Skip to content

sec(frontend): pin npm dependencies to exact versions (closes #425)#872

Open
cristim wants to merge 1 commit into
mainfrom
fix/425-wave19
Open

sec(frontend): pin npm dependencies to exact versions (closes #425)#872
cristim wants to merge 1 commit into
mainfrom
fix/425-wave19

Conversation

@cristim

@cristim cristim commented May 30, 2026

Copy link
Copy Markdown
Member

Summary

  • Replaces all 29 caret (^) version ranges in frontend/package.json with the exact versions already recorded in package-lock.json.
  • Eliminates the attack surface where npm install (rather than npm ci) resolves a newer minor/patch release that may carry unaudited CVEs.
  • No functional change: every pinned version is the version currently installed; the lockfile is unchanged.

Test plan

  • All 29 dependencies + devDependencies entries verified to match package-lock.json exactly (node script).
  • npx tsc --noEmit -- no errors.
  • npm test --coverage -- 65 suites, 2142 tests passed, 1 skipped.
  • npm ci in a clean environment (disk full locally; CI will exercise this).

Summary by CodeRabbit

  • Chores
    • Updated frontend tooling and library versions, including build, testing, linting, and TypeScript-related packages.
    • Upgraded the charting library to a newer release.
    • Locked package versions to exact values for more predictable installs and builds.

@cristim cristim added triaged Item has been triaged priority/p3 Polish / idea / may never ship severity/low Minor harm urgency/eventually No deadline impact/internal Team-internal only effort/s Hours type/security Security finding labels May 30, 2026
@cristim

cristim commented May 30, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f3ebd3cc-c5bf-49d4-b502-349f15e2b4ef

📥 Commits

Reviewing files that changed from the base of the PR and between 60526ce and 6f2d921.

📒 Files selected for processing (1)
  • frontend/package.json

📝 Walkthrough

Walkthrough

This change updates frontend/package.json, bumping multiple devDependencies (Babel, TypeScript tooling, Jest, ESLint, Webpack stack, loaders/plugins, jsdom) and pinning them to exact version specifiers instead of caret ranges. The chart.js dependency version is also bumped.

Changes

Frontend dependency version updates

Layer / File(s) Summary
Pin devDependencies and bump chart.js version
frontend/package.json
DevDependencies are bumped and pinned to exact versions (removed caret ranges), and chart.js is bumped while qrcode is left unchanged.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related issues: None specified

Related PRs: None specified

Suggested labels: dependencies, frontend

Suggested reviewers: None specified

🐰 A carrot-crunch, a version bump,
No caret left, just numbers plump,
Chart.js grows a whisker more,
Frontend deps now locked and sure.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely matches the main change: pinning frontend npm dependencies to exact versions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/425-wave19

Comment @coderabbitai help to get the list of available commands.

@coderabbitai

coderabbitai Bot commented May 30, 2026

Copy link
Copy Markdown
Contributor
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim

cristim commented Jun 4, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 4, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@cristim

cristim commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai full review

@coderabbitai

coderabbitai Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Full review finished.

@cristim

cristim commented Jun 19, 2026

Copy link
Copy Markdown
Member Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Replace all 29 caret ranges (^) in package.json with the exact versions
already recorded in package-lock.json. Exact pins eliminate the window
where `npm install` (vs `npm ci`) resolves a newer minor/patch that may
carry unaudited CVEs, and make supply-chain review straightforward.

No functional change: every pinned version is the version currently
installed, so the lockfile is unchanged.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

effort/s Hours impact/internal Team-internal only priority/p3 Polish / idea / may never ship severity/low Minor harm triaged Item has been triaged type/security Security finding urgency/eventually No deadline

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant