chore(deps): consolidate Dependabot updates (GitHub Actions, Python, npm) + security fixes#622
Conversation
Completed Working on "Code Review"✅ Review submitted: COMMENT. Total comments: 1 across 1 files. ✅ Workflow completed successfully. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (7)
✅ Files skipped from review due to trivial changes (2)
🚧 Files skipped from review as they are similar to previous changes (4)
📝 WalkthroughWalkthroughThis PR updates pinned GitHub Actions revisions, npm dependency versions, and Python dependency constraints across CI workflows, ChangesCI Workflow Action Pin Updates
Frontend npm Dependency Bumps
Python Dependency Version Bumps
Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Dependency ReviewThe following issues were found:
|
There was a problem hiding this comment.
Review Summary
Found 1 MAJOR issue (0 BLOCKER, 0 CRITICAL, 0 MINOR, 0 SUGGESTION, 0 PRAISE) across 1 file (pyproject.toml).
Key theme
- Dependency version constraints currently allow unbounded major-version upgrades for critical runtime libraries, which risks unexpected breakage and non-reproducible environments.
Next steps
- Replace open-ended lower bounds with bounded compatible ranges for critical deps (e.g.,
<next-major>upper caps). - Regenerate
uv.lockafter constraint updates. - Keep lockfile and manifest aligned to preserve deterministic installs.
…18, react-resizable-panels 4, vite 8.1, TypeScript 6) + security fixes (js-yaml 4.3, brace-expansion) Consolidates dependabot PRs #621, #620, #605, #604, #603, #602. Bumps typescript-eslint to ^8.63.0 so it supports TypeScript 6 (peer <6.1.0), and applies npm audit fixes for js-yaml and brace-expansion DoS advisories. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
b644bd4 to
9a7eab8
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/playwright.yml (1)
30-40: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd
persist-credentials: falseto checkout step.zizmor flags an "artipacked" risk:
actions/checkoutpersists theGITHUB_TOKENin.git/configby default. Since this workflow doesn't need to push or commit, explicitly disabling credential persistence reduces the attack surface if a later step is compromised.This applies to every
actions/checkoutstep across all workflow files in this PR. I'll mark it as duplicate on the remaining files.🔒️ Proposed fix
steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + with: + persist-credentials: false # Setup Python🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/playwright.yml around lines 30 - 40, Add persist-credentials: false to the actions/checkout step in this workflow to avoid storing GITHUB_TOKEN in .git/config. Update the checkout configuration wherever actions/checkout is used in the workflow files, since this job only needs read access and does not commit or push. Use the existing checkout step as the anchor for the change.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/playwright.yml:
- Around line 30-40: Add persist-credentials: false to the actions/checkout step
in this workflow to avoid storing GITHUB_TOKEN in .git/config. Update the
checkout configuration wherever actions/checkout is used in the workflow files,
since this job only needs read access and does not commit or push. Use the
existing checkout step as the anchor for the change.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 89e1c636-2051-4f5a-8865-a4419e18dcf4
⛔ Files ignored due to path filters (3)
app/package-lock.jsonis excluded by!**/package-lock.jsonpackage-lock.jsonis excluded by!**/package-lock.jsonuv.lockis excluded by!**/*.lock
📒 Files selected for processing (9)
.github/workflows/dependency-review.yml.github/workflows/playwright.yml.github/workflows/publish-docker.yml.github/workflows/publish-pypi.yml.github/workflows/pylint.yml.github/workflows/spellcheck.yml.github/workflows/tests.ymlapp/package.jsonpyproject.toml
Add persist-credentials: false to all actions/checkout steps to avoid persisting GITHUB_TOKEN in .git/config (zizmor 'artipacked'). None of these jobs push via git; docker/pypi publish use their own auth. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/dependency-review.yml (1)
32-32: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd
persist-credentials: falseto allactions/checkoutsteps across workflow files.zizmor flags this checkout step (and every other
