Skip to content

chore(deps): consolidate Dependabot updates (GitHub Actions, Python, npm) + security fixes#622

Merged
barakb merged 4 commits into
stagingfrom
chore/deps-consolidated
Jul 9, 2026
Merged

chore(deps): consolidate Dependabot updates (GitHub Actions, Python, npm) + security fixes#622
barakb merged 4 commits into
stagingfrom
chore/deps-consolidated

Conversation

@barakb

@barakb barakb commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Consolidates 17 open Dependabot PRs into a single PR against staging. Dependency manifests were updated and lock files (uv.lock, package-lock.json, app/package-lock.json) were regenerated cleanly, so there are no lock-file merge conflicts. Frontend build, ESLint, pylint (10/10), and the full unit-test suite (138 passed, 1 skipped) all pass locally.

Consolidated PRs

GitHub Actions (.github/workflows/*.yml)

Python (pyproject.toml + uv.lock)

npm (app/package.json, package-lock.json, app/package-lock.json)

Notable decisions

Validation

  • make build-prod — ✅ vite build succeeds (vite 8.1.4, TS 6.0.3, React 19.2.7)
  • make lint — ✅ pylint 10.00/10, ESLint clean
  • uv sync --locked --all-extras — ✅ lock consistent
  • unit tests (pytest -k "not e2e and not test_sdk") — ✅ 138 passed, 1 skipped
  • npm audit (root & app) — ✅ 0 vulnerabilities

Closes #621, #620, #618, #617, #609, #608, #605, #604, #603, #602, #600, #599, #598, #597, #596, #594, #592

Summary by CodeRabbit

  • Chores
    • Updated frontend dependencies, React libraries, UI components, and TypeScript/Vite/Tailwind tooling to newer versions.
    • Updated Python optional-extras and dev dependency constraints (including AI, server, and testing/playwright tooling).
    • Refreshed pinned CI workflow actions across testing, linting, spellcheck, Docker, and PyPI publishing.
  • Bug Fixes
    • Improves reliability and consistency of CI/test/release automation by updating workflow action revisions and related tooling pins.

@railway-app

railway-app Bot commented Jul 9, 2026

Copy link
Copy Markdown

This PR was not deployed automatically as @barakb does not have access to the Railway project.

In order to get automatic PR deploys, please add @barakb to your workspace on Railway.

@overcut-ai

overcut-ai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Completed Working on "Code Review"

✅ Review submitted: COMMENT. Total comments: 1 across 1 files.

✅ Workflow completed successfully.


👉 View complete log

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9147fc23-6cb5-4a93-8f43-5e751399f168

📥 Commits

Reviewing files that changed from the base of the PR and between 9a7eab8 and cfc9df0.

📒 Files selected for processing (7)
  • .github/workflows/dependency-review.yml
  • .github/workflows/playwright.yml
  • .github/workflows/publish-docker.yml
  • .github/workflows/publish-pypi.yml
  • .github/workflows/pylint.yml
  • .github/workflows/spellcheck.yml
  • .github/workflows/tests.yml
✅ Files skipped from review due to trivial changes (2)
  • .github/workflows/publish-docker.yml
  • .github/workflows/pylint.yml
🚧 Files skipped from review as they are similar to previous changes (4)
  • .github/workflows/spellcheck.yml
  • .github/workflows/playwright.yml
  • .github/workflows/tests.yml
  • .github/workflows/publish-pypi.yml

📝 Walkthrough

Walkthrough

This PR updates pinned GitHub Actions revisions, npm dependency versions, and Python dependency constraints across CI workflows, app/package.json, and pyproject.toml.

Changes

CI Workflow Action Pin Updates

Layer / File(s) Summary
Checkout and Python/uv toolchain pin bumps in test/lint workflows
.github/workflows/playwright.yml, .github/workflows/pylint.yml, .github/workflows/tests.yml
Updates actions/checkout, actions/setup-python, and astral-sh/setup-uv pins in workflow setup steps.
Publish and dependency-review workflow pin bumps
.github/workflows/dependency-review.yml, .github/workflows/publish-docker.yml, .github/workflows/publish-pypi.yml, .github/workflows/spellcheck.yml
Updates checkout pins in dependency-review and publish-docker, setup-uv and download-artifact pins in publish-pypi, and checkout/spellcheck action versions in spellcheck.

Frontend npm Dependency Bumps

Layer / File(s) Summary
Radix UI, React runtime, and build tooling version bumps
app/package.json
Bumps @radix-ui/* packages, React runtime packages, and Tailwind/TypeScript/vite tooling versions.

Python Dependency Version Bumps

Layer / File(s) Summary
Optional dependency and dependency-group version bumps
pyproject.toml
Updates openai, snowflake-connector-python, aiohttp, pytest-asyncio, and playwright version constraints.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • FalkorDB/QueryWeaver#590: Both PRs update pinned GitHub Actions revisions, including astral-sh/setup-uv in .github/workflows/tests.yml.

Suggested reviewers: galshubeli

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Out of Scope Changes check ⚠️ Warning Workflow and Python dependency changes are outside #621, which only requested /app npm dependency updates. Split the GitHub Actions and Python dependency updates into a separate PR, or link an issue that explicitly covers them.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the dependency consolidation across GitHub Actions, Python, and npm with security fixes.
Linked Issues check ✅ Passed The /app dependency bumps match #621, including React 19.2.7, @types/react, Radix UI, and Tailwind/PostCSS updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/deps-consolidated

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown

Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 5 package(s) with unknown licenses.

View full job summary

@overcut-ai overcut-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

Found 1 MAJOR issue (0 BLOCKER, 0 CRITICAL, 0 MINOR, 0 SUGGESTION, 0 PRAISE) across 1 file (pyproject.toml).

