Skip to content

Temporary PR to test the reusable CI workflow#616

Draft
tuomas777 wants to merge 5 commits into
mainfrom
RATY-350-test
Draft

Temporary PR to test the reusable CI workflow#616
tuomas777 wants to merge 5 commits into
mainfrom
RATY-350-test

Conversation

@tuomas777

Copy link
Copy Markdown
Contributor

DO NOT MERGE!

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c865f49-3899-4e06-9720-50dd2bb06534

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch RATY-350-test

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sonarqubecloud

Copy link
Copy Markdown

@github-actions

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
See the Details below.

Vulnerabilities

pnpm-lock.yaml

OpenSSF Scorecard

Scanned Files

  • .github/workflows/ci.yml
  • pnpm-lock.yaml
NameVersionVulnerabilitySeverityPatched Version
dompurify2.3.10DOMPurify vulnerable to tampering by prototype polutioncritical2.4.2
DOMPurify allows tampering by prototype pollutionhigh2.5.4
DOMpurify has a nesting-based mXSShigh2.5.0
DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)moderate3.4.11
DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside .contentmoderate3.4.7DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`moderate3.4.7DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checksmoderate3.4.6DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOMmoderate3.4.6DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)moderate3.4.0DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM modemoderate3.4.0DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluationmoderate3.4.0DOMPurify ADD_ATTR predicate skips URI validationmoderate3.3.2DOMPurify USE_PROFILES prototype pollution allows event handlersmoderate3.3.2DOMPurify is vulnerable to mutation-XSS via Re-Contextualization moderate3.3.2DOMPurify allows Cross-site Scripting (XSS)moderate3.2.4DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objectslowN/ADOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` outputlow3.4.9 PackageVersionScoreDetails actions/City-of-Helsinki/.github/.github/workflows/ci-pnpm-node.yml feature/KEH-351-dependency-review-ci UnknownUnknown npm/dompurify 2.3.10 🟢 9.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Dependency-Update-Tool🟢 10update tool detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Security-Policy🟢 10security policy file detected
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
Maintained🟢 1030 commit(s) and 19 issue activity found in the last 90 days -- score normalized to 10
Pinned-Dependencies🟢 10all dependencies are pinned
CII-Best-Practices🟢 7badge detected: Silver
SAST🟢 10SAST tool is run on all commits
License🟢 10license file detected
Fuzzing🟢 10project is fuzzed
Signed-Releases🟢 105 out of the last 5 releases have a total of 10 signed artifacts.
Vulnerabilities🟢 100 existing vulnerabilities detected
Branch-Protection🟢 8branch protection is not maximal on development and all release branches
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 40 contributing companies or organizations
npm/react-router 7.18.0 🟢 3.6
Details
CheckScoreReason
Code-Review⚠️ 1Found 5/29 approved changesets -- score normalized to 1
Security-Policy🟢 10security policy file detected
Maintained🟢 1030 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10
Packaging⚠️ -1packaging workflow not detected
Dangerous-Workflow⚠️ 0dangerous workflow patterns detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Fuzzing⚠️ 0project is not fuzzed
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

@azure-pipelines

Copy link
Copy Markdown

LINKEDCOMPONENTS-UI branch is deployed to platta: https://linkedcomponents-ui-pr616.dev.hel.ninja 🚀🚀🚀

@azure-pipelines

Copy link
Copy Markdown

e2e tests result is failed for https://linkedcomponents-ui-pr616.dev.hel.ninja 😿💢💥💥

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant