CONSOLE-5415: Bump react-router to 7.15#16726
Conversation
|
Pipeline controller notification For optional jobs, comment This repository is configured in: LGTM mode |
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository: openshift/coderabbit/.coderabbit.yaml Review profile: CHILL Plan: Enterprise Run ID: ⛔ Files ignored due to path filters (2)
📒 Files selected for processing (12)
💤 Files with no reviewable changes (8)
✅ Files skipped from review due to trivial changes (3)
🚧 Files skipped from review as they are similar to previous changes (1)
WalkthroughReact Router was updated to ChangesReact Router alignment
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 15✅ Passed checks (15 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
eb0d108 to
c8440da
Compare
c8440da to
b6a15ad
Compare
|
@vojtechszocs: This pull request references CONSOLE-5415 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
b6a15ad to
317087a
Compare
317087a to
98ee2f9
Compare
There was a problem hiding this comment.
🧹 Nitpick comments (1)
dynamic-demo-plugin/package.json (1)
34-34: 🔒 Security & Privacy | 🔵 Trivial | 💤 Low valueTilde range instead of exact pin.
The dependency uses a
~7.15.1semver range rather than an exact pinned version. Path instructions for manifest files call for pinning exact versions for supply-chain security. This matches the pre-existing convention in this file/repo, so it's not a regression introduced by this change, but worth noting.As per path instructions,
**/{requirements*.txt,Pipfile*,pyproject.toml,package*.json,...}: "Pin exact versions; verify hashes where supported".🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@dynamic-demo-plugin/package.json` at line 34, The dependency entry for react-router in the package manifest is using a tilde semver range instead of a fully pinned version. Update the manifest to pin react-router to an exact version, following the repo’s package.json convention for supply-chain safety; keep the change localized to the react-router entry in the package.json dependency list.Source: Path instructions
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@dynamic-demo-plugin/package.json`:
- Line 34: The dependency entry for react-router in the package manifest is
using a tilde semver range instead of a fully pinned version. Update the
manifest to pin react-router to an exact version, following the repo’s
package.json convention for supply-chain safety; keep the change localized to
the react-router entry in the package.json dependency list.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: ae625c6c-1c48-4122-8575-16aba1a7b21b
⛔ Files ignored due to path filters (2)
dynamic-demo-plugin/yarn.lockis excluded by!**/yarn.lock,!**/*.lockfrontend/yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (12)
dynamic-demo-plugin/package.jsonfrontend/package.jsonfrontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.mdfrontend/packages/dev-console/src/components/import/__tests__/DeployImage.spec.tsxfrontend/packages/dev-console/src/components/import/jar/__tests__/UploadJarPage.spec.tsxfrontend/packages/knative-plugin/src/components/add/__tests__/EventSinkPage.spec.tsxfrontend/packages/knative-plugin/src/components/knatify/__tests__/CreateKnatifyPage.spec.tsxfrontend/packages/operator-lifecycle-manager/src/components/__tests__/catalog-source.spec.tsxfrontend/packages/operator-lifecycle-manager/src/components/operand/__tests__/index.spec.tsxfrontend/public/components/app.tsxfrontend/public/components/utils/__tests__/telemetry.spec.tsfrontend/public/components/utils/telemetry.ts
💤 Files with no reviewable changes (8)
- frontend/packages/operator-lifecycle-manager/src/components/tests/catalog-source.spec.tsx
- frontend/packages/dev-console/src/components/import/tests/DeployImage.spec.tsx
- frontend/packages/knative-plugin/src/components/knatify/tests/CreateKnatifyPage.spec.tsx
- frontend/public/components/utils/tests/telemetry.spec.ts
- frontend/packages/knative-plugin/src/components/add/tests/EventSinkPage.spec.tsx
- frontend/packages/dev-console/src/components/import/jar/tests/UploadJarPage.spec.tsx
- frontend/packages/operator-lifecycle-manager/src/components/operand/tests/index.spec.tsx
- frontend/public/components/utils/telemetry.ts
✅ Files skipped from review due to trivial changes (1)
- frontend/packages/console-dynamic-plugin-sdk/CHANGELOG-core.md
🚧 Files skipped from review as they are similar to previous changes (2)
- frontend/public/components/app.tsx
- frontend/package.json
|
/retest |
|
/test backend |
1 similar comment
|
/test backend |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: spadgett, vojtechszocs The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Scheduling tests matching the |
98ee2f9 to
2ec0e1d
Compare
|
New changes are detected. LGTM label has been removed. |
|
@vojtechszocs: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Analysis / Root cause
Related CVE in react-router package - DoS via unbounded path expansion in __manifest endpoint
Note - Console does not use
@remix-run/server-runtimepackage - this CVE is not effective on Console project.Analysis by Claude Code
Solution description
Bump
react-routerpackage to version7.15.1along with related semver range in Consolepackage.jsonfile.Test cases
Update Console dependencies and rebuild Console plugin SDK packages, then check for
react-routerpeer dependency in the generated package manifest.Summary by CodeRabbit
~7.15.1in the main frontend and the dynamic demo plugin.unstable_maskwhere applicable.