Update dependency express to v5

Release/1 3 5

agents/proxmox_auto_enroll.sh

@@ -197,6 +197,40 @@ while IFS= read -r line; do
         continue
     fi
 
+    # Check if agent is already installed and working BEFORE enrollment
+    info "  Checking if agent is already configured..."
+    config_check=$(timeout 10 pct exec "$vmid" -- bash -c "
+        if [[ -f /etc/patchmon/config.yml ]] && [[ -f /etc/patchmon/credentials.yml ]]; then
+            if [[ -f /usr/local/bin/patchmon-agent ]]; then
+                # Try to ping using existing configuration
+                if /usr/local/bin/patchmon-agent ping >/dev/null 2>&1; then
+                    echo 'ping_success'
+                else
+                    echo 'ping_failed'
+                fi
+            else
+                echo 'binary_missing'
+            fi
+        else
+            echo 'not_configured'
+        fi
+    " 2>/dev/null </dev/null || echo "error")
+
+    if [[ "$config_check" == "ping_success" ]]; then
+        info "  ✓ Host already enrolled and agent ping successful - skipping enrollment"
+        ((skipped_count++)) || true
+        echo ""
+        continue
+    elif [[ "$config_check" == "ping_failed" ]]; then
+        warn "  ⚠ Agent configuration exists but ping failed - will re-enroll and reinstall"
+    elif [[ "$config_check" == "binary_missing" ]]; then
+        warn "  ⚠ Config exists but agent binary missing - will re-enroll and reinstall"
+    elif [[ "$config_check" == "not_configured" ]]; then
+        info "  ℹ Agent not yet configured - proceeding with enrollment"
+    else
+        warn "  ⚠ Could not check agent status - proceeding with enrollment"
+    fi
+
     # Call PatchMon auto-enrollment API
     info "  Enrolling $friendly_name in PatchMon..."
     
@@ -230,40 +264,6 @@ while IFS= read -r line; do
 
         info "  ✓ Host enrolled successfully: $api_id"
 
-        # Check if agent is already installed and working
-        info "  Checking if agent is already configured..."
-        config_check=$(timeout 10 pct exec "$vmid" -- bash -c "
-            if [[ -f /etc/patchmon/config.yml ]] && [[ -f /etc/patchmon/credentials.yml ]]; then
-                if [[ -f /usr/local/bin/patchmon-agent ]]; then
-                    # Try to ping using existing configuration
-                    if /usr/local/bin/patchmon-agent ping >/dev/null 2>&1; then
-                        echo 'ping_success'
-                    else
-                        echo 'ping_failed'
-                    fi
-                else
-                    echo 'binary_missing'
-                fi
-            else
-                echo 'not_configured'
-            fi
-        " 2>/dev/null </dev/null || echo "error")
-
-        if [[ "$config_check" == "ping_success" ]]; then
-            info "  ✓ Host already enrolled and agent ping successful - skipping"
-            ((skipped_count++)) || true
-            echo ""
-            continue
-        elif [[ "$config_check" == "ping_failed" ]]; then
-            warn "  ⚠ Agent configuration exists but ping failed - will reinstall"
-        elif [[ "$config_check" == "binary_missing" ]]; then
-            warn "  ⚠ Config exists but agent binary missing - will reinstall"
-        elif [[ "$config_check" == "not_configured" ]]; then
-            info "  ℹ Agent not yet configured - proceeding with installation"
-        else
-            warn "  ⚠ Could not check agent status - proceeding with installation"
-        fi
-
         # Ensure curl is installed in the container
         info "  Checking for curl in container..."
         curl_check=$(timeout 10 pct exec "$vmid" -- bash -c "command -v curl >/dev/null 2>&1 && echo 'installed' || echo 'missing'" 2>/dev/null </dev/null || echo "error")

backend/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "patchmon-backend",
-	"version": "1.3.4",
+	"version": "1.3.5",
 	"description": "Backend API for Linux Patch Monitoring System",
 	"license": "AGPL-3.0",
 	"main": "src/server.js",
@@ -23,7 +23,7 @@
 		"cookie-parser": "^1.4.7",
 		"cors": "^2.8.5",
 		"dotenv": "^16.4.7",
-		"express": "^4.21.2",
+		"express": "^5.0.0",
 		"express-rate-limit": "^7.5.0",
 		"express-validator": "^7.2.0",
 		"helmet": "^8.0.0",

backend/prisma/schema.prisma

@@ -1,6 +1,6 @@
 generator client {
   provider      = "prisma-client-js"
-  binaryTargets = ["native", "linux-musl-openssl-3.0.x"]
+  binaryTargets = ["native", "linux-musl-openssl-3.0.x", "linux-musl-arm64-openssl-3.0.x"]
 }
 
 datasource db {

backend/src/routes/autoEnrollmentRoutes.js

@@ -588,8 +588,11 @@ router.get("/script", async (req, res) => {
 		// Check for --force parameter
 		const force_install = req.query.force === "true" || req.query.force === "1";
 
+		// Use bash for proxmox-lxc, sh for others
+		const shebang = script_type === "proxmox-lxc" ? "#!/bin/bash" : "#!/bin/sh";
+
 		// Inject the token credentials, server URL, curl flags, and force flag into the script
-		const env_vars = `#!/bin/sh
+		const env_vars = `${shebang}
 # PatchMon Auto-Enrollment Configuration (Auto-generated)
 export PATCHMON_URL="${server_url}"
 export AUTO_ENROLLMENT_KEY="${token.token_key}"

backend/src/routes/dashboardRoutes.js

@@ -242,33 +242,48 @@ router.get("/hosts", authenticateToken, requireViewHosts, async (_req, res) => {
 			orderBy: { last_update: "desc" },
 		});
 
-		// OPTIMIZATION: Get all package counts in 2 batch queries instead of N*2 queries
+		// OPTIMIZATION: Get all package counts in 3 batch queries instead of N*3 queries
 		const hostIds = hosts.map((h) => h.id);
 
-		const [updateCounts, totalCounts] = await Promise.all([
+		const [updateCounts, securityUpdateCounts, totalCounts] = await Promise.all(
-			// Get update counts for all hosts at once
+			[
-			prisma.host_packages.groupBy({
+				// Get update counts for all hosts at once
-				by: ["host_id"],
+				prisma.host_packages.groupBy({
-				where: {
+					by: ["host_id"],
-					host_id: { in: hostIds },
+					where: {
-					needs_update: true,
+						host_id: { in: hostIds },
-				},
+						needs_update: true,
-				_count: { id: true },
+					},
-			}),
+					_count: { id: true },
-			// Get total counts for all hosts at once
+				}),
-			prisma.host_packages.groupBy({
+				// Get security update counts for all hosts at once
-				by: ["host_id"],
+				prisma.host_packages.groupBy({
-				where: {
+					by: ["host_id"],
-					host_id: { in: hostIds },
+					where: {
-				},
+						host_id: { in: hostIds },
-				_count: { id: true },
+						needs_update: true,
-			}),
+						is_security_update: true,
-		]);
+					},
+					_count: { id: true },
+				}),
+				// Get total counts for all hosts at once
+				prisma.host_packages.groupBy({
+					by: ["host_id"],
+					where: {
+						host_id: { in: hostIds },
+					},
+					_count: { id: true },
+				}),
+			],
+		);
 
