public-ui
diff --git a/‎.github/workflows/manage-npm-tags.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/manage-npm-tags.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/update-pnpm-lock.yml‎
Lines changed: 150 additions & 0 deletions b/‎.github/workflows/update-pnpm-lock.yml‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎docs/CVE_OVERVIEW.md‎
Lines changed: 12 additions & 5 deletions b/‎docs/CVE_OVERVIEW.md‎
Lines changed: 12 additions & 5 deletions
diff --git a/‎docs/arc42/07-deployment-view.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/arc42/07-deployment-view.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎docs/arc42_de/07-deployment-view.md‎
Lines changed: 1 addition & 0 deletions b/‎docs/arc42_de/07-deployment-view.md‎
Lines changed: 1 addition & 0 deletions
@@ -56,7 +56,7 @@ jobs:
           - '@public-ui/theme-default'
           - '@public-ui/theme-ecl'
           - '@public-ui/theme-kern'
-          - '@public-ui/stylelint-rules'
+          # - '@public-ui/stylelint-rules'
           - '@public-ui/themes'
           - '@public-ui/visual-tests'
           - '@public-ui/vue'
 
@@ -0,0 +1,150 @@
+name: 04 - Update pnpm Lock
+
+on:
+  workflow_dispatch:
+    inputs:
+      target_branch:
+        description: 'Branch that should receive a refreshed pnpm-lock.yaml'
+        required: true
+        type: string
+
+concurrency:
+  group: 'workflow-${{ github.workflow }}-${{ inputs.target_branch }}'
+  cancel-in-progress: true
+
+jobs:
+  validate-branch:
+    runs-on: ubuntu-latest
+    outputs:
+      target_branch: ${{ steps.validate.outputs.target_branch }}
+    steps:
+      - name: Validate target branch
+        id: validate
+        run: |
+          RAW_TARGET_BRANCH='${{ inputs.target_branch }}'
+          TARGET_BRANCH="${RAW_TARGET_BRANCH#refs/heads/}"
+          TARGET_BRANCH="${TARGET_BRANCH#origin/}"
+
+          if [ -z "$TARGET_BRANCH" ]; then
+            echo 'The workflow requires a target branch.' >&2
+            exit 1
+          fi
+
+          if [ "${TARGET_BRANCH#refs/}" != "$TARGET_BRANCH" ]; then
+            echo "Use a branch name instead of a ref: '$RAW_TARGET_BRANCH'." >&2
+            exit 1
+          fi
+
+          if ! LC_ALL=C printf '%s' "$TARGET_BRANCH" | grep -Eq '^[ -~]+$'; then
+            echo "Branch '$TARGET_BRANCH' must only contain printable ASCII characters." >&2
+            exit 1
+          fi
+
+          if ! git check-ref-format --branch "$TARGET_BRANCH" >/dev/null 2>&1; then
+            echo "Branch '$TARGET_BRANCH' is not a valid branch name." >&2
+            exit 1
+          fi
+
+          case "$TARGET_BRANCH" in
+            develop|release/*)
+              echo "The workflow must not run for branch '$TARGET_BRANCH'." >&2
+              exit 1
+              ;;
+          esac
+
+          echo "target_branch=$TARGET_BRANCH" >> "$GITHUB_OUTPUT"
+
+  update:
+    needs: validate-branch
+    runs-on: ubuntu-latest
+    outputs:
+      changed: ${{ steps.detect.outputs.changed }}
+    steps:
+      - name: Checkout target branch
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.validate-branch.outputs.target_branch }}
+          persist-credentials: false
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@v5
+        with:
+          version: 10
+          run_install: false
+
+      - name: Use Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 24
+          cache: pnpm
+
+      - name: Refresh pnpm lock file
+        run: pnpm install --ignore-scripts --lockfile-only --no-frozen-lockfile
+
+      - name: Git status after lock file refresh
+        run: git status
+
+      - name: Check for lock file changes
+        id: detect
+        run: |
+          if git diff --quiet -- pnpm-lock.yaml; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Upload lock file artifact
+        if: steps.detect.outputs.changed == 'true'
+        uses: actions/upload-artifact@v7
+        with:
+          name: pnpm-lock-${{ github.run_id }}
+          path: pnpm-lock.yaml
+          if-no-files-found: error
+          retention-days: 1
+
+  push:
+    needs: [validate-branch, update]
+    if: needs.update.outputs.changed == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/create-github-app-token@v3
+        id: app-token
+        with:
+          app-id: ${{ secrets.APP_ID }}
+          private-key: ${{ secrets.PRIVATE_KEY }}
+
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - name: Checkout target branch
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ needs.validate-branch.outputs.target_branch }}
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Download lock file artifact
+        uses: actions/download-artifact@v8
+        with:
+          name: pnpm-lock-${{ github.run_id }}
+          path: lockfile-artifact
+
+      - name: Apply lock file update
+        run: cp lockfile-artifact/pnpm-lock.yaml pnpm-lock.yaml
+
+      - name: Stage lock file
+        run: git add pnpm-lock.yaml
+
+      - name: Git status after staging
+        run: git status
+
+      - name: Commit and push changes
+        uses: stefanzweifel/git-auto-commit-action@v7
+        with:
+          commit_message: 'chore: update pnpm-lock.yaml'
+          # Disable internal git add so that only the file staged above is committed.
+          file_pattern: ''
+          commit_user_name: '${{ steps.app-token.outputs.app-slug }}[bot]'
+          commit_user_email: '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
@@ -32,8 +32,8 @@
 | Severity |  v4 |  v3 |  v2 |  v1 |
 | -------- | --: | --: | --: | --: |
 | critical |   5 |   5 |   5 |   3 |
-| high     |  35 |  33 |  45 |  29 |
-| moderate |  18 |  19 |  28 |   8 |
+| high     |  33 |  31 |  43 |  29 |
+| moderate |  17 |  19 |  34 |   8 |
 | low      |   4 |   4 |   9 |   1 |
 | info     |   0 |   0 |   0 |   0 |
 | unknown  |   0 |   0 |   0 |   0 |
@@ -96,9 +96,11 @@
 | undici               | high     | CVE-2026-1528       | v4, v3, v2        | Undici: Malicious WebSocket 64-bit length overflows parser and crashes the clien   |
 | undici               | high     | CVE-2026-1526       | v4, v3, v2        | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompre   |
 | undici               | high     | CVE-2026-2229       | v4, v3, v2        | Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_win   |
-| vite                 | high     | GHSA-v2wj-q39q-566r | v4, v3, v2, v1    | Vite: `server.fs.deny` bypassed with queries                                       |
-| vite                 | high     | CVE-2026-39363      | v4, v3, v2, v1    | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket               |
+| vite                 | high     | CVE-2026-39364      | v1                | Vite: `server.fs.deny` bypassed with queries                                       |
+| vite                 | high     | CVE-2026-39363      | v1                | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket               |
+| @hono/node-server    | moderate | CVE-2026-39406      | v2                | @hono/node-server: Middleware bypass via repeated slashes in serveStatic           |
 | ajv                  | moderate | CVE-2025-69873      | v3, v2            | ajv has ReDoS when using `$data` option                                            |
+| axios                | moderate | CVE-2026-39865      | v3, v2            | Axios HTTP/2 Session Cleanup State Corruption Vulnerability                        |
 | brace-expansion      | moderate | CVE-2026-33750      | v4, v3, v2        | brace-expansion: Zero-step sequence causes process hang and memory exhaustion      |
 | ejs                  | moderate | CVE-2024-33883      | v2                | ejs lacks certain pollution protection                                             |
 | esbuild              | moderate | GHSA-67mh-4wv8-2f99 | v2                | esbuild enables any website to send any requests to the development server and r   |
@@ -109,6 +111,11 @@
 | hono                 | moderate | CVE-2026-29086      | v2                | Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in   |
 | hono                 | moderate | CVE-2026-29085      | v2                | Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE()             |
 | hono                 | moderate | GHSA-v8w9-8mx6-g223 | v2                | Hono vulnerable to Prototype Pollution possible through **proto** key allowed in   |
+| hono                 | moderate | GHSA-26pp-8wgv-hjvm | v2                | Hono missing validation of cookie name on write path in setCookie()                |
+| hono                 | moderate | CVE-2026-39410      | v2                | Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()      |
+| hono                 | moderate | CVE-2026-39409      | v2                | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses   |
+| hono                 | moderate | CVE-2026-39408      | v2                | Hono: Path traversal in toSSG() allows writing files outside the output director   |
+| hono                 | moderate | CVE-2026-39407      | v2                | Hono: Middleware bypass via repeated slashes in serveStatic                        |
 | js-yaml              | moderate | CVE-2025-64718      | v2                | js-yaml has prototype pollution in merge (<<)                                      |
 | locutus              | moderate | CVE-2026-33993      | v4, v3, v2, v1    | Locutus has Prototype Pollution via **proto** Key Injection in unserialize()       |
 | lodash               | moderate | CVE-2026-2950       | v4, v3            | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and    |
@@ -122,7 +129,7 @@
 | undici               | moderate | CVE-2026-1525       | v4, v3, v2        | Undici has an HTTP Request/Response Smuggling issue                                |
 | undici               | moderate | CVE-2026-1527       | v4, v3, v2        | Undici has CRLF Injection in undici via `upgrade` option                           |
 | undici               | moderate | CVE-2026-2581       | v4, v3            | Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response   |
-| vite                 | moderate | GHSA-4w7w-66w2-5vf9 | v4, v3, v2, v1    | Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling                |
+| vite                 | moderate | CVE-2026-39365      | v1                | Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling                |
 | webpack              | moderate | CVE-2024-43788      | v2                | Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to    |
 | webpack-dev-server   | moderate | CVE-2025-30360      | v2                | webpack-dev-server users' source code may be stolen when they access a malicious   |
 | webpack-dev-server   | moderate | CVE-2025-30359      | v2                | webpack-dev-server users' source code may be stolen when they access a malicious   |
 
