Skip to content

chore: security audit cleanup — CodeQL, workflow permissions, dependency overrides#2884

Merged
ihabadham merged 13 commits into
mainfrom
ihabadham/chore/security-audit-cleanup
Mar 29, 2026
Merged

chore: security audit cleanup — CodeQL, workflow permissions, dependency overrides#2884
ihabadham merged 13 commits into
mainfrom
ihabadham/chore/security-audit-cleanup

Conversation

@ihabadham

@ihabadham ihabadham commented Mar 29, 2026

Copy link
Copy Markdown
Collaborator

Summary

Addresses all 65 open GitHub security alerts (49 code scanning + 16 Dependabot) identified during a full security audit. None represent real risk to end users — see #2883 for the complete investigation.

  • Switch CodeQL to advanced setup with path exclusions for test fixtures and spec/dummy apps (eliminates 14 false-positive code scanning alerts from build artifacts and test infrastructure)
  • Add permissions: { contents: read } to all 14 CI workflows that lacked a top-level permissions block (resolves 22 code scanning alerts, follows GitHub's principle of least privilege)
  • Generate pnpm overrides via pnpm audit --fix for 28 transitive dependency vulnerabilities (all dev-only, reduces npm audit from 38 to 8 — remaining are unfixable or pnpm edge cases)
  • Update loofah 2.25.0 → 2.25.1 across 4 Gemfile.lock files (URI detection fix)

Additionally, 13 code scanning false positives were dismissed via API with documented reasons (by-design VM execution, internal service architecture, non-vulnerable regex patterns). See #2883 for each dismissal rationale.

Post-merge admin action

After merging, disable the "Default setup" CodeQL scanner in Settings > Code security > Code scanning. The new advanced setup workflow replaces it — if both run, the default scanner ignores path exclusions.

Test plan

  • CI passes on all existing workflows (the permissions change is additive and non-breaking)
  • CodeQL workflow runs successfully on this PR (new workflow)
  • After merge + default CodeQL disabled: code scanning alerts drop to ~0
  • After merge: Dependabot detects lockfile changes and auto-closes resolved alerts

Closes #2883

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Restrict CI workflow permissions to read-only access for repository contents.
    • Add a scheduled automated CodeQL security scan covering JavaScript/TypeScript and Ruby.
    • Exclude test fixture and dummy application directories from automated security analysis.
    • Expand package manager override rules to pin/remap many transitive dependency versions for more consistent installs.

ihabadham and others added 4 commits March 28, 2026 23:59
Exclude test fixtures (pre-built webpack bundles) and spec/dummy apps
from CodeQL scanning. These generate false positive alerts for code
that is not production source.

Resolves 14 code scanning alerts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add explicit permissions: { contents: read } to every workflow that
lacked a top-level permissions block. Follows GitHub's principle of
least privilege for GITHUB_TOKEN.

Resolves 22 code scanning alerts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Generated via `pnpm audit --fix`. Forces non-vulnerable versions of
28 transitive dependencies that cannot be fixed by bumping direct deps.

Reduces npm audit vulnerabilities from 38 to 8. Remaining 8 are either
unfixable (elliptic has no patched version) or edge cases with pnpm's
range-based override resolution for deeply nested deps.

These overrides should be removed when upstream packages update.
Addresses Dependabot advisory for improper detection of disallowed
URIs via `allowed_uri?` in loofah 2.25.0.

react_on_rails/spec/dummy/Gemfile.lock not updated due to a local
bootsnap compilation issue — CI can handle this lockfile update.
@coderabbitai

coderabbitai Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds CodeQL advanced setup with path exclusions for test fixtures and spec/dummy apps, introduces a new CodeQL workflow, adds workflow-level GitHub Actions permissions (contents: read) across many workflows, and expands pnpm.overrides in package.json to pin/widen transitive dev dependency versions for security fixes.

