
     "accessLogsDescription": "View access auth requests for resources in this organization",
-    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "licenseRequiredToUse": "An <enterpriseLicenseLink>Enterprise Edition</enterpriseLicenseLink> license or <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink> is required to use this feature.",
-    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>. <bookADemoLink>Book a demo or POC trial</bookADemoLink>.",
+    "ossEnterpriseEditionRequired": "The <enterpriseEditionLink>Enterprise Edition</enterpriseEditionLink> is required to use this feature. This feature is also available in <pangolinCloudLink>Pangolin Cloud</pangolinCloudLink>.",
     "certResolver": "Certificate Resolver",
     "certResolverDescription": "Select the certificate resolver to use for this resource.",
     "selectCertResolver": "Select Certificate Resolver",

package.json

@@ -33,7 +33,7 @@
     },
     "dependencies": {
         "@asteasolutions/zod-to-openapi": "8.4.1",
-        "@aws-sdk/client-s3": "3.1004.0",
+        "@aws-sdk/client-s3": "3.989.0",
         "@faker-js/faker": "10.3.0",
         "@headlessui/react": "2.2.9",
         "@hookform/resolvers": "5.2.2",
@@ -80,16 +80,16 @@
         "d3": "7.9.0",
         "drizzle-orm": "0.45.1",
         "express": "5.2.1",
-        "express-rate-limit": "8.3.0",
+        "express-rate-limit": "8.2.2",
         "glob": "13.0.6",
         "helmet": "8.1.0",
         "http-errors": "2.0.1",
         "input-otp": "1.4.2",
-        "ioredis": "5.10.0",
+        "ioredis": "5.9.3",
         "jmespath": "0.16.0",
         "js-yaml": "4.1.1",
         "jsonwebtoken": "9.0.3",
-        "lucide-react": "0.577.0",
+        "lucide-react": "0.563.0",
         "maxmind": "5.0.5",
         "moment": "2.30.1",
         "next": "15.5.12",
@@ -99,21 +99,21 @@
         "node-cache": "5.1.2",
         "nodemailer": "8.0.1",
         "oslo": "1.2.1",
-        "pg": "8.20.0",
+        "pg": "8.19.0",
-        "posthog-node": "5.28.0",
+        "posthog-node": "5.26.0",
         "qrcode.react": "4.2.0",
         "react": "19.2.4",
-        "react-day-picker": "9.14.0",
+        "react-day-picker": "9.13.2",
         "react-dom": "19.2.4",
         "react-easy-sort": "1.8.0",
         "react-hook-form": "7.71.2",
-        "react-icons": "5.6.0",
+        "react-icons": "5.5.0",
         "recharts": "2.15.4",
-        "reodotdev": "1.1.0",
+        "reodotdev": "1.0.0",
         "resend": "6.9.2",
         "semver": "7.7.4",
         "sshpk": "^1.18.0",
-        "stripe": "20.4.1",
+        "stripe": "20.3.1",
         "swagger-ui-express": "5.0.1",
         "tailwind-merge": "3.5.0",
         "topojson-client": "3.1.0",
@@ -131,10 +131,10 @@
         "zod-validation-error": "5.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.54.1",
+        "@dotenvx/dotenvx": "1.52.0",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
         "@react-email/preview-server": "5.2.8",
-        "@tailwindcss/postcss": "4.2.1",
+        "@tailwindcss/postcss": "4.1.18",
         "@tanstack/react-query-devtools": "5.91.3",
         "@types/better-sqlite3": "7.6.13",
         "@types/cookie-parser": "1.4.10",
@@ -146,10 +146,10 @@
         "@types/jmespath": "0.15.2",
         "@types/js-yaml": "4.0.9",
         "@types/jsonwebtoken": "9.0.10",
-        "@types/node": "25.3.5",
+        "@types/node": "25.2.3",
         "@types/nodemailer": "7.0.11",
         "@types/nprogress": "0.2.3",
-        "@types/pg": "8.18.0",
+        "@types/pg": "8.16.0",
         "@types/react": "19.2.14",
         "@types/react-dom": "19.2.3",
         "@types/semver": "7.7.1",
@@ -167,14 +167,10 @@
         "postcss": "8.5.6",
         "prettier": "3.8.1",
         "react-email": "5.2.8",
-        "tailwindcss": "4.2.1",
+        "tailwindcss": "4.1.18",
         "tsc-alias": "1.8.16",
         "tsx": "4.21.0",
         "typescript": "5.9.3",
-        "typescript-eslint": "8.56.1"
+        "typescript-eslint": "8.55.0"
-    },
-    "overrides": {
-        "esbuild": "0.27.3",
-        "dompurify": "3.3.2"
     }
 }

