Skip to content

chore: Upgrade packages to resolve Dependabot issues#39710

Merged
riodeuno merged 18 commits intoreleasefrom
chore/upgrade-packages-for-CVE-resolution-1
Mar 20, 2025
Merged

chore: Upgrade packages to resolve Dependabot issues#39710
riodeuno merged 18 commits intoreleasefrom
chore/upgrade-packages-for-CVE-resolution-1

Conversation

@riodeuno
Copy link
Contributor

@riodeuno riodeuno commented Mar 13, 2025
edited by github-actions bot
Loading

Description

Automation

/ok-to-test tags="@tag.All"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/13967528524
Commit: 6a36c97
Cypress dashboard.
Tags: @tag.All
Spec:

Thu, 20 Mar 2025 12:03:08 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features
    • Enhanced the text editor experience by introducing quick markdown-style shortcuts for headings, lists, and quotes.
  • Chores
    • Upgraded numerous underlying libraries and tools for improved performance and stability.
    • Streamlined error logging by refining how errors are categorized and reported.
    • Improved accessibility by updating element selectors to use aria-label attributes.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 13, 2025
edited
Loading

Walkthrough

This pull request updates various dependency versions across several package.json files and adjusts error logging in multiple source files by replacing imported enum values with their corresponding string literals. Additionally, the Rich Text Editor configuration is enhanced by refining plugin declarations and adding new text pattern triggers for markdown-like formatting. The changes are confined to dependency upgrades and minor modifications in error handling and editor configuration.

Changes

File(s) Change Summary
app/client/package.json, app/client/packages/design-system/widgets/package.json, app/client/packages/rts/package.json, app/client/packages/storybook/package.json Upgraded dependency versions (e.g., @sentry/react, @tinymce/tinymce-react, axios, prismjs, tinymce, @babel/core, etc.). Added new resolutions (e.g., for webpack and esbuild) where applicable.
app/client/src/{components/editorComponents/CodeEditor/EvaluatedValuePopup.tsx, pages/UserAuth/Login.tsx, pages/UserAuth/SignUp.tsx, sagas/AppThemingSaga.tsx, sagas/EvalErrorHandler.ts} Removed imports of Severity from @sentry/react and replaced enum references with equivalent string literals ("debug", "error", "fatal", "warning") in error logging.
app/client/src/widgets/RichTextEditorWidget/component/index.tsx Updated TinyMCE editor configuration by clarifying plugin usage (e.g., for lists), removing extraneous spaces in plugin names, and adding new text_patterns configuration for markdown-style formatting triggers.
app/client/src/PluginActionEditor/components/PluginActionResponse/components/Visualization/Visualization.tsx Modified the ErrorBoundary component's fallback prop to use a React fragment for rendering the fallback message.
app/client/src/ce/pages/AppIDE/layouts/routers/MainPane/MainPane.tsx, app/client/src/ce/pages/AppIDE/layouts/routers/MainPane/constants.ts Added type annotations for route variables to enhance type safety and clarity.
app/client/src/components/formControls/utils.ts Changed parameter and return types in fixActionPayloadForMongoQuery function to broaden type acceptance.
app/client/src/sagas/ActionSagas.ts Included type assertion for the action variable in updateActionSaga to clarify expected type after transformation.
app/client/cypress/support/Objects/CommonLocators.ts Updated selectors for _richText_Heading and _richText_color to use aria-label attributes instead of title attributes for improved accessibility.

Sequence Diagram(s)

sequenceDiagram
    participant U as User
    participant RTE as Rich Text Editor
    participant T as TinyMCE Engine

    U->>RTE: Type text with markdown pattern (e.g., "# " for heading)
    RTE->>T: Evaluate text patterns
    alt Pattern Match Found
        T->>RTE: Trigger formatting command (e.g., apply heading style)
    else No Match
        T->>RTE: Process input normally
    end
Loading

Possibly related PRs

Suggested labels

Dependencies

Suggested reviewers

  • ApekshaBhosale
  • sagar-qa007
  • ankitakinger
  • jsartisan

Poem

Dependencies dance in JSON files,
Severity enums replaced with string styles.
TinyMCE now listens to markdown cues,
Alerts and logs receive simplified views.
Code flows lighter with every update, cheers! 🎉

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro (Legacy)

📥 Commits

Reviewing files that changed from the base of the PR and between a7f8fab and 46a88a5.

⛔ Files ignored due to path filters (1)
  • app/client/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • app/client/packages/design-system/headless/src/components/Popover/stories/Popover.stories.tsx (0 hunks)
  • app/client/packages/design-system/widgets/src/components/Modal/stories/Modal.stories.tsx (0 hunks)
💤 Files with no reviewable changes (2)
  • app/client/packages/design-system/widgets/src/components/Modal/stories/Modal.stories.tsx
  • app/client/packages/design-system/headless/src/components/Popover/stories/Popover.stories.tsx
⏰ Context from checks skipped due to timeout of 90000ms (12)
  • GitHub Check: perform-test / server-build / server-unit-tests
  • GitHub Check: perform-test / client-build / client-build
  • GitHub Check: perform-test / rts-build / build
  • GitHub Check: client-unit-tests / client-unit-tests
  • GitHub Check: client-lint / client-lint
  • GitHub Check: client-build / client-build
  • GitHub Check: client-check-cyclic-deps / check-cyclic-dependencies
  • GitHub Check: client-prettier / prettier-check
  • GitHub Check: chromatic-deployment
  • GitHub Check: build
  • GitHub Check: chromatic-deployment
  • GitHub Check: storybook-tests
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@riodeuno riodeuno changed the title WIP: CVE Resolutions WIP: Upgrade packages Mar 14, 2025
@riodeuno riodeuno self-assigned this Mar 14, 2025
@riodeuno riodeuno added the Security Issues related to information security within the product label Mar 14, 2025
@riodeuno riodeuno changed the title WIP: Upgrade packages chore: Upgrade packages to resolve Dependabot issues Mar 14, 2025
@riodeuno riodeuno marked this pull request as ready for review March 14, 2025 07:59
@riodeuno riodeuno requested review from a team and KelvinOm as code owners March 14, 2025 07:59
@riodeuno riodeuno requested review from jacquesikot and removed request for a team March 14, 2025 07:59
@github-actions github-actions bot added the skip-changelog Adding this label to a PR prevents it from being listed in the changelog label Mar 14, 2025
@riodeuno riodeuno added the ok-to-test Required label for CI label Mar 14, 2025
@riodeuno
Copy link
Contributor Author

riodeuno commented Mar 14, 2025

/build-deploy-preview skip-tests=true

@github-actions
Copy link

github-actions bot commented Mar 14, 2025

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/13852275514.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 39710.
recreate: .

@riodeuno riodeuno marked this pull request as draft March 14, 2025 08:12
@github-actions
Copy link

github-actions bot commented Mar 14, 2025

🔴🔴🔴 Cyclic Dependency Check:

This PR has increased the number of cyclic dependencies by 1, when compared with the release branch.

Refer this document to identify the cyclic dependencies introduced by this PR.

You can view the dependency diff in the run log. Look for the check-cyclic-dependencies job in the run.

@github-actions
Copy link

github-actions bot commented Mar 17, 2025

🔴🔴🔴 Cyclic Dependency Check:

This PR has increased the number of cyclic dependencies by 1, when compared with the release branch.

Refer this document to identify the cyclic dependencies introduced by this PR.

You can view the dependency diff in the run log. Look for the check-cyclic-dependencies job in the run.

@riodeuno riodeuno marked this pull request as ready for review March 18, 2025 05:03
@riodeuno
Copy link
Contributor Author

riodeuno commented Mar 18, 2025

/build-deploy-preview skip-tests=true

@github-actions
Copy link

github-actions bot commented Mar 18, 2025

Deploying Your Preview: https://github.com/appsmithorg/appsmith/actions/runs/13916143252.
Workflow: On demand build Docker image and deploy preview.
skip-tests: true.
env: ``.
PR: 39710.
recreate: .

