fix: security fix 425#41152

Merged
ApekshaBhosale merged 1 commit into release from security-425
Jul 30, 2025
Conversation

@ApekshaBhosale
Contributor

@ApekshaBhosale ApekshaBhosale commented Jul 30, 2025

Description

Issue - https://github.com/appsmithorg/appsmith-ee/security/dependabot/425
EE PR - https://github.com/appsmithorg/appsmith-ee/pull/8044

Automation

/ok-to-test tags="@tag.Sanity"

🔍 Cypress test results

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/16617495337
Commit: 9b72ee1
Cypress dashboard.
Tags: @tag.Sanity
Spec:


Wed, 30 Jul 2025 09:16:44 UTC

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

  • Chores
    • Updated internal package version resolutions to improve dependency management.

@ApekshaBhosale ApekshaBhosale requested a review from riodeuno as a code owner July 30, 2025 07:43
@github-actions github-actions bot added the Bug Something isn't working label Jul 30, 2025
@coderabbitai
Contributor

coderabbitai bot commented Jul 30, 2025

Walkthrough

The package.json file in the client application has been updated to include a resolution for the "on-headers" package, specifying version "1.1.0" under the "resolutions" section. No other modifications were made to dependencies, scripts, or configurations.

Changes

Cohort / File(s) | Change Summary
Client package resolution: app/client/package.json | Added a "resolutions" entry for "on-headers" version "1.1.0". No other changes made.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A tiny tweak in package land,
"on-headers" now firmly planned.
No scripts disturbed, no configs stirred,
Just a version locked, assurance conferred.
🎵 One line to rule the build anew,
A simple change, review is through!

📜 Recent review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6f3b09b and 9b72ee1.

⛔ Files ignored due to path filters (1)
  • app/client/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • app/client/package.json (1 hunks)
🧰 Additional context used
🧠 Learnings (2)
📓 Common learnings
Learnt from: CR
PR: appsmithorg/appsmith#0
File: .cursor/rules/index.mdc:0-0
Timestamp: 2025-07-21T07:25:40.986Z
Learning: Pull request titles must follow the Conventional Commits specification (e.g., type(scope): description)
Learnt from: CR
PR: appsmithorg/appsmith#0
File: .cursor/rules/README.md:0-0
Timestamp: 2025-07-21T07:25:06.064Z
Learning: Pull request titles must follow semantic conventions as described in 'semantic-pr.md'
Learnt from: Aishwarya-U-R
PR: appsmithorg/appsmith#29405
File: app/client/cypress/e2e/Regression/ClientSide/Binding/TableV2_Widget_API_Pagination_spec.js:37-41
Timestamp: 2024-10-08T15:32:39.374Z
Learning: The pull request titled "test: Cypress | Replace static with Dynamic waits - Part 1" is part of a phased approach where only certain test specifications are targeted for static wait removal in the initial phase. Future phases will address additional specs.
Learnt from: brayn003
PR: appsmithorg/appsmith#37984
File: app/client/src/git/requests/pullRequest.ts:6-10
Timestamp: 2024-12-05T10:58:36.272Z
Learning: Error handling is not required for the `pullRequest` function in `app/client/src/git/requests/pullRequest.ts`.
Learnt from: sneha122
PR: appsmithorg/appsmith#30012
File: app/client/src/pages/Editor/DataSourceEditor/RestAPIDatasourceForm.tsx:679-682
Timestamp: 2024-10-08T15:32:34.115Z
Learning: The user `sneha122` has confirmed the resolution of the feedback regarding the redundancy of `|| false` in the `_.get` expression within the `RestAPIDatasourceForm.tsx` file.
Learnt from: ayushpahwa
PR: appsmithorg/appsmith#37417
File: app/client/package.json:134-134
Timestamp: 2024-11-20T09:27:54.852Z
Learning: In `app/client/package.json`, the `eslint-linter-browserify` package should be listed under `dependencies`, not `devDependencies`, because it is needed by users writing JavaScript inside our apps.
Learnt from: sharat87
PR: appsmithorg/appsmith#37341
File: deploy/docker/base.dockerfile:49-50
Timestamp: 2024-11-12T14:29:18.087Z
Learning: In the Appsmith project, avoid pinning the minor Node.js version in Dockerfiles, aligning with the Node.js engine specified in `src/client/package.json` as `^20.11.1`.
Learnt from: ayushpahwa
PR: appsmithorg/appsmith#29474
File: app/client/packages/rts/build.js:0-0
Timestamp: 2024-07-26T21:12:57.228Z
Learning: The user has acknowledged and applied the suggestion to remove the duplicated `minify` property in the esbuild configuration object within `build.js`.
Learnt from: sharat87
PR: appsmithorg/appsmith#34116
File: Dockerfile:36-36
Timestamp: 2024-10-08T15:32:34.115Z
Learning: The `--only-prod` is an option for `npm install` that specifies the installation of production dependencies only, and it is not a package that can have a version pinned.
app/client/package.json (3)

Learnt from: ayushpahwa
PR: #37417
File: app/client/package.json:134-134
Timestamp: 2024-11-20T09:27:54.852Z
Learning: In app/client/package.json, the eslint-linter-browserify package should be listed under dependencies, not devDependencies, because it is needed by users writing JavaScript inside our apps.

Learnt from: sharat87
PR: #37341
File: deploy/docker/base.dockerfile:49-50
Timestamp: 2024-11-12T14:29:18.087Z
Learning: In the Appsmith project, avoid pinning the minor Node.js version in Dockerfiles, aligning with the Node.js engine specified in src/client/package.json as ^20.11.1.

Learnt from: brayn003
PR: #38088
File: app/client/src/git/components/GitContextProvider/hooks/useGitBranches.ts:40-43
Timestamp: 2024-12-11T08:25:39.197Z
Learning: In app/client/src/git/components/GitContextProvider/hooks/useGitBranches.ts, the useMemo hook includes dependencies artifactType and baseArtifactId in its dependency array.

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: client-lint / client-lint
  • GitHub Check: client-prettier / prettier-check
  • GitHub Check: client-unit-tests / client-unit-tests
  • GitHub Check: client-build / client-build
🔇 Additional comments (1)
app/client/package.json (1)

420-420: on-headers@1.1.0 is valid – no change required
The npm registry confirms that version 1.1.0 of on-headers is published. You can keep the existing resolution entry; no edits are needed here.

Likely an incorrect or invalid review comment.

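The change above is a one-line `resolutions` override in `app/client/package.json` that forces the transitive `on-headers` dependency to 1.1.0. A practitioner's caveat: the override only takes effect once the lockfile is regenerated (the PR also changed `app/client/yarn.lock`, hidden here by the path filter), so the thing worth verifying in CI is the lockfile, not `package.json`. The script below is an added example, not code from the Appsmith project or this PR. It assumes `resolutions` keys are plain package names mapped to an exact `x.y.z` version, and that the lockfile uses either Yarn classic (v1) or Yarn berry syntax; the package.json fragment and all lockfile text are constructed for illustration.

```javascript
// Added example (not Appsmith project code): verify that package.json
// "resolutions" overrides actually took effect in the lockfile.
// Assumes plain-name keys with exact "x.y.z" values; lockfile text is
// constructed and covers both Yarn v1 and Yarn berry syntax.

// Constructed package.json fragment mirroring the change described in the PR.
const PACKAGE_JSON = { resolutions: { "on-headers": "1.1.0" } };

// Constructed Yarn v1 lockfile before `yarn install`: on-headers is still 1.0.2.
const LOCK_BEFORE = `
# yarn lockfile v1

"@scope/some-dep@^2.0.0":
  version "2.3.1"
  resolved "https://registry.example/@scope/some-dep-2.3.1.tgz"
  dependencies:
    on-headers "~1.0.2"

on-headers@~1.0.2:
  version "1.0.2"
  resolved "https://registry.example/on-headers-1.0.2.tgz"
`;

// Constructed lockfile after `yarn install` with the override applied:
// the range key is unchanged, but it now resolves to 1.1.0.
const LOCK_AFTER = LOCK_BEFORE
  .replace('version "1.0.2"', 'version "1.1.0"')
  .replace("on-headers-1.0.2.tgz", "on-headers-1.1.0.tgz");

// Constructed Yarn berry lockfile with a stale entry (unquoted `version:`
// and `npm:` range prefixes), to show the same check works on that syntax.
const LOCK_BERRY_STALE = `
__metadata:
  version: 6

"on-headers@npm:~1.0.2":
  version: 1.0.2
  resolution: "on-headers@npm:1.0.2"
`;

// Compare plain "x.y.z" versions numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile key such as on-headers@~1.0.2,
// @scope/pkg@^2.0.0 or on-headers@npm:~1.0.2 (scoped names keep their "@").
function packageName(key) {
  const at = key.lastIndexOf("@");
  return at > 0 ? key.slice(0, at) : key;
}

// Minimal lockfile parser: a non-indented line is an entry header holding one
// or more comma-separated "name@range" keys; the first indented `version`
// line under it is the resolved version. Nested blocks are ignored.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!/^\s/.test(line)) {
      const keys = line.replace(/:\s*$/, "").split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { keys, version: null };
      entries.push(current);
    } else if (current && current.version === null) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Lockfile entries for `name` that resolve below `minVersion` (or to nothing).
function findStaleEntries(lockText, name, minVersion) {
  return parseLockfile(lockText)
    .filter((e) => e.keys.some((k) => packageName(k) === name))
    .filter((e) => e.version === null || compareVersions(e.version, minVersion) < 0);
}

// Check every resolutions entry against the lockfile. Returns a list of
// human-readable problems; an empty list means every override took effect.
function checkResolutions(pkgJson, lockText) {
  const problems = [];
  for (const [name, want] of Object.entries(pkgJson.resolutions || {})) {
    for (const e of findStaleEntries(lockText, name, want)) {
      problems.push(`${e.keys.join(", ")} resolved to ${e.version} (want >= ${want})`);
    }
  }
  return problems;
}

// Stand-alone run over the three constructed lockfiles; a CI job would
// read the real files and exit non-zero when the list is non-empty.
for (const [label, lock] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER], ["berry", LOCK_BERRY_STALE]]) {
  const problems = checkResolutions(PACKAGE_JSON, lock);
  console.log(label, problems.length ? problems : "ok");
}
```

The "before" lockfile reports `on-headers@~1.0.2 resolved to 1.0.2`, which is exactly the state a `resolutions` edit without a regenerated lockfile leaves behind; "after" reports nothing because the same range key now resolves to 1.1.0. Wiring `checkResolutions` into CI against the real `package.json` and `yarn.lock` catches an override that was added but never installed.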

@ApekshaBhosale ApekshaBhosale added the ok-to-test Required label for CI label Jul 30, 2025
@ApekshaBhosale ApekshaBhosale requested review from KelvinOm and riodeuno and removed request for riodeuno July 30, 2025 10:45
@ApekshaBhosale ApekshaBhosale merged commit e366a39 into release Jul 30, 2025
51 checks passed
@ApekshaBhosale ApekshaBhosale deleted the security-425 branch July 30, 2025 12:05