
@hainenber hainenber commented Dec 24, 2025

User description

sec: resolve frontend dep vulns

SUMMARY

Resolves the following sec issues

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

CodeAnt-AI Description

Resolve frontend dependency security vulnerabilities and update test tooling

What Changed

  • Upgraded vulnerable packages in the frontend to remove known CVEs (notably js-yaml, form-data, jspdf and related transitive packages)
  • Bumped Storybook to 8.6.15 to pick up dependency fixes and theming changes
  • Added an override for Cypress to force a non-vulnerable form-data version used during test runs
  • Updated lockfiles to replace several vulnerable transitive modules and remove obsolete atob/btoa entries

Impact

✅ Fewer frontend vulnerability alerts
✅ Safer Cypress test runs
✅ More stable Storybook builds

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

@codeant-ai-for-open-source

CodeAnt AI is reviewing your PR.


Thanks for using CodeAnt! 🎉

We're free for open-source projects. If you're enjoying it, help us grow by sharing.


bito-code-review bot commented Dec 24, 2025

Code Review Agent Run #178a67

Actionable Suggestions - 0
Review Details
  • Files reviewed - 1 · Commit Range: 0af2e49..6e34fbb
    • docs/yarn.lock
  • Files skipped - 4
    • superset-frontend/cypress-base/package-lock.json - Reason: Filter setting
    • superset-frontend/cypress-base/package.json - Reason: Filter setting
    • superset-frontend/package-lock.json - Reason: Filter setting
    • superset-frontend/package.json - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset. You can customize the agent settings here or contact your Bito workspace admin at [email protected].

Documentation & Help

AI Code Review powered by Bito

@github-actions github-actions bot added the doc Namespace | Anything related to documentation label Dec 24, 2025
@codeant-ai-for-open-source codeant-ai-for-open-source bot added the size:L This PR changes 100-499 lines, ignoring generated files label Dec 24, 2025
@codeant-ai-for-open-source

Sequence Diagram

This PR upgrades frontend dependencies and lockfiles to fix multiple security advisories. The diagram shows the high-level authoring → CI → security scan → verification flow for the dependency fix.

sequenceDiagram
    participant Developer
    participant Repository
    participant CI
    participant SecurityScanner

    Developer->>Repository: Update frontend package.json and package-lock.json (upgrade deps, add overrides)
    Repository->>CI: Push PR / trigger CI pipeline
    CI->>SecurityScanner: Run dependency vulnerability scan (npm audit / SCA)
    SecurityScanner-->>CI: Report vulnerabilities resolved
    CI-->>Developer: Tests & scan pass (CI green)

Generated by CodeAnt AI

@hainenber hainenber changed the title sec: resolve frontend dep vulns other: resolve frontend dep vulns Dec 24, 2025
@codeant-ai-for-open-source

CodeAnt AI finished reviewing your PR.

@codeant-ai-for-open-source

💡 Enhance Your PR Reviews

We noticed that 3 feature(s) are not configured for this repository. Enabling these features can help improve your code quality and workflow:

🚦 Quality Gates

Status: Quality Gates are not enabled at the organization level
Learn more about Quality Gates

🎫 Jira Ticket Compliance

Status: Jira credentials file not found. Please configure Jira integration in your settings
Learn more about Jira Integration

⚙️ Custom Rules

Status: No custom rules configured. Add rules via organization settings or .codeant/review.json in your repository
Learn more about Custom Rules


Want to enable these features? Contact your organization admin or check our documentation for setup instructions.

@codeant-ai-for-open-source

CodeAnt AI is running Incremental review



bito-code-review bot commented Dec 24, 2025

Code Review Agent Run #730465

Actionable Suggestions - 0
Review Details
  • Files reviewed - 2 · Commit Range: 6e34fbb..f2c36ac
    • docs/yarn.lock
    • superset-frontend/spec/helpers/shim.tsx
  • Files skipped - 4
    • superset-frontend/cypress-base/package-lock.json - Reason: Filter setting
    • superset-frontend/cypress-base/package.json - Reason: Filter setting
    • superset-frontend/package-lock.json - Reason: Filter setting
    • superset-frontend/package.json - Reason: Filter setting
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful



Labels

dependencies:npm doc Namespace | Anything related to documentation size:L This PR changes 100-499 lines, ignoring generated files size/S
