Bump actions/checkout from 6.0.2 to 7.0.0

Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](de0fac2e45...9c091bb21b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/cicd.yml

@@ -62,7 +62,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Monitor storage space
               run: |
@@ -134,7 +134,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Monitor storage space
               run: |
@@ -201,7 +201,7 @@ jobs:
         timeout-minutes: 30
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Log in to Docker Hub
               uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
@@ -256,7 +256,7 @@ jobs:
 
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Extract tag name
               id: get-tag

.github/workflows/linting.yml

@@ -21,7 +21,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout code
-              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
             - name: Set up Node.js
               uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Install Node
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
@@ -62,7 +62,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Build Docker image sqlite
         run: make dev-build-sqlite
@@ -71,7 +71,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
 
       - name: Build Docker image pg
         run: make dev-build-pg

server/db/sqlite/driver.ts

@@ -1,5 +1,6 @@
 import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
+import type BetterSqlite3 from "better-sqlite3";
 import * as schema from "./schema/schema";
 import path from "path";
 import fs from "fs";
@@ -11,31 +12,68 @@ export const exists = checkFileExists(location);
 
 bootstrapVolume();
 
+/**
+ * Wraps better-sqlite3 Statement to call `finalize()` immediately after
+ * execution, freeing native sqlite3_stmt memory deterministically instead
+ * of waiting for GC. Fixes steady off-heap growth under load (#2120).
+ * WARNING: Finalizes after first execution — incompatible with drizzle's
+ * reusable .prepare() builders. No such usage exists in this codebase.
+ */
+function autoFinalizeStatement(
+    stmt: BetterSqlite3.Statement
+): BetterSqlite3.Statement {
+    const wrapExec = <T extends (...args: any[]) => any>(fn: T): T => {
+        return function (this: any, ...args: any[]) {
+            try {
+                return fn.apply(this, args);
+            } finally {
+                try {
+                    // finalize() exists on the native Statement at runtime but
+                    // is missing from @types/better-sqlite3.
+                    (stmt as any).finalize();
+                } catch {
+                    // Already finalized — harmless
+                }
+            }
+        } as unknown as T;
+    };
+
+    stmt.run = wrapExec(stmt.run);
+    stmt.get = wrapExec(stmt.get);
+    stmt.all = wrapExec(stmt.all);
+
+    return stmt;
+}
+
 function createDb() {
     const sqlite = new Database(location);
 
     if (process.env.ENABLE_SQLITE_WAL_MODE == "true") {
         // Enable WAL mode — allows concurrent readers + single writer, preventing
         // contention across subsystems (verifySession, Traefik, audit, ping).
-        // NOTE: journal_mode persists in the DB file once set; unsetting this
-        // env var does NOT revert an existing WAL database.
         sqlite.pragma("journal_mode = WAL");
         // NORMAL sync mode: safe with WAL, reduces write lock hold time.
         sqlite.pragma("synchronous = NORMAL");
     }
 
-    // No busy_timeout pragma: better-sqlite3 already arms
-    // sqlite3_busy_timeout(db, 5000) via its default `timeout` option
-    // (lib/database.js), so an explicit pragma is redundant.
+    // Wait up to 5s on SQLITE_BUSY instead of failing — prevents audit log
+    // retry loops that accumulate memory.
+    sqlite.pragma("busy_timeout = 5000");
 
-    // Intentionally NOT setting cache_size or mmap_size: a large page cache plus
-    // a multi-hundred-MB mmap region inflate RSS and cause page-cache thrashing
-    // on small (~1 GB) instances. Leave SQLite on its conservative defaults.
+    // 64 MB page cache (default 2 MB) — reduces I/O round-trips on large
+    // TraefikConfigManager JOINs that block the event loop.
+    sqlite.pragma("cache_size = -65536");
 
-    // Intentionally NOT wrapping prepare()/statements: better-sqlite3 finalizes
-    // sqlite3_stmt in the Statement destructor at GC, and drizzle-orm prepares a
-    // fresh statement per query (no statement cache), so statements cannot
-    // accumulate. better-sqlite3 11.x exposes no Statement.finalize() at all.
+    // 256 MB memory-mapped I/O — OS serves reads from page cache directly,
+    // reducing event-loop blocking.
+    sqlite.pragma("mmap_size = 268435456");
+
+    // Wrap prepare() so every drizzle-orm statement is auto-finalized after
+    // first use, preventing sqlite3_stmt accumulation between GC cycles.
+    const originalPrepare = sqlite.prepare.bind(sqlite);
+    (sqlite as any).prepare = function autoFinalizePrepare(source: string) {
+        return autoFinalizeStatement(originalPrepare(source));
+    };
 