@github-actions
Copy link

github-actions bot commented Mar 18, 2025

Deploy-Preview-URL: https://ce-39710.dp.appsmith.com

@riodeuno riodeuno requested a review from hetunandu March 18, 2025 06:32
KelvinOm
KelvinOm previously approved these changes Mar 18, 2025
View reviewed changes
KelvinOm
KelvinOm previously approved these changes Mar 18, 2025
View reviewed changes
app/client/packages/rts/package.json
"@opentelemetry/semantic-conventions": "^1.27.0",
"@shared/ast": "workspace:^",
"axios": "^1.7.4",
"axios": "^1.8.3",
Copy link
Collaborator

@KelvinOm KelvinOm Mar 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you also add esbuild here?

hetunandu
hetunandu previously approved these changes Mar 18, 2025
View reviewed changes
@riodeuno riodeuno dismissed stale reviews from hetunandu and KelvinOm via 46a88a5 March 19, 2025 09:50
@riodeuno riodeuno merged commit 9de62e0 into release Mar 20, 2025
91 checks passed
@riodeuno riodeuno deleted the chore/upgrade-packages-for-CVE-resolution-1 branch March 20, 2025 12:09
github-actions bot pushed a commit to Zeral-Zhang/appsmith that referenced this pull request Apr 12, 2025
@riodeuno
chore: Upgrade packages to resolve Dependabot issues (appsmithorg#39710)
d4766e7 
## Description
- Fix XSS issue by upgrading packages such that the
`serialize-javascript` dependency resolves to `v6.0.2`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/376

- Fix XSS issue by upgrading `esbuild` to `v0.25.1`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/367

- Fix vite vulnerability by upgrading `vite` to `v6.2.1` (this is a
major version upgrade and effects the `storybook` package)
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/364
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/334
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/336


- Fixes TinyMCE XSS vulnerabilities by upgrading `tinymce` to `v7.7.1`
and `tinymce-react` to `v6.0.0` (Major version upgrade)
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/347
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/348
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/290

- Fix vulnerability in `webpack` by upgrading to `v5.98.0`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/324

- Fix vulnerability in `@sentry/browser` by upgrading `@sentry/react` to
`v7.120.3` (Major version upgrade)
_Note: [`Severity` enum has been
deprecated](https://docs.sentry.io/platforms/javascript/migration/v7-to-v8/#removal-of-severity-enum)_
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/345

- Fix vulnerability in `axios` by upgrading to `v1.8.3`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/391

- Fix vulnerability in `@babel/runtime` by upgrading to `v7.26.10`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/393

- Fix vulnerability in `@babel/helper` by upgrading `@babel/core` to
`v7.26.10`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/392

- Fix vulnerability in `prismjs` by upgrading to `v1.30.0`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/390

- Fix vulnerability in `cookie` by upgrading to `v0.7.0`
Fixes https://github.com/appsmithorg/appsmith/security/dependabot/346

## Automation

/ok-to-test tags="@tag.All"

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/13967528524>
> Commit: 6a36c97
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=13967528524&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.All`
> Spec:
> <hr>Thu, 20 Mar 2025 12:03:08 UTC
<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [x] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Summary by CodeRabbit

- **New Features**
- Enhanced the text editor experience by introducing quick
markdown-style shortcuts for headings, lists, and quotes.
- **Chores**
- Upgraded numerous underlying libraries and tools for improved
performance and stability.
- Streamlined error logging by refining how errors are categorized and
reported.
- Improved accessibility by updating element selectors to use
`aria-label` attributes.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
@danguilherme danguilherme mentioned this pull request Apr 24, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@KelvinOm KelvinOm KelvinOm approved these changes

@hetunandu hetunandu hetunandu left review comments

@jacquesikot jacquesikot Awaiting requested review from jacquesikot jacquesikot is a code owner automatically assigned from appsmithorg/widgets-blocks

@ApekshaBhosale ApekshaBhosale Awaiting requested review from ApekshaBhosale

@ayushpahwa ayushpahwa Awaiting requested review from ayushpahwa

Assignees

@riodeuno riodeuno

Labels

ok-to-test Required label for CI Security Issues related to information security within the product skip-changelog Adding this label to a PR prevents it from being listed in the changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@riodeuno @KelvinOm @hetunandu