Skip to content

Security sweep + Scholar UX: clear all 7 Dependabot alerts (supersedes 9 bot PRs), Tiptap v3, Scholar upgrade#433

Open
Apexone11 wants to merge 2 commits into
mainfrom
chore/dependabot-sweep-2026-07
Open

Security sweep + Scholar UX: clear all 7 Dependabot alerts (supersedes 9 bot PRs), Tiptap v3, Scholar upgrade#433
Apexone11 wants to merge 2 commits into
mainfrom
chore/dependabot-sweep-2026-07

Conversation

@Apexone11

@Apexone11 Apexone11 commented Jul 13, 2026

Copy link
Copy Markdown
Owner

Summary

One consolidated PR, per founder request: all dependency/security work + the Scholar UX upgrade. Supersedes and closes Dependabot PRs #416, #417, #423, #424, #425, #426, #427, #428, #429.

Part 1 — Security: all 7 open Dependabot alerts cleared

Alert Package Fixed at
#155 High form-data (backend, dev) 4.0.6
#157 High ws (frontend) 8.21.0 + workspace override restored
#161 High linkify-it removed from tree (tiptap v3 dropped prosemirror-markdown)
#134 Med markdown-it removed from tree (same)
#110 Med brace-expansion 5.0.7
#162 Med js-yaml (dev) 4.3.0
#158 Low @babel/core (dev) 7.29.7

Why one PR instead of merging the 9 bot PRs: they all edit the same lockfiles and conflict, and per-workspace merges leave the root package-lock.json drifting — the exact npm ci EUSAGE failure that broke Cloudflare deploys before. Root + backend + frontend lockfiles were regenerated together from a root npm install (CLAUDE.md workspace-lockfile rule).

Also included: backend minor-patch group (14 = #426), frontend minor-patch group (9 = #427), jscrambler action 8.13.0 SHA pin (= #425), and the full Tiptap v2 → v3.27 editor migration (= #423/#424): StarterKit-hosted Link/Underline (undoRedo, isAllowedUri), Placeholder from @tiptap/extensions, consolidated table package, setContent(html, { emitUpdate: false }), MathExtension imports from @tiptap/core. 13 tiptap packages → 8, single deduped v3.27.4 tree.

Remaining security items (repo-wide status after this PR):

  • Code scanning (CodeQL): 0 open alerts
  • Dependabot: 0 open alerts once this merges and the dependency graph rescans
  • Secret scanning: 1 open alert — a Google (Tenor) API key in git history (commits from April; current code reads it from env, verified no occurrence in HEAD). Code cannot fix this: the key must be rotated/restricted in Google Cloud Console (owner action), then the alert closed as revoked.

Part 2 — Scholar UX upgrade (research-driven)

Based on a 12-pattern study of Semantic Scholar, Elicit, Consensus, scite, Connected Papers, ResearchRabbit, Undermind + NN/g guidance:

  • Inline Save + Cite on every paper card (search, landing discover grids, topic lists) via new useSavedPapers hook — server-confirmed state (CLAUDE.md A4, no optimistic flip), shared scholar-saved:shelves SWR entry with the Saved page, prefix invalidation on toggle.
  • Compare side-by-side now works — the button used to be a no-op; it opens a 2–4-paper matrix (year / venue / citations / OA / source / summary), auto-opens on ?compare= deep links, stub column for papers that fell out of the results.
  • Per-source coverage strip — chips for Semantic Scholar / OpenAlex / CrossRef / arXiv with amber throttled states, replacing the bare "X throttled" text (honest federated-search UX).
  • Landing hero: example-query chips (wires the previously dead TRY_CHIPS) + live corpus stats from /api/scholar/stats (hidden on error/zeros).
  • Open-access papers get a green PDF read-now action on cards (Unpaywall convention).
  • ?tab=citations|references deep links now initialize the paper-page tab (they were silently dropped).
  • Abstract lead-in cleanup ("ABSTRACT Considering…" → "Considering…") on card bodies.
  • Tokens only (--sh-success-*", --sh-warning-*), dark mode inherits, modals via FocusTrappedDialog`, all new controls labeled.

Validation

  • Backend: lint ✅ · build ✅ · tests ✅ 3524 passed (226 files)
  • Frontend: lint ✅ 0 errors · build ✅ · unit ✅ 882 passed (+6 new Scholar tests)
  • Lockfile greps confirm every alerted package at/above its patched version
  • Release-log entries added under v2.3.0 (CI gate)

Known-red check: playwright-smoke fails on this PR with the identical signature it has had on every main run since 2026-06-02 (verified: last 5 main runs all failed; same spec files). Pre-existing baseline, not introduced here — worth a separate fix pass.

