
fix: resolve docs Dependabot advisories #519

Merged

adityathebe merged 4 commits into main from dependabot-alerts-fix on Jul 3, 2026

Conversation

adityathebe (Member) commented Jul 3, 2026

Dependabot reported critical, high, and medium dependency advisories across the docs sites.

Refresh vulnerable npm/Pipfile locks, upgrade Docusaurus/webpack-related dependencies, remove vulnerable image/browser fs dependency chains, and pin patched transitive packages where needed.

The Docusaurus upgrade also updates the local swizzled components that referenced moved internal theme APIs. The formatting task now pins Prettier to avoid CI drifting to newer formatter output and forcing unrelated markdown changes.

Summary by CodeRabbit

  • New Features

    • Improved copy-to-clipboard behavior in terminal output, with clearer “Copy”/“Copied” states and a more reliable clipboard fallback.
  • Bug Fixes

    • Updated the docs build pipeline to simplify image asset handling for more predictable processing.
    • Adjusted browser bundling for Node fs usage by disabling the previous client-side polyfill.
  • Chores

    • Upgraded Docusaurus dependencies, added version pins, and raised the minimum Node.js version for docs tooling.
    • Pinned Prettier execution in formatting tasks to a specific version.

vercel Bot commented Jul 3, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview | Jul 3, 2026 4:56pm |

netlify Bot commented Jul 3, 2026

Deploy Preview for canarychecker failed.

| Name | Link |
| --- | --- |
| 🔨 Latest commit | ebe458d |
| 🔍 Latest deploy log | https://app.netlify.com/projects/canarychecker/deploys/6a47e9717104e700098fc66c |

coderabbitai Bot commented Jul 3, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fd2d7b3a-20ff-4c71-a562-c612a5493cfc

📥 Commits

Reviewing files that changed from the base of the PR and between 4c37921 and ebe458d.

⛔ Files ignored due to path filters (1)
  • canary-checker/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • canary-checker/package.json
  • common/src/theme/Layout/index.tsx
🚧 Files skipped from review as they are similar to previous changes (2)
  • canary-checker/package.json
  • common/src/theme/Layout/index.tsx

Walkthrough

This PR upgrades Docusaurus dependencies to 3.10.1 in canary-checker and mission-control, removes image-webpack-loader and browserify-fs from webpack-related setup, pins the Prettier version in Taskfile, inlines a CopyButton component with clipboard fallback logic, and adjusts the shared Layout theme component.

Changes

Dependency upgrade and build configuration

| Layer | File(s) | Summary |
| --- | --- | --- |
| Docusaurus package version bumps and overrides | canary-checker/package.json, mission-control/package.json | Docusaurus dependencies and devDependencies bump from 3.7.0 to 3.10.1, image-webpack-loader/browserify-fs are removed, overrides add serialize-javascript and uuid, and engines.node is set in canary-checker. |
| Webpack loader and fs fallback changes | canary-checker/plugins/my-loaders/index.js, mission-control/src/plugins/my-loaders/index.js, mission-control/docusaurus.config.ts | Image loader rules are simplified to use only file-loader, and the webpack fs fallback switches from a browserify-fs polyfill to false. |
| Pinned Prettier invocation in Taskfile | Taskfile.yml | fmt and fmt:check now run Prettier via npx --yes prettier@3.8.1 instead of an unpinned npx prettier call. |

CopyButton inlining and Layout theme adjustments

| Layer | File(s) | Summary |
| --- | --- | --- |
| Inline CopyButton with clipboard copy logic | common/src/components/TerminalOutput.jsx | Replaces the imported CopyButton with a local implementation managing copied state, timeout cleanup, and clipboard copy via navigator.clipboard.writeText with an execCommand('copy') fallback. |
| Layout container class and keyboard navigation removal | common/src/theme/Layout/index.tsx | Removes the useKeyboardNavigation import and call, and adds ThemeClassNames.layout.main.container to the main container's clsx class list. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant User
  participant CopyButton
  participant ClipboardAPI
  User->>CopyButton: click copy
  CopyButton->>ClipboardAPI: navigator.clipboard.writeText(code)
  ClipboardAPI-->>CopyButton: success or failure
  CopyButton->>CopyButton: fallback execCommand('copy') if needed
  CopyButton->>CopyButton: set copied state, schedule reset timeout
```

Possibly related PRs

  • flanksource/docs#486: Also changes mission-control/docusaurus.config.ts around fs handling in the webpack/configuration path.

Suggested labels: dependencies, build

Suggested reviewers: None identified.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the PR's main goal: fixing docs-site Dependabot advisories. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@canary-checker/docs/scripting/_functions.md`:
- Around line 3-12: The table in _functions.md has a column layout mismatch: the
header/body are using three columns, but the separator row still reflects the
old wider schema. Update the markdown table definition for the function list so
the separator row matches the actual columns used by the rows, keeping the
formatting consistent with the entries like len, index, and print.

In `@common/src/components/TerminalOutput.jsx`:
- Around line 28-29: The copied-state timeout in TerminalOutput is being
replaced without cancelling any previously scheduled timeout, so rapid clicks
can let an older timer clear copied too early. Update the click handling around
the copied state and timeoutRef.current to clear any existing timeout before
scheduling a new one, and make sure the timer is consistently managed in the
same component logic that sets copied true and false.
- Around line 11-30: The copyToClipboard function in TerminalOutput.jsx awaits
navigator.clipboard.writeText without handling rejection, so a failed clipboard
write can escape as an unhandled promise and skip the copied state update. Wrap
the async clipboard write in copyToClipboard with error handling, and if the
navigator.clipboard path fails, fall back to the existing
textarea/document.execCommand copy logic before setting copied state and
scheduling the timeout.

In `@mission-control/docs/guide/config-db/scrapers/azure.md`:
- Around line 67-86: Fix the Markdown table formatting in the resource types
section by removing the unintended extra separator column and the stray trailing
“+” cell in the final row. Update the table rows around the resource type
mappings so they all follow the same two-column structure as the other entries,
keeping the alignment consistent for the Azure docs table.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 774ec39c-4159-4aef-9443-5ccae86683c2

📥 Commits

Reviewing files that changed from the base of the PR and between 428def9 and 6599382.

⛔ Files ignored due to path filters (4)
  • Pipfile.lock is excluded by !**/*.lock
  • canary-checker/package-lock.json is excluded by !**/package-lock.json
  • mission-control/package-lock.json is excluded by !**/package-lock.json
  • scripts/mdx-renderer/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (16)
  • canary-checker/docs/concepts/secret-management.md
  • canary-checker/docs/scripting/_functions.md
  • canary-checker/netlify.toml
  • canary-checker/package.json
  • canary-checker/plugins/my-loaders/index.js
  • common/src/components/TerminalOutput.jsx
  • mission-control/docs/guide/config-db/scrapers/azure.md
  • mission-control/docs/guide/notifications/channels/index.md
  • mission-control/docs/guide/views/concepts/templating.md
  • mission-control/docs/guide/views/queries/changes.md
  • mission-control/docs/integrations/kubernetes/playbooks.md
  • mission-control/docusaurus.config.ts
  • mission-control/netlify.toml
  • mission-control/package.json
  • mission-control/src/plugins/my-loaders/index.js
  • netlify.toml
💤 Files with no reviewable changes (3)
  • canary-checker/netlify.toml
  • mission-control/netlify.toml
  • netlify.toml
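The two TerminalOutput.jsx findings above (an `await navigator.clipboard.writeText` with no rejection handling, and a "copied" reset timer that is replaced without `clearTimeout`) describe one small piece of state handling. The block below is an added example, not the component from this PR: it shows the hardened shape of that logic with the clipboard and document passed in as parameters so the same code can be exercised under Node. The `fakeBrowser` helper, its constructed clipboard and document objects, and the command strings are stand-ins for illustration only; in a real component you would pass `navigator.clipboard` and `document`.

```javascript
// Added example (not the PR's TerminalOutput.jsx): a copy-to-clipboard path
// that never leaks a rejected promise, falls back to execCommand('copy'),
// and keeps exactly one pending reset timer for the "Copied" indicator.

// Try the async Clipboard API first. A rejection (insecure context, permission
// denied, API absent) falls through to the legacy textarea path instead of
// escaping as an unhandled rejection. Resolves to true/false, never throws.
async function copyText(text, { clipboard, doc } = {}) {
  if (clipboard && typeof clipboard.writeText === 'function') {
    try {
      await clipboard.writeText(text);
      return true;
    } catch (_) {
      // fall through to the legacy path
    }
  }
  if (!doc || typeof doc.execCommand !== 'function') return false;
  const ta = doc.createElement('textarea');
  ta.value = text;
  ta.setAttribute('readonly', ''); // no mobile keyboard, no edits
  ta.style.position = 'fixed';     // keep the helper element off-screen
  ta.style.top = '-1000px';
  doc.body.appendChild(ta);
  ta.select();
  let ok = false;
  try {
    ok = doc.execCommand('copy') === true;
  } catch (_) {
    ok = false;
  } finally {
    doc.body.removeChild(ta); // always clean up, even when the copy failed
  }
  return ok;
}

// "Copied" indicator state. A second click must cancel the previous timer
// before scheduling a new one, otherwise the older timer flips the state back
// early. Timer functions are injectable so the logic can be driven
// deterministically outside a browser; defaults are the real timers.
function createCopiedIndicator({ resetMs = 2000, setTimer = setTimeout, clearTimer = clearTimeout } = {}) {
  let copied = false;
  let timer = null;
  return {
    get copied() { return copied; },
    markCopied() {
      copied = true;
      if (timer !== null) clearTimer(timer);
      timer = setTimer(() => { copied = false; timer = null; }, resetMs);
    },
    dispose() { // call from the component's unmount cleanup
      if (timer !== null) clearTimer(timer);
      timer = null;
    },
  };
}

// Constructed stand-in for the browser so the example runs under Node: a
// clipboard that rejects (as in an insecure context) or succeeds, and a
// minimal document whose execCommand('copy') succeeds. Not a real DOM.
function fakeBrowser({ clipboardFails }) {
  const log = [];
  const body = {
    children: [],
    appendChild(n) { this.children.push(n); },
    removeChild(n) { this.children.splice(this.children.indexOf(n), 1); },
  };
  const doc = {
    body,
    createElement: () => ({ value: '', style: {}, setAttribute() {}, select() {} }),
    execCommand: (cmd) => { log.push(cmd); return cmd === 'copy'; },
  };
  const clipboard = {
    writeText: (t) => (clipboardFails
      ? Promise.reject(new Error('NotAllowedError'))
      : (log.push(`writeText:${t}`), Promise.resolve())),
  };
  return { clipboard, doc, log };
}

// Stand-alone demo: two rapid copies against a rejecting clipboard.
async function demo() {
  const browser = fakeBrowser({ clipboardFails: true });
  const indicator = createCopiedIndicator({ resetMs: 50 });
  if (await copyText('kubectl get canaries', browser)) indicator.markCopied();
  if (await copyText('kubectl get canaries', browser)) indicator.markCopied();
  console.log('paths used:', browser.log, 'copied:', indicator.copied);
  indicator.dispose();
  return indicator.copied;
}
demo();
```

In a React component, `markCopied` would be called from the click handler and `dispose` from the `useEffect` cleanup, which is the "timeout cleanup" the walkthrough refers to; the injectable timers are what make the rapid-click case testable without waiting on wall-clock time.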

Refresh the docs lockfiles so fast-xml-parser and shell-quote resolve to patched releases for the critical Dependabot reports in canary-checker and mission-control.

Upgrade Docusaurus and webpack, pin serialize-javascript to a patched release, and drop the vulnerable image-webpack-loader/browserify-fs dependency chains. Update the swizzled Docusaurus components for the 3.10 theme internals.

Pin uuid to a patched release, refresh js-yaml in the MDX renderer lockfile, and update the Pipfile lock to Jinja2 3.1.6. npm audit now reports zero vulnerabilities for canary-checker, mission-control, and scripts/mdx-renderer.

Pin the Prettier version used by the formatting task so CI does not drift to newer formatter output and require unrelated markdown changes.
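A check a maintainer could run after the lockfile refresh and `overrides` described in these commits, to confirm the result independently of `npm audit`. This is an added example and not code from the PR: it walks a package-lock.json `packages` map and reports every resolved copy of a named package, including nested node_modules copies that a top-level bump misses and an `overrides` entry has to reach, that still sits below a minimum version. The sample lockfile, the `some-tool` package, and the version thresholds are constructed for illustration; they are not the advisory's actual fixed versions, which you would take from the Dependabot alert.

```javascript
// Added example (not code from the PR): confirm that a package-lock.json
// refresh/override moved every copy of a package, including nested
// node_modules copies, to at least the patched release.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any prerelease/build
// suffix is ignored) into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over the release triple: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every resolved copy of `name` in a lockfileVersion 2/3 "packages" map.
// Keys look like "node_modules/uuid" or
// "node_modules/some-tool/node_modules/uuid"; the installed package name is
// whatever follows the last "node_modules/". Nested copies are the ones a
// top-level dependency bump leaves behind and an `overrides` entry must reach.
function findResolved(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project's own entry
    const idx = path.lastIndexOf('node_modules/');
    const pkgName = idx === -1 ? path : path.slice(idx + 'node_modules/'.length);
    if (pkgName === name && meta && meta.version) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Copies still below the minimum for each package in `minimums`.
// An empty array means the lockfile is clean for those packages.
function unpatchedCopies(lock, minimums) {
  const bad = [];
  for (const [name, min] of Object.entries(minimums)) {
    for (const hit of findResolved(lock, name)) {
      if (compareVersions(hit.version, min) < 0) {
        bad.push({ name, min, ...hit });
      }
    }
  }
  return bad;
}

// Constructed sample lockfile (not the repo's): the hoisted uuid is new, but a
// nested copy pulled in by the made-up "some-tool" is still old. Thresholds
// are ILLUSTRATIVE placeholders, not the advisory's real fixed versions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'docs', version: '0.0.0' },
    'node_modules/uuid': { version: '11.1.0' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { uuid: '^8.0.0' } },
    'node_modules/some-tool/node_modules/uuid': { version: '8.3.2' },
    'node_modules/serialize-javascript': { version: '6.0.2' },
  },
};
const ILLUSTRATIVE_MINIMUMS = { uuid: '9.0.0', 'serialize-javascript': '6.0.2' };

// Stand-alone demo. For a real site, pass
// JSON.parse(fs.readFileSync('canary-checker/package-lock.json', 'utf8')).
for (const b of unpatchedCopies(SAMPLE_LOCK, ILLUSTRATIVE_MINIMUMS)) {
  console.log(`${b.path}: ${b.name}@${b.version} is below ${b.min}`);
}
```

Unlike `npm audit`, this works offline against the committed lockfile and makes the nested-copy case explicit, which is the case where adding an `overrides` entry, as this PR does for serialize-javascript and uuid, is the fix rather than a plain version bump.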

coderabbitai Bot left a comment

🧹 Nitpick comments (1)
Taskfile.yml (1)

81-86: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Consider pinning Prettier as a devDependency instead of via npx.

Pinning the version in the npx command fixes CI drift, but each invocation still resolves/downloads prettier@3.8.1 from the registry (unless already cached) rather than using a lockfile-pinned local install. Prettier's own docs recommend installing an exact version locally for consistency and speed rather than relying on npx to fetch the version.

♻️ Suggested alternative: add prettier as a pinned devDependency
   fmt:
     desc: Format all markdown files with prettier
     cmds:
-      - npx --yes prettier@3.8.1 --write "**/*.md" --ignore-path .prettierignore
+      - npx prettier --write "**/*.md" --ignore-path .prettierignore

   fmt:check:
     desc: Check markdown formatting without making changes
     cmds:
-      - npx --yes prettier@3.8.1 --check --log-level=debug "**/*.md" --ignore-path .prettierignore
+      - npx prettier --check --log-level=debug "**/*.md" --ignore-path .prettierignore
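Review bot: the replacement lines `npx prettier --write ...` and `npx prettier --check ...` drop the version pin, and nothing in this hunk guarantees a local install: the Taskfile sits at the repository root while the package.json files this PR touches live under canary-checker/ and mission-control/. If npx does not find prettier in a node_modules on its lookup path it resolves the newest release from the registry (after a prompt in an interactive shell), which is exactly the unpinned behaviour the `npx --yes prettier@3.8.1` lines being removed were introduced to stop. Pair the devDependency with an invocation that cannot fall back to the registry, for example `npx --no prettier --check ...` (npm 7+) or the project-local `node_modules/.bin/prettier`, so a missing install fails the task instead of silently changing the formatter version.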

Then add "prettier": "3.8.1" to a package.json/lockfile that's installed before these tasks run.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Taskfile.yml` around lines 81 - 86, The markdown formatting tasks still
invoke Prettier through npx in Taskfile.yml, which bypasses a lockfile-pinned
local install. Update the fmt/fmt:check commands to use a locally installed
exact Prettier version by adding prettier@3.8.1 as a devDependency and then
calling the project-local binary from the Taskfile commands. Use the existing
fmt and fmt:check task names as the anchor when updating these commands.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fae8edcf-5a75-4f26-90de-4d83c9b190a7

📥 Commits

Reviewing files that changed from the base of the PR and between 6599382 and 4c37921.

⛔ Files ignored due to path filters (4)
  • Pipfile.lock is excluded by !**/*.lock
  • canary-checker/package-lock.json is excluded by !**/package-lock.json
  • mission-control/package-lock.json is excluded by !**/package-lock.json
  • scripts/mdx-renderer/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (8)
  • Taskfile.yml
  • canary-checker/package.json
  • canary-checker/plugins/my-loaders/index.js
  • common/src/components/TerminalOutput.jsx
  • common/src/theme/Layout/index.tsx
  • mission-control/docusaurus.config.ts
  • mission-control/package.json
  • mission-control/src/plugins/my-loaders/index.js
✅ Files skipped from review due to trivial changes (1)
  • mission-control/src/plugins/my-loaders/index.js
🚧 Files skipped from review as they are similar to previous changes (4)
  • canary-checker/plugins/my-loaders/index.js
  • mission-control/docusaurus.config.ts
  • canary-checker/package.json
  • mission-control/package.json

Docusaurus 3.10 packages require Node >=20, but the canary-checker site did not publish an engine constraint. Add the engine metadata to package.json and lockfile so unsupported Node 18 builds are rejected early.

Also sync the swizzled Layout wrapper with the 3.10 theme class names by restoring the new theme-layout-main class.
adityathebe force-pushed the dependabot-alerts-fix branch from 4c37921 to ebe458d on July 3, 2026 16:55
adityathebe enabled auto-merge (squash) on July 3, 2026 16:55
adityathebe merged commit f1d86c7 into main on Jul 3, 2026
11 of 15 checks passed
adityathebe deleted the dependabot-alerts-fix branch on July 3, 2026 16:56