[Review] Daily Deep Review — 2026-05-11: Repo stale 29 days, 3 new Dependabot PRs all CI-blocked

[evan-zhang11]

Daily Repository Deep Review — 2026-05-11

Summary

• Last commit: 2026-04-12 (29 days stale)
• No new code changes since last review
• 3 new Dependabot PRs opened today, all blocked by CI
• Total open PRs: 10, all blocked by backend_fmt + frontend_unit failures

New PRs (2026-05-11)

PR	Description	CI Status
#254	cargo-minor-patch: 11 crate updates (axum, tower-http, zip, etc.)	❌ fmt + frontend_unit fail
#253	actions/dependency-review-action 4 → 5	❌ fmt + frontend_unit fail
#252	node 25-alpine → 26-alpine	❌ fmt + frontend_unit fail

Systemic CI Blockers (unchanged since April)

These two checks fail on every PR including the base branch:

1. backend_fmt — cargo fmt fails on font_handlers.rs and icon_handlers.rs (issue ci: cargo fmt fails on font_handlers.rs and icon_handlers.rs (rustfmt line-length enforcement) #238)
2. frontend_unit — Frontend unit tests failing (issue fix: main branch CI broken — cargo fmt and biome check failures since 2026-04-12 #223)

Previously Identified Issues (all still open)

Critical/Security:

• security: SVG icon served inline enables stored XSS #237: SVG icon served inline enables stored XSS
• security: 4 npm vulnerabilities — Vite path traversal, picomatch ReDoS, postcss XSS, proto pollution #240: 4 npm vulnerabilities (Vite path traversal, picomatch ReDoS, postcss XSS, proto pollution)
• ci: cargo audit fails — Cargo.lock has unresolvable num-rational dependency #239: cargo audit fails on num-rational dependency

CI:

• ci: cargo fmt fails on font_handlers.rs and icon_handlers.rs (rustfmt line-length enforcement) #238: cargo fmt fails (root cause of all PR blocking)
• fix: main branch CI broken — cargo fmt and biome check failures since 2026-04-12 #223: main branch CI broken

Code Quality:

• code-quality: db.rs grown to 1763 lines — connection management, migrations, and utilities should be split into modules #244: db.rs at 1763 lines
• code-quality: import.rs grown to 1584 lines — OGC_FID workaround logic should be extracted #241: import.rs at 1584 lines
• code-quality: App.jsx grown to 2111 lines (was 612) — needs splitting #230: App.jsx at 2111 lines
• code-quality: workspace_handlers.rs at 1259 lines — needs module split #229: workspace_handlers.rs at 1259 lines

Documentation:

• docs: behaviors.md missing icon management API and other endpoints #251, Documentation gaps: 4 undocumented API endpoints #249, Icon API completely undocumented and untested (5 endpoints from PR #201) #248, docs: Icon upload/management API missing from behaviors.md #247, docs: behaviors.md missing icon API and several endpoint documentation #243: Missing API docs (icon endpoints, etc.)

Recommended Priority

1. Fix ci: cargo fmt fails on font_handlers.rs and icon_handlers.rs (rustfmt line-length enforcement) #238 first — cargo fmt fix is the single highest-leverage action. It unblocks ALL 10 PRs.
2. Fix frontend_unit — Second blocker
3. After CI is green, merge dependency PRs in order: chore(deps): bump actions/dependency-review-action from 4 to 5 #253 (GH action) → chore(deps): bump node from 25-alpine to 26-alpine #252 (node) → chore(deps): bump the cargo-minor-patch group across 1 directory with 11 updates #254 (cargo deps)
4. Address security: SVG icon served inline enables stored XSS #237 SVG XSS before any production deployment

Action Required

@sharkAndshark — The repo has been stalled for nearly a month. The cargo fmt fix (#238) is a one-line change that unblocks everything. Happy to submit a PR if you'd like.