server/db/pg/schema/privateSchema.ts

@@ -328,14 +328,6 @@ export const approvals = pgTable("approvals", {
         .notNull()
 });
 
-export const bannedEmails = pgTable("bannedEmails", {
-    email: varchar("email", { length: 255 }).primaryKey(),
-});
-
-export const bannedIps = pgTable("bannedIps", {
-    ip: varchar("ip", { length: 255 }).primaryKey(),
-});
-
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;

server/db/sqlite/schema/privateSchema.ts

@@ -318,15 +318,6 @@ export const approvals = sqliteTable("approvals", {
         .notNull()
 });
 
-
-export const bannedEmails = sqliteTable("bannedEmails", {
-    email: text("email").primaryKey()
-});
-
-export const bannedIps = sqliteTable("bannedIps", {
-    ip: text("ip").primaryKey()
-});
-
 export type Approval = InferSelectModel<typeof approvals>;
 export type Limit = InferSelectModel<typeof limits>;
 export type Account = InferSelectModel<typeof account>;

server/lib/deleteOrg.ts

@@ -85,7 +85,9 @@ export async function deleteOrgById(
                         deletedNewtIds.push(deletedNewt.newtId);
                         await trx
                             .delete(newtSessions)
-                            .where(eq(newtSessions.newtId, deletedNewt.newtId));
+                            .where(
+                                eq(newtSessions.newtId, deletedNewt.newtId)
+                            );
                     }
                 }
             }
@@ -119,38 +121,33 @@ export async function deleteOrgById(
                     eq(clientSitesAssociationsCache.clientId, client.clientId)
                 );
         }
-
-        await trx.delete(resources).where(eq(resources.orgId, orgId));
-
         const allOrgDomains = await trx
             .select()
             .from(orgDomains)
-            .innerJoin(domains, eq(orgDomains.domainId, domains.domainId))
+            .innerJoin(domains, eq(domains.domainId, orgDomains.domainId))
             .where(
                 and(
                     eq(orgDomains.orgId, orgId),
                     eq(domains.configManaged, false)
                 )
             );
-        logger.info(`Found ${allOrgDomains.length} domains to delete`);
         const domainIdsToDelete: string[] = [];
         for (const orgDomain of allOrgDomains) {
             const domainId = orgDomain.domains.domainId;
-            const [orgCount] = await trx
+            const orgCount = await trx
-                .select({ count: count() })
+                .select({ count: sql<number>`count(*)` })
                 .from(orgDomains)
                 .where(eq(orgDomains.domainId, domainId));
-            logger.info(`Found ${orgCount.count} orgs using domain ${domainId}`);
+            if (orgCount[0].count === 1) {
-            if (orgCount.count === 1) {
                 domainIdsToDelete.push(domainId);
             }
         }
-        logger.info(`Found ${domainIdsToDelete.length} domains to delete`);
         if (domainIdsToDelete.length > 0) {
             await trx
                 .delete(domains)
                 .where(inArray(domains.domainId, domainIdsToDelete));
         }
+        await trx.delete(resources).where(eq(resources.orgId, orgId));
 
         await usageService.add(orgId, FeatureId.ORGINIZATIONS, -1, trx); // here we are decreasing the org count BEFORE deleting the org because we need to still be able to get the org to get the billing org inside of here
 