Key theme

  • Dependency version constraints currently allow unbounded major-version upgrades for critical runtime libraries, which risks unexpected breakage and non-reproducible environments.

Next steps

  1. Replace open-ended lower bounds with bounded compatible ranges for critical deps (e.g., <next-major> upper caps).
  2. Regenerate uv.lock after constraint updates.
  3. Keep lockfile and manifest aligned to preserve deterministic installs.

Comment thread pyproject.toml
barakb and others added 3 commits July 9, 2026 10:15
…wnload-artifact 8.0.1, setup-uv 8.2.0, spellcheck 0.62.0)

Consolidates dependabot PRs #608, #618, #617, #594, #609.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…connector-python 4.6, playwright 1.60, pytest-asyncio 1.4)

Consolidates dependabot PRs #600, #598, #599, #596, #597, #592.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…18, react-resizable-panels 4, vite 8.1, TypeScript 6) + security fixes (js-yaml 4.3, brace-expansion)

Consolidates dependabot PRs #621, #620, #605, #604, #603, #602.
Bumps typescript-eslint to ^8.63.0 so it supports TypeScript 6 (peer <6.1.0),
and applies npm audit fixes for js-yaml and brace-expansion DoS advisories.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@barakb barakb force-pushed the chore/deps-consolidated branch from b644bd4 to 9a7eab8 Compare July 9, 2026 07:15

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/playwright.yml (1)

30-40: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add persist-credentials: false to checkout step.

zizmor flags an "artipacked" risk: actions/checkout persists the GITHUB_TOKEN in .git/config by default. Since this workflow doesn't need to push or commit, explicitly disabling credential persistence reduces the attack surface if a later step is compromised.

This applies to every actions/checkout step across all workflow files in this PR. I'll mark it as duplicate on the remaining files.

🔒️ Proposed fix
     steps:
     - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6
+      with:
+        persist-credentials: false
     
     # Setup Python
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/playwright.yml around lines 30 - 40, Add
persist-credentials: false to the actions/checkout step in this workflow to
avoid storing GITHUB_TOKEN in .git/config. Update the checkout configuration
wherever actions/checkout is used in the workflow files, since this job only
needs read access and does not commit or push. Use the existing checkout step as
the anchor for the change.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/playwright.yml:
- Around line 30-40: Add persist-credentials: false to the actions/checkout step
in this workflow to avoid storing GITHUB_TOKEN in .git/config. Update the
checkout configuration wherever actions/checkout is used in the workflow files,
since this job only needs read access and does not commit or push. Use the
existing checkout step as the anchor for the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 89e1c636-2051-4f5a-8865-a4419e18dcf4

📥 Commits

Reviewing files that changed from the base of the PR and between 37c2013 and b644bd4.

⛔ Files ignored due to path filters (3)
  • app/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .github/workflows/dependency-review.yml
  • .github/workflows/playwright.yml
  • .github/workflows/publish-docker.yml
  • .github/workflows/publish-pypi.yml
  • .github/workflows/pylint.yml
  • .github/workflows/spellcheck.yml
  • .github/workflows/tests.yml
  • app/package.json
  • pyproject.toml

Add persist-credentials: false to all actions/checkout steps to avoid
persisting GITHUB_TOKEN in .git/config (zizmor 'artipacked'). None of these
jobs push via git; docker/pypi publish use their own auth.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/dependency-review.yml (1)

32-32: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add persist-credentials: false to all actions/checkout steps across workflow files.

zizmor flags this checkout step (and every other actions/checkout in this PR) for credential persistence — by default the GITHUB_TOKEN is saved in .git/config and could leak via artifact uploads or downstream steps. Adding persist-credentials: false is a low-cost defense-in-depth hardening. This applies to all checkout steps updated in this PR: dependency-review.yml, playwright.yml, publish-docker.yml, publish-pypi.yml, pylint.yml, spellcheck.yml, and tests.yml (two jobs).

🔒️ Proposed fix (apply to every `actions/checkout` step)
       - name: 'Checkout repository'
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/dependency-review.yml at line 32, Add persist-credentials:
false to every actions/checkout step in the workflow updates, including the
checkout usages in dependency-review.yml and the other affected workflows
(playwright, publish-docker, publish-pypi, pylint, spellcheck, and both tests
jobs). Update each checkout configuration so the actions/checkout invocation
explicitly disables credential persistence while keeping the existing
ref/version pins unchanged.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/dependency-review.yml:
- Line 32: Add persist-credentials: false to every actions/checkout step in the
workflow updates, including the checkout usages in dependency-review.yml and the
other affected workflows (playwright, publish-docker, publish-pypi, pylint,
spellcheck, and both tests jobs). Update each checkout configuration so the
actions/checkout invocation explicitly disables credential persistence while
keeping the existing ref/version pins unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f8f40c53-69b9-405b-b1e3-6c7eb7d8ce31

📥 Commits

Reviewing files that changed from the base of the PR and between b644bd4 and 9a7eab8.

⛔ Files ignored due to path filters (3)
  • app/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
  • uv.lock is excluded by !**/*.lock
📒 Files selected for processing (9)
  • .github/workflows/dependency-review.yml
  • .github/workflows/playwright.yml
  • .github/workflows/publish-docker.yml
  • .github/workflows/publish-pypi.yml
  • .github/workflows/pylint.yml
  • .github/workflows/spellcheck.yml
  • .github/workflows/tests.yml
  • app/package.json
  • pyproject.toml
🚧 Files skipped from review as they are similar to previous changes (2)
  • pyproject.toml
  • app/package.json

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant