Security package update

# ZajLibrary — operations runbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Security package update
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/runbooks/security-package-update/
- shelf: Build & Create
- doc_type: operations runbook
- status: current
- kind: runbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- description: composer/npm audit fix loop — backup, isolated branch, rigorous artisan checks, merge or rollback. Peeled from MWF5.
- tags: codecanyon, laravel, security, composer, npm, audit

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Security package update

**Execute from:** [Vendor updates playbook](/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/) for vendor-owned packages; this runbook is the security-audit fix card.

## When

`composer audit` or `npm audit` reports a vulnerability you intend to fix now.

## Phase 0 — production safety

👤 Create a **Hostinger (or host) backup** in hPanel **before** local changes.

## Local branch + update

```bash
cp composer.lock composer.lock.backup
git checkout develop && git pull
git checkout -b security-update/<package>-$(date +%Y%m%d)

composer update <vendor/package> --with-dependencies
# npm: cp package-lock.json package-lock.json.backup && npm audit fix
```

## Automated gate (all must pass)

```bash
php artisan list > /dev/null && echo OK boots
php artisan route:list > /dev/null && echo OK routes
php artisan config:cache > /dev/null && echo OK config
php artisan view:cache > /dev/null && echo OK views
composer dump-autoload > /dev/null && echo OK autoload
npm run build 2>/dev/null || true
```

If any fails → `git checkout develop && git branch -D security-update/...` and restore lock file.

## Merge + deploy

```bash
git checkout develop && git merge security-update/<branch>
git push origin develop
# Then follow code-test-ship runbook: staging → production
```

Document vendor-owned packages in `_CUSTOMIZATIONS.md` — WF4 vendor merge may conflict.

## Abort if

Any automated check fails · manual smoke test fails · Friday after 3 PM · production backup not confirmed.

## Related

<LinkCard title="Vendor updates playbook" href="/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/" />
<LinkCard title="Code → test → ship" href="/tech-stack/laravel/codecanyon/build/runbooks/code-test-ship/" />

# Security package update

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/runbooks/security-package-update/

**Execute from:** [Vendor updates playbook](/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/) for vendor-owned packages; this runbook is the security-audit fix card.

## When

`composer audit` or `npm audit` reports a vulnerability you intend to fix now.

## Phase 0 — production safety

👤 Create a **Hostinger (or host) backup** in hPanel **before** local changes.

## Local branch + update

```bash
cp composer.lock composer.lock.backup
git checkout develop && git pull
git checkout -b security-update/<package>-$(date +%Y%m%d)

composer update <vendor/package> --with-dependencies
# npm: cp package-lock.json package-lock.json.backup && npm audit fix
```

## Automated gate (all must pass)

```bash
php artisan list > /dev/null && echo OK boots
php artisan route:list > /dev/null && echo OK routes
php artisan config:cache > /dev/null && echo OK config
php artisan view:cache > /dev/null && echo OK views
composer dump-autoload > /dev/null && echo OK autoload
npm run build 2>/dev/null || true
```

If any fails → `git checkout develop && git branch -D security-update/...` and restore lock file.

## Merge + deploy

```bash
git checkout develop && git merge security-update/<branch>
git push origin develop
# Then follow code-test-ship runbook: staging → production
```

Document vendor-owned packages in `_CUSTOMIZATIONS.md` — WF4 vendor merge may conflict.

## Abort if

Any automated check fails · manual smoke test fails · Friday after 3 PM · production backup not confirmed.

## Related

<LinkCard title="Vendor updates playbook" href="/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/" />
<LinkCard title="Code → test → ship" href="/tech-stack/laravel/codecanyon/build/runbooks/code-test-ship/" />

Execute from: Vendor updates playbook for vendor-owned packages; this runbook is the security-audit fix card.

When

composer audit or npm audit reports a vulnerability you intend to fix now.

Phase 0 — production safety

👤 Create a Hostinger (or host) backup in hPanel before local changes.

Local branch + update

cp composer.lock composer.lock.backup
git checkout develop && git pull
git checkout -b security-update/<package>-$(date +%Y%m%d)

composer update <vendor/package> --with-dependencies
# npm: cp package-lock.json package-lock.json.backup && npm audit fix

Automated gate (all must pass)

php artisan list > /dev/null && echo OK boots
php artisan route:list > /dev/null && echo OK routes
php artisan config:cache > /dev/null && echo OK config
php artisan view:cache > /dev/null && echo OK views
composer dump-autoload > /dev/null && echo OK autoload
npm run build 2>/dev/null || true

If any fails → git checkout develop && git branch -D security-update/... and restore lock file.

Merge + deploy

git checkout develop && git merge security-update/<branch>
git push origin develop
# Then follow code-test-ship runbook: staging → production

Document vendor-owned packages in _CUSTOMIZATIONS.md — WF4 vendor merge may conflict.

Abort if

Any automated check fails · manual smoke test fails · Friday after 3 PM · production backup not confirmed.

Vendor updates playbook

Code → test → ship

# ZajLibrary — operations runbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Security package update
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/runbooks/security-package-update/
- shelf: Build & Create
- doc_type: operations runbook
- status: current
- kind: runbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- description: composer/npm audit fix loop — backup, isolated branch, rigorous artisan checks, merge or rollback. Peeled from MWF5.
- tags: codecanyon, laravel, security, composer, npm, audit

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Security package update

**Execute from:** [Vendor updates playbook](/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/) for vendor-owned packages; this runbook is the security-audit fix card.

## When

`composer audit` or `npm audit` reports a vulnerability you intend to fix now.

## Phase 0 — production safety

👤 Create a **Hostinger (or host) backup** in hPanel **before** local changes.

## Local branch + update

```bash
cp composer.lock composer.lock.backup
git checkout develop && git pull
git checkout -b security-update/<package>-$(date +%Y%m%d)

composer update <vendor/package> --with-dependencies
# npm: cp package-lock.json package-lock.json.backup && npm audit fix
```

## Automated gate (all must pass)

```bash
php artisan list > /dev/null && echo OK boots
php artisan route:list > /dev/null && echo OK routes
php artisan config:cache > /dev/null && echo OK config
php artisan view:cache > /dev/null && echo OK views
composer dump-autoload > /dev/null && echo OK autoload
npm run build 2>/dev/null || true
```

If any fails → `git checkout develop && git branch -D security-update/...` and restore lock file.

## Merge + deploy

```bash
git checkout develop && git merge security-update/<branch>
git push origin develop
# Then follow code-test-ship runbook: staging → production
```

Document vendor-owned packages in `_CUSTOMIZATIONS.md` — WF4 vendor merge may conflict.

## Abort if

Any automated check fails · manual smoke test fails · Friday after 3 PM · production backup not confirmed.

## Related

<LinkCard title="Vendor updates playbook" href="/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/" />
<LinkCard title="Code → test → ship" href="/tech-stack/laravel/codecanyon/build/runbooks/code-test-ship/" />

# Security package update

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/runbooks/security-package-update/

**Execute from:** [Vendor updates playbook](/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/) for vendor-owned packages; this runbook is the security-audit fix card.

## When

`composer audit` or `npm audit` reports a vulnerability you intend to fix now.

## Phase 0 — production safety

👤 Create a **Hostinger (or host) backup** in hPanel **before** local changes.

## Local branch + update

```bash
cp composer.lock composer.lock.backup
git checkout develop && git pull
git checkout -b security-update/<package>-$(date +%Y%m%d)

composer update <vendor/package> --with-dependencies
# npm: cp package-lock.json package-lock.json.backup && npm audit fix
```

## Automated gate (all must pass)

```bash
php artisan list > /dev/null && echo OK boots
php artisan route:list > /dev/null && echo OK routes
php artisan config:cache > /dev/null && echo OK config
php artisan view:cache > /dev/null && echo OK views
composer dump-autoload > /dev/null && echo OK autoload
npm run build 2>/dev/null || true
```

If any fails → `git checkout develop && git branch -D security-update/...` and restore lock file.

## Merge + deploy

```bash
git checkout develop && git merge security-update/<branch>
git push origin develop
# Then follow code-test-ship runbook: staging → production
```

Document vendor-owned packages in `_CUSTOMIZATIONS.md` — WF4 vendor merge may conflict.

## Abort if

Any automated check fails · manual smoke test fails · Friday after 3 PM · production backup not confirmed.

## Related

<LinkCard title="Vendor updates playbook" href="/tech-stack/laravel/codecanyon/build/playbooks/vendor-updates/" />
<LinkCard title="Code → test → ship" href="/tech-stack/laravel/codecanyon/build/runbooks/code-test-ship/" />