Security sweep + Scholar UX: clear all 7 Dependabot alerts (supersedes 9 bot PRs), Tiptap v3, Scholar upgrade#433
Security sweep + Scholar UX: clear all 7 Dependabot alerts (supersedes 9 bot PRs), Tiptap v3, Scholar upgrade#433Apexone11 wants to merge 2 commits into
Conversation
…tap v3 migration Supersedes Dependabot PRs #416, #417, #423-#429 in one lockfile-safe pass: - backend group (14): @anthropic-ai/sdk 0.110, @aws-sdk 3.1079, @sentry/node 10.63, google-auth-library 10.9, nodemailer 9.0.3, posthog-node 5.39.4, sharp 0.35.3, stripe 22.3, svix 1.96.1, eslint 10.6, globals 17.7, vitest 4.1.10 - frontend group (9): @capgo/capacitor-social-login 8.3.33, @sentry/react 10.63, @tanstack/react-virtual 3.14.5, posthog-js 1.396.8, react-router(-dom) 7.18.1, video.js 8.23.9, @axe-core/playwright 4.12.1, @playwright/test 1.61.1, vitest 4.1.10 - Tiptap v2 -> v3.27: StarterKit now hosts Link/Underline (undoRedo config key, isAllowedUri), Placeholder from @tiptap/extensions, consolidated table package, setContent options-object; 13 packages -> 8 - jscrambler/code-integrity-actions 8.11.3 -> 8.13.0 (SHA pin) - security: form-data 4.0.6, ws 8.21.0 (+ workspace override), js-yaml 4.2+, @babel/core 7.29.7, brace-expansion 5.0.7; markdown-it/linkify-it leave the tree entirely with @tiptap/pm v3 - root + backend + frontend lockfiles regenerated together (root npm install) Verified: backend lint/build/tests (3524 passed), frontend lint/build/unit (876 passed).
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Reviewer's GuideConsolidated dependency upgrade sweep across backend, frontend, and CI, plus a Tiptap v2→v3 editor migration and lockfile regeneration to resolve all current security alerts and align workspace installs. Sequence diagram for Tiptap v3 link validation and undo/redo configurationsequenceDiagram
actor User
participant RichTextEditor
participant useEditor
participant StarterKit
participant LinkExtension
participant ctx
User->>RichTextEditor: typeOrPasteLink
RichTextEditor->>useEditor: useEditor({ extensions, content, onUpdate })
useEditor->>StarterKit: StarterKit.configure({ undoRedo, link })
User->>LinkExtension: createOrUpdateLink(href)
LinkExtension->>LinkExtension: isAllowedUri(url, ctx)
LinkExtension->>ctx: defaultValidate(url)
ctx-->>LinkExtension: validationResult
LinkExtension-->>User: acceptOrRejectLink
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
Deploying studyhub with
|
| Latest commit: |
bd96867
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://5c596419.studyhub-2wc.pages.dev |
| Branch Preview URL: | https://chore-dependabot-sweep-2026.studyhub-2wc.pages.dev |
There was a problem hiding this comment.
Hey - I've found 1 issue, and left some high level feedback:
Fixed security issues:
-
The Tiptap v3 configuration (StarterKit options, link
isAllowedUri, undoRedo depth, placeholder behavior, etc.) is duplicated betweenRichTextEditorandNoteRichEditor; consider extracting a shared editor config/module to keep the behavior consistent and make future upgrades simpler. -
The
wsworkspace override is currently scoped tofrontend/studyhub-app; if any other workspace or the backend transitively pulls inws, it may be worth centralizing this override (e.g., at the repo root) to ensure the patched version is enforced everywhere.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The Tiptap v3 configuration (StarterKit options, link `isAllowedUri`, undoRedo depth, placeholder behavior, etc.) is duplicated between `RichTextEditor` and `NoteRichEditor`; consider extracting a shared editor config/module to keep the behavior consistent and make future upgrades simpler.
- The `ws` workspace override is currently scoped to `frontend/studyhub-app`; if any other workspace or the backend transitively pulls in `ws`, it may be worth centralizing this override (e.g., at the repo root) to ensure the patched version is enforced everywhere.
## Individual Comments
### Comment 1
<location path="frontend/studyhub-app/src/components/editor/RichTextEditor.jsx" line_range="57-61" />
<code_context>
- rel: 'noopener noreferrer nofollow',
- target: '_blank',
- class: 'sh-editor-link',
+ // v3: History was renamed UndoRedo; Underline + Link now ship
+ // inside StarterKit, so they are configured here instead of as
+ // standalone packages.