🤖 Generated with Claude Code

…tap v3 migration

Supersedes Dependabot PRs #416, #417, #423-#429 in one lockfile-safe pass:

- backend group (14): @anthropic-ai/sdk 0.110, @aws-sdk 3.1079, @sentry/node
  10.63, google-auth-library 10.9, nodemailer 9.0.3, posthog-node 5.39.4,
  sharp 0.35.3, stripe 22.3, svix 1.96.1, eslint 10.6, globals 17.7, vitest 4.1.10
- frontend group (9): @capgo/capacitor-social-login 8.3.33, @sentry/react 10.63,
  @tanstack/react-virtual 3.14.5, posthog-js 1.396.8, react-router(-dom) 7.18.1,
  video.js 8.23.9, @axe-core/playwright 4.12.1, @playwright/test 1.61.1, vitest 4.1.10
- Tiptap v2 -> v3.27: StarterKit now hosts Link/Underline (undoRedo config key,
  isAllowedUri), Placeholder from @tiptap/extensions, consolidated table package,
  setContent options-object; 13 packages -> 8
- jscrambler/code-integrity-actions 8.11.3 -> 8.13.0 (SHA pin)
- security: form-data 4.0.6, ws 8.21.0 (+ workspace override), js-yaml 4.2+,
  @babel/core 7.29.7, brace-expansion 5.0.7; markdown-it/linkify-it leave the
  tree entirely with @tiptap/pm v3
- root + backend + frontend lockfiles regenerated together (root npm install)

Verified: backend lint/build/tests (3524 passed), frontend lint/build/unit (876 passed).
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@sourcery-ai

sourcery-ai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Reviewer's Guide

Consolidated dependency upgrade sweep across backend, frontend, and CI, plus a Tiptap v2→v3 editor migration and lockfile regeneration to resolve all current security alerts and align workspace installs.

Sequence diagram for Tiptap v3 link validation and undo/redo configuration

sequenceDiagram
  actor User
  participant RichTextEditor
  participant useEditor
  participant StarterKit
  participant LinkExtension
  participant ctx

  User->>RichTextEditor: typeOrPasteLink
  RichTextEditor->>useEditor: useEditor({ extensions, content, onUpdate })
  useEditor->>StarterKit: StarterKit.configure({ undoRedo, link })

  User->>LinkExtension: createOrUpdateLink(href)
  LinkExtension->>LinkExtension: isAllowedUri(url, ctx)
  LinkExtension->>ctx: defaultValidate(url)
  ctx-->>LinkExtension: validationResult
  LinkExtension-->>User: acceptOrRejectLink
Loading

File-Level Changes

Change Details Files
Frontend dependency bumps and security override additions, including Tiptap v3 migration in the Studyhub app.
  • Upgrade core frontend runtime deps (Sentry React, TanStack React Virtual, Posthog JS, React Router, Video.js, Playwright, Vitest) to newer minor/patch versions.
  • Add a workspace-level override for ws 8.21.0 to satisfy a security alert.
  • Replace Tiptap v2 packages with the consolidated v3 set (@tiptap/core/react/pm/starter-kit/extensions/extension-table) at matching versions.
  • Refactor RichTextEditor and NoteEditor to use v3 StarterKit configuration (undoRedo, link options, Placeholder from @tiptap/extensions, consolidated table exports) and new link validation API.
  • Adjust editor content resets to call setContent with an options object ({ emitUpdate: false }) to avoid update loops under v3.
frontend/studyhub-app/package.json
frontend/studyhub-app/src/components/editor/RichTextEditor.jsx
frontend/studyhub-app/src/pages/notes/NoteEditor.jsx
Backend dependency updates and dev tooling bumps to clear security alerts and align with regenerated lockfiles.
  • Upgrade Anthropic SDK, AWS SDK clients, Sentry Node, Google Auth Library, Nodemailer, Posthog Node, Sharp, Stripe, and Svix to newer minor/patch versions.
  • Update dev tools (eslint, globals, Vitest) to latest compatible versions.
  • Leave override block intact while relying on regenerated lockfiles to bring transitive security fixes (form-data, brace-expansion, js-yaml, @babel/core) to patched levels.
backend/package.json
Tiptap math extension refactor to use v3 core imports.
  • Change MathExtension to import Node and mergeAttributes from @tiptap/core instead of @tiptap/react to align with v3 API expectations.
frontend/studyhub-app/src/components/editor/MathExtension.js
CI workflow update to pin Jscrambler GitHub Action to a newer release SHA.
  • Update jscrambler/code-integrity-actions/protect action reference to a new commit SHA corresponding to version 8.13.0 in the code-integrity workflow.
.github/workflows/jscrambler-code-integrity.yml
Release-log documentation update to record the consolidated Dependabot sweep and Tiptap migration.
  • Extend the v2.3.0 release-log entry with a summary of the consolidated dependency sweep, Tiptap v3 migration, Jscrambler upgrade, and lockfile regeneration so future reviewers understand the change context.
docs/release-log.md
Lockfile regeneration across root, backend, and frontend workspaces to synchronize dependency trees and resolve alerts.
  • Regenerate root package-lock.json via a root npm install to produce a coherent dependency graph across all workspaces.
  • Regenerate backend and frontend/studyhub-app package-lock.json files to align with the updated package.json manifests and ensure npm ci consistency.
  • Verify that alerted packages are at or above patched versions throughout the dependency tree, implicitly reflected in the new lockfiles.
package-lock.json
backend/package-lock.json
frontend/studyhub-app/package-lock.json

