
TUSC-485 Resolve dependency vulnerabilities#568

Status: Open
lukegrn wants to merge 1 commit into main from TUSC-485

Conversation

@lukegrn lukegrn commented May 21, 2026

This updates our dependencies to address security concerns flagged by dependabot. It also makes a couple small changes based on issues that arose from these dependency updates.

Summary by Sourcery

Refactor user authentication and permission utilities to accept a Chrome API instance instead of using the useChrome hook, and update the user hook, tests, and build dependencies accordingly.

Enhancements:

  • Refactor platform service helpers to take a ChromeAPI instance for authentication and RBAC permissions instead of relying on useChrome internally.
  • Update the useUser hook to obtain the Chrome instance itself and call the refactored authentication and permissions helpers.

Build:

  • Remove the node-sass dependency from the project.

Tests:

  • Adjust platform services and user hook tests to work with the refactored authentication and RBAC permission helpers and mock the Chrome hook explicitly.

Chores:

  • Clean up an unused PatternFly Sass utilities import from the subscriptions widget styles.
  • Regenerate the package lockfile to reflect updated dependencies.

@lukegrn lukegrn requested a review from a team May 21, 2026 18:17
@lukegrn lukegrn added the dependencies Pull requests that update a dependency file label May 21, 2026
sourcery-ai Bot commented May 21, 2026

Reviewer's Guide

Refactors platform service helpers to accept a Chrome API instance instead of using the useChrome hook directly, updates the useUser hook and its tests accordingly, and removes an obsolete SCSS import along with the node-sass dependency as part of dependency security updates.

Sequence diagram for updated useUser hook interactions

```mermaid
sequenceDiagram
  actor UserComponent
  participant useUser
  participant useChrome
  participant useQuery
  participant authenticateUser
  participant getUserRbacPermissions
  participant chrome

  UserComponent->>useUser: call useUser()
  useUser->>useChrome: useChrome()
  useChrome-->>useUser: ChromeAPI instance
  useUser->>useQuery: useQuery({ queryKey: ['user'], queryFn })
  activate useQuery
  useQuery->>authenticateUser: authenticateUser(chrome)
  authenticateUser->>chrome: chrome.auth.getUser()
  chrome-->>authenticateUser: user
  useQuery->>getUserRbacPermissions: getUserRbacPermissions(chrome)
  getUserRbacPermissions->>chrome: chrome.getUserPermissions('subscriptions')
  chrome-->>getUserRbacPermissions: RbacPermission[]
  useQuery-->>UserComponent: User data with permissions
  deactivate useQuery
```

File-Level Changes

Refactor platform service helpers to take an explicit ChromeAPI parameter instead of relying on the useChrome hook internally.
  • Introduced the ChromeAPI type from @redhat-cloud-services/types for stronger typing of Chrome usage.
  • Replaced the async useAuthenticateUser function with authenticateUser(chrome) that receives a ChromeAPI instance and uses chrome.auth.getUser().
  • Replaced useUserRbacPermissions with getUserRbacPermissions(chrome) that calls chrome.getUserPermissions('subscriptions').
  • Updated exported symbols from platformServices to reflect the new authenticateUser and getUserRbacPermissions function names.
  Files: src/utilities/platformServices.ts

Update the useUser hook to work with the refactored platform service functions and the useChrome hook.
  • Imported useChrome directly in the useUser hook instead of relying on platformServices to obtain Chrome.
  • Initialized a local chrome instance via useChrome().
  • Updated the queryFn to call authenticateUser(chrome) and getUserRbacPermissions(chrome) instead of awaiting precomputed promises from hook-like helpers.
  Files: src/hooks/useUser.ts

Adapt tests to the renamed platform service functions and to the new chrome usage pattern.
  • Updated Jest mocks in useUser tests to mock authenticateUser and getUserRbacPermissions instead of the old useAuthenticateUser and useUserRbacPermissions helpers.
  • Added a Jest mock for @redhat-cloud-services/frontend-components/useChrome to provide a stubbed chrome object in tests.
  • Adjusted test expectations and mock setup to work with the new function signatures and invocation style.
  • Prepared (or to-be-updated) platformServices tests to cover the new authenticateUser and getUserRbacPermissions behavior.
  Files: src/hooks/__tests__/useUser.test.tsx, src/utilities/__tests__/platformServices.test.ts

Remove obsolete Sass import and node-sass dependency aligned with dependency/security upgrades.
  • Removed the global PatternFly Sass utilities import from the SubscriptionsWidget stylesheet, relying on existing CSS instead.
  • Removed node-sass from devDependencies to align with the tooling stack and reduce vulnerable dependency surface.
  • Updated package-lock.json to reflect dependency changes from security-related upgrades.
  Files: src/components/Widgets/SubscriptionsWidget.scss, package.json, package-lock.json

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've found 2 issues, and left some high level feedback:

  • In platformServices.ts, useChrome is now unused after switching to authenticateUser(chrome) and getUserRbacPermissions(chrome) and can be removed to avoid dead imports.
  • src/utilities/__tests__/platformServices.test.ts likely needs to be updated to call authenticateUser/getUserRbacPermissions with a mocked ChromeAPI instead of assuming those functions obtain chrome internally, otherwise the tests will no longer align with the new API.
## Individual Comments

### Comment 1
<location path="src/hooks/useUser.ts" line_range="17-18" />
<code_context>
     queryFn: async () => {
-      const userStatus = await authenticateUser;
-      const rawRbacPermissions = await userRbacPermissions;
+      const userStatus = await authenticateUser(chrome);
+      const rawRbacPermissions = await getUserRbacPermissions(chrome);
       const rbacPermissions = rawRbacPermissions.map((rawPermission) => rawPermission.permission);
       const user: User = {
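Review bot: the two awaits at the top of queryFn run independent calls back to back, so the query's latency is auth plus RBAC rather than the slower of the two; replace them with `const [userStatus, rawRbacPermissions] = await Promise.all([authenticateUser(chrome), getUserRbacPermissions(chrome)]);`, which keeps the failure semantics (a rejection from either still fails the whole query). Separately, `chrome` is now captured from the hook's scope into a queryFn keyed only by `['user']`; that is fine provided useChrome returns the same instance for the component's lifetime, which is worth confirming and noting in a comment in the hook.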
</code_context>
<issue_to_address>
**suggestion (performance):** Run authentication and RBAC permission fetching in parallel to reduce latency.

These two awaits are independent, so they’re now adding their latencies (`auth + rbac`). Consider running them in parallel to reduce query time:

```ts
const [userStatus, rawRbacPermissions] = await Promise.all([
  authenticateUser(chrome),
  getUserRbacPermissions(chrome),
]);
```
This preserves behavior while improving responsiveness.
</issue_to_address>

### Comment 2
<location path="src/hooks/__tests__/useUser.test.tsx" line_range="19-21" />
<code_context>
+  getUserRbacPermissions: jest.fn()
+}));
+
+jest.mock('@redhat-cloud-services/frontend-components/useChrome', () => ({
+  __esModule: true,
+  default: () => ({})
 }));
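Review bot: `default: () => ({})` returns a fresh empty object on every call, so the test cannot check that the object useChrome returned is the one handed to `authenticateUser`/`getUserRbacPermissions`, and a hook that stopped passing `chrome` through would still pass. Hoist a single `const mockChrome = { ... }` above the `jest.mock` call and return it from the factory (Jest's hoisting permits factory references to variables whose names start with `mock`), then assert `toHaveBeenCalledWith(mockChrome)` on both helpers.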

</code_context>
<issue_to_address>
**suggestion (testing):** Strengthen the useChrome mock by asserting the hook passes the chrome instance into authenticateUser/getUserRbacPermissions

Since `useUser` now creates a `chrome` instance via `useChrome` and passes it into `authenticateUser` / `getUserRbacPermissions`, the test should verify that wiring. For example, have the mock return a stable object (e.g. `const mockChrome = { ... }`) and assert:

- `expect(authenticateUser).toHaveBeenCalledWith(mockChrome)`
- `expect(getUserRbacPermissions).toHaveBeenCalledWith(mockChrome)`

This will cover the new parameterization and catch regressions if `chrome` stops being passed through correctly.

Suggested implementation:

```typescript
const mockChrome = { isBeta: false };

jest.mock('../../utilities/platformServices', () => ({
  ...(jest.requireActual('../../utilities/platformServices') as Record<string, unknown>),
  authenticateUser: jest.fn(),
  getUserRbacPermissions: jest.fn()
}));
```

```typescript
jest.mock('@redhat-cloud-services/frontend-components/useChrome', () => ({
  __esModule: true,
  default: () => mockChrome
}));

```

To fully implement your suggestion, you also need to update the test assertions (inside the relevant `it`/`test` blocks that exercise `useUser`) to verify that the chrome instance from the hook is passed into `authenticateUser` and `getUserRbacPermissions`.

After the code path that triggers those calls (e.g. after rendering the hook and awaiting any async effects), add assertions like:

```ts
import { authenticateUser, getUserRbacPermissions } from '../../utilities/platformServices';
// ...

expect(authenticateUser).toHaveBeenCalledWith(mockChrome);
expect(getUserRbacPermissions).toHaveBeenCalledWith(mockChrome);
```

If `authenticateUser` or `getUserRbacPermissions` accept additional parameters in your codebase, adjust the expectations accordingly, for example using `toHaveBeenCalledWith(mockChrome, expectedArg2, ...)` or `toHaveBeenCalledWith(expect.objectContaining(mockChrome), ...)`.
</issue_to_address>

@lukegrn lukegrn changed the title Resolve dependency vulnerabilities TUSC-485 Resolve dependency vulnerabilities May 21, 2026
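The refactor described in the reviewer's guide (helpers that take a ChromeAPI instance) together with the Promise.all change from Comment 1 and the pass-through check from Comment 2, as an added TypeScript example that is not the project's code: ChromeLike, the two loaders and makeStubChrome are assumptions standing in for ChromeAPI, useUser's queryFn and the Jest mocks, and the stub's event log makes the sequential versus parallel interleaving observable.

```typescript
// Added example, not the project's code. ChromeLike is a minimal structural
// stand-in for ChromeAPI from @redhat-cloud-services/types (assumption).
export type UserStatus = { identity: { user?: { username: string } } };
export type RbacPermission = { permission: string };
export interface ChromeLike {
  auth: { getUser: () => Promise<UserStatus> };
  getUserPermissions: (app: string) => Promise<RbacPermission[]>;
}

// The refactored helpers: chrome is injected rather than obtained via useChrome.
export const authenticateUser = (chrome: ChromeLike) => chrome.auth.getUser();
export const getUserRbacPermissions = (chrome: ChromeLike) =>
  chrome.getUserPermissions('subscriptions');

// queryFn body as in the PR: the RBAC call starts only after auth resolves.
export async function loadUserSequential(chrome: ChromeLike) {
  const userStatus = await authenticateUser(chrome);
  const rawRbacPermissions = await getUserRbacPermissions(chrome);
  return { userStatus, rbacPermissions: rawRbacPermissions.map((p) => p.permission) };
}

// queryFn body with Comment 1 applied: both calls are in flight at once; a
// rejection from either still rejects the whole query, so behaviour is unchanged.
export async function loadUserParallel(chrome: ChromeLike) {
  const [userStatus, rawRbacPermissions] = await Promise.all([
    authenticateUser(chrome),
    getUserRbacPermissions(chrome),
  ]);
  return { userStatus, rbacPermissions: rawRbacPermissions.map((p) => p.permission) };
}

// Constructed stub (plain object, not a Jest mock): logs start/done events so the
// interleaving is observable. Any event proves this exact instance reached the
// helpers, which is the wiring Comment 2 asks the test to assert.
export function makeStubChrome(permissions: string[]) {
  const events: string[] = [];
  async function later<T>(label: string, value: T): Promise<T> {
    events.push(`${label}:start`);
    await Promise.resolve(); // yield one microtask, like a real async call
    events.push(`${label}:done`);
    return value;
  }
  const chrome: ChromeLike = {
    auth: { getUser: () => later('auth', { identity: { user: { username: 'alice' } } }) },
    getUserPermissions: (app) =>
      later(`rbac(${app})`, permissions.map((permission) => ({ permission }))),
  };
  return { chrome, events };
}
```

With the sequential loader the stub logs auth:start, auth:done, rbac:start, rbac:done; with Promise.all both start entries appear before either done entry.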