Skip to content

chore(deps): clear release branch advisories#85

Open
100yenadmin wants to merge 1 commit into
reconcile/r22-release-governancefrom
reconcile/r21-dependency-security
Open

chore(deps): clear release branch advisories#85
100yenadmin wants to merge 1 commit into
reconcile/r22-release-governancefrom
reconcile/r21-dependency-security

Conversation

@100yenadmin

Copy link
Copy Markdown
Member

Summary

  • update only advisory-affected compatible transitive locks and scoped overrides;
  • clear root and web npm audit findings without force or a major downgrade;
  • advance eval-only Pygments to the advisory-fixed 2.20.0 floor.

Closes #84. Supports the R21 validation gate in #60 and epic #39.

Scope

  • package-lock.json
  • gitnexus-web/package.json
  • gitnexus-web/package-lock.json
  • eval/uv.lock

No runtime source, LadybugDB version, capability behavior, publication, release, rollout, or live index changes.

Validation

  • root, core, and web npm audit --package-lock-only: 0 vulnerabilities;
  • fresh root and web installs: passed;
  • uv lock --check: passed; Pygments 2.20.0, aiohttp 3.14.1;
  • shared and core builds: passed;
  • core npx tsc --noEmit: passed;
  • web build/typecheck: passed;
  • web tests: 34 files, 384 tests passed;
  • release-governance and CI-equivalent formatting checks: passed;
  • ESLint: 0 errors; existing warning inventory only.

Evidence: /Volumes/LEXAR/Codex/session-notes/2026-07-13/gitnexus-fork-upstream-reconciliation/r21a-dependency-security-evidence.md.

Proof boundary

Focused local validation is complete. Current-head remote CI, dependency review, CodeQL, review lifecycle, and the R19 disposable canary gate remain required before promotion or release readiness.

@100yenadmin 100yenadmin added reconciliation Upstream reconciliation program P0 Release-blocking priority zero work evidence-gate Must close with retained validation evidence release-blocker Blocks promotion or release readiness labels Jul 13, 2026
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 41 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: def08f75-217d-4fd6-9c67-f2e66dc8a018

📥 Commits

Reviewing files that changed from the base of the PR and between bb307bd and 6bebd09.

⛔ Files ignored due to path filters (3)
  • eval/uv.lock is excluded by !**/*.lock
  • gitnexus-web/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • gitnexus-web/package.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch reconcile/r21-dependency-security

Comment @coderabbitai help to get the list of available commands.

@100yenadmin

Copy link
Copy Markdown
Member Author

@coderabbitai review\n\nPlease review the exact current head as a four-file dependency-security change; focus on override scope, lock consistency, and unintended major/downgrade behavior.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
repo="electricsheephq/evaOS-gitnexus"
pr=85

echo "=== PR metadata ==="
gh pr view $pr --repo "$repo" --json title,body,baseRefName,headRefName,mergeable,additions,deletions,changedFiles

echo "=== Files changed ==="
gh pr diff $pr --repo "$repo" --name-only

echo "=== Full diff ==="
gh pr diff $pr --repo "$repo" > /tmp/pr85.diff
wc -l /tmp/pr85.diff

Length of output: 2301


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== package.json (gitnexus-web) diff ==="
awk '/^diff --git a\/gitnexus-web\/package.json/,/^diff --git a\/gitnexus-web\/package-lock.json/' /tmp/pr85.diff | head -100

echo "=== package-lock.json (root) diff ==="
awk '/^diff --git a\/package-lock.json/,0' /tmp/pr85.diff | head -300

Length of output: 4757


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== search undici/js-yaml/smol-toml/minimatch/path-to-regexp occurrences in full diff ==="
grep -n -E "undici|js-yaml|smol-toml|minimatch|path-to-regexp" /tmp/pr85.diff

echo "=== eval/uv.lock diff ==="
sed -n '/^diff --git a\/eval\/uv.lock/,$p' /tmp/pr85.diff

echo "=== gitnexus-web/package-lock.json diff (undici/js-yaml sections) ==="
grep -n -B2 -A15 '"undici"' /tmp/pr85.diff | head -200

