chore(deps): clear release branch advisories#85
Conversation
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Review limit reachedYou’ve reached a temporary PR review limit under our Fair Usage Limits Policy. Next review available in: 41 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Plus Run ID: ⛔ Files ignored due to path filters (3)
📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
@coderabbitai review\n\nPlease review the exact current head as a four-file dependency-security change; focus on override scope, lock consistency, and unintended major/downgrade behavior. |
🧩 Analysis chain🏁 Script executed: #!/bin/bash
set -euo pipefail
repo="electricsheephq/evaOS-gitnexus"
pr=85
echo "=== PR metadata ==="
gh pr view $pr --repo "$repo" --json title,body,baseRefName,headRefName,mergeable,additions,deletions,changedFiles
echo "=== Files changed ==="
gh pr diff $pr --repo "$repo" --name-only
echo "=== Full diff ==="
gh pr diff $pr --repo "$repo" > /tmp/pr85.diff
wc -l /tmp/pr85.diffLength of output: 2301 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== package.json (gitnexus-web) diff ==="
awk '/^diff --git a\/gitnexus-web\/package.json/,/^diff --git a\/gitnexus-web\/package-lock.json/' /tmp/pr85.diff | head -100
echo "=== package-lock.json (root) diff ==="
awk '/^diff --git a\/package-lock.json/,0' /tmp/pr85.diff | head -300Length of output: 4757 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== search undici/js-yaml/smol-toml/minimatch/path-to-regexp occurrences in full diff ==="
grep -n -E "undici|js-yaml|smol-toml|minimatch|path-to-regexp" /tmp/pr85.diff
echo "=== eval/uv.lock diff ==="
sed -n '/^diff --git a\/eval\/uv.lock/,$p' /tmp/pr85.diff
echo "=== gitnexus-web/package-lock.json diff (undici/js-yaml sections) ==="
grep -n -B2 -A15 '"undici"' /tmp/pr85.diff | head -200Length of output: 27159 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== Full gitnexus-web/package-lock.json diff, undici root-level entries and other version bumps ==="
sed -n '/^diff --git a\/gitnexus-web\/package-lock.json/,/^diff --git a\/gitnexus-web\/package.json/p' /tmp/pr85.diff
echo "=== rest of root package-lock.json diff after node-releases ==="
sed -n '/2185,11/,$p' /tmp/pr85.diff | tail -100
echo "=== check advisories via gh api for brace-expansion, babel, undici, js-yaml ==="
gh api graphql -f query='
{
securityVulnerabilities(ecosystem: NPM, package: "brace-expansion", first: 10) {
nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
}
}' 2>&1 | head -50Length of output: 6228 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== undici advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(ecosystem: NPM, package: "undici", first: 15) {
nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
}
}'
echo "=== `@babel/helpers`, `@babel/traverse` advisories ==="
for pkg in "`@babel/helpers`" "`@babel/traverse`" "`@babel/core`"; do
echo "--- $pkg ---"
gh api graphql -f query="
{
securityVulnerabilities(ecosystem: NPM, package: \"$pkg\", first: 10) {
nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
}
}"
done
echo "=== js-yaml advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(ecosystem: NPM, package: "js-yaml", first: 10) {
nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
}
}'
echo "=== pygments advisories ==="
gh api graphql -f query='
{
securityVulnerabilities(ecosystem: PIP, package: "pygments", first: 10) {
nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
}
}'Length of output: 8606 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== root package.json overrides section ==="
fd package.json --max-depth 1 --exec cat {} \; | python3 -c "
import json,sys
data=json.load(sys.stdin)
print(json.dumps(data.get('overrides',{}), indent=2))
"
echo "=== root package.json full overrides via jq (from repo) ==="
jq '.overrides' package.json 2>/dev/null || echo "not found at root, trying find"
find . -maxdepth 1 -name package.json
echo "=== search for undici in root package.json ==="
grep -n -B3 -A3 '"undici"' package.json || true
grep -n -B3 -A3 'overrides' package.json || trueLength of output: 893 🏁 Script executed: #!/bin/bash
set -euo pipefail
echo "=== count hunks per file ==="
awk '/^diff --git/{print; count=0} /^@@/{count++} END{}' /tmp/pr85.diff | sort | uniq -c
echo "=== all @@ hunks in eval/uv.lock diff ==="
sed -n '/^diff --git a\/eval\/uv.lock/,/^diff --git a\/gitnexus-web/p' /tmp/pr85.diff
echo "=== check aiohttp current locked version in repo ==="
grep -n -A3 'name = "aiohttp"' eval/uv.lock | head -10Length of output: 2675
1. Advisory-to-bump mapping — verified via GitHub Security Advisory GraphQL (confidence: 95%)Cross-checked every version bump against actual GHSA data instead of trusting the PR narrative:
No major-version jumps anywhere (undici stayed on 6.x/7.x, js-yaml on 4.x, babel on 7.x, pygments on 2.x) and no downgrades exist in the diff. The "no force, no major downgrade" claim holds. 2. Override scope — correctly narrow (confidence: 90%)
3.
|
evaOS review status: completedPR: #85 - chore(deps): clear release branch advisories evaOS review completed for this PR head. Automation note: agents should wait for this comment to reach PR URL: #85 Review URL: #85 (review) |
|
Direct dependency-diff audit completed because both Codex review and CodeRabbit were service-limited.
No actionable dependency-scope or lock-consistency finding was found. Remote current-head CI remains the acceptance gate. |
CI Report✅ All checks passed Pipeline Status
Test Results
✅ All 14623 tests passed 62 test(s) skipped — expand for details
Code CoverageTests
📋 View full run · Generated by CI |
There was a problem hiding this comment.
Walkthrough
PR: #85 - chore(deps): clear release branch advisories
Head: 6bebd098203708c580325d300a238986dfb6f879 into reconcile/r22-release-governance. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).
Estimated review effort: 1/5 (~12 min)
Changed Files
| File | Status | Churn | Purpose | Risk |
|---|---|---|---|---|
package-lock.json |
modified | +117/-114 | Configuration | Moderate: validated P3 finding |
Review Signal
Validated inline findings: 1 (P0: 0, P1: 0, P2: 0, P3: 1).
Dropped findings before posting: 0. High-severity findings: 0.
Risk Taxonomy
- Dependency: 1
Validation and Proof
1 required validation/proof recommendation(s) selected from changed files.
- required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
Proof status: sufficient - PR metadata mentions acceptable proof for each required validation recommendation.
Profile validation hints: Call out stale index, wrong repo identity, memory growth, and destructive analyze behavior.
Profile proof expectations: Look for focused CLI, index, query, or migration proof.
Related Context
Related issues/PRs: #84, #60, #39.
Suggested labels: none.
Suggested reviewers: none from current metadata.
Review Settings Preview
- Profile: assertive
- Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
- Path instructions: none
- Label suggestions: gitnexus, code-intelligence, backend
- Reviewer suggestions: none
- Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
- Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks
Pre-merge checklist
- Inline comments target current RIGHT-side diff lines.
- No secret-like content survived into posted inline comments.
- REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
- Required behavior proof is present or not applicable.
- Labels and reviewers are suggestions only; the bot did not auto-apply them.
| "integrity": "sha512-wRNIrw4DmVLKQlbgOMdkMx27Wrpzes2hh5Jtbi2bjPd+4wJstWIqP5A+lscnqbm0xxmT5Bpg8Lec5ItEBwx6BQ==", | ||
| "dev": true, | ||
| "license": "MIT" | ||
| "license": "MIT", |
There was a problem hiding this comment.
P3: node-releases 2.0.51 introduces engines: node>=18 (dev-only, advisory)
The bumped node-releases@2.0.51 adds an "engines": {"node": ">=18" } constraint that was absent in 2.0.36. node-releases is a transitive data dependency of browserslist, consumed only by dev tooling (eslint/prettier build chain) at the monorepo root — all entries here are marked "dev": true. It does not affect the published gitnexus CLI runtime, and the root package.json declares no engines field, so this does not raise the package's effective Node requirement. Worth a one-line confirmation that CI still installs on Node >=18 (consistent with the rest of the toolchain), but no code change is required.
Category: Dependency
Why this matters: A newly advertised engine constraint can, in some npm configs (engine-strict), block installs on older Node; here it is dev-only and non-gating, so impact is informational.
Summary
2.20.0floor.Closes #84. Supports the R21 validation gate in #60 and epic #39.
Scope
package-lock.jsongitnexus-web/package.jsongitnexus-web/package-lock.jsoneval/uv.lockNo runtime source, LadybugDB version, capability behavior, publication, release, rollout, or live index changes.
Validation
npm audit --package-lock-only: 0 vulnerabilities;uv lock --check: passed; Pygments2.20.0, aiohttp3.14.1;npx tsc --noEmit: passed;Evidence:
/Volumes/LEXAR/Codex/session-notes/2026-07-13/gitnexus-fork-upstream-reconciliation/r21a-dependency-security-evidence.md.Proof boundary
Focused local validation is complete. Current-head remote CI, dependency review, CodeQL, review lifecycle, and the R19 disposable canary gate remain required before promotion or release readiness.