fix: zero Dependabot vulnerabilities (19) and code scanning findings (3)#393
Draft
damianloch wants to merge 4 commits into
Draft
fix: zero Dependabot vulnerabilities (19) and code scanning findings (3)#393damianloch wants to merge 4 commits into
damianloch wants to merge 4 commits into
Conversation
… fix clear-text logging in sentry disconnect - urllib3==2.7.0: fixes GHSA sensitive headers forwarded across origins and decompression-bomb bypass (2 Dependabot alerts) - langchain_core==1.3.3: fixes unsafe deserialization via load() allowlists (1 Dependabot alert) - sentry_routes.py: restructure delete_user_secret return handling to avoid CodeQL clear-text-logging-sensitive-data false positive (alert #943) - Rename hasWebhookSecret -> webhookConfigured in backend responses to prevent CodeQL from flagging the boolean field name as sensitive data Co-authored-by: Damian Loch <damianloch@users.noreply.github.com>
…hookSecret->webhookConfigured - next ^15.5.18: fixes 13 security advisories (7 high, 4 moderate, 2 low) including middleware bypass, DoS, SSRF, XSS, and cache poisoning - ajv: updated via npm audit fix to resolve ReDoS vulnerability - Rename hasWebhookSecret to webhookConfigured across sentry and incident-io components to resolve CodeQL clear-text-storage false positives (alerts #941, #942) Co-authored-by: Damian Loch <damianloch@users.noreply.github.com>
- @babel/plugin-transform-modules-systemjs 7.29.0->7.29.4: fixes arbitrary code generation from malicious input (1 Dependabot alert) - fast-uri 3.1.0->3.1.2: fixes path traversal and host confusion via percent-encoded segments (2 Dependabot alerts) Co-authored-by: Damian Loch <damianloch@users.noreply.github.com>
Contributor
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…n-core 1.3.x compat langchain-anthropic 0.3.x requires langchain-core<0.4.0, which conflicts with langchain-core==1.3.3. Bumping to >=1.0.0 resolves the conflict. Verified ChatAnthropic constructor API is backward compatible. Co-authored-by: Damian Loch <damianloch@users.noreply.github.com>
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves all 19 open Dependabot vulnerability alerts and all 3 CodeQL code scanning findings to bring the security dashboard to zero.
Dependabot Fixes (19 alerts)
nexturllib3langchain-core@babel/plugin-transform-modules-systemjsfast-uriajvCode Scanning Fixes (3 alerts)
server/routes/sentry/sentry_routes.pydelete_user_secret()return handling so the integer row count is no longer taint-tracked by CodeQL as sensitive dataclient/src/app/sentry/auth/page.tsxhasWebhookSecret→webhookConfiguredacross backend + frontend to avoid CodeQL flagging the boolean field name as sensitive. The field is a boolean indicating presence, not a secret value.Companion dependency bump
langchain-anthropicbumped from>=0.3.0to>=1.0.0— required becauselangchain-anthropic0.3.x pinslangchain-core<0.4.0, which conflicts withlangchain-core==1.3.3. VerifiedChatAnthropicconstructor API is backward compatible.Scope of changes
urllib3==2.7.0,langchain_core==1.3.3,langchain-anthropic>=1.0.0hasWebhookSecret→webhookConfiguredhasWebhookSecret→webhookConfiguredhasWebhookSecret→webhookConfigurednext ^15.5.18hasWebhookSecret)npm audit fixRisk assessment
next15.5.15→15.5.18npm run buildpassesurllib32.6.3→2.7.0langchain-core1.2→1.3langchain-anthropic0.3→1.xChatAnthropicconstructor API verified identical; instantiation test passeswebhookConfiguredrenamenpm audit fixon lockfile only;npm run buildpassesTesting
npm auditin bothclient/andwebsite/returns 0 vulnerabilitiesnpm run buildinclient/succeedsnpm run buildinwebsite/succeedspip install -r requirements.txtsucceeds with all dependencies resolvedpython3 -m pytest tests/architectural/test_connector_rbac.pypasseslangchain_core,langchain_anthropic,langchain_openai,urllib3all import correctly at expected versionsChatAnthropicconstructor pattern (same as used inanthropic_provider.py) verified workingnpm run linthas a pre-existing failure onmain(unrelated minimatch override issue)