 		// Create lookup maps for O(1) access
 		const updateCountMap = new Map(
 			updateCounts.map((item) => [item.host_id, item._count.id]),
 		);
+		const securityUpdateCountMap = new Map(
+			securityUpdateCounts.map((item) => [item.host_id, item._count.id]),
+		);
 		const totalCountMap = new Map(
 			totalCounts.map((item) => [item.host_id, item._count.id]),
 		);
@@ -276,6 +291,7 @@ router.get("/hosts", authenticateToken, requireViewHosts, async (_req, res) => {
 		// Process hosts with counts from maps (no more DB queries!)
 		const hostsWithUpdateInfo = hosts.map((host) => {
 			const updatesCount = updateCountMap.get(host.id) || 0;
+			const securityUpdatesCount = securityUpdateCountMap.get(host.id) || 0;
 			const totalPackagesCount = totalCountMap.get(host.id) || 0;
 
 			// Calculate effective status based on reporting interval
@@ -292,6 +308,7 @@ router.get("/hosts", authenticateToken, requireViewHosts, async (_req, res) => {
 			return {
 				...host,
 				updatesCount,
+				securityUpdatesCount,
 				totalPackagesCount,
 				isStale,
 				effectiveStatus,

backend/src/routes/hostRoutes.js

@@ -12,7 +12,6 @@ const {
 } = require("../middleware/permissions");
 const { queueManager, QUEUE_NAMES } = require("../services/automation");
 const { pushIntegrationToggle, isConnected } = require("../services/agentWs");
-const agentVersionService = require("../services/agentVersionService");
 const { compareVersions } = require("../services/automation/shared/utils");
 
 const router = express.Router();
@@ -170,111 +169,101 @@ router.get("/agent/version", async (req, res) => {
 			});
 		} else {
 			// Go agent version check
-			// Detect server architecture and map to Go architecture names
+			// Always check the server's local binary for the requested architecture
-			const os = require("node:os");
+			// The server's agents folder is the source of truth, not GitHub
 			const { exec } = require("node:child_process");
 			const { promisify } = require("node:util");
 			const execAsync = promisify(exec);
 
-			const serverArch = os.arch();
+			const binaryName = `patchmon-agent-linux-${architecture}`;
-			// Map Node.js architecture to Go architecture names
+			const binaryPath = path.join(__dirname, "../../../agents", binaryName);
-			const archMap = {
-				x64: "amd64",
-				ia32: "386",
-				arm64: "arm64",
-				arm: "arm",
-			};
-			const serverGoArch = archMap[serverArch] || serverArch;
 
-			// If requested architecture matches server architecture, execute the binary
+			if (fs.existsSync(binaryPath)) {
-			if (architecture === serverGoArch) {
+				// Binary exists in server's agents folder - use its version
-				const binaryName = `patchmon-agent-linux-${architecture}`;
+				let serverVersion = null;
-				const binaryPath = path.join(__dirname, "../../../agents", binaryName);
 
-				if (!fs.existsSync(binaryPath)) {
+				// Try method 1: Execute binary (works for same architecture)
-					// Binary doesn't exist, fall back to GitHub
+				try {
-					console.log(`Binary ${binaryName} not found, falling back to GitHub`);
+					const { stdout } = await execAsync(`${binaryPath} --help`, {
-				} else {
+						timeout: 10000,
-					// Execute the binary to get its version
+					});
+
+					// Parse version from help output (e.g., "PatchMon Agent v1.3.1")
+					const versionMatch = stdout.match(
+						/PatchMon Agent v([0-9]+\.[0-9]+\.[0-9]+)/i,
+					);
+
+					if (versionMatch) {
+						serverVersion = versionMatch[1];
+					}
+				} catch (execError) {
+					// Execution failed (likely cross-architecture) - try alternative method
+					console.warn(
+						`Failed to execute binary ${binaryName} to get version (may be cross-architecture): ${execError.message}`,
+					);
+
+					// Try method 2: Extract version using strings command (works for cross-architecture)
 					try {
-						const { stdout } = await execAsync(`${binaryPath} --help`, {
+						const { stdout: stringsOutput } = await execAsync(
-							timeout: 10000,
+							`strings "${binaryPath}" | grep -E "PatchMon Agent v[0-9]+\\.[0-9]+\\.[0-9]+" | head -1`,
-						});
+							{
+								timeout: 10000,
+							},
+						);
 
-						// Parse version from help output (e.g., "PatchMon Agent v1.3.1")
+						const versionMatch = stringsOutput.match(
-						const versionMatch = stdout.match(
 							/PatchMon Agent v([0-9]+\.[0-9]+\.[0-9]+)/i,
 						);
 
 						if (versionMatch) {
-							const serverVersion = versionMatch[1];
+							serverVersion = versionMatch[1];
-							const agentVersion = req.query.currentVersion || serverVersion;
+							console.log(
-
+								`✅ Extracted version ${serverVersion} from binary using strings command`,
-							// Proper semantic version comparison: only update if server version is NEWER
+							);
-							const hasUpdate =
-								compareVersions(serverVersion, agentVersion) > 0;
-
-							return res.json({
-								currentVersion: agentVersion,
-								latestVersion: serverVersion,
-								hasUpdate: hasUpdate,
-								downloadUrl: `/api/v1/hosts/agent/download?arch=${architecture}`,
-								releaseNotes: `PatchMon Agent v${serverVersion}`,
-								minServerVersion: null,
-								architecture: architecture,
-								agentType: "go",
-							});
 						}
-					} catch (execError) {
+					} catch (stringsError) {
-						// Execution failed, fall back to GitHub
+						console.warn(
-						console.log(
+							`Failed to extract version using strings command: ${stringsError.message}`,
-							`Failed to execute binary ${binaryName}: ${execError.message}, falling back to GitHub`,
 						);
 					}
 				}
-			}
 
-			// Fall back to GitHub if architecture doesn't match or binary execution failed
+				// If we successfully got the version, return it
-			try {
+				if (serverVersion) {
-				const versionInfo = await agentVersionService.getVersionInfo();
+					const agentVersion = req.query.currentVersion || serverVersion;
-				const latestVersion = versionInfo.latestVersion;
-				const agentVersion =
-					req.query.currentVersion || latestVersion || "unknown";
 
-				if (!latestVersion) {
+					// Proper semantic version comparison: only update if server version is NEWER
-					return res.status(503).json({
+					const hasUpdate = compareVersions(serverVersion, agentVersion) > 0;
-						error: "Unable to determine latest version from GitHub releases",
+
+					return res.json({
 						currentVersion: agentVersion,
-						latestVersion: null,
+						latestVersion: serverVersion,
-						hasUpdate: false,
+						hasUpdate: hasUpdate,
+						downloadUrl: `/api/v1/hosts/agent/download?arch=${architecture}`,
+						releaseNotes: `PatchMon Agent v${serverVersion}`,
+						minServerVersion: null,
+						architecture: architecture,
+						agentType: "go",
 					});
 				}
 
-				// Proper semantic version comparison: only update if latest version is NEWER
+				// If we couldn't get version, fall through to error response
-				const hasUpdate =
+				console.warn(
-					latestVersion !== null &&
+					`Could not determine version for binary ${binaryName} using any method`,
-					compareVersions(latestVersion, agentVersion) > 0;
-
-				res.json({
-					currentVersion: agentVersion,
-					latestVersion: latestVersion,
-					hasUpdate: hasUpdate,
-					downloadUrl: `/api/v1/hosts/agent/download?arch=${architecture}`,
-					releaseNotes: `PatchMon Agent v${latestVersion}`,
-					minServerVersion: null,
-					architecture: architecture,
-					agentType: "go",
-				});
-			} catch (serviceError) {
-				console.error(
-					"Failed to get version from agentVersionService:",
-					serviceError.message,
 				);
-				return res.status(500).json({
-					error: "Failed to get agent version from service",
-					details: serviceError.message,
-				});
 			}
+
+			// Binary doesn't exist or couldn't get version - return error
+			// Don't fall back to GitHub - the server's agents folder is the source of truth
+			const agentVersion = req.query.currentVersion || "unknown";
+			return res.status(404).json({
+				error: `Agent binary not found for architecture: ${architecture}. Please ensure the binary is in the server's agents folder.`,
+				currentVersion: agentVersion,
+				latestVersion: null,
+				hasUpdate: false,
+				architecture: architecture,
+				agentType: "go",
+			});
 		}
 	} catch (error) {
 		console.error("Version check error:", error);