Changes

Cohort / File(s) Summary
CodeQL configuration
\.github/codeql/codeql-config.yml
Added paths-ignore entries to exclude packages/react-on-rails-pro-node-renderer/tests/fixtures/**, react_on_rails_pro/spec/dummy/**, react_on_rails_pro/spec/execjs-compatible-dummy/**, and react_on_rails/spec/dummy/** from CodeQL analysis.
New CodeQL workflow
\.github/workflows/codeql.yml
Added a CodeQL workflow (triggers: push/pr to main, weekly cron). Defines an analyze job with a language matrix (javascript-typescript, ruby), initializes CodeQL with the repo config, runs autobuild, and analyzes; sets job permissions (security-events: write, contents: read, actions: read).
Workflows — permissions added
\.github/workflows/.../*.yml
\.github/workflows/actionlint.yml, bundle-size.yml, check-markdown-links.yml, examples.yml, gem-tests.yml, integration-tests.yml, lint-js-and-ruby.yml, package-js-tests.yml, playwright.yml, precompile-check.yml, pro-integration-tests.yml, pro-lint.yml, pro-test-package-and-gem.yml, trigger-docs-site.yml
Added a top-level permissions: { contents: read } to many workflow files to explicitly scope the GITHUB_TOKEN default permission for each workflow.
pnpm overrides / package.json
package.json
Expanded pnpm.overrides with many entries remapping transitive dev dependency versions (examples: handlebars, path-to-regexp, serialize-javascript, minimatch, svgo, @tootallnate/once, yaml, etc.) to patched or constrained versions to address Dependabot findings.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Dev as Developer / PR
participant GH as GitHub Actions
participant CodeQL as CodeQL Action
participant Repo as Repository
Dev->>GH: Push PR / merge triggers workflows
GH->>CodeQL: Start CodeQL workflow (init with ./.github/codeql/codeql-config.yml)
CodeQL->>Repo: Read repository files (obey paths-ignore)
CodeQL->>GH: Run autobuild and analyze
CodeQL->>GH: Upload security events

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through YAML, pinning each thread,
Ignored the test-bundles, gave CodeQL new bed,
Workflows now whisper only read in their song,
Overrides stitched fixes where transitive things went wrong,
A little rabbit cheer—CI safe and strong 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title accurately reflects the main changes: security audit cleanup addressing CodeQL setup, workflow permissions, and dependency overrides.
Linked Issues check ✅ Passed The PR successfully implements all key coding objectives from #2883: advanced CodeQL setup with path exclusions, workflow permissions on 14 CI workflows, pnpm overrides for npm vulnerabilities, and loofah gem updates.
Out of Scope Changes check ✅ Passed All changes directly address the security audit objectives: CodeQL configuration, workflow permissions, dependency overrides, and gem updates. No unrelated or out-of-scope modifications detected.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ihabadham/chore/security-audit-cleanup

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions

github-actions Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

size-limit report 📦

Path Size
react-on-rails/client bundled (gzip) 62.63 KB (0%)
react-on-rails/client bundled (gzip) (time) 62.63 KB (0%)
react-on-rails/client bundled (brotli) 53.7 KB (0%)
react-on-rails/client bundled (brotli) (time) 53.7 KB (0%)
react-on-rails-pro/client bundled (gzip) 63.65 KB (0%)
react-on-rails-pro/client bundled (gzip) (time) 63.65 KB (0%)
react-on-rails-pro/client bundled (brotli) 54.67 KB (0%)
react-on-rails-pro/client bundled (brotli) (time) 54.67 KB (0%)
registerServerComponent/client bundled (gzip) 127.46 KB (0%)
registerServerComponent/client bundled (gzip) (time) 127.46 KB (0%)
registerServerComponent/client bundled (brotli) 61.65 KB (0%)
registerServerComponent/client bundled (brotli) (time) 61.65 KB (0%)
wrapServerComponentRenderer/client bundled (gzip) 122.02 KB (0%)
wrapServerComponentRenderer/client bundled (gzip) (time) 122.02 KB (0%)
wrapServerComponentRenderer/client bundled (brotli) 56.77 KB (0%)
wrapServerComponentRenderer/client bundled (brotli) (time) 56.77 KB (0%)

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f42b61ba61

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json Outdated
Comment thread package.json Outdated
@greptile-apps

greptile-apps Bot commented Mar 29, 2026

Copy link
Copy Markdown

Greptile Summary

This PR is a thorough security audit cleanup that addresses 65 open GitHub security alerts through four coordinated changes: switching CodeQL from default to advanced setup with path exclusions, adding permissions: contents: read to 14 CI workflows, adding pnpm overrides for 28 transitive dev-only dependency vulnerabilities, and bumping loofah/nokogiri across 4 Gemfile.lock files.

Key changes:

  • codeql.yml — new advanced-setup workflow replacing the default GitHub scanner; analyzes JavaScript/TypeScript and Ruby via a matrix with a custom config file
  • .github/codeql/codeql-config.yml — excludes test fixtures and spec/dummy apps from CodeQL to eliminate false positives
  • 14 workflow files — permissions: contents: read added at the top level; job-level overrides (e.g., pull-requests: write in bundle-size.yml) are preserved and not broken by the additive top-level block
  • package.json / pnpm-lock.yaml — 28 pnpm override entries generated by pnpm audit --fix for dev-only transitive vulnerabilities; several entries are redundant/duplicate but do not produce incorrect pinning behavior
  • Gemfile.locks — loofah 2.25.0 → 2.25.1 and nokogiri 1.19.1 → 1.19.2 applied consistently across all four lockfiles

Confidence Score: 5/5

Safe to merge — all findings are P2 suggestions with no runtime or security impact.

All three comments are P2: the missing category in the CodeQL analyze step is a best-practice gap that doesn't break analysis (v4 infers language from the matrix), the omitted execjs-compatible-dummy exclusion may leave some false positives but doesn't reduce security coverage, and the duplicate pnpm overrides are cosmetic. No P0/P1 issues were found. The permission additions are strictly additive and correct, the Gemfile.lock bumps are straightforward patch updates, and the lockfile diff is mechanically generated.

.github/workflows/codeql.yml and .github/codeql/codeql-config.yml deserve a second look for the two P2 suggestions, but neither blocks merging.

Important Files Changed

Filename Overview
.github/workflows/codeql.yml New advanced CodeQL workflow analyzing JS/TypeScript and Ruby via a matrix; missing category in the analyze step is a best-practice gap when using matrix strategy.
.github/codeql/codeql-config.yml New CodeQL config excluding known false-positive directories; react_on_rails_pro/spec/execjs-compatible-dummy is missing from the exclusion list.
package.json 28 pnpm transitive-dependency overrides added for dev-only vulnerabilities; several entries are redundant/duplicate but functionally safe.
.github/workflows/actionlint.yml Top-level permissions: contents: read added; additive change, no functional impact.
.github/workflows/trigger-docs-site.yml Top-level permissions: contents: read added; dispatch to external repo uses a GitHub App token (not GITHUB_TOKEN), so the restriction is safe.
react_on_rails/Gemfile.lock loofah bumped 2.25.0 → 2.25.1 and nokogiri bumped 1.19.1 → 1.19.2 for URI detection security fix.
pnpm-lock.yaml Lockfile regenerated to reflect the new pnpm overrides; large diff but mechanically correct.

Reviews (1): Last reviewed commit: "chore: update loofah to 2.25.1 for URI d..." | Re-trigger Greptile

Comment thread .github/workflows/codeql.yml
Comment thread .github/codeql/codeql-config.yml
Comment thread package.json Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
package.json (1)

129-157: Security overrides look reasonable; consider consolidating redundant entries.

The security-focused version overrides address the transitive dev-dependency vulnerabilities as intended. However, there are several overlapping rules that could be consolidated for maintainability:

Package Redundant entries Could consolidate to
minimatch <3.1.3, <3.1.4 <3.1.4>=3.1.4
minimatch <9.0.6, <9.0.7 <9.0.7>=9.0.7
serialize-javascript <=7.0.2, <7.0.5 <7.0.5>=7.0.5
flatted <3.4.0, <=3.4.1 <=3.4.1>=3.4.2
handlebars <=4.7.8, <4.7.9 <4.7.9>=4.7.9

This is likely because pnpm audit --fix was run multiple times against different advisory states. The current entries are functionally correct—pnpm will resolve them appropriately—but fewer entries would be easier to maintain.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 129 - 157, Consolidate redundant pnpm overrides in
package.json by removing duplicate rules and keeping the stricter single
override per package: for "minimatch" remove the `<3.1.3` and `<9.0.6` entries
and keep the `>=3.1.4` and `>=9.0.7` overrides respectively; for
"serialize-javascript" remove `<=7.0.2` and keep `>=7.0.5`; for "flatted" remove
`<3.4.0` and `<=3.4.1` and keep `>=3.4.2`; for "handlebars" remove `<=4.7.8` and
`<4.7.9` and keep `>=4.7.9`; update the override keys (the string entries like
"minimatch@<3.1.3") accordingly so each package appears once with the
consolidated constraint.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@package.json`:
- Around line 129-157: Consolidate redundant pnpm overrides in package.json by
removing duplicate rules and keeping the stricter single override per package:
for "minimatch" remove the `<3.1.3` and `<9.0.6` entries and keep the `>=3.1.4`
and `>=9.0.7` overrides respectively; for "serialize-javascript" remove
`<=7.0.2` and keep `>=7.0.5`; for "flatted" remove `<3.4.0` and `<=3.4.1` and
keep `>=3.4.2`; for "handlebars" remove `<=4.7.8` and `<4.7.9` and keep
`>=4.7.9`; update the override keys (the string entries like "minimatch@<3.1.3")
accordingly so each package appears once with the consolidated constraint.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0dce4e64-f208-4ba0-82ce-f7c46a69498e