Length of output: 27159


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== Full gitnexus-web/package-lock.json diff, undici root-level entries and other version bumps ==="
sed -n '/^diff --git a\/gitnexus-web\/package-lock.json/,/^diff --git a\/gitnexus-web\/package.json/p' /tmp/pr85.diff

echo "=== rest of root package-lock.json diff after node-releases ==="
sed -n '/2185,11/,$p' /tmp/pr85.diff | tail -100

echo "=== check advisories via gh api for brace-expansion, babel, undici, js-yaml ==="
gh api graphql -f query='
{
  securityVulnerabilities(ecosystem: NPM, package: "brace-expansion", first: 10) {
    nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
  }
}' 2>&1 | head -50

Length of output: 6228


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== undici advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(ecosystem: NPM, package: "undici", first: 15) {
    nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
  }
}'

echo "=== `@babel/helpers`, `@babel/traverse` advisories ==="
for pkg in "`@babel/helpers`" "`@babel/traverse`" "`@babel/core`"; do
echo "--- $pkg ---"
gh api graphql -f query="
{
  securityVulnerabilities(ecosystem: NPM, package: \"$pkg\", first: 10) {
    nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
  }
}"
done

echo "=== js-yaml advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(ecosystem: NPM, package: "js-yaml", first: 10) {
    nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
  }
}'

echo "=== pygments advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(ecosystem: PIP, package: "pygments", first: 10) {
    nodes { advisory { summary severity } vulnerableVersionRange firstPatchedVersion { identifier } }
  }
}'

Length of output: 8606


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== root package.json overrides section ==="
fd package.json --max-depth 1 --exec cat {} \; | python3 -c "
import json,sys
data=json.load(sys.stdin)
print(json.dumps(data.get('overrides',{}), indent=2))
"

echo "=== root package.json full overrides via jq (from repo) ==="
jq '.overrides' package.json 2>/dev/null || echo "not found at root, trying find"
find . -maxdepth 1 -name package.json

echo "=== search for undici in root package.json ==="
grep -n -B3 -A3 '"undici"' package.json || true
grep -n -B3 -A3 'overrides' package.json || true

Length of output: 893


🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "=== count hunks per file ==="
awk '/^diff --git/{print; count=0} /^@@/{count++} END{}' /tmp/pr85.diff | sort | uniq -c

echo "=== all @@ hunks in eval/uv.lock diff ==="
sed -n '/^diff --git a\/eval\/uv.lock/,/^diff --git a\/gitnexus-web/p' /tmp/pr85.diff

echo "=== check aiohttp current locked version in repo ==="
grep -n -A3 'name = "aiohttp"' eval/uv.lock | head -10

Length of output: 2675


@100yenadmin Reviewed the exact head commit as a four-file dependency-security diff. Findings below, adversarial pass with confidence scores.

1. Advisory-to-bump mapping — verified via GitHub Security Advisory GraphQL (confidence: 95%)

Cross-checked every version bump against actual GHSA data instead of trusting the PR narrative:

Package Old → New Advisory Verdict
undici (root @vercel/node override, gitnexus-web) 6.24.0 → 6.27.0 HIGH WS-DoS fragment bypass, MODERATE Set-Cookie header injection, LOW SameSite bypass — all < 6.27.0 ✅ correctly patched
undici (jsdom override, gitnexus-web) 7.25.0 → 7.28.0 Same family + HIGH SOCKS5 proxy-pool cross-origin routing (>=7.23,<7.28) ✅ correctly patched
js-yaml (@vercel/python-analysis override, gitnexus-web) 4.1.1 → 4.2.0 MODERATE quadratic-DoS in merge-key handling (>=4.0.0,<=4.1.1) ✅ correctly patched
brace-expansion (root, top-level) 5.0.5 → 5.0.7 MODERATE DoS, >=5.0.0,<5.0.6 ✅ correctly patched
@babel/core (root, dev-only) 7.29.0 → 7.29.7 LOW arbitrary-file-read via sourceMappingURL, <=7.29.0, patched at 7.29.6 ✅ correctly patched (sibling @babel/* bumps are lockstep-release artifacts, expected)
pygments (eval, uv.lock) 2.19.2 → 2.20.0 LOW ReDoS in GUID matching, <2.20.0 ✅ correctly patched

No major-version jumps anywhere (undici stayed on 6.x/7.x, js-yaml on 4.x, babel on 7.x, pygments on 2.x) and no downgrades exist in the diff. The "no force, no major downgrade" claim holds.

2. Override scope — correctly narrow (confidence: 90%)

gitnexus-web/package.json overrides are nested per-consumer (@vercel/node.undici, @vercel/python-analysis.js-yaml, jsdom.undici) rather than blanket top-level overrides. This is the right call — a global "undici" override would have forced every other consumer in the tree onto one version regardless of compatibility. I diffed gitnexus-web/package-lock.json against the override map and confirmed exact match: node_modules/undici 6.27.0, jsdom/node_modules/undici 7.28.0, node_modules/js-yaml 4.2.0 — zero override/lock drift.

3. eval/uv.lock — single, clean hunk (confidence: 95%)

Only Pygments changes; aiohttp at 3.14.1 was already present pre-PR (the PR body cites it purely as validation evidence, not a new change — no discrepancy there).

4. Scope-creep in root package-lock.json (confidence: 75%, non-blocking)

The PR description states "update only advisory-affected... locks," but the root lockfile also bumps packages with no matching GHSA advisory:

  • Nested brace-expansion under @eslint/config-array, @eslint/eslintrc, eslint (1.1.13 → 1.1.16) — 1.1.13 was already past the patched threshold (1.1.12/1.1.13), so this isn't advisory-driven.
  • browserslist, caniuse-lite, electron-to-chromium, node-releases, baseline-browser-mapping, update-browserslist-db — pure browser-compat-data bumps, no advisories found for any of them.

Root cause: these are almost certainly incidental byproducts of npm re-resolving the lockfile graph (npm install/audit fix without --force) rather than deliberate scoped edits — npm will happily bump any transitive dependency within its existing semver range while it's rewriting the tree to satisfy the two real overrides. Impact is low: all are dev-only, compatible (non-major) bumps with no behavior-affecting risk I can identify. Flagging only because it slightly contradicts the "only advisory-affected" framing in the PR body — worth a one-line amendment to the description (or leave as-is, since it's benign) rather than a code change.

Net assessment: the four files do what the PR claims for every security-relevant package; the override design is defensively scoped; no unintended downgrades or majors exist. The only nit is the unadvertised (but harmless) incidental transitive churn in the root lockfile.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@evaos-code-review-bot

evaos-code-review-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

evaOS review status: completed

PR: #85 - chore(deps): clear release branch advisories
Head: 6bebd098203708c580325d300a238986dfb6f879
Updated: 2026-07-13T21:10:01.063Z

evaOS review completed for this PR head.

Automation note: agents should wait for this comment to reach completed, stale_head, closed_or_merged_before_review, skipped, or failed before treating evaOS review as settled for this head. provider_deferred means evaOS still intends to retry.

PR URL: #85

Review URL: #85 (review)

@100yenadmin

Copy link
Copy Markdown
Member Author

Direct dependency-diff audit completed because both Codex review and CodeRabbit were service-limited.

  • npm ls reports no dependency problems.
  • Root resolves @babel/core 7.29.7 and patched brace-expansion 5.0.7 / 1.1.16 within existing dependency ranges.
  • Web overrides are scoped to the vulnerable parents: @vercel/node -> undici 6.27.0, @vercel/python-analysis -> js-yaml 4.2.0, and jsdom -> undici 7.28.0.
  • The selected Undici versions satisfy the repository engine floor; no direct runtime dependency or major application package changed.
  • Eval changes only Pygments 2.19.2 to 2.20.0 with regenerated integrity metadata.
  • git diff --check, fresh installs, zero-advisory audits, builds, typechecks, and 384 web tests pass locally.

No actionable dependency-scope or lock-consistency finding was found. Remote current-head CI remains the acceptance gate.