docker/backend.Dockerfile

@@ -10,8 +10,6 @@ ENV NODE_ENV=development \
 
 RUN apk add --no-cache openssl tini curl libc6-compat
 
-USER node
-
 WORKDIR /app
 
 COPY --chown=node:node package*.json ./
@@ -20,7 +18,10 @@ COPY --chown=node:node agents ./agents_backup
 COPY --chown=node:node agents ./agents
 COPY --chmod=755 docker/backend.docker-entrypoint.sh ./entrypoint.sh
 
-RUN npm install --workspace=backend --ignore-scripts && cd backend && npx prisma generate
+USER node
+
+RUN npm install --workspace=backend --ignore-scripts && cd backend && npx prisma generate && \
+    chmod -R u+w /app/node_modules/@prisma/engines 2>/dev/null || true
 
 EXPOSE 3001
 
@@ -66,8 +67,6 @@ ENV NODE_ENV=production \
 
 RUN apk add --no-cache openssl tini curl libc6-compat
 
-USER node
-
 WORKDIR /app
 
 COPY --from=builder --chown=node:node /app/backend ./backend
@@ -76,6 +75,14 @@ COPY --chown=node:node agents ./agents_backup
 COPY --chown=node:node agents ./agents
 COPY --chmod=755 docker/backend.docker-entrypoint.sh ./entrypoint.sh
 
+# Ensure Prisma engines directory is writable for rootless Docker (Prisma 6.1.0+ requirement)
+# This must be done as root before switching to node user
+# Order: chown first (sets ownership), then chmod (sets permissions)
+RUN chown -R node:node /app/node_modules/@prisma/engines && \
+    chmod -R u+w /app/node_modules/@prisma/engines
+
+USER node
+
 WORKDIR /app/backend
 
 EXPOSE 3001

frontend/env.example

@@ -6,5 +6,5 @@ VITE_API_URL=http://localhost:3001/api/v1
 
 # Application Metadata
 VITE_APP_NAME=PatchMon
-VITE_APP_VERSION=1.3.4
+VITE_APP_VERSION=1.3.5
 

frontend/package.json

@@ -1,7 +1,7 @@
 {
 	"name": "patchmon-frontend",
 	"private": true,
-	"version": "1.3.4",
+	"version": "1.3.5",
 	"license": "AGPL-3.0",
 	"type": "module",
 	"scripts": {
@@ -20,7 +20,7 @@
 		"clsx": "^2.1.1",
 		"cors": "^2.8.5",
 		"date-fns": "^4.1.0",
-		"express": "^4.21.2",
+		"express": "^5.0.0",
 		"http-proxy-middleware": "^3.0.3",
 		"lucide-react": "^0.468.0",
 		"react": "^18.3.1",

frontend/src/pages/Hosts.jsx

@@ -248,7 +248,6 @@ const Hosts = () => {
 		const showFiltersParam = searchParams.get("showFilters");
 		const osFilterParam = searchParams.get("osFilter");
 		const groupParam = searchParams.get("group");
-		const rebootParam = searchParams.get("reboot");
 