📥 Commits

Reviewing files that changed from the base of the PR and between 0ccbe3a and f42b61b.

⛔ Files ignored due to path filters (5)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
  • react_on_rails/Gemfile.lock is excluded by !**/*.lock
  • react_on_rails_pro/Gemfile.lock is excluded by !**/*.lock
  • react_on_rails_pro/spec/dummy/Gemfile.lock is excluded by !**/*.lock
  • react_on_rails_pro/spec/execjs-compatible-dummy/Gemfile.lock is excluded by !**/*.lock
📒 Files selected for processing (17)
  • .github/codeql/codeql-config.yml
  • .github/workflows/actionlint.yml
  • .github/workflows/bundle-size.yml
  • .github/workflows/check-markdown-links.yml
  • .github/workflows/codeql.yml
  • .github/workflows/examples.yml
  • .github/workflows/gem-tests.yml
  • .github/workflows/integration-tests.yml
  • .github/workflows/lint-js-and-ruby.yml
  • .github/workflows/package-js-tests.yml
  • .github/workflows/playwright.yml
  • .github/workflows/precompile-check.yml
  • .github/workflows/pro-integration-tests.yml
  • .github/workflows/pro-lint.yml
  • .github/workflows/pro-test-package-and-gem.yml
  • .github/workflows/trigger-docs-site.yml
  • package.json

@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: chore: security audit cleanup

Overall this is a well-structured security sweep. The four change categories (CodeQL advanced setup, workflow permissions, pnpm overrides, loofah/nokogiri bumps) are all sound. A few things worth flagging.

Concerns

1. yaml major version bump (v1 to v2) via transitive override

The override yaml@>=1.0.0 <1.10.3 resolves to yaml 2.8.3, a major-version jump. yaml v1 and v2 have incompatible JavaScript APIs. Any build tool in the dependency tree that calls yaml API rather than just its CLI could silently misbehave. The lockfile shows tailwindcss now resolves as tailwindcss@3.4.19(yaml@2.8.3), which suggests tailwindcss already handles yaml v2 as a peer - but worth a smoke-test of the full build and CSS pipeline before merging.

2. Redundant/overlapping pnpm overrides

pnpm audit --fix emitted several duplicate range patterns in package.json:

  • minimatch@<3.1.3 and minimatch@<3.1.4 - the latter fully subsumes the former
  • minimatch@>=9.0.0 <9.0.6 and minimatch@>=9.0.0 <9.0.7 - latter subsumes former
  • handlebars@>=4.0.0 <=4.7.8 and handlebars@>=4.0.0 <4.7.9 - identical ranges expressed differently

These are harmless auto-generated artefacts, but cleaning them up would reduce noise in future pnpm audit output. Low priority.

3. react_on_rails/spec/dummy/Gemfile.lock not updated

Mentioned in the commit message (bootsnap compilation issue). This leaves a stale lockfile in the PR. It would be cleaner to update it here; leaving it as-is means the security fix for that lockfile depends on a follow-up run that may never be triggered.

4. trigger-docs-site.yml - contents: read is harmless but vestigial

The workflow dispatches to a third-party repo using a GitHub App token (secrets.DOCS_DISPATCH_APP_KEY), never using GITHUB_TOKEN directly. The new top-level permissions: contents: read applies to GITHUB_TOKEN only and has no effect on what the workflow actually does. Not a problem - consistent with the rest of the batch change - just noting it so the intent is clear.

