chore: refresh dependency and upstream docs#24
Conversation
|
Warning Review limit reached
More reviews will be available in 56 minutes and 45 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughExtracts the ChangesSecurity Audit Extraction and CI/Tooling Updates
Gravatar Documentation Updates
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/ci.yml (1)
102-124:⚠️ Potential issue | 🟠 Major | ⚡ Quick winRestrict
securityjob token permissionsThe
securityjob relies on defaultGITHUB_TOKENpermissions. Add a minimalpermissionsblock (contents: read) to reduce unnecessary token scope.Suggested change
security: name: Security Scan runs-on: ubuntu-latest + permissions: + contents: read steps:🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 102 - 124, Add a `permissions` block to the `security` job to restrict the `GITHUB_TOKEN` scope to only what is necessary. The `security` job currently relies on default token permissions, but should explicitly declare a minimal `permissions` block with only `contents: read` (required for the checkout action). Place this `permissions` block after the `runs-on` property of the security job to follow the principle of least privilege.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/ci.yml:
- Line 71: The codecov/codecov-action reference uses a mutable tag `@v7` which
presents a supply chain risk since the tag can be reassigned to different
commits. Replace the `@v7` tag with the full immutable commit SHA for version
7.0.0 in the uses statement to ensure the workflow always uses the exact same
version and cannot be affected by tag reassignment.
---
Outside diff comments:
In @.github/workflows/ci.yml:
- Around line 102-124: Add a `permissions` block to the `security` job to
restrict the `GITHUB_TOKEN` scope to only what is necessary. The `security` job
currently relies on default token permissions, but should explicitly declare a
minimal `permissions` block with only `contents: read` (required for the
checkout action). Place this `permissions` block after the `runs-on` property of
the security job to follow the principle of least privilege.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2d1d8568-bb79-44c4-b41b-a847a3c4f3f5
⛔ Files ignored due to path filters (1)
bun.lockis excluded by!**/*.lock
📒 Files selected for processing (9)
.github/workflows/ci.ymlapps/astro-gravatar.and.guide/package.jsonapps/astro-gravatar.and.guide/src/content/docs/guides/authentication.mdxapps/astro-gravatar.and.guide/src/content/docs/guides/error-handling.mdxapps/astro-gravatar.and.guide/src/content/docs/guides/troubleshooting.mdxapps/astro-gravatar.and.guide/src/content/docs/reference/api-endpoints.mdxapps/astro-gravatar.and.guide/src/content/docs/reference/gravatar-qr.mdxpackage.jsonscripts/security-audit.ts
|
Addressed the review feedback in 2b6bf90:
@coderabbitai review |
|
✅ Action performedReview finished.
|
|
Follow-up correction in 2815285:
@coderabbitai review |
|
✅ Action performedReview finished.
|
Summary
security:checkuse the same narrow policy.Key Changes
codecov/codecov-action@v7.^6.4.7, docs app Starlight to^0.40.0, Sharp to^0.35.1, and tooling including Wrangler to^4.101.0.bun.lockwith Bun.bun audit.scripts/security-audit.ts, currently ignoring only the unpatched highpicomatchadvisoryGHSA-c2c7-rcm5-vvqjfromastro -> unstorage -> anymatch./oembed, QRsize/salias behavior, and0.gravatar.com/avatarexamples.Notes
bun run security:check:strictstill fails by design on residualpicomatch@2.3.1advisories only;bun pm why picomatchconfirms the vulnerable 2.x instance is fromastro -> unstorage -> anymatch.Test Plan
bun run lintbun run format:checkbun run typecheckbun run testbun run test:coveragebun run build:packagecd apps/astro-gravatar.and.guide && bun run buildbun run pages:checkbun run security:checkbun run security:check:strict(expected failure: residualpicomatchonly)cd packages/astro-gravatar && bun pm pack --dry-runCloses #21.
Closes #22.
Closes #23.
Refs #17.
Summary by CodeRabbit
sas an alias forsizein QR code URL parameters.