[fix] Resolve all open vulnerabilities#4283
Pull request overview
This PR focuses on addressing reported vulnerabilities by updating dependency constraints and lockfiles across the web (pnpm) and Python (uv) parts of the repo, plus tightening a few npm/pnpm override rules.
Changes:
- Updated web dependencies/overrides (notably `axios`, `next`, `postcss`, `uuid`) and regenerated `web/pnpm-lock.yaml`.
- Updated Python dependency pins/locks (notably `agenta`, `daytona`, `pytest`, `pytest-asyncio`, OTel libs) across `api/`, `services/`, and `sdk/`.
- Removed some legacy test requirements files and example lockfiles, and adjusted GitHub Actions cache keys accordingly.
Reviewed changes
Copilot reviewed 19 out of 28 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| web/pnpm-lock.yaml | Regenerated pnpm lockfile with updated overrides and resolved versions (axios/next/postcss/uuid, etc.). |
| web/packages/agenta-ui/package.json | Tightened uuid dependency range to ^11.1.1. |
| web/packages/agenta-shared/package.json | Bumped uuid to ^11.1.1. |
| web/packages/agenta-playground/package.json | Bumped uuid to ^11.1.1. |
| web/packages/agenta-playground-ui/package.json | Bumped uuid to ^11.1.1. |
| web/packages/agenta-entity-ui/package.json | Tightened uuid dependency range to ^11.1.1. |
| web/packages/agenta-entities/package.json | Tightened uuid dependency range to ^11.1.1. |
| web/package.json | Added overrides for postcss and next, bumped axios override. |
| web/oss/package.json | Bumped next and uuid versions for OSS web app. |
| web/ee/package.json | Bumped uuid for EE web app. |
| services/uv.lock | Updated Python lockfile with newer agenta and related deps. |
| services/pyproject.toml | Bumped agenta, pytest, pytest-asyncio version ranges. |
| sdk/uv.lock | Updated SDK Python lockfile; bumped daytona, pytest, pytest-asyncio. |
| sdk/pyproject.toml | Bumped daytona, pytest, pytest-asyncio version ranges. |
| sdk/oss/tests/requirements.txt | Removed legacy test requirements file. |
| sdk/oss/tests/legacy/new_tests/requirements.test.txt | Updated legacy test requirements (pytest-asyncio, python-dotenv). |
| examples/node/observability-vercel-ai/package-lock.json | Removed example npm lockfile. |
| examples/node/observability-opentelemetry/pnpm-lock.yaml | Removed example pnpm lockfile. |
| docs/package.json | Added deps/overrides for vulnerable transitive packages (lodash/postcss/follow-redirects). |
| api/uv.lock | Updated API Python lockfile (agenta/pytest/pytest-asyncio/otel, etc.). |
| api/pyproject.toml | Bumped agenta, pytest, pytest-asyncio version ranges. |
| api/oss/tests/requirements.txt | Removed legacy test requirements file. |
| api/oss/tests/legacy/requirements.test.txt | Updated legacy test requirements (pytest-asyncio, python-dotenv). |
| .github/workflows/44-railway-tests.yml | Updated uv cache keys (but workflow still references removed requirements files). |
| .github/workflows/12-check-unit-tests.yml | Updated uv cache keys to stop hashing removed requirements files. |
Files not reviewed (4)
- docs/pnpm-lock.yaml: Language not supported
- examples/node/observability-opentelemetry/pnpm-lock.yaml: Language not supported
- examples/node/observability-vercel-ai/package-lock.json: Language not supported
- web/pnpm-lock.yaml: Language not supported
Actionable comments posted: 1
🧹 Nitpick comments (1)
web/packages/agenta-entity-ui/package.json (1)
32-32: 💤 Low value. Update `@types/uuid` from ^9.0.8 to ^11.0.0.
The uuid dependency at line 32 is now at ^11.1.1, but `@types/uuid` at line 55 remains at ^9.0.8. Version 11.0.0 of `@types/uuid` is now available and should be updated to keep type definitions aligned with the runtime library version.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 5a02c3f2-534c-47ca-86bb-1e113beddeda
⛔ Files ignored due to path filters (9)
- api/uv.lock is excluded by `!**/*.lock`
- docs/package-lock.json is excluded by `!**/package-lock.json`
- docs/pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
- examples/node/observability-opentelemetry/pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
- examples/node/observability-vercel-ai/package-lock.json is excluded by `!**/package-lock.json`
- examples/python/RAG_QA_chatbot/frontend/pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
- sdk/uv.lock is excluded by `!**/*.lock`
- services/uv.lock is excluded by `!**/*.lock`
- web/pnpm-lock.yaml is excluded by `!**/pnpm-lock.yaml`
📒 Files selected for processing (19)
- .github/workflows/12-check-unit-tests.yml
- .github/workflows/44-railway-tests.yml
- api/oss/tests/legacy/requirements.test.txt
- api/oss/tests/requirements.txt
- api/pyproject.toml
- docs/package.json
- sdk/oss/tests/legacy/new_tests/requirements.test.txt
- sdk/oss/tests/requirements.txt
- sdk/pyproject.toml
- services/pyproject.toml
- web/ee/package.json
- web/oss/package.json
- web/package.json
- web/packages/agenta-entities/package.json
- web/packages/agenta-entity-ui/package.json
- web/packages/agenta-playground-ui/package.json
- web/packages/agenta-playground/package.json
- web/packages/agenta-shared/package.json
- web/packages/agenta-ui/package.json
💤 Files with no reviewable changes (2)
- api/oss/tests/requirements.txt
- sdk/oss/tests/requirements.txt
Railway Preview Environment
Updated at 2026-05-06T14:41:42.255Z
Pull request overview
Copilot reviewed 19 out of 28 changed files in this pull request and generated 1 comment.
Files not reviewed (4)
- docs/pnpm-lock.yaml: Language not supported
- examples/node/observability-opentelemetry/pnpm-lock.yaml: Language not supported
- examples/node/observability-vercel-ai/package-lock.json: Language not supported
- web/pnpm-lock.yaml: Language not supported
Comments suppressed due to low confidence (2)
sdk/pyproject.toml:58
`sdk/run-tests.py` imports `from dotenv import load_dotenv`, but `python-dotenv` is not declared in this project's dependency-groups. The test runner currently relies on a transitive install (e.g., via `daytona`), which is fragile and can break if upstream deps change. Add `python-dotenv>=1,<2` to the `dev` dependency group (or to `dependencies` if required at runtime) so `uv sync` installs it explicitly.
```toml
[dependency-groups]
dev = [
    "posthog>=7,<8",
    "questionary>=2,<3",
    "setuptools>=80,<81",
    "uvicorn>=0.38,<0.39",
    "requests>=2,<3",
    "pexpect>=4,<5",
    "boto3>=1,<2",
    "click>=8,<9",
    "pytest>=9,<10",
    "pytest-asyncio>=1,<2",
    "pytest-xdist>=3,<4",
    "pytest-mock>=3,<4",
    "pytest-html>=4,<5",
]
```
services/pyproject.toml:31
`services/run-tests.py` imports `from dotenv import load_dotenv`, but `python-dotenv` is not declared in the `dev` dependency group. CI currently works only because `python-dotenv` happens to be pulled in transitively; please add `python-dotenv>=1,<2` to the `dev` group to make the test runner's dependencies explicit.
```toml
[dependency-groups]
dev = [
    "watchdog[watchmedo]>=3,<4",
    "requests>=2,<3",
    "click>=8,<9",
    "pytest>=9,<10",
    "pytest-asyncio>=1,<2",
    "pytest-xdist>=3,<4",
    "pytest-mock>=3,<4",
    "pytest-html>=4,<5",
]
```
| pip install "uv==0.11.9" | ||
| cd api | ||
| uv sync --locked --python 3.11 | ||
| uv pip install --python .venv/bin/python -r oss/tests/requirements.txt --editable ../sdk/ | ||
| uv pip install --python .venv/bin/python --editable ../sdk/ | ||
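Review bot: the step `uv pip install --python .venv/bin/python -r oss/tests/requirements.txt --editable ../sdk/` still reads `api/oss/tests/requirements.txt`, which this PR deletes (see the per-file summary), so the job will fail on a missing requirements file even though the cache keys were updated to stop hashing it. Drop that line; the next step, `uv pip install --python .venv/bin/python --editable ../sdk/`, already installs the SDK, and any packages the removed file provided belong in the `dev` dependency group that `uv sync --locked` resolves.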