chore(security): update vulnerable packages#323
Conversation
Walkthrough
Dependency updates only. Python backend: version bumps for requests and elasticsearch, plus added libraries. UI frontend: added several JS dependencies. No source code, scripts, or public API declarations changed.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Actionable comments posted: 3
🧹 Nitpick comments (5)
pyproject.toml (1)
50-55: Remove unnecessary runtime dependencies.
- setuptools → move to [build-system] requires.
- urllib3 → use as a dev dependency only; remove from runtime deps.
- h11, protobuf, tornado, jinja2 → no direct imports in production code; remove pins and, if needed, manage them via constraints or re-declare only when actually used.
ui/package.json (4)
7-9: Align @babel packages to avoid subtle build/runtime mismatches. Core is 7.9.0 while helpers/runtime are 7.26.10. Either bump @babel/core to 7.26.x or pin helpers/runtime near 7.9.x.
Two options:
A) Bump core:
-"@babel/core": "7.9.0",
+"@babel/core": "^7.26.10",
B) Pin runtimes closer to core:
-"@babel/helpers": "^7.26.10",
-"@babel/runtime": "^7.26.10",
-"@babel/runtime-corejs3": "^7.26.10",
+"@babel/helpers": "^7.9.0",
+"@babel/runtime": "^7.9.0",
+"@babel/runtime-corejs3": "^7.9.0",
43-43: Move serialize-javascript to devDependencies
serialize-javascript isn’t imported by any application code and is only pulled in by build tooling; remove it from dependencies and add it under devDependencies in ui/package.json.
23-23: Move cross-spawn to devDependencies: it isn’t imported at runtime in the ui/ codebase (no require/import or crossSpawn usage) and is only needed for scripting/build.
45-45: Move “tmp” to devDependencies
No imports, requires, or runtime references to tmp were found in ui/**/*; it’s only needed at build time.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (2)
- poetry.lock is excluded by !**/*.lock
- ui/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
- pyproject.toml (3 hunks)
- ui/package.json (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Pytest Unit Tests with all supported python versions (3.12)
🔇 Additional comments (3)
pyproject.toml (2)
30-30: Bump to requests ^2.32.4 verified: pyproject.toml pins requests (^2.32.4) and urllib3 (^2.5.0); poetry.lock resolves to requests-2.32.5, urllib3-2.5.0 and charset_normalizer-3.4.1, with no conflicting constraints. Minimal import smoke test imports requests, urllib3 and charset_normalizer without errors.
40-40: Confirm Elasticsearch 9.1 upgrade intent and reconcile optional flag in pyproject.toml
- Upgrading from 7.x→9.x is breaking; verify client initialization (http_auth vs basic_auth), exception types, helpers, and transport options in dcs_core/integrations/databases/elasticsearch.py (lines 16–47) and examples/data_generator/datasource.py (lines 26–29, 188–191).
- PR description states “remove optional flag,” but in pyproject.toml:
  elasticsearch = { version="^9.1.0", optional=true } (line 40)
- listed under [tool.poetry.extras] (line 85) and in "all" (line 97)
Either update the description or remove optional=true and clean up extras.
Option A – keep optional and fix summary:
-# PR summary says elasticsearch optional flag removed
+# PR summary should reflect: elasticsearch remains optional
Option B – make it non-optional and clean extras:
-elasticsearch = { version="^9.1.0", optional=true }
+elasticsearch = { version="^9.1.0" }
And in [tool.poetry.extras]:
- elasticsearch = ["elasticsearch"]
- all = [
-   "elasticsearch",
-   ...
- ]
+ # remove "elasticsearch" from extras and from "all"
ui/package.json (1)
1-132: Installation errors need resolution
The yarn install --check-files step failed with a postinstall error in core-js-pure. Refresh the lockfile, commit it alongside the packageManager field, then verify that both of the following complete without errors:
cd ui
yarn install --check-files
yarn audit --groups dependencies
| "@typescript-eslint/eslint-plugin": "^2.10.0", | ||
| "@typescript-eslint/parser": "^2.10.0", | ||
| "babel-jest": "^24.9.0", | ||
| "braces": "^3.0.3", |
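Review bot: adding "braces": "^3.0.3" under dependencies only fixes what the new top-level range resolves to; every other copy of braces that tooling pulls in through its own range keeps whatever version yarn.lock already records, so this hunk is only effective if the lockfile resolves all braces entries to 3.0.3 or later. With Yarn 1 the way to force that is a resolutions entry in ui/package.json ("resolutions": { "braces": "^3.0.3" }) followed by a regenerated lockfile; yarn why braces lists which ranges are still in play. Since yarn.lock is excluded from this review by the path filter, that check has to be done locally before merging.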
Confirm necessity of braces as a direct dependency.
If used only by tooling (via micromatch/webpack), keep it transitive; otherwise, retain and document usage.
🏁 Script executed:
#!/bin/bash
rg -nP '\b(braces|micromatch)\b' ui/src -g '!**/dist/**' -g '!**/build/**' -C2 || true
Length of output: 87
🏁 Script executed:
#!/bin/bash
sed -n '1,200p' ui/package.json
Length of output: 3479
Remove direct braces dependency
ui/package.json (line 21): drop "braces": "^3.0.3"—it isn’t imported in ui/src and is pulled in transitively via micromatch.
| "file-loader": "^6.2.0", | ||
| "jest-watch-typeahead": "0.4.2", | ||
| "material-react-table": "^2.0.4", | ||
| "micromatch": "^4.0.8", |
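Review bot: "micromatch": "^4.0.8" lands in dependencies, so it becomes part of the production install manifest even though nothing under ui/src imports it. If the entry is kept only to drag the transitive version up, a resolutions entry does that without declaring a runtime dependency; if it is kept at all, devDependencies is the right section, which also keeps yarn audit --groups dependencies (the command suggested earlier in this review) scoped to packages that actually ship at runtime.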
❓ Verification inconclusive
micromatch as a direct dep: validate usage.
Same guidance as braces; avoid unused top-level deps.
🏁 Script executed:
#!/bin/bash
rg -nP '\bmicromatch\b' ui/src -C2 || true
Length of output: 43
Remove unused micromatch dependency
Ripgrep finds no references to micromatch in the entire ui directory—please remove it from ui/package.json (line 36).
| "jest-watch-typeahead": "0.4.2", | ||
| "material-react-table": "^2.0.4", | ||
| "micromatch": "^4.0.8", | ||
| "nanoid": "^3.3.8\n", |
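Review bot: the stray "\n" on the nanoid line indicates package.json was edited by hand; after correcting the string, run yarn install again so that yarn.lock records the new nanoid resolution, because a range change in package.json on its own does not alter what the lockfile installs, and the check-files failure reported earlier in this review suggests the two files are already out of step.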
Invalid version string: stray newline in nanoid.
The value includes “\n”, which will break installs. Fix to a valid semver string.
Apply this diff:
- "nanoid": "^3.3.8\n",
+ "nanoid": "^3.3.8",
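Two checks the review thread above asks for, as an added example in Python (not code from the project or from either review bot): a scan of package.json for version strings that are not clean semver ranges, which catches the stray "\n" on nanoid, and a pass over a Yarn v1 lockfile that reports every resolved copy of a package below the patched version, which is what decides whether listing braces and micromatch as direct dependencies actually removes the vulnerable copies. The package.json fragment and the yarn.lock text are constructed samples (the build-tool package and the registry host are invented); the floor versions passed in are the ones this PR targets.

```python
"""Pre-flight checks for a dependency-bump PR (added example, constructed data)."""
import json
import re

# Constructed package.json fragment mirroring the thread: nanoid carries a
# stray "\n", braces and micromatch sit in the runtime section.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {
    "braces": "^3.0.3",
    "micromatch": "^4.0.8",
    "nanoid": "^3.3.8\\n",
    "jest-watch-typeahead": "0.4.2"
  },
  "devDependencies": {
    "@typescript-eslint/parser": "^2.10.0"
  }
}"""

# Constructed yarn.lock (v1 format). Yarn 1 does not dedupe on its own, so
# the pre-existing braces@^3.0.2 entry keeps resolving to 3.0.2 next to the
# new direct braces@^3.0.3 entry, and nanoid was never re-resolved.
SAMPLE_YARN_LOCK = """# yarn lockfile v1


braces@^3.0.2:
  version "3.0.2"
  dependencies:
    fill-range "^7.0.1"

braces@^3.0.3:
  version "3.0.3"
  dependencies:
    fill-range "^7.1.1"

micromatch@^4.0.2, micromatch@^4.0.8:
  version "4.0.8"
  dependencies:
    braces "^3.0.3"
    picomatch "^2.3.1"

some-build-tool@^1.0.0:
  version "1.0.0"
  dependencies:
    braces "^3.0.2"

nanoid@^3.1.23:
  version "3.1.23"
"""

# One semver comparator: optional operator, x.y.z with x/* wildcards,
# optional prerelease and build metadata. Not a full range parser, but
# enough to reject control characters and stray whitespace.
_COMPARATOR = re.compile(
    r"^[~^<>=]{0,2}v?\d+(?:\.(?:\d+|x|\*))?(?:\.(?:\d+|x|\*))?"
    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def invalid_ranges(package_json: str) -> list[tuple[str, str, str]]:
    """(section, name, value) for every version string that is not a plain
    semver range: surrounding whitespace, control characters, or tokens that
    are not comparators all count."""
    doc = json.loads(package_json)
    bad = []
    for section in ("dependencies", "devDependencies"):
        for name, value in doc.get(section, {}).items():
            if value != value.strip() or any(ord(c) < 32 for c in value):
                bad.append((section, name, value))
                continue
            tokens = re.split(r"\s*\|\|\s*|\s+-\s+|\s+", value)
            if not all(t in ("*", "latest") or _COMPARATOR.match(t) for t in tokens):
                bad.append((section, name, value))
    return bad


def lockfile_versions(yarn_lock: str) -> dict[str, set[str]]:
    """Package name -> every version the Yarn v1 lockfile resolves it to.
    A header may list several ranges ("a@^1.0.0, a@^1.2.0:"); the range is
    split off at the last "@" so scoped names survive. npm: aliases are not handled."""
    versions: dict[str, set[str]] = {}
    names: list[str] = []
    for line in yarn_lock.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if not line.startswith(" ") and line.endswith(":"):
            names = [k.strip().strip('"').rpartition("@")[0] for k in line[:-1].split(",")]
        elif line.startswith("  version ") and names:
            ver = line.split(None, 1)[1].strip().strip('"')
            for name in names:
                if name:
                    versions.setdefault(name, set()).add(ver)
    return versions


def _key(version: str) -> tuple[int, ...]:
    core = version.split("-", 1)[0].split("+", 1)[0]  # drop prerelease/build
    return tuple(int(part) for part in core.split("."))


def unpatched(yarn_lock: str, floors: dict[str, str]) -> list[tuple[str, str]]:
    """(name, version) for every lockfile resolution below the patched floor,
    or (name, "absent") when the lockfile has no entry at all, which means
    package.json was edited but yarn install never ran."""
    resolved = lockfile_versions(yarn_lock)
    findings = []
    for name, floor in sorted(floors.items()):
        if name not in resolved:
            findings.append((name, "absent"))
            continue
        findings.extend((name, v) for v in sorted(resolved[name]) if _key(v) < _key(floor))
    return findings


if __name__ == "__main__":
    print("invalid version strings:", invalid_ranges(SAMPLE_PACKAGE_JSON))
    print("still below floor:", unpatched(
        SAMPLE_YARN_LOCK, {"braces": "3.0.3", "micromatch": "4.0.8", "nanoid": "3.3.8"}))
```

Against the real files, read ui/package.json and ui/yarn.lock and pass their contents in place of the samples. On the constructed data the lockfile check reports braces 3.0.2 (the copy the build tool still pulls in) and nanoid 3.1.23 (never re-resolved); the remedy for the first is a resolutions entry for braces in ui/package.json and a regenerated lockfile, for the second a corrected version string followed by yarn install, after which the check should come back empty.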
PR Type
Enhancement
Description
Update vulnerable Python packages to secure versions
Add new security-focused dependencies to Python project
Update JavaScript/Node.js packages for security fixes
Remove optional flag from elasticsearch dependency
File Walkthrough
pyproject.toml: Update Python dependencies for security
- requests from ^2.31.0 to ^2.32.4
- elasticsearch from ^7.17.3 to ^9.1.0 and remove optional flag
- added: h11, protobuf, tornado, setuptools, urllib3, jinja2
ui/package.json: Update JavaScript dependencies for security
- updated: braces, cross-spawn, micromatch, nanoid dependencies
- added: serialize-javascript and tmp packages