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploying studyhub with  Cloudflare Pages  Cloudflare Pages

Latest commit: bd96867
Status: ✅  Deploy successful!
Preview URL: https://5c596419.studyhub-2wc.pages.dev
Branch Preview URL: https://chore-dependabot-sweep-2026.studyhub-2wc.pages.dev

View logs

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've found 1 issue, and left some high level feedback:

Fixed security issues:

  • linkify-it (link) · Dashboard

  • frontend/studyhub-app/package-lock.json (link) · Dashboard

  • package-lock.json (link) · Dashboard

  • The Tiptap v3 configuration (StarterKit options, link isAllowedUri, undoRedo depth, placeholder behavior, etc.) is duplicated between RichTextEditor and NoteRichEditor; consider extracting a shared editor config/module to keep the behavior consistent and make future upgrades simpler.

  • The ws workspace override is currently scoped to frontend/studyhub-app; if any other workspace or the backend transitively pulls in ws, it may be worth centralizing this override (e.g., at the repo root) to ensure the patched version is enforced everywhere.

Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The Tiptap v3 configuration (StarterKit options, link `isAllowedUri`, undoRedo depth, placeholder behavior, etc.) is duplicated between `RichTextEditor` and `NoteRichEditor`; consider extracting a shared editor config/module to keep the behavior consistent and make future upgrades simpler.
- The `ws` workspace override is currently scoped to `frontend/studyhub-app`; if any other workspace or the backend transitively pulls in `ws`, it may be worth centralizing this override (e.g., at the repo root) to ensure the patched version is enforced everywhere.

## Individual Comments

### Comment 1
<location path="frontend/studyhub-app/src/components/editor/RichTextEditor.jsx" line_range="57-61" />
<code_context>
-          rel: 'noopener noreferrer nofollow',
-          target: '_blank',
-          class: 'sh-editor-link',
+        // v3: History was renamed UndoRedo; Underline + Link now ship
+        // inside StarterKit, so they are configured here instead of as
+        // standalone packages.
+        undoRedo: { depth: 100 },
+        link: {
+          openOnClick: false,
+          HTMLAttributes: {
</code_context>
<issue_to_address>
**issue (bug_risk):** Double-check the assumption that Underline and Link are included in `StarterKit` v3.

This change assumes Underline and Link are bundled in StarterKit v3 and configured via the `link` option, but historically StarterKit has not included all optional marks. If v3 does not actually include these, underline/link support will silently disappear while the build still passes. Please verify the StarterKit v3 extensions list; if Underline/Link aren’t included, keep importing and configuring them as separate extensions.
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Comment on lines +57 to +61
// v3: History was renamed UndoRedo; Underline + Link now ship
// inside StarterKit, so they are configured here instead of as
// standalone packages.
undoRedo: { depth: 100 },
link: {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

issue (bug_risk): Double-check the assumption that Underline and Link are included in StarterKit v3.

This change assumes Underline and Link are bundled in StarterKit v3 and configured via the link option, but historically StarterKit has not included all optional marks. If v3 does not actually include these, underline/link support will silently disappear while the build still passes. Please verify the StarterKit v3 extensions list; if Underline/Link aren’t included, keep importing and configuring them as separate extensions.

…coverage strip, hero chips + live stats

Research-driven UX pass over the Scholar surface (12-pattern category study
of Semantic Scholar / Elicit / Consensus / scite / Connected Papers /
ResearchRabbit / Undermind + NN/g, plan: docs/internal/plans/scholar-ux-polish-2026-07.md):

- useSavedPapers hook: Save/Cite now live on every PaperCard call site
  (search, landing discover grids, topic lists). Server-confirmed state
  (A4, no optimistic flip), shared scholar-saved:shelves SWR entry with
  the Saved page, prefix invalidation of scholar-saved:* on toggle.
- Compare side-by-side: previously a no-op button; now opens
  ScholarCompareSheet — a 2-4 paper matrix (year/venue/citations/OA/
  source/summary) built from loaded results, deep-link auto-open,
  stub column for ids that fell out of the result list.
- SourceStatusStrip: per-source coverage chips (throttled = amber via
  --sh-warning-*) replace the bare 'X throttled' string — honest
  federated-search feedback.
- Landing hero: wires the previously-dead TRY_CHIPS example queries and
  a live /api/scholar/stats corpus line (hidden on error/zeros).
- PaperCard: green PDF read-now action for open-access papers
  (--sh-success-* tokens), cleanAbstract() strips CrossRef/OpenAlex
  'ABSTRACT' lead-ins.
- ScholarPaperPage: ?tab=citations|references deep links (already
  emitted by PaperCard) now initialize the tab instead of being dropped.

Tokens only, no new hex; modals via FocusTrappedDialog. Tests +6
(cleanAbstract, PDF affordance rule, compare-sheet contract).
Frontend: lint 0 errors, build clean, 882 unit tests passed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant