Skip to content

Fix various dependabot alerts #2063

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Fix various dependabot alerts #2063

wants to merge 10 commits into from

Conversation

ericallam
Copy link
Member

@ericallam ericallam commented May 15, 2025
edited
Loading

Testing:

  • We will need to test slack alerts and posthog telemetry
  • Test list filters that accept durations
  • Test various forms, especially when errors happen
  • Test code highlighting in editors
  • Plus standard testing of deployed and dev tasks using the test-suite

Summary by CodeRabbit

Summary by CodeRabbit

  • Chores
    • Updated several dependencies to newer versions for improved stability and compatibility.
    • Enhanced server security by adjusting header handling to mitigate potential denial-of-service risks.
    • Bundled additional package for improved server-side build consistency.
    • Removed obsolete build configuration file to streamline the build process.
  • Bug Fixes
    • Standardized error message format across multiple user actions by wrapping error messages in arrays for consistent display and handling.

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented May 15, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: a874299

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented May 15, 2025
edited
Loading

Walkthrough

This update revises dependency versions in the package.json files for three projects. The @slack/web-api package is upgraded from version ^6.8.1 to 7.9.1 across all projects. Additionally, in the webapp, posthog-node is updated from ^3.1.3 to 4.17.1 and parse-duration from ^1.1.0 to ^2.1.0. The webapp server configuration was also modified to set maxHeadersCount to 0 to address a potential denial-of-service vulnerability related to HTTP headers. The root package.json adds an override to force body-parser version 1.20.3 for express 4+ dependencies. The webapp removes two devDependencies and deletes its Babel configuration file, and adds parse-duration to the Remix server bundle dependencies. Multiple route files in the webapp have their error handling updated to wrap error message strings in single-element arrays for consistency.

Changes

File(s) Change Summary
apps/webapp/package.json Updated @slack/web-api to 7.9.1, posthog-node to 4.17.1, parse-duration to ^2.1.0, and prismjs to ^1.30.0; updated react-use to 17.5.1; updated @conform-to/react and @conform-to/zod to fixed 0.9.2; removed babel-loader and babel-preset-react-app devDependencies.
references/d3-chat/package.json,
references/d3-openai-agents/package.json		 Updated @slack/web-api to 7.9.1.
apps/webapp/server.ts Set server.maxHeadersCount = 0 to mitigate potential HTTP header DoS vulnerability.
package.json Added pnpm.overrides to force body-parser version 1.20.3 for express version 4 or higher.
apps/webapp/.babelrc.json (deleted) Removed Babel configuration file specifying presets for environment, TypeScript, and React.
apps/webapp/remix.config.js Added "parse-duration" to serverDependenciesToBundle array to bundle it on the server side.
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx,
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts/route.tsx,
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx,
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx,
apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.promote.ts,
apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.retry-indexing.ts,
apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.rollback.ts,
apps/webapp/app/routes/resources.feedback.ts,
apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts		 Modified error handling in multiple route action functions to wrap error message strings in single-element arrays instead of plain strings for consistent error key structure. No other logic or flow changes.

Poem

A hop, a skip, a version bump or two,
Slack’s web API shines anew!
Posthog’s numbers leap ahead,
Dependencies fresh, the old ones shed.
Errors wrapped in arrays, neat and bright,
The garden’s code hops with delight.
🐇✨

✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@ericallam ericallam changed the title Fix dependabot alert 316 - upgrade axios deps >=1.8.2 Fix various dependabot alerts May 15, 2025
coderabbitai[bot]
coderabbitai bot reviewed May 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 7c02423 and cbc52ba.

📒 Files selected for processing (1)
  • apps/webapp/server.ts (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (7)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: units / 🧪 Unit Tests
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: typecheck / typecheck
  • GitHub Check: Analyze (javascript-typescript)

apps/webapp/server.ts
Comment on lines +132 to +135
// Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
// by not allowing 2000+ headers to be sent and causing a DoS
// headers will instead be limited by the maxHeaderSize
server.maxHeadersCount = 0;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Verify the intended behavior of setting maxHeadersCount = 0

Setting maxHeadersCount = 0 in Node.js HTTP server typically means "unlimited" or "no limit" on the number of headers, which seems contradictory to the stated goal of preventing DoS attacks from 2000+ headers.

In standard Node.js behavior:

  • Default value is 2000
  • Setting to 0 means "unlimited headers"

This configuration might not achieve the intended security mitigation unless there's additional context about how your specific Node.js environment interprets this value.

Please verify the expected behavior with this script:

🏁 Script executed:

#!/bin/bash
# Check Node.js documentation for maxHeadersCount behavior

# Find Node.js version used in the project
node -v

# Search for relevant information in Node.js documentation
curl -s https://nodejs.org/api/http.html | grep -A 10 "maxHeadersCount"

# Look for other HTTP header limit settings in the codebase
grep -r "maxHeaderSize\|headersTimeout" --include="*.ts" --include="*.js" .

Length of output: 6692

Adjust maxHeadersCount to enforce a header-count limit

The Node.js docs confirm that server.maxHeadersCount = 0 actually disables the header-count limit (default is 2000), so this override makes your server accept unlimited headers rather than capping them. To mitigate a DoS via excessive headers you should either:

• Remove the override entirely and rely on the default (2000)
• Or set a lower, positive limit (e.g. 1000) that fits your threat model

Please update in apps/webapp/server.ts (lines 132–135):

- // Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
- // by not allowing 2000+ headers to be sent and causing a DoS
- // headers will instead be limited by the maxHeaderSize
- server.maxHeadersCount = 0;
+ // Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
+ // by capping the number of headers; rely on header-size limits for payload size
+ // Remove override to use default (2000) or choose a custom cap:
+ server.maxHeadersCount = 1000;  // e.g. limit to 1000 headers
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
// by not allowing 2000+ headers to be sent and causing a DoS
// headers will instead be limited by the maxHeaderSize
server.maxHeadersCount = 0;
// Mitigate against https://github.com/triggerdotdev/trigger.dev/security/dependabot/128
// by capping the number of headers; rely on header-size limits for payload size
// Remove override to use default (2000) or choose a custom cap:
server.maxHeadersCount = 1000; // e.g. limit to 1000 headers
🤖 Prompt for AI Agents 
In apps/webapp/server.ts around lines 132 to 135, the current setting of
server.maxHeadersCount = 0 disables the header count limit, allowing unlimited
headers, which contradicts the intended DoS mitigation. To fix this, either
remove this override to use the default limit of 2000 headers or set
maxHeadersCount to a positive integer like 1000 to enforce a stricter limit that
fits your security requirements.

coderabbitai[bot]
coderabbitai bot reviewed May 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🔭 Outside diff range comments (1)
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx (1)

170-209: 💡 Verification agent

🧩 Analysis chain

Verify error handling consistency across the file

The changes standardize error handling for the two specific error cases, but you might want to confirm that all other potential error cases in this action handler are also standardized.

🏁 Script executed:

#!/bin/bash
# Search for any remaining instances of directly assigned error strings in route files
rg "submission\.error\.[a-zA-Z]+ = \"" --type=tsx --glob="**/app/routes/**" -A 1 -B 1

Length of output: 114

The previous rg --type=tsx failed in this environment—let’s retry by using a glob for .ts and .tsx files:

🏁 Script executed:

#!/bin/bash
# Search for any remaining direct assignments to submission.error.* in route files
rg "submission\.error\.\w+\s*=" --glob "**/app/routes/**/*.{ts,tsx}" -n -B1 -A1

Length of output: 4057

Standardize form error handling across route handlers

We’ve identified direct submission.error.* assignments in multiple routes using different properties (key, message, variables), which can lead to inconsistencies in how errors are surfaced in the UI. Please align all handlers to a single, shared pattern:

• apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx (lines 189, 201) – submission.error.key
• apps/webapp/app/routes/resources.feedback.ts (line 86) – submission.error.message
• apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx (lines 145, 155, 178) – submission.error.key
• apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts/route.tsx (line 125) – submission.error.key
• apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx (lines 148, 165) – submission.error.key & submission.error.variables

Recommendations:

  1. Choose one error field (e.g. error.key) for validation errors and use it everywhere.
  2. Extract shared error-assignment logic into a helper to reduce duplication.
  3. Update each handler to consume and return errors via the unified schema.
🧹 Nitpick comments (1)
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx (1)

4-209: Consider enhancing error messages with more details

The standardized error messages are quite generic. For better debugging and user experience, consider enhancing them with more specific information.

For example:

- submission.error.key = ["Project not found"];
+ submission.error.key = [`Project with slug "${projectParam}" not found`];
- submission.error.key = ["Failed to create alert channel"];
+ submission.error.key = [`Failed to create alert channel: ${alertChannel?.error || "Unknown error"}`];
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 75105ba and a874299.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (10)
  • apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx (2 hunks)
  • apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts/route.tsx (1 hunks)
  • apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx (2 hunks)
  • apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx (3 hunks)
  • apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.promote.ts (1 hunks)
  • apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.retry-indexing.ts (1 hunks)
  • apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.rollback.ts (1 hunks)
  • apps/webapp/app/routes/resources.feedback.ts (1 hunks)
  • apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts (1 hunks)
  • apps/webapp/package.json (5 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • apps/webapp/package.json
🧰 Additional context used
🧬 Code Graph Analysis (2)
apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.retry-indexing.ts (1)
packages/core/src/v3/apps/http.ts (1)
  • json (65-75)
apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.rollback.ts (1)
packages/core/src/v3/apps/http.ts (1)
  • json (65-75)
⏰ Context from checks skipped due to timeout of 90000ms (7)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (ubuntu-latest - npm)
  • GitHub Check: units / 🧪 Unit Tests
  • GitHub Check: typecheck / typecheck
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (16)
apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts/route.tsx (1)

125-125: Error message standardization looks good.

The change from string to array format for error messages is consistent with the PR objective of fixing dependency alerts. This standardization ensures compatibility with updated libraries.

apps/webapp/app/routes/resources.feedback.ts (1)

86-86: Error message standardization looks good.

Converting the error message to an array format is consistent with the pattern applied across the application, ensuring compatibility with updated dependencies.

apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts (1)

35-35: Error format standardization looks good.

The change from a string to an array containing the error message aligns with the pattern applied throughout the codebase, ensuring consistent error handling.

apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.retry-indexing.ts (1)

96-96:

❓ Verification inconclusive

Error standardization looks good, but check error key naming.

The format change to arrays is consistent with other files, but note that the error key is runParam in a deployment-related file. While this might be intentional for error handling consistency, consider whether it accurately represents the context.

Also applies to: 104-104

🏁 Script executed:

#!/bin/bash
# Check if the runParam key is used consistently in deployment-related files
echo "Checking for runParam usage in deployment files..."
rg -l "runParam" "apps/webapp/app/routes/resources.\$projectId.deployments"

Length of output: 281

#!/bin/bash
# Search for 'runParam' usage across all route files
echo "🔍 Searching for 'runParam' in route files..."
rg -H --color=never "runParam" apps/webapp/app/routes

# Search for all instances of submission.error assignments in deployment-related files
echo "🔍 Searching for 'submission.error =' in deployment-related routes..."
rg -H --color=never "submission.error" -g "apps/webapp/app/routes/resources.*.deployments.*.ts"

Review: Validate runParam error key in retry-indexing route

Ensure that using runParam accurately describes the context in this deployment–retry route and aligns with your app’s error-handling schema. If you don’t see this key used elsewhere, consider whether a more descriptive name (e.g. retryParams or deploymentParams) might be clearer.

• apps/webapp/app/routes/resources/[projectId]/deployments/[deploymentShortCode]/retry-indexing.ts: line 96

apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.rollback.ts (2)

85-85: Standardized error message format

The error message for failed deployment rollbacks is now wrapped in an array, making the error handling consistent with other routes in the application.

89-89: Standardized non-Error exception handling

The JSON-stringified error for non-Error exceptions is now wrapped in an array, consistent with the pattern used throughout the application.

apps/webapp/app/routes/resources.$projectId.deployments.$deploymentShortCode.promote.ts (2)

82-82: Standardized error message format

The error message for failed deployment promotions is now wrapped in an array, making the error handling consistent with other routes in the application.

86-86: Standardized non-Error exception handling

The JSON-stringified error for non-Error exceptions is now wrapped in an array, consistent with the pattern used throughout the application.

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx (3)

145-145: Standardized error message format

The "Project not found" error message is now wrapped in an array, making the error handling consistent with other routes in the application.

155-155: Standardized error format for variable editing

The error message for failed environment variable edits is now wrapped in an array, consistent with the pattern used throughout the application.

178-178: Standardized error format for variable deletion

The error message for failed environment variable deletions is now wrapped in an array, consistent with the pattern used throughout the application.

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx (3)

148-148: Standardized error message format

The "Project not found" error message is now wrapped in an array, making the error handling consistent with other routes in the application.

161-162: Standardized error format for individual variables

Variable-specific error messages are now wrapped in arrays, maintaining consistency with the error handling pattern used throughout the application.

165-165: Standardized error format for general variable errors

The general error message for environment variables is now wrapped in an array, consistent with the pattern used throughout the application.

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.alerts.new/route.tsx (2)

189-189: Error handling standardized to use arrays

This change standardizes the error format by wrapping the error message in an array, which is consistent with other error handling patterns across the application.

201-201: Error handling standardized to use arrays

This change standardizes the error format by wrapping the error message in an array, which is consistent with other error handling patterns across the application.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ericallam