Looks good

  • CodeQL advanced setup + path exclusions is the right call; excluding tests/fixtures (pre-built webpack bundles) and spec/dummy (Rails test apps) eliminates genuine false positives without hiding real issues.
  • permissions: contents: read on all 14 workflows is the correct default; job-level blocks on workflows that need pull-requests: write (e.g. bundle-size.yml) correctly override this.
  • codeql.yml uses fail-fast: false on the language matrix - a Ruby analysis failure will not abort the JS/TS scan.
  • security-events: write is present on the CodeQL job; actions: read is not needed for this public repo.
  • loofah + nokogiri patch bumps are straightforward and correct.

The ajv overrides (v6→v6.14+ and v7→v8.18+) cause incompatibility
with ajv-keywords used by schema-utils in terser-webpack-plugin.
ajv v8 removed APIs that webpack's toolchain depends on.

These two moderate-severity dev-only alerts are accepted as tolerable
risk since fixing them requires a breaking API change.
Comment thread package.json
Comment thread package.json Outdated
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Code Review

Overall this is a solid security hardening PR. The approach of using CodeQL advanced setup with path exclusions, adding least-privilege permissions to CI workflows, and using pnpm overrides to pin vulnerable transitive dependencies is well-reasoned. The changes are largely additive and non-breaking.

Three issues worth addressing before merge:

1. codeql-action@v4 may not exist

The new codeql.yml workflow references github/codeql-action/init@v4, autobuild@v4, and analyze@v4. GitHub's documented stable release for CodeQL Action is v3. If the v4 tag does not exist on GitHub's registry, all three steps will fail with "Unable to resolve action" — meaning the workflow will never produce results and security events will never be uploaded. Recommend verifying v4 exists, and if not, switching to @v3.

2. react_on_rails_pro/spec/execjs-compatible-dummy not excluded from CodeQL

.github/codeql/codeql-config.yml correctly excludes the two spec/dummy Rails test apps, but misses react_on_rails_pro/spec/execjs-compatible-dummy. That directory is a third integration-test app (it is listed as a workspace in package.json and has its own Gemfile.lock updated in this PR). Omitting it would produce the same class of false positives this PR is trying to eliminate.

3. Redundant pnpm overrides in package.json

The pnpm.overrides block has several entries where a later (broader) override completely supersedes an earlier one — likely from running pnpm audit --fix multiple times without cleaning up stale entries. Superseded entries: minimatch@<3.1.3 (superseded by <3.1.4), minimatch@>=9.0.0 <9.0.6 (superseded by <9.0.7), serialize-javascript@<=7.0.2 (superseded by <7.0.5), flatted@<3.4.0 (superseded by <=3.4.1), and handlebars@>=4.0.0 <=4.7.8 (semantic duplicate of <4.7.9). These are functionally harmless but add noise to future audits.

Comment thread .github/workflows/codeql.yml
Comment thread .github/codeql/codeql-config.yml
Comment thread package.json Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 37354a9a69

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json Outdated
Comment thread package.json Outdated

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6c5017aec9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json Outdated
Comment thread package.json Outdated
Comment thread package.json Outdated
Comment thread package.json Outdated
Comment thread package.json Outdated
Comment thread .github/workflows/codeql.yml
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: Security Audit Cleanup

Overall this is a solid, well-scoped security hardening PR. The workflow permission changes and CodeQL advanced setup are both correct and follow GitHub's least-privilege recommendations. A few issues worth addressing:

Redundant dependency overrides (see inline comments)

The pnpm audit --fix output contains several duplicated override entries where a broader rule already covers a narrower one (e.g. minimatch@<3.1.3 is made redundant by the later minimatch@<3.1.4; same for flatted, serialize-javascript, and handlebars). These don't cause incorrect behavior, but they clutter the overrides list and make future audits harder to reason about.

Open-ended override ranges can resolve to new major versions

Several overrides use open-ended ranges like >=1.1.13 which resolve all the way to brace-expansion@5.0.5 — a new major version with engines: {node: 18 || 20 || >=22}. Since this is a dev-only dependency tree and CI targets Node 20+, this won't break CI, but it's more aggressive than necessary to fix the vulnerability. Tighter bounds like >=1.1.13 <2.0.0 would be safer. See inline comments.

Post-merge manual step is high-risk to forget

The PR description includes a post-merge admin action: disabling the Default setup CodeQL scanner. If this is missed, both scanners run in parallel and the default one re-raises the false-positive alerts this PR was designed to suppress. Consider adding a comment to codeql.yml or opening a follow-up issue so the action item isn't lost after the PR is closed.

CodeQL paths-ignore coverage looks correct

The three excluded paths match the actual directory structure in this repo — no gaps found.

Workflow permissions

All 14 workflows correctly receive contents: read. The bundle-size.yml job-level pull-requests: write is unaffected — job-level permissions override the workflow-level default for that job. The trigger-docs-site.yml correctly relies on the GitHub App token for dispatch rather than GITHUB_TOKEN, so contents: read is sufficient there.

Generated with Claude Code

Comment thread package.json Outdated
Comment thread package.json Outdated
Comment thread package.json Outdated
Comment thread .github/workflows/codeql.yml
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: chore — security audit cleanup

Overall this is a well-scoped cleanup: the workflow permission hardening is correct and consistent, the CodeQL advanced setup is the right approach for suppressing false positives, and the Ruby gem bumps (loofah, nokogiri) are straightforward. A few issues need attention before merge.

Blocking

1. minimatch upgrades from 9.x → 10.x (see inline comment on package.json lines 140-144)
The override minimatch@>=9.0.0 <9.0.7 → >=9.0.7 resolved to minimatch@10.2.4 in the lockfile — a major-version jump. This contradicts the inline comment "Generated via pnpm audit --fix, with manual caps added to prevent major version jumps." Fixing this (cap to >=9.0.7 <10) should also fix the cascading brace-expansion jump noted below.

2. brace-expansion resolves to 5.0.5 (see inline comment on package.json lines 156-157)
Side-effect of the minimatch@10.x upgrade: minimatch@10 depends on brace-expansion@^5, so the >=2.0.3 override latched onto v5.0.5 instead of the expected 2.0.x patch. Fix the minimatch cap and this resolves itself; add a <3 cap to the brace-expansion override as belt-and-suspenders.

Non-blocking

3. Redundant duplicate overrides (see inline comment on package.json lines 145-155)
Three override pairs where one entry is a strict subset of the other: serialize-javascript, handlebars, and flatted. The duplicates don't cause functional problems but add maintenance noise. Worth cleaning up in this PR since it's already touching these entries.

4. Action refs not SHA-pinned in codeql.yml (see inline comment on line 23)
Using mutable @v4 tags in a security-scanning workflow is slightly ironic. Low risk in practice since GitHub controls the github/codeql-action repo, but SHA pinning is the hardened best practice and GitHub's own CodeQL docs call it out.

- Consolidate redundant pnpm overrides (remove 5 subsumed entries
  that were auto-generated by pnpm audit --fix for different CVEs
  covering the same version ranges)
- Cap minimatch 9.x override at <10 to prevent major version jump
- Add category parameter to CodeQL analyze step (matches official
  GitHub template, provides cleaner labels in Security tab)
- Add actions: read permission to CodeQL workflow (required if repo
  ever becomes private, harmless on public repos)
- Add execjs-compatible-dummy to CodeQL paths-ignore exclusions
Comment thread .github/workflows/bundle-size.yml
Comment thread package.json Outdated
Comment thread package.json Outdated
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: Security Audit Cleanup

Good overall direction. Three issues to address before merging.

BUG (must fix): bundle-size.yml PR commenting is broken. The new top-level 'permissions: contents: read' silently caps the job-level 'pull-requests: write' permission the check-bundle-size job needs to post size comparison comments. This won't be caught by CI on this PR since the workflow only triggers for PRs touching bundle-related files.

ISSUE: brace-expansion resolves to v5, not v2.x. The '>=2.0.3' range has no upper bound, so pnpm resolved it to 5.0.5 (three major versions ahead). Inconsistent with the stated goal of 'manual caps to prevent major version jumps'. The v5 series also requires node 18/20/22+. Suggest adding <3 as a cap.

NOTE: @tootallnate/once forces v1 and v2 consumers to v3 — a cross-major jump, not a patch bump. Low risk since these are dev-only proxy utilities, but the comment should reflect this.