 		if (filter === "needsUpdates") {
 			setShowFilters(true);
@@ -335,9 +334,15 @@ const Hosts = () => {
 			{ id: "status", label: "Status", visible: true, order: 10 },
 			{ id: "needs_reboot", label: "Reboot", visible: true, order: 11 },
 			{ id: "updates", label: "Updates", visible: true, order: 12 },
-			{ id: "notes", label: "Notes", visible: false, order: 13 },
+			{
-			{ id: "last_update", label: "Last Update", visible: true, order: 14 },
+				id: "security_updates",
-			{ id: "actions", label: "Actions", visible: true, order: 15 },
+				label: "Security Updates",
+				visible: true,
+				order: 13,
+			},
+			{ id: "notes", label: "Notes", visible: false, order: 14 },
+			{ id: "last_update", label: "Last Update", visible: true, order: 15 },
+			{ id: "actions", label: "Actions", visible: true, order: 16 },
 		];
 
 		const saved = localStorage.getItem("hosts-column-config");
@@ -781,6 +786,10 @@ const Hosts = () => {
 					aValue = a.updatesCount || 0;
 					bValue = b.updatesCount || 0;
 					break;
+				case "security_updates":
+					aValue = a.securityUpdatesCount || 0;
+					bValue = b.securityUpdatesCount || 0;
+					break;
 				case "needs_reboot":
 					// Sort by boolean: false (0) comes before true (1)
 					aValue = a.needs_reboot ? 1 : 0;
@@ -947,9 +956,15 @@ const Hosts = () => {
 			{ id: "status", label: "Status", visible: true, order: 10 },
 			{ id: "needs_reboot", label: "Reboot", visible: true, order: 11 },
 			{ id: "updates", label: "Updates", visible: true, order: 12 },
-			{ id: "notes", label: "Notes", visible: false, order: 13 },
+			{
-			{ id: "last_update", label: "Last Update", visible: true, order: 14 },
+				id: "security_updates",
-			{ id: "actions", label: "Actions", visible: true, order: 15 },
+				label: "Security Updates",
+				visible: true,
+				order: 13,
+			},
+			{ id: "notes", label: "Notes", visible: false, order: 14 },
+			{ id: "last_update", label: "Last Update", visible: true, order: 15 },
+			{ id: "actions", label: "Actions", visible: true, order: 16 },
 		];
 		updateColumnConfig(defaultConfig);
 	};
@@ -1135,6 +1150,19 @@ const Hosts = () => {
 						{host.updatesCount || 0}
 					</button>
 				);
+			case "security_updates":
+				return (
+					<button
+						type="button"
+						onClick={() =>
+							navigate(`/packages?host=${host.id}&filter=security-updates`)
+						}
+						className="text-sm text-red-600 hover:text-red-900 dark:text-red-400 dark:hover:text-red-300 font-medium hover:underline"
+						title="View security updates for this host"
+					>
+						{host.securityUpdatesCount || 0}
+					</button>
+				);
 			case "last_update":
 				return (
 					<div className="text-sm text-secondary-500 dark:text-secondary-300">
@@ -1190,7 +1218,7 @@ const Hosts = () => {
 		navigate("/hosts", { replace: true });
 	};
 
-	const handleUpToDateClick = () => {
+	const _handleUpToDateClick = () => {
 		// Filter to show only up-to-date hosts
 		setStatusFilter("active");
 		setShowFilters(true);
@@ -1731,6 +1759,17 @@ const Hosts = () => {
 																				{column.label}
 																				{getSortIcon("updates")}
 																			</button>
+																		) : column.id === "security_updates" ? (
+																			<button
+																				type="button"
+																				onClick={() =>
+																					handleSort("security_updates")
+																				}
+																				className="flex items-center gap-2 hover:text-secondary-700"
+																			>
+																				{column.label}
+																				{getSortIcon("security_updates")}
+																			</button>
 																		) : column.id === "needs_reboot" ? (
 																			<button
 																				type="button"

package.json

@@ -1,6 +1,6 @@
 {
 	"name": "patchmon",
-	"version": "1.3.4",
+	"version": "1.3.5",
 	"description": "Linux Patch Monitoring System",
 	"license": "AGPL-3.0",
 	"private": true,