@@ -234,13 +231,15 @@ export function sendTerminationMessages(result: DeleteOrgByIdResult): void {
         );
     }
     for (const olmId of result.olmsToTerminate) {
-        sendTerminateClient(0, OlmErrorCodes.TERMINATED_REKEYED, olmId).catch(
+        sendTerminateClient(
-            (error) => {
+            0,
-                logger.error(
+            OlmErrorCodes.TERMINATED_REKEYED,
-                    "Failed to send termination message to olm:",
+            olmId
-                    error
+        ).catch((error) => {
-                );
+            logger.error(
-            }
+                "Failed to send termination message to olm:",
-        );
+                error
+            );
+        });
     }
 }

server/lib/rebuildClientAssociations.ts

@@ -571,7 +571,7 @@ export async function updateClientSiteDestinations(
                 destinations: [
                     {
                         destinationIP: site.sites.subnet.split("/")[0],
-                        destinationPort: site.sites.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                        destinationPort: site.sites.listenPort || 0
                     }
                 ]
             };
@@ -579,7 +579,7 @@ export async function updateClientSiteDestinations(
             // add to the existing destinations
             destinations.destinations.push({
                 destinationIP: site.sites.subnet.split("/")[0],
-                destinationPort: site.sites.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                destinationPort: site.sites.listenPort || 0
             });
         }
 

server/lib/traefik/TraefikConfigManager.ts

@@ -218,11 +218,10 @@ export class TraefikConfigManager {
             return true;
         }
 
+        // Fetch if it's been more than 24 hours (for renewals)
         const dayInMs = 24 * 60 * 60 * 1000;
         const timeSinceLastFetch =
             Date.now() - this.lastCertificateFetch.getTime();
-
-        // Fetch if it's been more than 24 hours (daily routine check)
         if (timeSinceLastFetch > dayInMs) {
             logger.info("Fetching certificates due to 24-hour renewal check");
             return true;
@@ -266,7 +265,7 @@ export class TraefikConfigManager {
             return true;
         }
 
-        // Check if any local certificates are missing (needs immediate fetch)
+        // Check if any local certificates are missing or appear to be outdated
         for (const domain of domainsNeedingCerts) {
             const localState = this.lastLocalCertificateState.get(domain);
             if (!localState || !localState.exists) {
@@ -275,55 +274,17 @@ export class TraefikConfigManager {
                 );
                 return true;
             }
-        }
 
-        // For expiry checks, throttle to every 6 hours to avoid querying the
+            // Check if certificate is expiring soon (within 30 days)
-        // API/DB on every monitor loop. The certificate-service renews certs
+            if (localState.expiresAt) {
-        // 45 days before expiry, so checking every 6 hours is plenty frequent
+                const nowInSeconds = Math.floor(Date.now() / 1000);
-        // to pick up renewed certs promptly.
+                const secondsUntilExpiry = localState.expiresAt - nowInSeconds;
-        const renewalCheckIntervalMs = 6 * 60 * 60 * 1000; // 6 hours
+                const daysUntilExpiry = secondsUntilExpiry / (60 * 60 * 24);
-        if (timeSinceLastFetch > renewalCheckIntervalMs) {
+                if (daysUntilExpiry < 30) {
-            // Check non-wildcard certs for expiry (within 45 days to match
+                    logger.info(
-            // the server-side renewal window in certificate-service)
+                        `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
-            for (const domain of domainsNeedingCerts) {
+                    );
-                const localState =
+                    return true;
-                    this.lastLocalCertificateState.get(domain);
-                if (localState?.expiresAt) {
-                    const nowInSeconds = Math.floor(Date.now() / 1000);
-                    const secondsUntilExpiry =
-                        localState.expiresAt - nowInSeconds;
-                    const daysUntilExpiry =
-                        secondsUntilExpiry / (60 * 60 * 24);
-                    if (daysUntilExpiry < 45) {
-                        logger.info(
-                            `Fetching certificates due to upcoming expiry for ${domain} (${Math.round(daysUntilExpiry)} days remaining)`
-                        );
-                        return true;
-                    }
-                }
-            }
-
-            // Also check wildcard certificates for expiry. These are not
-            // included in domainsNeedingCerts since their subdomains are
-            // filtered out, so we must check them separately.
-            for (const [certDomain, state] of this
-                .lastLocalCertificateState) {
-                if (
-                    state.exists &&
-                    state.wildcard &&
-                    state.expiresAt
-                ) {
-                    const nowInSeconds = Math.floor(Date.now() / 1000);
-                    const secondsUntilExpiry =
-                        state.expiresAt - nowInSeconds;
-                    const daysUntilExpiry =
-                        secondsUntilExpiry / (60 * 60 * 24);
-                    if (daysUntilExpiry < 45) {
-                        logger.info(
-                            `Fetching certificates due to upcoming expiry for wildcard cert ${certDomain} (${Math.round(daysUntilExpiry)} days remaining)`
-                        );
-                        return true;
-                    }
                 }
             }
         }
@@ -400,32 +361,6 @@ export class TraefikConfigManager {
                         }
                     }
 
