Update several packages to the latest version and fix the subsequent lint violations

[ar27111994]

Description

This PR updates several packages to the latest version and fixes the subsequent lint violations introduced in forwarding and test helper paths, so the branch passes the project lint gate cleanly.

Summary of changes:

• Bump the dependencies group with 9 updates.
• Removed a useless assignment in the forwarding payload-size check.
• Preserved original caught errors by attaching cause metadata when rethrowing in test helpers.
• Removed an unused eslint-disable directive in unit tests.

Issue fixed:

• Resolves current lint failures on this branch (no-useless-assignment, preserve-caught-error, and unused eslint-disable warning).

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update

If you selected "Breaking change", please describe the impact and migration path below:

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• I have reviewed my changes for security implications

Summary by CodeRabbit

• Chores

  • Bumped dev tooling and TypeScript; raised Node.js minimum to >=20.19.0.

• Bug Fixes

  • More robust webhook payload size determination to reliably enforce payload limits.

• Tests

  • Preserve original error causes in test diagnostics and harness failures.
  • Removed an unnecessary lint suppression.
  • Reorganized and expanded forwarding tests to cover Content-Length edge cases, retries, aborts, circuit-breaker behavior, header handling, logging, and security validations.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-plugin-sonarjs@​3.0.7 ⏵ 4.0.2				-3
	@​types/​supertest@​6.0.3 ⏵ 7.2.0	+1		+1
	@​apify/​actor-memory-expression@​0.1.10 ⏵ 0.1.11				+1
	@​types/​node@​25.5.2 ⏵ 25.6.0
	globals@​17.4.0 ⏵ 17.5.0	+1		+1
	typescript@​5.9.3 ⏵ 6.0.2	+1		+1
	prettier@​3.8.1 ⏵ 3.8.3			+1
	@​eslint/​js@​9.39.4 ⏵ 10.0.1
	dotenv@​17.4.1 ⏵ 17.4.2

View full report

[Copilot]

Pull request overview

Updates the repo’s dev dependency set and adjusts a few code paths to satisfy new/updated lint rules (primarily around useless assignments and preserving caught errors).

Changes:

• Bump multiple dev dependencies (ESLint stack, TypeScript, typings) and refresh package-lock.json.
• Remove a lint-triggering useless assignment in the forwarding payload size check.
• Preserve original errors when rethrowing in test harness/helpers via Error(..., { cause }).
• Clean up an unused ESLint disable in a unit test.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
tests/unit/utils/common.test.js	Removes an unused lint suppression.
tests/setup/helpers/e2e-process-harness.js	Rethrows startup diagnostics while preserving the original failure as cause.
tests/setup/helpers/constant-discovery.js	Preserves the original discovery error as cause when rethrowing.
src/services/ForwardingService.js	Adjusts body size check to remove a useless initial assignment.
package.json	Updates dev dependency versions (ESLint stack, TypeScript, typings).
package-lock.json	Lockfile refresh to match updated dependency graph.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5a8d2df0-ab20-408d-b0ce-e67dc7f0da84

📥 Commits

Reviewing files that changed from the base of the PR and between 314a285 and 8e16118.

📒 Files selected for processing (1)

• tests/unit/services/forwarding_service.test.js

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/unit/services/forwarding_service.test.js

---

📝 Walkthrough

Walkthrough

Updated Node engine minimum and devDependencies in package.json. Tightened Content-Length parsing and body-size calculation in ForwardingService. Test harness helpers now preserve original errors via cause. Tests reorganized and expanded; one ESLint suppression removed.

Changes

Cohort / File(s)	Summary
Package metadata / dev deps package.json	Bumped engines.node to >=20.19.0; upgraded devDependencies (@eslint/js, @types/supertest, eslint-plugin-sonarjs, typescript). No scripts or public API changes.
Forwarding payload sizing & validation src/services/ForwardingService.js	Introduced parseStrictContentLength usage to accept only a single, trimmed, non-negative decimal Content-Length; disallow array/malformed headers. Fallbacks measure Buffer/string or JSON byte length. Existing max-payload gating preserved.
Error cause preservation in harnesses tests/setup/helpers/constant-discovery.js, tests/setup/helpers/e2e-process-harness.js	Thrown Error constructions now include the original caught error via the { cause: error } option to retain error chains for diagnostics.
Tests — structure, coverage, lint tweak tests/unit/services/forwarding_service.test.js, tests/unit/utils/common.test.js	Major reorganization and expansion of forwarding tests (added sendSafeRequest block, parameterized Content-Length edge cases, circuit-breaker/retry/logging assertions). Removed one inline ESLint suppression comment. All changes are test-only.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Review effort 3/5

Poem

🐰 I counted headers, trimmed each length with care,
I wrapped old errors so their roots stay there.
I nibbled at arrays and nudged malformed away,
I hopped through tests and made the checks all play. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures the main objective: updating packages to latest versions and fixing resulting lint violations, which aligns with all the file changes shown.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pr-37-deps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/services/ForwardingService.js (1)

272-288: ⚠️ Potential issue | 🟠 Major

Validate Content-Length before using it in the size guard.

At Line 273, malformed Content-Length parses to NaN; then Line 288 (bodySize > MAX_FORWARD_BODY) is false, so oversized payloads can bypass this defensive check. Fall back to computed body size when header parsing is invalid.

Proposed fix

-    let bodySize;
-    if (req.headers[HTTP_HEADERS.CONTENT_LENGTH]) {
-      bodySize = parseInt(String(req.headers[HTTP_HEADERS.CONTENT_LENGTH]), 10);
-    } else {
+    let bodySize;
+    const rawContentLength = req.headers[HTTP_HEADERS.CONTENT_LENGTH];
+    const parsedContentLength = rawContentLength
+      ? Number.parseInt(String(rawContentLength), 10)
+      : Number.NaN;
+
+    if (Number.isFinite(parsedContentLength) && parsedContentLength >= 0) {
+      bodySize = parsedContentLength;
+    } else {
       if (Buffer.isBuffer(req.body)) {
         bodySize = req.body.length;
       } else if (typeof req.body === "string") {
         bodySize = Buffer.byteLength(req.body);
       } else {
         try {
           bodySize = Buffer.byteLength(JSON.stringify(req.body));
         } catch {
           bodySize = 0;
         }
       }
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/services/ForwardingService.js` around lines 272 - 288, The Content-Length
header parsing in ForwardingService (the
req.headers[HTTP_HEADERS.CONTENT_LENGTH] branch setting bodySize) can produce
NaN and bypass the MAX_FORWARD_BODY check; update the logic that assigns
bodySize from Content-Length to validate the parsed value (Number.isFinite or
isNaN check) and if invalid fall back to the computed sizes (the existing
Buffer.isBuffer/typeof string/JSON.stringify path) before comparing against
MAX_FORWARD_BODY so oversized payloads cannot bypass the guard; keep references
to req.headers[HTTP_HEADERS_CONTENT_LENGTH], the bodySize variable, and the
MAX_FORWARD_BODY comparison in your fix.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@src/services/ForwardingService.js`:
- Around line 272-288: The Content-Length header parsing in ForwardingService
(the req.headers[HTTP_HEADERS.CONTENT_LENGTH] branch setting bodySize) can
produce NaN and bypass the MAX_FORWARD_BODY check; update the logic that assigns
bodySize from Content-Length to validate the parsed value (Number.isFinite or
isNaN check) and if invalid fall back to the computed sizes (the existing
Buffer.isBuffer/typeof string/JSON.stringify path) before comparing against
MAX_FORWARD_BODY so oversized payloads cannot bypass the guard; keep references
to req.headers[HTTP_HEADERS_CONTENT_LENGTH], the bodySize variable, and the
MAX_FORWARD_BODY comparison in your fix.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7eeb48e2-fd7b-44b4-885f-d9bf794848b9

📥 Commits

Reviewing files that changed from the base of the PR and between 1766094 and 9ec9269.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• package.json
• src/services/ForwardingService.js
• tests/setup/helpers/constant-discovery.js
• tests/setup/helpers/e2e-process-harness.js
• tests/unit/utils/common.test.js

💤 Files with no reviewable changes (1)

• tests/unit/utils/common.test.js

[ar27111994]

@copilot apply changes based on the comments in this thread

[Copilot]

@copilot apply changes based on the comments in this thread

Done in commits a9336d0 and b38af5d:

1. Content-Length NaN bypass (src/services/ForwardingService.js): Separated the header parse from the body-fallback chain. parseInt result is now validated with Number.isFinite before use; any missing, empty, or non-numeric header falls through to measure the body directly via Buffer.isBuffer → typeof === "string" → JSON.stringify. Added a comment explaining the intentional fallback.