     return DrizzleSqlite(sqlite, {
         schema

server/lib/billing/usageService.ts

@@ -12,7 +12,7 @@ import {
 import { FeatureId, getFeatureMeterId } from "./features";
 import logger from "@server/logger";
 import { build } from "@server/build";
-import { regionalCache as cache } from "#dynamic/lib/cache";
+import cache from "#dynamic/lib/cache";
 
 export function noop() {
     if (build !== "saas") {
@@ -22,6 +22,7 @@ export function noop() {
 }
 
 export class UsageService {
+
     constructor() {
         if (noop()) {
             return;
@@ -56,10 +57,7 @@ export class UsageService {
             try {
                 let usage;
                 if (transaction) {
-                    const orgIdToUse = await this.getBillingOrg(
-                        orgId,
-                        transaction
-                    );
+                    const orgIdToUse = await this.getBillingOrg(orgId, transaction);
                     usage = await this.internalAddUsage(
                         orgIdToUse,
                         featureId,

server/lib/blueprints/applyBlueprint.ts

@@ -48,18 +48,18 @@ export async function applyBlueprint({
     name,
     source = "API"
 }: ApplyBlueprintArgs): Promise<Blueprint> {
-    let blueprintSucceeded: boolean = false;
-    let blueprintMessage = "";
-    let error: any | null = null;
-
-    try {
+    // Validate the input data
     const validationResult = ConfigSchema.safeParse(configData);
     if (!validationResult.success) {
         throw new Error(fromError(validationResult.error).toString());
     }
 
     const config: Config = validationResult.data;
+    let blueprintSucceeded: boolean = false;
+    let blueprintMessage: string;
+    let error: any | null = null;
 
+    try {
         let proxyResourcesResults: PublicResourcesResults = [];
         let clientResourcesResults: ClientResourcesResults = [];
         await db.transaction(async (trx) => {

server/lib/validators.test.ts

@@ -1,7 +1,4 @@
-import {
-    getResourceRuleValueValidationError,
-    isValidUrlGlobPattern
-} from "./validators";
+import { isValidUrlGlobPattern } from "./validators";
 import { assertEquals } from "@test/assert";
 
 function runTests() {
@@ -239,43 +236,6 @@ function runTests() {
         "Path with isolated percent sign should be invalid"
     );
 
-    // ASN validation tests
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", "AS15169"),
-        null,
-        "Standard ASN should be valid"
-    );
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", "  As15169  "),
-        null,
-        "Standard ASN should be valid with mixed case and whitespace"
-    );
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", "ALL"),
-        null,
-        "ALL ASN selector should be valid"
-    );
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", " all "),
-        null,
-        "ALL ASN selector should be valid with mixed case and whitespace"
-    );
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", "AS0"),
-        null,
-        "AS0 alias should be valid"
-    );
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", " as0 "),
-        null,
-        "AS0 alias should be valid with mixed case and whitespace"
-    );
-    assertEquals(
-        getResourceRuleValueValidationError("ASN", "not-an-asn"),
-        "Invalid ASN provided",
-        "Invalid ASN should return an error"
-    );
-
     console.log("All tests passed!");
 }
 

server/lib/validators.ts

@@ -100,10 +100,7 @@ export function getResourceRuleValueValidationError(
                 ? null
                 : "Invalid country code provided";
         case "ASN":
-            const normalizedValue = value.trim().toUpperCase();
-            return /^AS\d+$/.test(normalizedValue) ||
-                normalizedValue === "ALL" ||
-                normalizedValue === "AS0"
+            return /^AS\d+$/i.test(value.trim())
                 ? null
                 : "Invalid ASN provided";
         default:

server/private/lib/certificates.ts

@@ -17,7 +17,7 @@ import { certificates, db } from "@server/db";
 import { and, eq, isNotNull, or, inArray, sql } from "drizzle-orm";
 import { decrypt } from "@server/lib/crypto";
 import logger from "@server/logger";
-import { regionalCache as cache } from "#private/lib/cache";
+import cache from "#private/lib/cache";
 import { build } from "@server/build";
 
 // Define the return type for clarity and type safety

server/private/routers/remoteExitNode/listRemoteExitNodes.ts

@@ -22,7 +22,7 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { ListRemoteExitNodesResponse } from "@server/routers/remoteExitNode/types";
-import { regionalCache as cache } from "#private/lib/cache";
+import cache from "#private/lib/cache";
 import semver from "semver";
 
 let stalePangolinNodeVersion: string | null = null;

server/routers/newt/getNewtVersion.ts

@@ -10,7 +10,7 @@ import { verifyPassword } from "@server/auth/password";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
 import logger from "@server/logger";
-import { regionalCache as cache } from "#dynamic/lib/cache";
+import cache from "#dynamic/lib/cache";
 import config from "@server/lib/config";
 
 // Stale-while-revalidate in-memory fallback for the releases API.

server/routers/newt/handleSocketMessages.ts

@@ -2,7 +2,7 @@ import { MessageHandler } from "@server/routers/ws";
 import logger from "@server/logger";
 import { Newt } from "@server/db";
 import { applyNewtDockerBlueprint } from "@server/lib/blueprints/applyNewtDockerBlueprint";
-import cache from "#dynamic/lib/cache"; // not using regional here because we dont know where the site is
+import cache from "#dynamic/lib/cache";
 
 export const handleDockerStatusMessage: MessageHandler = async (context) => {
     const { message, client, sendToClient } = context;

server/routers/olm/handleOlmRegisterMessage.ts

@@ -20,7 +20,7 @@ import { handleFingerprintInsertion } from "./fingerprintingUtils";
 import { build } from "@server/build";
 import { canCompress } from "@server/lib/clientVersionChecks";
 import config from "@server/lib/config";
-import cache from "#dynamic/lib/cache"; // not using regional here because we need this in the register message handler before we know where the client is
+import cache from "#dynamic/lib/cache";
 
 const HOLEPUNCH_STALE_CHAIN_THRESHOLD = 18;
 const HOLEPUNCH_STALE_CHAIN_TTL_SECONDS = 1800;

server/routers/resource/listUserResourceAliases.ts

@@ -15,7 +15,8 @@ import logger from "@server/logger";
 import { z } from "zod";
 import { fromZodError } from "zod-validation-error";
 import type { PaginatedResponse } from "@server/types/Pagination";
-import { regionalCache as cache } from "#dynamic/lib/cache";
+import { OpenAPITags, registry } from "@server/openApi";
+import { localCache } from "#dynamic/lib/cache";
 
 const USER_RESOURCE_ALIASES_CACHE_TTL_SEC = 60;
 
@@ -152,7 +153,7 @@ export async function listUserResourceAliases(
             pageSize
         );
         const cachedData: ListUserResourceAliasesResponse | undefined =
-            await cache.get(cacheKey);
+            localCache.get(cacheKey);
 
         if (cachedData) {
             return response<ListUserResourceAliasesResponse>(res, {
@@ -210,11 +211,7 @@ export async function listUserResourceAliases(
                     page
                 }
             };
-            await cache.set(
-                cacheKey,
-                data,
-                USER_RESOURCE_ALIASES_CACHE_TTL_SEC
-            );
+            localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
             return response<ListUserResourceAliasesResponse>(res, {
                 data,
                 success: true,
@@ -259,7 +256,7 @@ export async function listUserResourceAliases(
                 page
             }
         };
-        await cache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
+        localCache.set(cacheKey, data, USER_RESOURCE_ALIASES_CACHE_TTL_SEC);
 
         return response<ListUserResourceAliasesResponse>(res, {
             data,

server/routers/site/listSites.ts

@@ -14,7 +14,7 @@ import {
     siteLabels,
     type Label
 } from "@server/db";
-import { regionalCache as cache } from "#dynamic/lib/cache";
+import cache from "#dynamic/lib/cache";
 import response from "@server/lib/response";
 import logger from "@server/logger";
 import { OpenAPITags, registry } from "@server/openApi";

src/components/newt-install-commands.tsx

@@ -139,6 +139,7 @@ Restart=always
 RestartSec=2
 UMask=0077
 
+NoNewPrivileges=true
 PrivateTmp=true
 
 [Install]

src/components/resource-policy/policy-access-rule-validation.ts

@@ -83,19 +83,9 @@ export function createPolicyRuleValueSchema(t: TranslateFn, match: string) {
                 { message: t("rulesErrorInvalidCountryDescription") }
             );
         case "ASN":
-            return required.refine(
-                (value) => {
-                    const normalizedValue = value.trim().toUpperCase();
-                    return (
-                        /^AS\d+$/.test(normalizedValue) ||
-                        normalizedValue === "ALL" ||
-                        normalizedValue === "AS0"
-                    );
-                },
-                {
+            return required.refine((value) => /^AS\d+$/i.test(value.trim()), {
                 message: t("rulesErrorInvalidAsnDescription")
-                }
-            );
+            });
         default:
             return required;
     }