-                    // Also include wildcard cert base domains that are
-                    // expiring or expired so they get re-fetched even though
-                    // their subdomains were filtered out above.
-                    for (const [certDomain, state] of this
-                        .lastLocalCertificateState) {
-                        if (
-                            state.exists &&
-                            state.wildcard &&
-                            state.expiresAt
-                        ) {
-                            const nowInSeconds = Math.floor(
-                                Date.now() / 1000
-                            );
-                            const secondsUntilExpiry =
-                                state.expiresAt - nowInSeconds;
-                            const daysUntilExpiry =
-                                secondsUntilExpiry / (60 * 60 * 24);
-                            if (daysUntilExpiry < 45) {
-                                domainsToFetch.add(certDomain);
-                                logger.info(
-                                    `Including expiring wildcard cert domain ${certDomain} in fetch (${Math.round(daysUntilExpiry)} days remaining)`
-                                );
-                            }
-                        }
-                    }
-
                     if (domainsToFetch.size > 0) {
                         // Get valid certificates for domains not covered by wildcards
                         validCertificates =

server/routers/auth/signup.ts

@@ -1,5 +1,5 @@
 import { NextFunction, Request, Response } from "express";
-import { bannedEmails, bannedIps, db, users } from "@server/db";
+import { db, users } from "@server/db";
 import HttpCode from "@server/types/HttpCode";
 import { email, z } from "zod";
 import { fromError } from "zod-validation-error";
@@ -66,30 +66,6 @@ export async function signup(
         skipVerificationEmail
     } = parsedBody.data;
 
-    const [bannedEmail] = await db
-        .select()
-        .from(bannedEmails)
-        .where(eq(bannedEmails.email, email))
-        .limit(1);
-    if (bannedEmail) {
-        return next(
-            createHttpError(HttpCode.FORBIDDEN, "Signup blocked. Do not attempt to continue to use this service.")
-        );
-    }
-
-    if (req.ip) {
-        const [bannedIp] = await db
-            .select()
-            .from(bannedIps)
-            .where(eq(bannedIps.ip, req.ip))
-            .limit(1);
-        if (bannedIp) {
-            return next(
-                createHttpError(HttpCode.FORBIDDEN, "Signup blocked. Do not attempt to continue to use this service.")
-            );
-        }
-    }
-
     const passwordHash = await hashPassword(password);
     const userId = generateId(15);
 

server/routers/gerbil/getAllRelays.ts

@@ -125,7 +125,7 @@ export async function generateRelayMappings(exitNode: ExitNode) {
             // Add site as a destination for this client
             const destination: PeerDestination = {
                 destinationIP: site.subnet.split("/")[0],
-                destinationPort: site.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                destinationPort: site.listenPort
             };
 
             // Check if this destination is already in the array to avoid duplicates
@@ -165,7 +165,7 @@ export async function generateRelayMappings(exitNode: ExitNode) {
 
                 const destination: PeerDestination = {
                     destinationIP: peer.subnet.split("/")[0],
-                    destinationPort: peer.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                    destinationPort: peer.listenPort
                 };
 
                 // Check for duplicates

server/routers/gerbil/updateHolePunch.ts

@@ -262,7 +262,7 @@ export async function updateAndGenerateEndpointDestinations(
             if (site.subnet && site.listenPort) {
                 destinations.push({
                     destinationIP: site.subnet.split("/")[0],
-                    destinationPort: site.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                    destinationPort: site.listenPort
                 });
             }
         }

server/routers/newt/handleGetConfigMessage.ts

@@ -104,11 +104,11 @@ export const handleGetConfigMessage: MessageHandler = async (context) => {
             const payload = {
                 oldDestination: {
                     destinationIP: existingSite.subnet?.split("/")[0],
-                    destinationPort: existingSite.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                    destinationPort: existingSite.listenPort
                 },
                 newDestination: {
                     destinationIP: site.subnet?.split("/")[0],
-                    destinationPort: site.listenPort || 1 // this satisfies gerbil for now but should be reevaluated
+                    destinationPort: site.listenPort
                 }
             };
 

src/components/Credenza.tsx

@@ -84,7 +84,7 @@ const CredenzaContent = ({ className, children, ...props }: CredenzaProps) => {
     return (
         <CredenzaContent
             className={cn(
-                "overflow-y-auto max-h-[100dvh] md:max-h-[calc(100vh-clamp(3rem,24vh,400px))] md:top-[clamp(1.5rem,12vh,200px)] md:translate-y-0",
+                "overflow-y-auto max-h-[100dvh] md:max-h-screen md:top-[clamp(1.5rem,12vh,200px)] md:translate-y-0",
                 className
             )}
             {...props}

src/components/PaidFeaturesAlert.tsx

@@ -51,7 +51,6 @@ const docsLinkClassName =
 const PANGOLIN_CLOUD_SIGNUP_URL = "https://app.pangolin.net/auth/signup/";
 const ENTERPRISE_DOCS_URL =
     "https://docs.pangolin.net/self-host/enterprise-edition";
-const BOOK_A_DEMO_URL = "https://click.fossorial.io/ep922";
 
 function getTierLinkRenderer(billingHref: string) {
     return function tierLinkRenderer(chunks: React.ReactNode) {
@@ -79,22 +78,6 @@ function getPangolinCloudLinkRenderer() {
     };
 }
 
-function getBookADemoLinkRenderer() {
-    return function bookADemoLinkRenderer(chunks: React.ReactNode) {
-        return (
-            <Link
-                href={BOOK_A_DEMO_URL}
-                target="_blank"
-                rel="noopener noreferrer"
-                className={docsLinkClassName}
-            >
-                {chunks}
-                <ExternalLink className="size-3.5 shrink-0" />
-            </Link>
-        );
-    };
-}
-
 function getDocsLinkRenderer(href: string) {
     return function docsLinkRenderer(chunks: React.ReactNode) {
         return (
@@ -133,7 +116,6 @@ export function PaidFeaturesAlert({ tiers }: Props) {
     const tierLinkRenderer = getTierLinkRenderer(billingHref);
     const pangolinCloudLinkRenderer = getPangolinCloudLinkRenderer();
     const enterpriseDocsLinkRenderer = getDocsLinkRenderer(ENTERPRISE_DOCS_URL);
-    const bookADemoLinkRenderer = getBookADemoLinkRenderer();
 
     if (env.flags.disableEnterpriseFeatures) {
         return null;
@@ -175,8 +157,7 @@ export function PaidFeaturesAlert({ tiers }: Props) {
                                 {t.rich("licenseRequiredToUse", {
                                     enterpriseLicenseLink:
                                         enterpriseDocsLinkRenderer,
-                                    pangolinCloudLink: pangolinCloudLinkRenderer,
+                                    pangolinCloudLink: pangolinCloudLinkRenderer
-                                    bookADemoLink: bookADemoLinkRenderer
                                 })}
                             </span>
                         </div>
@@ -193,8 +174,7 @@ export function PaidFeaturesAlert({ tiers }: Props) {
                                 {t.rich("ossEnterpriseEditionRequired", {
                                     enterpriseEditionLink:
                                         enterpriseDocsLinkRenderer,
-                                    pangolinCloudLink: pangolinCloudLinkRenderer,
+                                    pangolinCloudLink: pangolinCloudLinkRenderer
-                                    bookADemoLink: bookADemoLinkRenderer
                                 })}
                             </span>
                         </div>