Mariano/fix trigger 3

[Marfuen]

What does this PR do?

• Fixes #XXXX (GitHub issue number)
• Fixes COMP-XXXX (Linear issue number - should be visible at the bottom of the GitHub issue description)

Visual Demo (For contributors especially)

A visual demonstration is strongly recommended, for both the original and new change (video / image - any one).

Video Demo (if applicable):

• Show screen recordings of the issue or feature.
• Demonstrate how to reproduce the issue, the behavior before and after the change.

Image Demo (if applicable):

• Add side-by-side screenshots of the original and updated change.
• Highlight any significant change(s).

Mandatory Tasks (DO NOT REMOVE)

• I have self-reviewed the code (A decent size PR without self-review might be rejected).
• I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. If N/A, write N/A here and check the checkbox.
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

• Are there environment variables that should be set?
• What are the minimal test data to have?
• What is expected (happy path) to have (input and output)?
• Any other important info that could help to test that PR

Checklist

• I haven't read the contributing guide
• My code doesn't follow the style guidelines of this project
• I haven't commented my code, particularly in hard-to-understand areas
• I haven't checked if my changes generate no new warnings

[comp-ai-code-review]

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

OSV scan found xlsx@0.18.5 with two HIGH GHSA issues (Prototype Pollution, ReDoS) and ai@5.0.0 with a LOW GHSA (filetype whitelist bypass).

---

📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

Package	Version	CVE	Severity	CVSS	Summary	Fixed In
xlsx	0.18.5	GHSA-4r6h-8v6p-xvw6	HIGH	N/A	Prototype Pollution in sheetJS	No fix yet
xlsx	0.18.5	GHSA-5pgg-2g8v-p4x9	HIGH	N/A	SheetJS Regular Expression Denial of Service (ReDoS)	No fix yet
ai	5.0.0	GHSA-rwvc-j5jr-mgvh	LOW	N/A	Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files	5.0.52

---

🛡️ Code Security Analysis

View 1 file(s) with issues

🔴 .github/workflows/trigger-tasks-deploy-main.yml (HIGH Risk)

#	Issue	Risk Level
1	Secrets exposed to bunx trigger.dev deploy (env available to third-party code)	HIGH
2	Secrets accessible on runner (custom/self-hosted runner label), exfiltration risk	HIGH
3	bun install can execute package install scripts, enabling supply-chain RCE	HIGH
4	Debug log-level may cause secrets to be printed in logs	HIGH
5	Workflow uses loose action tags (major versions), increasing supply-chain risk	HIGH

Recommendations:

1. Do not pass long-lived secrets directly into third-party CLIs run via bunx. Prefer using GitHub OIDC where possible, short-lived tokens, or a pinned/trusted runner action that performs the deploy and is pinned to an immutable SHA.
2. Use GitHub-hosted ephemeral runners (e.g., runs-on: ubuntu-latest) or ensure strong isolation/hardening of self-hosted runners (ephemeral runner images, strict network egress restrictions, least privilege, automatic reprovisioning) so build-time secrets cannot be exfiltrated.
3. Always avoid running package managers in a mode that allows install scripts to run unless necessary. Change the install fallback to keep --ignore-scripts consistently (e.g., remove the non-ignored fallback) or audit all postinstall/install scripts in dependencies and lockfile before allowing script execution.
4. Remove or reduce debug/log-level in CI deploy commands (avoid --log-level debug) and ensure secrets are masked. Review CLI logging behavior of trigger.dev to confirm sensitive env vars are not emitted; if they are, remove them or use different authentication flows.
5. Pin actions and third-party packages to immutable references (commit SHAs or fully-qualified version shas) rather than floating major tags, and pin the bunx package or run a vetted binary. Example: use actions/checkout@ and oven-sh/setup-bun@ or pinned release artifacts.
6. Limit the scope of tokens passed (principle of least privilege), rotate tokens frequently, and audit access (who/what can read the secrets). Consider moving sensitive operations to a minimal, audited action or remote deploy environment that does not run arbitrary repository code with secrets.

---

💡 Recommendations

View 3 recommendation(s)

1. Bump ai in package.json to a fixed release (>= 5.0.52 per the advisory) and regenerate your lockfile so the patched version is installed.
2. Upgrade xlsx from 0.18.5 to a patched release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9; update package.json/lockfile and run a full reinstall to ensure the fixed version is used.
3. Harden code that parses user-supplied Excel files: enforce file size/type limits before parsing, parse asynchronously with timeouts or worker isolation, and validate/sanitize workbook contents to reduce impact of ReDoS and prototype-pollution vectors.

---

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 20, 2025

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
app	Skipped			Nov 20, 2025 7:39pm
portal	Skipped			Nov 20, 2025 7:39pm

[claudfuen]

🎉 This PR is included in version 1.60.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