2. Node engine floor (package.json): Bumped engines.node from >=20 to >=20.19.0 to match the ^20.19.0 || ^22.13.0 || >=24 requirement declared by @eslint/js@^10.0.1.

[Copilot]

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

src/services/ForwardingService.js (1)

274-280: ⚠️ Potential issue | 🟠 Major

Harden Content-Length parsing before trusting it.

Line 275 can be a string[]; String(req.headers[...]) turns that into a comma-joined value, and parseInt() will still accept the leading digits from values like "1,999999" or "1abc". That means malformed or duplicated Content-Length headers can bypass the fallback body measurement and weaken the oversized-payload guard.

Suggested fix

-    const parsedContentLength = parseInt(
-      String(req.headers[HTTP_HEADERS.CONTENT_LENGTH] ?? ""),
-      10,
-    );
+    const rawContentLength = req.headers[HTTP_HEADERS.CONTENT_LENGTH];
+    const parsedContentLength =
+      typeof rawContentLength === "string" && /^\d+$/.test(rawContentLength)
+        ? Number(rawContentLength)
+        : Number.NaN;

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/services/ForwardingService.js` around lines 274 - 280,
parsedContentLength is currently derived from
String(req.headers[HTTP_HEADERS.CONTENT_LENGTH]) which can turn string[] and
malformed values like "1,999" or "1abc" into a number; tighten parsing by first
reading req.headers[HTTP_HEADERS.CONTENT_LENGTH] into a local (e.g. rawCL),
reject arrays (Array.isArray(rawCL) -> treat as invalid), verify rawCL matches
/^\d+$/ before calling parseInt, and only set bodySize = parsedContentLength
when the regex passes and Number.isFinite(parsedContentLength); otherwise fall
back to measuring the actual request body length as before. Ensure you update
the checks around parsedContentLength and Number.isFinite to use the new
validated value.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tests/unit/services/forwarding_service.test.js`:
- Around line 27-50: The test imports constants (HTTP_STATUS_MESSAGES,
MIME_TYPES from src/consts/http.js) before calling setupCommonMocks, which
causes the real module to be loaded before mocks are applied; update the test so
that setupCommonMocks({...}) is invoked before any imports of source
modules/constants (including HTTP_STATUS_MESSAGES, MIME_TYPES and
ForwardingService) so mocks (consts: true) take effect — move the static imports
of HTTP_STATUS_MESSAGES and MIME_TYPES (and any other src/consts/* imports)
below the await setupCommonMocks(...) call and then import ForwardingService and
related consts after that.

---

Duplicate comments:
In `@src/services/ForwardingService.js`:
- Around line 274-280: parsedContentLength is currently derived from
String(req.headers[HTTP_HEADERS.CONTENT_LENGTH]) which can turn string[] and
malformed values like "1,999" or "1abc" into a number; tighten parsing by first
reading req.headers[HTTP_HEADERS.CONTENT_LENGTH] into a local (e.g. rawCL),
reject arrays (Array.isArray(rawCL) -> treat as invalid), verify rawCL matches
/^\d+$/ before calling parseInt, and only set bodySize = parsedContentLength
when the regex passes and Number.isFinite(parsedContentLength); otherwise fall
back to measuring the actual request body length as before. Ensure you update
the checks around parsedContentLength and Number.isFinite to use the new
validated value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02754c7a-758e-442e-9935-da54e1f2c476

📥 Commits

Reviewing files that changed from the base of the PR and between e2f3558 and da788e7.

📒 Files selected for processing (2)

• src/services/ForwardingService.js
• tests/unit/services/forwarding_service.test.js

[Copilot]

Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated no new comments.