What looks good:

  • The 13 other workflow permissions additions are correct (none have job-level write permissions that would be capped)
  • New codeql.yml and codeql-config.yml path exclusions are well-structured
  • Gemfile.lock bumps (loofah 2.25.1, nokogiri 1.19.2) are clean patch-level security updates
  • ajv exclusion rationale is well-documented
  • Post-merge admin note about disabling default CodeQL is important

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 78759c3e8c

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json Outdated
Comment thread .github/workflows/codeql.yml
Comment thread package.json
Comment thread package.json
Comment thread .github/codeql/codeql-config.yml
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: Security Audit Cleanup

Overall this is a well-scoped and carefully documented security PR. The incremental commit history shows good discipline. A few items worth addressing before merge:

Several pnpm overrides are missing upper-bound major-version caps (inline comments already posted). The later commits wisely capped brace-expansion, minimatch, svgo, picomatch, and yaml — but the same logic applies to lodash, qs, handlebars, serialize-javascript, @tootallnate/once, basic-ftp, immutable, flatted, and smol-toml. If a new major version is published while the override is in place, pnpm could silently resolve to a breaking version. Suggested caps following the existing pattern: lodash <5, qs <7, handlebars <5, serialize-javascript <8, @tootallnate/once <4, basic-ftp <6, immutable <6, flatted <4, smol-toml <2.

Missing react_on_rails/spec/dummy/Gemfile.lock update. The commit message says "CI can handle this" — but CI does not auto-commit lockfile changes. If that spec/dummy app is exercised by any test job, its loofah version stays at 2.25.0 and the Dependabot alert will not close for that lockfile. Please run bundle update loofah inside react_on_rails/spec/dummy/ locally.

codeql.yml is missing a workflow-level permissions: block (inline suggestion already posted). All 14 workflows modified in this PR have permissions: contents: read at the top level. The new workflow only declares permissions at the job level, which is correct today but leaves read-all as the default if a second job is ever added.

Seven workflows were not touched and still lack a top-level permissions block: claude.yml, stop-run-skipped-ci.yml, run-skipped-ci.yml, detect-invalid-ci-commands.yml, benchmark.yml, claude-code-review.yml, detect-changes.yml. These are likely intentional omissions (they need pull-requests: write or issues: write) but worth documenting so future audits do not re-flag them.

Informational: CodeQL action v4 is pinned — CI will confirm whether the tag is valid; if the workflow fails, fall back to v3. The pnpm-lock.yaml change to fdir's recorded peer dependency (picomatch: ^3 || ^4>=4.0.4) is a lockfile-only artifact from the picomatch override resolution — no action needed, just noting for reviewers.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4df7e19e7d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json Outdated
pnpm overrides replace the parent's constraint entirely, so an
uncapped ">=4.17.23" would resolve to 5.x if published. Cap every
override at the next major for consistency and to prevent future
surprises. Most of these are currently harmless (no new major exists)
but this matches the intent documented in the comment block.
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: Security Audit Cleanup

Good, well-scoped PR. Adding least-privilege permissions to all workflows, switching to CodeQL advanced setup with path exclusions to kill false positives, and patching transitive deps via pnpm overrides are all sound approaches. A few things worth checking:

Potential blocker: codeql-action@v4
The new codeql.yml references github/codeql-action/init@v4, autobuild@v4, and analyze@v4. The latest stable tag on that action is v3. If v4 does not exist as a release tag, all three steps will fail with a not-found error and CodeQL will never run. Please verify the tag exists before merge, or fall back to @V3.

Missing top-level permissions block in codeql.yml
Every other workflow touched by this PR gets a top-level permissions: contents: read block. The new codeql.yml has job-level permissions only. While the single job is correct today, any future job added to this file would inherit the default GITHUB_TOKEN permissions (potentially write). Adding permissions: {} at the top level applies the same defense-in-depth the PR uses elsewhere.

trigger-docs-site.yml: verify no functional regression
This workflow dispatches to shakacode/reactonrails.com via a GitHub App token from secrets. The GITHUB_TOKEN is not used for the actual dispatch, so restricting it to contents: read should be safe. Worth a smoke-test after merge since the workflow only runs on pushes to main.

Overrides maintenance note
The pnpm.overrides block has grown significantly. The inline comment array documents the intent well. Consider adding a note about auditing stale overrides over time (run pnpm audit and remove entries once upstream packages update). Informational only, not a blocker.

Comment thread .github/workflows/codeql.yml
Comment thread .github/workflows/codeql.yml

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d3d3be4c69

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json Outdated
Express 4.22.1 (pulled by webpack-dev-server) declares
path-to-regexp ~0.1.12. The previous cap of <1 allowed resolution
to 0.2.5 which is outside Express 4's router contract.
Comment thread .github/workflows/codeql.yml
Comment thread package.json
Comment thread .github/codeql/codeql-config.yml
@claude

claude Bot commented Mar 29, 2026

Copy link
Copy Markdown
Contributor

Review: chore/security-audit-cleanup

Overall this is a well-scoped and clearly reasoned security hardening PR. The approach — adding least-privilege workflow permissions, switching to advanced CodeQL setup with path exclusions, and using pnpm audit generated overrides — is solid.

Confirmed correct

  • Workflow permissions: All 14 workflows correctly get contents: read. Workflows that use GITHUB_TOKEN for PR comments (e.g. bundle-size.yml) already have job-level pull-requests: write blocks that override the new top-level default, so nothing breaks.
  • trigger-docs-site.yml: Uses a GitHub App token (not GITHUB_TOKEN) for the cross-repo dispatch, so contents: read on GITHUB_TOKEN is the right call.
  • pnpm lockfile: Confirmed overrides resolved correctly — lodash@4.17.23, path-to-regexp@0.1.13, handlebars@4.7.9, serialize-javascript@7.0.5, qs@6.15.0 all present in lock.
  • ajv exclusion comment: The reasoning (ajv v8 breaks webpack schema-utils) is documented and appropriate.

Minor issues (see inline comments)

  1. .github/workflows/codeql.ymlautobuild for JS/TS in a pnpm monorepo may not install workspace deps; explicit pnpm install recommended for better analysis coverage.
  2. package.json — lodash override selector >=4.0.0 <=4.17.22 captures already-patched versions (4.17.21 and 4.17.22); harmless but imprecise.
  3. .github/codeql/codeql-config.ymlpackages/react-on-rails-pro/tests/fixtures/** is not excluded (the parallel fixture dir to the node-renderer one that is excluded). Currently JSON-only so no real-world impact, but worth adding defensively.

Out-of-band dismissals

The PR description mentions 13 alerts were dismissed via API with reasons documented in issue 2883. Since those dismissals are not in the diff, reviewers cannot audit them here — recommend verifying 2883 covers each one before merging.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6d551e929d

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread package.json
@ihabadham ihabadham merged commit b72f12d into main Mar 29, 2026
60 checks passed
@ihabadham ihabadham deleted the ihabadham/chore/security-audit-cleanup branch March 29, 2026 03:11
justin808 pushed a commit that referenced this pull request Mar 29, 2026
…ncy overrides (#2884)

## Summary

Addresses all 65 open GitHub security alerts (49 code scanning + 16
Dependabot) identified during a full security audit. None represent real
risk to end users — see #2883 for the complete investigation.

- **Switch CodeQL to advanced setup** with path exclusions for test
fixtures and spec/dummy apps (eliminates 14 false-positive code scanning
alerts from build artifacts and test infrastructure)
- **Add `permissions: { contents: read }`** to all 14 CI workflows that
lacked a top-level permissions block (resolves 22 code scanning alerts,
follows GitHub's principle of least privilege)
- **Generate pnpm overrides** via `pnpm audit --fix` for 28 transitive
dependency vulnerabilities (all dev-only, reduces npm audit from 38 to 8
— remaining are unfixable or pnpm edge cases)
- **Update loofah** 2.25.0 → 2.25.1 across 4 Gemfile.lock files (URI
detection fix)

Additionally, 13 code scanning false positives were dismissed via API
with documented reasons (by-design VM execution, internal service
architecture, non-vulnerable regex patterns). See #2883 for each
dismissal rationale.

## Post-merge admin action

After merging, disable the "Default setup" CodeQL scanner in Settings >
Code security > Code scanning. The new advanced setup workflow replaces
it — if both run, the default scanner ignores path exclusions.

## Test plan

- [ ] CI passes on all existing workflows (the permissions change is
additive and non-breaking)
- [ ] CodeQL workflow runs successfully on this PR (new workflow)
- [ ] After merge + default CodeQL disabled: code scanning alerts drop
to ~0
- [ ] After merge: Dependabot detects lockfile changes and auto-closes
resolved alerts

Closes #2883

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
- Restrict CI workflow permissions to read-only access for repository
contents.
- Add a scheduled automated CodeQL security scan covering
JavaScript/TypeScript and Ruby.
- Exclude test fixture and dummy application directories from automated
security analysis.
- Expand package manager override rules to pin/remap many transitive
dependency versions for more consistent installs.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security audit: analysis of 65 GitHub security alerts

2 participants