actions/checkoutin this PR) for credential persistence — by default theGITHUB_TOKENis saved in.git/configand could leak via artifact uploads or downstream steps. Addingpersist-credentials: falseis a low-cost defense-in-depth hardening. This applies to all checkout steps updated in this PR:dependency-review.yml,playwright.yml,publish-docker.yml,publish-pypi.yml,pylint.yml,spellcheck.yml, andtests.yml(two jobs).🔒️ Proposed fix (apply to every `actions/checkout` step)
- name: 'Checkout repository' uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/dependency-review.yml at line 32, Add persist-credentials: false to every actions/checkout step in the workflow updates, including the checkout usages in dependency-review.yml and the other affected workflows (playwright, publish-docker, publish-pypi, pylint, spellcheck, and both tests jobs). Update each checkout configuration so the actions/checkout invocation explicitly disables credential persistence while keeping the existing ref/version pins unchanged.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/dependency-review.yml:
- Line 32: Add persist-credentials: false to every actions/checkout step in the
workflow updates, including the checkout usages in dependency-review.yml and the
other affected workflows (playwright, publish-docker, publish-pypi, pylint,
spellcheck, and both tests jobs). Update each checkout configuration so the
actions/checkout invocation explicitly disables credential persistence while
keeping the existing ref/version pins unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: f8f40c53-69b9-405b-b1e3-6c7eb7d8ce31
⛔ Files ignored due to path filters (3)
app/package-lock.jsonis excluded by!**/package-lock.jsonpackage-lock.jsonis excluded by!**/package-lock.jsonuv.lockis excluded by!**/*.lock
📒 Files selected for processing (9)
.github/workflows/dependency-review.yml.github/workflows/playwright.yml.github/workflows/publish-docker.yml.github/workflows/publish-pypi.yml.github/workflows/pylint.yml.github/workflows/spellcheck.yml.github/workflows/tests.ymlapp/package.jsonpyproject.toml
🚧 Files skipped from review as they are similar to previous changes (2)
- pyproject.toml
- app/package.json
Summary
Consolidates 17 open Dependabot PRs into a single PR against
staging. Dependency manifests were updated and lock files (uv.lock,package-lock.json,app/package-lock.json) were regenerated cleanly, so there are no lock-file merge conflicts. Frontend build, ESLint, pylint (10/10), and the full unit-test suite (138 passed, 1 skipped) all pass locally.Consolidated PRs
GitHub Actions (
.github/workflows/*.yml)actions/checkout6.0.2 → 7.0.0actions/setup-python6.2.0 → 6.3.0actions/download-artifact7.0.0 → 8.0.1astral-sh/setup-uv8.1.0 → 8.2.0rojopolis/spellcheck-github-actions0.60.0 → 0.62.0Python (
pyproject.toml+uv.lock)aiohttp3.13.5 → 3.14.xopenai→ 2.41+ (resolves to 2.44)snowflake-connector-python4.4.0 → 4.6.0playwright1.59.0 → 1.60.0pytest-asyncio1.3.0 → 1.4.0npm (
app/package.json,package-lock.json,app/package-lock.json)react-router-dom→ 7.18.1,vite→ 8.1.1, rootjs-yamlbumpreact-router-dom→ 7.17.0 (superseded by chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates #620's 7.18.1)react-resizable-panels2.1.9 → 4.11.2@radix-ui/react-radio-group1.3.7 → 1.4.0typescript5.x → 6.0.3Notable decisions
react-router-dom: took^7.18.1from the security group (chore(deps): bump the npm_and_yarn group across 2 directories with 3 updates #620), which supersedes chore(deps): bump react-router-dom from 7.14.0 to 7.17.0 in /app #605's^7.17.0.typescript-eslint→^8.63.0(companion change): the previous8.57.xpeer range was<6.0.0, incompatible with the TypeScript 6 bump (chore(deps-dev): bump typescript from 5.9.3 to 6.0.3 in /app #602).8.63.0supports<6.1.0, so ESLint runs cleanly against TS 6.0.3.npm audit fixapplied so both locks carryjs-yaml4.3.0 andbrace-expansion≥1.1.13 (DoS advisories); both audits report 0 vulnerabilities.Validation
make build-prod— ✅ vite build succeeds (vite 8.1.4, TS 6.0.3, React 19.2.7)make lint— ✅ pylint 10.00/10, ESLint cleanuv sync --locked --all-extras— ✅ lock consistentpytest -k "not e2e and not test_sdk") — ✅ 138 passed, 1 skippednpm audit(root & app) — ✅ 0 vulnerabilitiesCloses #621, #620, #618, #617, #609, #608, #605, #604, #603, #602, #600, #599, #598, #597, #596, #594, #592
Summary by CodeRabbit