From 7c39453b24b6d3eedc8a34c20fa4995909bedd0d Mon Sep 17 00:00:00 2001 From: yxsj245 <17737475682@163.com> Date: Thu, 30 Apr 2026 09:15:30 +0800 Subject: [PATCH] Upgrade node-cron and postcss to fix Dependabot alerts --- client/package-lock.json | 8 +++--- client/package.json | 2 +- docs/依赖升级说明.md | 5 +++- server/package-lock.json | 28 +++---------------- server/package.json | 3 +- .../src/modules/scheduler/SchedulerManager.ts | 9 +++--- 6 files changed, 18 insertions(+), 37 deletions(-) diff --git a/client/package-lock.json b/client/package-lock.json index cc46525..83c0015 100644 --- a/client/package-lock.json +++ b/client/package-lock.json @@ -39,7 +39,7 @@ "eslint-plugin-react-hooks": "^4.6.2", "eslint-plugin-react-refresh": "^0.4.26", "fast-check": "^4.6.0", - "postcss": "^8.5.8", + "postcss": "^8.5.10", "tailwindcss": "^3.4.19", "typescript": "^5.9.3", "vite": "^5.4.21", @@ -4526,9 +4526,9 @@ } }, "node_modules/postcss": { - "version": "8.5.9", - "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz", - "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==", + "version": "8.5.12", + "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.12.tgz", + "integrity": "sha512-W62t/Se6rA0Az3DfCL0AqJwXuKwBeYg6nOaIgzP+xZ7N5BFCI7DYi1qs6ygUYT6rvfi6t9k65UMLJC+PHZpDAA==", "dev": true, "funding": [ { diff --git a/client/package.json b/client/package.json index bfcf5a1..ed7977c 100644 --- a/client/package.json +++ b/client/package.json @@ -43,7 +43,7 @@ "eslint": "^8.57.1", "eslint-plugin-react-hooks": "^4.6.2", "eslint-plugin-react-refresh": "^0.4.26", - "postcss": "^8.5.8", + "postcss": "^8.5.10", "tailwindcss": "^3.4.19", "typescript": "^5.9.3", "vite": "^5.4.21", diff --git a/docs/依赖升级说明.md b/docs/依赖升级说明.md index b959af9..1a5a826 100644 --- a/docs/依赖升级说明.md +++ b/docs/依赖升级说明.md 
@@ -18,7 +18,9 @@ - `client` 保持在与现有代码兼容的 React 18、`react-router-dom` 6、`framer-motion` 11、`lucide-react` 0.x、`vite` 5 组合。 - `server` 保持在与现有代码兼容的 Express 4、`cron-parser` 4、`node-cron` 3、`tar` 6 组合。 -- `server` 的 `uuid` 已升级为 `>=14.0.0`,同时移除了不再需要的 `@types/uuid`,改用 `uuid` 自带类型声明。 +- `server` 的 `node-cron` 已升级到 `^4.2.1`,移除了旧版 `uuid` 的传递依赖来源。 +- `server` 的 `uuid` 仍保持在 `>=14.0.0`,同时移除了不再需要的 `@types/uuid`,改用 `uuid` 自带类型声明。 +- `client` 的 `postcss` 已升级到 `^8.5.10`,用于修复 Dependabot 提示的字符串化输出风险。 - `server/src/utils/tarSecurityFilter.ts` 改为通过 `tar.extract` 推导类型,避免直接引用不存在的 `ExtractOptions`。 ## 验证方式 @@ -41,5 +43,6 @@ npm run build - 这次升级已经同步更新了锁文件。 - `uuid@14.0.0` 仍然保持 ESM 导出和 `types` 声明导出,和当前服务端的 `type: module`、TypeScript 配置兼容。 +- `node-cron@4.2.1` 继续保留 `schedule`、`validate` 等当前用法,且不再额外引入老版 `uuid`。 - 构建时如果看到 Vite 的 chunk size 警告,属于体积提示,不影响本次升级结果。 - 如果后续要继续冲主版本,建议分模块推进,先改依赖,再改类型和运行时调用。 diff --git a/server/package-lock.json b/server/package-lock.json index 3c953ab..a07a39a 100644 --- a/server/package-lock.json +++ b/server/package-lock.json @@ -25,7 +25,7 @@ "jsonwebtoken": "^9.0.3", "mime-types": "^2.1.35", "multer": "^2.1.1", - "node-cron": "^3.0.3", + "node-cron": "^4.2.1", "properties-reader": "^2.3.0", "smol-toml": "^1.4.2", "socket.io": "^4.8.3", @@ -46,7 +46,6 @@ "@types/mime-types": "^2.1.4", "@types/multer": "2.0.0", "@types/node": "^20.19.37", - "@types/node-cron": "^3.0.11", "@types/tar-stream": "^3.1.4", "fast-check": "^4.6.0", "jest": "^29.7.0", @@ -1793,13 +1792,6 @@ "undici-types": "~6.21.0" } }, - "node_modules/@types/node-cron": { - "version": "3.0.11", - "resolved": "https://registry.npmjs.org/@types/node-cron/-/node-cron-3.0.11.tgz", - "integrity": "sha512-0ikrnug3/IyneSHqCBeslAhlK2aBfYek1fGo4bP4QnZPmiqSGRK+Oy7ZMisLWkesffJvQ1cqAcBnJC+8+nxIAg==", - "dev": true, - "license": "MIT" - }, "node_modules/@types/qs": { "version": "6.15.0", "resolved": "https://registry.npmjs.org/@types/qs/-/qs-6.15.0.tgz", 
@@ -5329,26 +5321,14 @@ "license": "MIT" }, "node_modules/node-cron": { - "version": "3.0.3", - "resolved": "https://registry.npmjs.org/node-cron/-/node-cron-3.0.3.tgz", - "integrity": "sha512-dOal67//nohNgYWb+nWmg5dkFdIwDm8EpeGYMekPMrngV3637lqnX0lbUcCtgibHTz6SEz7DAIjKvKDFYCnO1A==", + "version": "4.2.1", + "resolved": "https://registry.npmjs.org/node-cron/-/node-cron-4.2.1.tgz", + "integrity": "sha512-lgimEHPE/QDgFlywTd8yTR61ptugX3Qer29efeyWw2rv259HtGBNn1vZVmp8lB9uo9wC0t/AT4iGqXxia+CJFg==", "license": "ISC", - "dependencies": { - "uuid": "8.3.2" - }, "engines": { "node": ">=6.0.0" } }, - "node_modules/node-cron/node_modules/uuid": { - "version": "8.3.2", - "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", - "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", - "license": "MIT", - "bin": { - "uuid": "dist/bin/uuid" - } - }, "node_modules/node-int64": { "version": "0.4.0", "resolved": "https://registry.npmjs.org/node-int64/-/node-int64-0.4.0.tgz", diff --git a/server/package.json b/server/package.json index 3666d16..5043c04 100644 --- a/server/package.json +++ b/server/package.json @@ -27,7 +27,7 @@ "jsonwebtoken": "^9.0.3", "mime-types": "^2.1.35", "multer": "^2.1.1", - "node-cron": "^3.0.3", + "node-cron": "^4.2.1", "properties-reader": "^2.3.0", "smol-toml": "^1.4.2", "socket.io": "^4.8.3", @@ -54,7 +54,6 @@ "@types/mime-types": "^2.1.4", "@types/multer": "2.0.0", "@types/node": "^20.19.37", - "@types/node-cron": "^3.0.11", "@types/tar-stream": "^3.1.4", "jest": "^29.7.0", "tsx": "^4.21.0", diff --git a/server/src/modules/scheduler/SchedulerManager.ts b/server/src/modules/scheduler/SchedulerManager.ts index 2bb7e35..801a089 100644 --- a/server/src/modules/scheduler/SchedulerManager.ts +++ b/server/src/modules/scheduler/SchedulerManager.ts 
@@ -3,6 +3,7 @@ import { promises as fs } from 'fs'
 import path from 'path'
 import { fileURLToPath } from 'url'
 import { v4 as uuidv4 } from 'uuid'
+import type { ScheduledTask as CronScheduledTask } from 'node-cron'
 import winston from 'winston'
 import cron from 'node-cron'
 import cronParser from 'cron-parser'
@@ -40,7 +41,7 @@ export interface ScheduledTask {
 }
 interface ScheduledTaskWithJob extends ScheduledTask {
- job?: cron.ScheduledTask
+ job?: CronScheduledTask
 }
 export class SchedulerManager extends EventEmitter {
@@ -174,11 +175,9 @@ export class SchedulerManager extends EventEmitter {
 }
 // 创建新的定时任务
- task.job = cron.schedule(task.schedule, async () => {
+ task.job = cron.createTask(task.schedule, async () => {
 this.logger.info(`[Scheduler] Cron callback triggered for task: ${task.name} (${taskId})`);
 await this.executeTask(taskId)
- }, {
- scheduled: false
 })
 // 设置下次执行时间
@@ -612,4 +611,4 @@ export class SchedulerManager extends EventEmitter {
 this.tasks.clear()
 this.logger.info('定时任务管理器已销毁')
 }
-}
\ No newline at end of file
+}
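Review bot: The added `import type { ScheduledTask as CronScheduledTask } from 'node-cron'` in the first hunk sits two lines above the existing `import cron from 'node-cron'`, so the same module is imported in two places with `winston` between them. Keeping the two lines adjacent, or merging them as `import cron, { type ScheduledTask as CronScheduledTask } from 'node-cron'`, would make the dependency easier to audit. A short comment such as `// aliased: this file exports its own ScheduledTask interface` would also explain the rename that the second hunk relies on.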
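Review bot: Replacing `cron.schedule(..., { scheduled: false })` with `cron.createTask(...)` in the third hunk leaves the deferred start implicit: nothing in the visible lines starts the job, so it only fires if code outside the hunk still calls `task.job.start()`. That should be confirmed, since the enclosing method begins and ends outside the hunk. A comment like `// createTask() returns a task that is not started (v4 replacement for { scheduled: false })` would record the intent. No options object is passed, so a run of `executeTask` that outlasts its interval can overlap the next one; if that is not intended, node-cron 4 accepts `{ noOverlap: true }` as the third argument. The docs note in this commit says node-cron 4.2.1 keeps the current `schedule` usage, which no longer matches this call.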