fix(deps): patch markdown-it ReDoS vulnerability #143
- OrchestrationState: use getTask() helper instead of direct taskQueue.find() to correctly detect cancelled deps in completedTasks (CodeRabbit #134)
- DiffViewer: combine additions/deletions into single-pass useMemo (Gemini #134)
- DiffViewer: export parseDiff for testability
- diff-viewer.perf.test: rename to kebab-case, add memoization spy test verifying parseDiff is NOT called on re-render (Amazon Q + Gemini #134)
- FileTree: pass selectedPath directly instead of converting undefined to empty string which changes "no selection" semantics (Amazon Q #139)
- sonar-project.properties: remove stale app/_layout.tsx comment (CodeRabbit #139)
- create-project: add auth error detection with recovery guidance (Amazon Q #132)

https://claude.ai/code/session_01PQd4hGQQpmGTgpHc7kGjAE

…ibility
- Add missing organic border-radius variants to Tailwind config (hero, cta, modal, toast, code) and replace inline/arbitrary values in NotFound, welcome, complete, and AgentDetail pages (#80)
- Add shadow-organic-card to card surfaces across detail pages, onboarding screens, and settings for proper visual hierarchy (#82)
- Enhance Skeleton with SkeletonText and SkeletonCard compound components, build Pagination component with organic styling (#83)
- Fix accessibility: aria-hidden on decorative dots, aria-live on typing indicator and progress, aria-label on search input and role icon, progressbar role on task progress (#86)

https://claude.ai/code/session_01PQd4hGQQpmGTgpHc7kGjAE
Add pnpm override to force markdown-it >=14.1.1, fixing the moderate Regular Expression Denial of Service vulnerability in the transitive dependency (Dependabot alert #11).

https://claude.ai/code/session_01PQd4hGQQpmGTgpHc7kGjAE
Summary of Changes

Hello @jbdevprimary, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on enhancing the project's security posture by resolving a moderate ReDoS vulnerability. It achieves this by introducing a pnpm override to ensure that the
This PR correctly patches the markdown-it ReDoS vulnerability by adding a pnpm override. The change follows the existing override pattern and maintains valid JSON syntax. The security fix addresses a moderate severity vulnerability in a transitive dependency without introducing any issues.
Caution: Review failed. The pull request is closed.

Walkthrough

Added a new pnpm package override for markdown-it version >=14.1.1 in package.json alongside the existing
Code Review
This pull request correctly addresses a moderate ReDoS vulnerability in the transitive markdown-it dependency by adding a pnpm override in package.json. The change forces the resolution of markdown-it to version 14.1.1 or higher, which contains the fix. This is a good and standard approach to patching vulnerabilities in transitive dependencies. The change is clear, concise, and effectively resolves the security alert.
Summary

- Add pnpm override to force `markdown-it >= 14.1.1` to fix Dependabot alert #11
- Moderate ReDoS vulnerability in the transitive `markdown-it` dependency (used by `typedoc-plugin-markdown`)
- Updated `pnpm-lock.yaml` to resolve `markdown-it@14.1.1`

Test plan

- `pnpm install` resolves cleanly
- `pnpm audit --prod --audit-level=moderate` shows no issues

https://claude.ai/code/session_01PQd4hGQQpmGTgpHc7kGjAE