@@ -143,6 +143,7 @@ graph LR
 | ------------------------ | ---------------------------- | --------------------------------------- |
 | **ci.yml**               | Push, Pull Request           | Run tests, linting, builds              |
 | **publish.yml**          | Tag creation                 | Publish packages to npm with provenance |
+| **update-pnpm-lock.yml** | Manual trigger               | Refresh `pnpm-lock.yaml` for a branch   |
 | **update-snapshots.yml** | Manual trigger               | Update visual regression test snapshots |
 | **codeql.yml**           | Push, Pull Request, Schedule | Security scanning with CodeQL           |
 
 
@@ -143,6 +143,7 @@ graph LR
 | ------------------------ | ---------------------------- | ---------------------------------------------- |
 | **ci.yml**               | Push, Pull Request           | Tests, Linting, Builds ausführen               |
 | **publish.yml**          | Tag-Erstellung               | Pakete zu npm mit Provenance veröffentlichen   |
+| **update-pnpm-lock.yml** | Manueller Trigger            | `pnpm-lock.yaml` für einen Branch erneuern     |
 | **update-snapshots.yml** | Manueller Trigger            | Visual Regression Test Snapshots aktualisieren |
 | **codeql.yml**           | Push, Pull Request, Schedule | Sicherheits-Scanning mit CodeQL                |