[FIX] Patch frontend Dependabot alerts (axios + transitive deps); drop unused package-lock.json#2038

Merged
jaseemjaskp merged 2 commits into Zipstack/unstract:main from Zipstack/unstract:fix/dependabot-frontend-axios on Jun 18, 2026

Conversation

@jaseemjaskp


What

Patches the frontend critical/high Dependabot alerts and removes the unused frontend/package-lock.json.

  • axios 1.13.5 → 1.16.0 (proxy-auth credential leak, prototype-pollution gadgets, ReDoS)
  • Raise caret floors above the vulnerable versions: handlebars 4.7.9, js-cookie 3.0.8, happy-dom 20.10.2, vite 7.3.5, vitest 3.2.6
  • overrides for transitive deps that didn't dedupe: lodash/lodash-es 4.18.0, immutable 4.3.8, socket.io-parser 4.2.6, and vite ^7.3.5 (forces vite-node's nested copy off the vulnerable 7.3.1)
  • Delete frontend/package-lock.json — the production image builds with bun install --frozen-lockfile from bun.lock; the npm lockfile was installed by nothing and only caused lockfile drift + false Dependabot signals
  • Git-ignore package-lock.json / yarn.lock to prevent accidental re-adds
  • Repoint the docker compose watch rebuild trigger from package-lock.json → bun.lock

Why

The frontend had the bulk of the open critical/high npm Dependabot alerts (axios ×11, handlebars critical, vitest critical, vite, etc.). Two committed lockfiles (bun.lock + package-lock.json) were drifting and only bun.lock is actually used to build, so the npm one was both useless and misleading.

How

  • bun add/update for the direct bumps, overrides in package.json for transitive ones, then regenerated bun.lock.
  • Verified bun install --frozen-lockfile --ignore-scripts (the prod Dockerfile's exact command) passes, and bun run build succeeds.

Can this PR break any existing features. If yes, please list possible items. If no, please explain why. (PS: Admins do not merge the PR without this section filled)

No expected breakage.

  • Direct bumps are within-range patch/minor updates (axios is the only direct API surface; 1.13→1.16 is backward-compatible).
  • Most updated packages are dev/build-time tooling (vite, vitest, happy-dom, rollup, lodash in tests).
  • package-lock.json removal is safe: no Dockerfile or CI installs from it — the frontend image uses oven/bun + bun install --frozen-lockfile against bun.lock, and frontend CI only runs Biome (no install step).

Database Migrations

None.

Env Config

None.

Relevant Docs

N/A

Related Issues or PRs

GitHub Dependabot alerts (frontend / npm). Follow-up PRs will cover the Python (uv.lock) ecosystems.

Dependencies Versions

axios 1.16.0 · handlebars 4.7.9 · js-cookie 3.0.8 · happy-dom 20.10.2 · vite 7.3.5 · vitest 3.2.6 · lodash/lodash-es 4.18.0 · immutable 4.3.8 · socket.io-parser 4.2.6

Known remaining (deferred, tracked separately)

  • picomatch@2.3.1 (via http-proxy-middleware > micromatch) — bun has no scoped overrides; low risk (dev proxy tooling).
  • tar@6.2.1 (via jsdom > canvas > node-pre-gyp) — needs a major 6→7 bump behind an already-invalid canvas peer; handled separately.

Notes on Testing

  • bun install --frozen-lockfile --ignore-scripts ✓ (no lock drift)
  • bun run build
  • biome ci src/ — pre-existing warnings only, no new issues

Screenshots

N/A — dependency/build-config only.

Checklist

I have read and understood the Contribution Guidelines.
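The lockfile-hygiene argument in the description (one lockfile, one install path, a watch trigger that points at a file that still exists) is easy to state and easy to regress silently. What follows is an added example, not code from the Unstract repository: a check that encodes those invariants and runs over an in-memory map of relative path to file content, so it executes offline; in CI the map would be filled from the checkout. The paths (including the `docker/frontend.Dockerfile` location), the file bodies and the function name `checkLockfileHygiene` are constructed stand-ins, not the repository's real files.

```javascript
// Added example, not code from the Unstract repository: a check for the
// "one lockfile, one install path" invariants the PR description relies on.
// It runs over an in-memory map of relative path -> file content so it works
// offline; in CI the map would be filled from the checkout. Every path and
// file body below is a constructed stand-in (the Dockerfile location is assumed).

const STRAY_LOCKFILES = ["package-lock.json", "yarn.lock"];

function checkLockfileHygiene(files) {
  const findings = [];
  const paths = Object.keys(files);

  // 1. Only bun.lock may be committed; an npm or yarn lockfile is drift waiting to
  //    happen and feeds Dependabot versions that nothing actually installs.
  for (const p of paths) {
    if (STRAY_LOCKFILES.includes(p.split("/").pop())) {
      findings.push(`stray lockfile committed: ${p}`);
    }
  }

  // 2. .gitignore must list the stray lockfile names so they cannot be re-added by accident.
  for (const p of paths.filter((x) => x.endsWith(".gitignore"))) {
    const entries = files[p]
      .split("\n")
      .map((line) => line.trim())
      .filter((line) => line && !line.startsWith("#"));
    for (const name of STRAY_LOCKFILES) {
      if (!entries.includes(name)) findings.push(`${p} does not ignore ${name}`);
    }
  }

  // 3. Every bun install in a Dockerfile must be frozen (the build fails on lock
  //    drift instead of silently re-resolving), and nothing may install through npm.
  for (const p of paths.filter((x) => /Dockerfile/.test(x))) {
    for (const line of files[p].split("\n")) {
      if (/\bbun install\b/.test(line) && !line.includes("--frozen-lockfile")) {
        findings.push(`${p}: bun install without --frozen-lockfile`);
      }
      if (/\bnpm (ci|install)\b/.test(line)) findings.push(`${p}: installs via npm`);
    }
  }

  // 4. A compose `watch` trigger must not point at a lockfile that no longer
  //    exists, otherwise dependency changes stop triggering rebuilds.
  for (const p of paths.filter((x) => /compose.*\.ya?ml$/.test(x))) {
    for (const line of files[p].split("\n")) {
      const m = /path:\s*(\S+)/.exec(line);
      if (m && STRAY_LOCKFILES.some((name) => m[1].endsWith(name))) {
        findings.push(`${p}: watch trigger points at ${m[1]}`);
      }
    }
  }
  return findings;
}

// Constructed "before" state mirroring the problems the PR describes.
const beforeRepo = {
  "frontend/bun.lock": "# lockfile body elided",
  "frontend/package-lock.json": "{}",
  "frontend/.gitignore": "node_modules\ndist\n",
  "docker/frontend.Dockerfile": "FROM oven/bun\nRUN bun install --frozen-lockfile --ignore-scripts\n",
  "docker/sample.compose.override.yaml":
    "services:\n  frontend:\n    develop:\n      watch:\n" +
    "        - action: rebuild\n          path: ../frontend/package-lock.json\n",
};

// Constructed "after" state: lockfile deleted, ignored, and the watch trigger repointed.
const afterRepo = {
  "frontend/bun.lock": "# lockfile body elided",
  "frontend/.gitignore":
    "node_modules\ndist\n# bun is the only package manager; bun.lock is the source of truth\n" +
    "package-lock.json\nyarn.lock\n",
  "docker/frontend.Dockerfile": "FROM oven/bun\nRUN bun install --frozen-lockfile --ignore-scripts\n",
  "docker/sample.compose.override.yaml":
    "services:\n  frontend:\n    develop:\n      watch:\n" +
    "        - action: rebuild\n          path: ../frontend/bun.lock\n",
};

console.log("before:", checkLockfileHygiene(beforeRepo));
console.log("after:", checkLockfileHygiene(afterRepo));
```

Run as a CI step, a non-empty findings list is the signal to fail the job; the four checks are deliberately string-level so they stay cheap and need no package-manager tooling in the lint image.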

…p package-lock.json

- axios 1.13.5 -> 1.16.0 (proxy-auth leak, prototype pollution, ReDoS)
- raise caret floors above vulnerable versions: handlebars 4.7.9,
  js-cookie 3.0.8, happy-dom 20.10.2, vite 7.3.5, vitest 3.2.6
- add overrides for transitive deps: lodash/lodash-es 4.18.0,
  immutable 4.3.8, socket.io-parser 4.2.6, vite ^7.3.5 (dedupe vite-node)
- remove frontend/package-lock.json: the prod image builds with
  'bun install --frozen-lockfile' from bun.lock; the npm lockfile was
  unused and only caused drift + false Dependabot signals
- gitignore package-lock.json/yarn.lock to prevent re-adds
- repoint docker compose watch trigger to bun.lock

coderabbitai Bot commented Jun 11, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7f10a28a-699a-4a09-a99b-a3780ae60e1a

📥 Commits

Reviewing files that changed from the base of the PR and between e8d0cdb and 16c5b72.

⛔ Files ignored due to path filters (1)
  • frontend/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • frontend/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • frontend/package.json

Summary by CodeRabbit

Chores

  • Updated runtime dependencies (axios, handlebars, js-cookie) for improved compatibility.
  • Updated development dependencies (Vite, Vitest, happy-dom) to newer stable versions.
  • Added package manager overrides to pin key libraries to specific versions.

Configuration

  • Updated the development container rebuild trigger to watch bun.lock instead of package-lock.json.
  • Updated frontend/.gitignore to ignore other package manager lockfiles, documenting that bun.lock is the source of truth.

Walkthrough

The PR standardizes the frontend to use Bun as the exclusive package manager. Docker compose watch configuration is updated to monitor bun.lock, .gitignore is configured to exclude npm and yarn lockfiles, and frontend dependencies are bumped across both production and development contexts with explicit version overrides for transitive dependencies.

Changes

Bun package manager standardization and dependency updates

Layer: Docker and gitignore Bun configuration
File(s): docker/sample.compose.override.yaml, frontend/.gitignore
Summary: Docker compose development watch rule is changed to trigger rebuilds on ../frontend/bun.lock instead of npm's lockfile. .gitignore is updated with entries for package-lock.json and yarn.lock and includes a comment clarifying Bun as the only package manager.

Layer: Frontend dependency version updates and transitive overrides
File(s): frontend/package.json
Summary: Dependencies axios, handlebars, and js-cookie are bumped to newer versions. DevDependencies happy-dom, vite, and vitest are updated. An overrides section is added to pin lodash, lodash-es, immutable, socket.io-parser, and vite to specific versions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Title check (Passed): The title accurately summarizes the main changes: patching Dependabot alerts (axios + dependencies) and removing the unused package-lock.json file, which aligns with the primary objectives of the PR.
Description check (Passed): The description comprehensively covers all required template sections with detailed explanations of what was changed, why it was necessary, how it was implemented, compatibility assessment, and testing verification.
Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (Passed): Check skipped because no linked issues were found for this pull request.



greptile-apps Bot commented Jun 11, 2026


Greptile Summary

This PR patches several critical/high frontend Dependabot alerts by bumping direct deps (axios 1.13.5→1.16.0, handlebars, js-cookie, happy-dom, vite, vitest) and adds overrides for transitive packages (lodash, lodash-es, immutable, socket.io-parser, vite). It also removes the unused frontend/package-lock.json, gitignores both npm and yarn lockfiles, and corrects the docker compose watch rebuild trigger to point at bun.lock.

  • Security patches: axios gets the largest bump, fixing a proxy-auth credential leak (CVE-2025-27152) and prototype-pollution gadgets; all other bumps close ReDoS and prototype-pollution issues in build/test tooling.
  • Lockfile hygiene: package-lock.json is deleted since the production image exclusively uses bun install --frozen-lockfile; the gitignore addition prevents drift from re-occurring.
  • Dev tooling: the docker compose watch rebuild path is corrected from the now-deleted package-lock.json to bun.lock, keeping hot-rebuild triggers accurate.

Confidence Score: 5/5

Safe to merge — all changes are dependency version bumps and lockfile hygiene with no application logic touched.

All direct dep bumps are within-range patch/minor upgrades on a backward-compatible API (axios 1.13→1.16) or dev/build tooling. The overrides block uses 4.18.1 for lodash/lodash-es, the regression-free version. The deleted package-lock.json was genuinely unused by the build pipeline, and the compose watch fix correctly aligns with the actual lockfile. No application code, routes, or data paths are modified.

No files require special attention.

Important Files Changed

frontend/package.json: Bumps direct security-relevant deps and adds well-formed overrides block; lodash/lodash-es correctly pinned at 4.18.1 (regression-free version).
docker/sample.compose.override.yaml: Corrects the docker compose watch rebuild trigger from the deleted package-lock.json to bun.lock, keeping dev hot-rebuild accurate.
frontend/.gitignore: Adds package-lock.json and yarn.lock to gitignore with an explanatory comment, preventing lockfile drift from re-occurring.
frontend/bun.lock: Regenerated lockfile reflecting all version bumps and overrides; verified clean with bun install --frozen-lockfile.
frontend/package-lock.json: Deleted entirely — this lockfile was unused (production builds via bun) and was the source of false Dependabot signals and lockfile drift.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[bun install --frozen-lockfile] --> B[bun.lock]
    B --> C[Production Docker image]

    D[package.json overrides] --> E[lodash/lodash-es 4.18.1]
    D --> F[immutable 4.3.8]
    D --> G[socket.io-parser 4.2.6]
    D --> H[vite ^7.3.5]

    I[Direct dep bumps] --> J[axios 1.16.0]
    I --> K[handlebars ^4.7.9]
    I --> L[js-cookie ^3.0.8]
    I --> M[vite ^7.3.5 / vitest ^3.2.6]
    I --> N[happy-dom ^20.10.2]

    O[docker compose watch] -->|rebuild trigger| B
    O -->|rebuild trigger| P[package.json]

    Q[frontend/.gitignore] -->|ignores| R[package-lock.json / yarn.lock]

Reviews (2): Last reviewed commit: "[FIX] Bump lodash override 4.18.0 -> 4.1..."

Comment thread frontend/package.json Outdated

@jaseemjaskp jaseemjaskp left a comment


Automated review (PR Review Toolkit). Scope is a focused frontend dependency patch (5 files). Verified: bun install --frozen-lockfile is the only install path (frontend.Dockerfile + CI all use bun), there are zero remaining references to package-lock.json or npm ci in the repo, and bun.lock carries a matching overrides block — so deleting the lockfile and adding it to .gitignore is safe. One forward-looking note below; the lodash@4.18.0 regression is already covered by greptile's thread, so not reposting it.

Comment thread frontend/package.json
…roken release)

lodash@4.18.0 / lodash-es@4.18.0 are deprecated on npm ("Bad release")
and ship a regression (lodash#6167: template.js throws
"ReferenceError: assignWith is not defined"; fromPairs breaks in modular
builds), which @react-awesome-query-builder/core imports. 4.18.1 is the
fixed, non-deprecated latest.

Pinning the exact override (vs removing it) is required because bun does
not re-resolve already-satisfied lock entries: dropping the override
alone would leave 4.18.0 frozen in bun.lock. The explicit 4.18.1 pin
guarantees the broken release can't survive a future lock regen.

Verified: bun install --frozen-lockfile --ignore-scripts reports no changes.
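The caret floors and overrides listed in the PR description and the exact-pin reasoning in the commit message above come down to two checks: does every copy of a package in the resolved tree (nested copies such as vite-node's vite included) satisfy the spec that is supposed to govern it, and does an override written to dodge one bad release actually exclude that release? The following is an added example, not code from the project or from bun: a small audit over a package.json-shaped object and a constructed map of resolved versions. `auditFloors`, `looseOverrides` and the resolved-version maps are illustrative assumptions; the caret and exact-pin semantics implemented are the standard npm ones for the two spec shapes the PR uses, and real data would be extracted from bun.lock, which this example does not parse.

```javascript
// Added example, not the project's code: check that the versions a lockfile
// actually resolved satisfy the floors declared in package.json, and that an
// override meant to steer away from a known-bad release is an exact pin.
// The package.json shape mirrors the PR; every resolved-version map below is
// constructed for illustration (real data would be extracted from bun.lock).

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release suffix is ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Supports the two spec shapes used in the PR: an exact pin ("4.18.1") and a
// caret floor ("^7.3.5" means >= 7.3.5 and < 8.0.0; for 0.x the minor is fixed).
function satisfies(version, spec) {
  if (!spec.startsWith("^")) return compareVersions(version, spec) === 0;
  const floor = spec.slice(1);
  const [fMajor, fMinor] = parseVersion(floor);
  const [vMajor, vMinor] = parseVersion(version);
  if (compareVersions(version, floor) < 0) return false;
  return fMajor === 0 ? vMajor === 0 && vMinor === fMinor : vMajor === fMajor;
}

// `resolved` maps a package name to every version of it present in the tree,
// nested copies included; that is what exposes a stale nested copy of vite.
// A package governed by both a dependency spec and an override is reported
// under each, since the override exists precisely to reach the nested copies.
function auditFloors(pkg, resolved) {
  const findings = [];
  const declared = { ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) };
  for (const [name, spec] of Object.entries(declared)) {
    for (const version of resolved[name] ?? []) {
      if (!satisfies(version, spec)) findings.push({ name, version, spec, kind: "below-floor" });
    }
  }
  for (const [name, spec] of Object.entries(pkg.overrides ?? {})) {
    for (const version of resolved[name] ?? []) {
      if (!satisfies(version, spec)) findings.push({ name, version, spec, kind: "override-not-applied" });
    }
  }
  return findings;
}

// An override that exists to avoid one broken release must exclude that
// release; a caret override would re-admit it on the next lockfile regeneration.
function looseOverrides(pkg, badReleases) {
  const overrides = pkg.overrides ?? {};
  return Object.entries(badReleases)
    .filter(([name, bad]) => name in overrides && satisfies(bad, overrides[name]))
    .map(([name]) => name);
}

// Constructed package.json fragment using the versions named in the PR.
const samplePackageJson = {
  dependencies: { axios: "^1.16.0", handlebars: "^4.7.9", "js-cookie": "^3.0.8" },
  devDependencies: { vite: "^7.3.5", vitest: "^3.2.6", "happy-dom": "^20.10.2" },
  overrides: {
    lodash: "4.18.1", "lodash-es": "4.18.1", immutable: "4.3.8",
    "socket.io-parser": "4.2.6", vite: "^7.3.5",
  },
};

// Constructed stale tree: a nested vite copy never moved off 7.3.1 and lodash
// still sits on the deprecated 4.18.0 release.
const staleResolved = {
  axios: ["1.16.0"], handlebars: ["4.7.9"], "js-cookie": ["3.0.8"],
  vite: ["7.3.5", "7.3.1"], vitest: ["3.2.6"], "happy-dom": ["20.10.2"],
  lodash: ["4.18.0"], "lodash-es": ["4.18.1"], immutable: ["4.3.8"], "socket.io-parser": ["4.2.6"],
};

// Constructed tree after the overrides took effect and the lockfile was regenerated.
const patchedResolved = { ...staleResolved, vite: ["7.3.5"], lodash: ["4.18.1"] };

console.log("stale:", auditFloors(samplePackageJson, staleResolved));
console.log("patched:", auditFloors(samplePackageJson, patchedResolved));
console.log("loose:", looseOverrides({ overrides: { lodash: "^4.18.0" } }, { lodash: "4.18.0" }));
```

The stale tree yields three findings (the nested vite copy twice, once per governing spec, and lodash once); the patched tree yields none, and `looseOverrides` returns an empty list for the exact 4.18.1 pins but flags a caret `^4.18.0` override, which is the failure mode the commit message warns about.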
@github-actions


Frontend Lint Report (Biome)

All checks passed! No linting or formatting issues found.

@sonarqubecloud


@jaseemjaskp jaseemjaskp merged commit f575730 into main Jun 18, 2026
9 checks passed
@jaseemjaskp jaseemjaskp deleted the fix/dependabot-frontend-axios branch June 18, 2026 11:05