+ undoRedo: { depth: 100 },
+ link: {
+ openOnClick: false,
+ HTMLAttributes: {
</code_context>
<issue_to_address>
**issue (bug_risk):** Double-check the assumption that Underline and Link are included in `StarterKit` v3.
This change assumes Underline and Link are bundled in StarterKit v3 and configured via the `link` option, but historically StarterKit has not included all optional marks. If v3 does not actually include these, underline/link support will silently disappear while the build still passes. Please verify the StarterKit v3 extensions list; if Underline/Link aren’t included, keep importing and configuring them as separate extensions.
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
| // v3: History was renamed UndoRedo; Underline + Link now ship | ||
| // inside StarterKit, so they are configured here instead of as | ||
| // standalone packages. | ||
| undoRedo: { depth: 100 }, | ||
| link: { |
There was a problem hiding this comment.
issue (bug_risk): Double-check the assumption that Underline and Link are included in StarterKit v3.
This change assumes Underline and Link are bundled in StarterKit v3 and configured via the link option, but historically StarterKit has not included all optional marks. If v3 does not actually include these, underline/link support will silently disappear while the build still passes. Please verify the StarterKit v3 extensions list; if Underline/Link aren’t included, keep importing and configuring them as separate extensions.
…coverage strip, hero chips + live stats Research-driven UX pass over the Scholar surface (12-pattern category study of Semantic Scholar / Elicit / Consensus / scite / Connected Papers / ResearchRabbit / Undermind + NN/g, plan: docs/internal/plans/scholar-ux-polish-2026-07.md): - useSavedPapers hook: Save/Cite now live on every PaperCard call site (search, landing discover grids, topic lists). Server-confirmed state (A4, no optimistic flip), shared scholar-saved:shelves SWR entry with the Saved page, prefix invalidation of scholar-saved:* on toggle. - Compare side-by-side: previously a no-op button; now opens ScholarCompareSheet — a 2-4 paper matrix (year/venue/citations/OA/ source/summary) built from loaded results, deep-link auto-open, stub column for ids that fell out of the result list. - SourceStatusStrip: per-source coverage chips (throttled = amber via --sh-warning-*) replace the bare 'X throttled' string — honest federated-search feedback. - Landing hero: wires the previously-dead TRY_CHIPS example queries and a live /api/scholar/stats corpus line (hidden on error/zeros). - PaperCard: green PDF read-now action for open-access papers (--sh-success-* tokens), cleanAbstract() strips CrossRef/OpenAlex 'ABSTRACT' lead-ins. - ScholarPaperPage: ?tab=citations|references deep links (already emitted by PaperCard) now initialize the tab instead of being dropped. Tokens only, no new hex; modals via FocusTrappedDialog. Tests +6 (cleanAbstract, PDF affordance rule, compare-sheet contract). Frontend: lint 0 errors, build clean, 882 unit tests passed.
Summary
One consolidated PR, per founder request: all dependency/security work + the Scholar UX upgrade. Supersedes and closes Dependabot PRs #416, #417, #423, #424, #425, #426, #427, #428, #429.
Part 1 — Security: all 7 open Dependabot alerts cleared
Why one PR instead of merging the 9 bot PRs: they all edit the same lockfiles and conflict, and per-workspace merges leave the root
package-lock.jsondrifting — the exactnpm ci EUSAGEfailure that broke Cloudflare deploys before. Root + backend + frontend lockfiles were regenerated together from a rootnpm install(CLAUDE.md workspace-lockfile rule).Also included: backend minor-patch group (14 = #426), frontend minor-patch group (9 = #427), jscrambler action 8.13.0 SHA pin (= #425), and the full Tiptap v2 → v3.27 editor migration (= #423/#424): StarterKit-hosted Link/Underline (
undoRedo,isAllowedUri), Placeholder from@tiptap/extensions, consolidated table package,setContent(html, { emitUpdate: false }), MathExtension imports from@tiptap/core. 13 tiptap packages → 8, single deduped v3.27.4 tree.Remaining security items (repo-wide status after this PR):
Part 2 — Scholar UX upgrade (research-driven)
Based on a 12-pattern study of Semantic Scholar, Elicit, Consensus, scite, Connected Papers, ResearchRabbit, Undermind + NN/g guidance:
useSavedPapershook — server-confirmed state (CLAUDE.md A4, no optimistic flip), sharedscholar-saved:shelvesSWR entry with the Saved page, prefix invalidation on toggle.?compare=deep links, stub column for papers that fell out of the results.TRY_CHIPS) + live corpus stats from/api/scholar/stats(hidden on error/zeros).?tab=citations|referencesdeep links now initialize the paper-page tab (they were silently dropped).--sh-success-*",--sh-warning-*), dark mode inherits, modals viaFocusTrappedDialog`, all new controls labeled.Validation
Known-red check:
playwright-smokefails on this PR with the identical signature it has had on everymainrun since 2026-06-02 (verified: last 5 main runs all failed; same spec files). Pre-existing baseline, not introduced here — worth a separate fix pass.🤖 Generated with Claude Code