From 7ba8eff6164c0e64b47c8b4ad59d5edc6303ee66 Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia
Date: Wed, 6 May 2026 12:11:24 +0200
Subject: [PATCH 1/2] fix: exclude static assets from middleware matcher

The proxy middleware intercepted requests to public static files (e.g. /bg-pattern.png on the signin page), causing a broken image icon. Extend the matcher regex to skip common image extensions. Backport of stacklok/stacklok-enterprise-platform#746.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/proxy.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/proxy.ts b/src/proxy.ts
index fd84bbd0..1a846637 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -16,5 +16,7 @@ export function proxy(request: NextRequest) {
 
 export const config = {
 // Run on all routes except Next.js internals and static assets
- matcher: ["/((?!_next/static|_next/image|favicon.ico).*)"],
+ matcher: [
+ "/((?!_next/static|_next/image|favicon\\.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+ ],
 };
From 26f82cc9de74568586f2512eb91b704a1a801d49 Mon Sep 17 00:00:00 2001
From: Giuseppe Scuglia
Date: Wed, 6 May 2026 12:17:31 +0200
Subject: [PATCH 2/2] fix: add ip-address override to resolve GHSA-v2v4-37r5-5v8g
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Transitive dep ip-address@10.1.0 (via @modelcontextprotocol/sdk → express-rate-limit) has a medium severity vulnerability. Override to >=10.1.1 resolves the Grype and pnpm audit failures.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 package.json | 3 ++-
 pnpm-lock.yaml | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index 1b440c27..a7de8aa0 100644
--- a/package.json
+++ b/package.json
@@ -127,7 +127,8 @@
 "yaml": ">=2.8.3",
 "path-to-regexp@>=8.0.0 <8.4.0": "8.4.0",
 "path-to-regexp@>=0.1.0 <0.1.13": "0.1.13",
- "postcss": ">=8.5.10"
+ "postcss": ">=8.5.10",
+ "ip-address": ">=10.1.1"
 }
 }
 }
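Review bot: The new exclusion in `matcher` (src/proxy.ts) is keyed on the URL suffix rather than on the `public/` directory, so every request whose path ends in `.svg`, `.png`, `.jpg`, `.jpeg`, `.gif` or `.webp` now skips `proxy()` entirely, including any route handler or dynamic route that happens to be served at such a URL. The body of `proxy()` is outside this hunk; if it enforces authentication or sets security headers, those no longer apply to these paths, so nothing served there may rely on the proxy as its only check. I would record that next to the pattern, e.g. `// NOTE: any path ending in these extensions bypasses proxy(); never serve protected content at such URLs`, or narrow the exclusion to the known public asset paths. The existing comment "static assets" reads as if only files are skipped, which the regex does not guarantee.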
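Review bot: The `"ip-address": ">=10.1.1"` override in package.json is unscoped and open-ended, unlike the two `path-to-regexp@<range>` entries just above it: it applies to every dependent and has no upper bound, which is why the lockfile in this same patch resolves to 10.2.0 rather than 10.1.1, and a later lockfile refresh could pull a new major of this transitive dependency. Consider matching only the affected versions and staying within the major, e.g. `"ip-address@<10.1.1": "^10.1.1"`. Since package.json cannot carry a comment, the advisory id in the commit message is the only record of why the override exists; it should be dropped once `express-rate-limit` depends on a fixed release.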
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index cf4109b0..d9a26d69 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -20,6 +20,7 @@ overrides: path-to-regexp@>=8.0.0 <8.4.0: 8.4.0 path-to-regexp@>=0.1.0 <0.1.13: 0.1.13 postcss: '>=8.5.10' + ip-address: '>=10.1.1' importers: @@ -2731,8 +2732,8 @@ packages: inline-style-parser@0.2.7: resolution: {integrity: sha512-Nb2ctOyNR8DqQoR0OwRG95uNWIC0C1lCgf5Naz5H6Ji72KZ8OcFZLz2P5sNgwlyoJ8Yif11oMuYs5pBQa86csA==} - ip-address@10.1.0: - resolution: {integrity: sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==} + ip-address@10.2.0: + resolution: {integrity: sha512-/+S6j4E9AHvW9SWMSEY9Xfy66O5PWvVEJ08O0y5JGyEKQpojb0K0GKpz/v5HJ/G0vi3D2sjGK78119oXZeE0qA==} engines: {node: '>= 12'} ipaddr.js@1.9.1: @@ -6305,7 +6306,7 @@ snapshots: express-rate-limit@8.3.1(express@5.2.1): dependencies: express: 5.2.1 - ip-address: 10.1.0 + ip-address: 10.2.0 express@4.22.1: dependencies: @@ -6630,7 +6631,7 @@ snapshots: inline-style-parser@0.2.7: {} - ip-address@10.1.0: {} + ip-address@10.2.0: {} ipaddr.js@1.9.1: {}