@github-actions

Copy link
Copy Markdown

CI Report

All checks passed

Pipeline Status

Stage Status Details
✅ Typecheck success tsc --noEmit
✅ Tests success unit tests, 3 platforms
✅ E2E success gitnexus-web changes only

Test Results

Tests Passed Failed Skipped Duration
14685 14623 0 62 19s

✅ All 14623 tests passed

62 test(s) skipped — expand for details

Code Coverage

Tests

Metric Coverage Covered Base Delta Status
Statements 80.9% 54658/67561 N/A% 🟢 ████████████████░░░░
Branches 68.03% 33571/49345 N/A% 🟢 █████████████░░░░░░░
Functions 87.04% 6344/7288 N/A% 🟢 █████████████████░░░
Lines 84.41% 48770/57771 N/A% 🟢 ████████████████░░░░

📋 View full run · Generated by CI

@evaos-code-review-bot evaos-code-review-bot Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Walkthrough

PR: #85 - chore(deps): clear release branch advisories
Head: 6bebd098203708c580325d300a238986dfb6f879 into reconcile/r22-release-governance. Review event: COMMENT.
Provider: GLM/Z.ai through ZCode (zcode-glm, zcode, model GLM-5.2).

Estimated review effort: 1/5 (~12 min)

Changed Files

File Status Churn Purpose Risk
package-lock.json modified +117/-114 Configuration Moderate: validated P3 finding

Review Signal

Validated inline findings: 1 (P0: 0, P1: 0, P2: 0, P3: 1).
Dropped findings before posting: 0. High-severity findings: 0.

Risk Taxonomy

  • Dependency: 1

Validation and Proof

1 required validation/proof recommendation(s) selected from changed files.

  • required: TypeScript/web build or CI proof - Runtime TypeScript/web files or package/config files changed. Proof: npm run build; typecheck; focused Vitest; green GitHub check.
    Proof status: sufficient - PR metadata mentions acceptable proof for each required validation recommendation.
    Profile validation hints: Call out stale index, wrong repo identity, memory growth, and destructive analyze behavior.
    Profile proof expectations: Look for focused CLI, index, query, or migration proof.

Related Context

Related issues/PRs: #84, #60, #39.
Suggested labels: none.
Suggested reviewers: none from current metadata.

Review Settings Preview

  • Profile: assertive
  • Enabled sections: Review summary (inline_review); Walkthrough (inline_review); Changed-files table (walkthrough); Effort estimate (walkthrough); Related issues/PRs (walkthrough); Suggested labels (suggestion_only); Review status comment (sticky_status)
  • Path instructions: none
  • Label suggestions: gitnexus, code-intelligence, backend
  • Reviewer suggestions: none
  • Suggestion behavior: suggestions only; labels and reviewers are not auto-applied.
  • Roadmap-only settings: auto-apply labels; auto-request reviewers; required status checks

Pre-merge checklist

  • Inline comments target current RIGHT-side diff lines.
  • No secret-like content survived into posted inline comments.
  • REQUEST_CHANGES is only used when eligible P0/P1 findings survive validation.
  • Required behavior proof is present or not applicable.
  • Labels and reviewers are suggestions only; the bot did not auto-apply them.

Comment thread package-lock.json
"integrity": "sha512-wRNIrw4DmVLKQlbgOMdkMx27Wrpzes2hh5Jtbi2bjPd+4wJstWIqP5A+lscnqbm0xxmT5Bpg8Lec5ItEBwx6BQ==",
"dev": true,
"license": "MIT"
"license": "MIT",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P3: node-releases 2.0.51 introduces engines: node>=18 (dev-only, advisory)

The bumped node-releases@2.0.51 adds an "engines": {"node": ">=18" } constraint that was absent in 2.0.36. node-releases is a transitive data dependency of browserslist, consumed only by dev tooling (eslint/prettier build chain) at the monorepo root — all entries here are marked "dev": true. It does not affect the published gitnexus CLI runtime, and the root package.json declares no engines field, so this does not raise the package's effective Node requirement. Worth a one-line confirmation that CI still installs on Node >=18 (consistent with the rest of the toolchain), but no code change is required.

Category: Dependency

Why this matters: A newly advertised engine constraint can, in some npm configs (engine-strict), block installs on older Node; here it is dev-only and non-gating, so impact is informational.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

evidence-gate Must close with retained validation evidence P0 Release-blocking priority zero work reconciliation Upstream reconciliation program release-blocker Blocks promotion or release readiness

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant