Update dependencies (client pnpm, server Gradle, Docker/CI) and resolve Dependabot alerts#1120
…ve Dependabot alerts

Consolidates the outstanding dependency updates into a single PR and resolves all open Dependabot security alerts.

Security fixes (Dependabot alerts, all client/npm):
- dompurify 3.4.10 -> 3.4.11 (direct dependency)
- undici -> 7.28.0 via pnpm override (transitive, via jsdom)
- http-proxy-middleware -> 3.0.6 via pnpm override (transitive, via webpack-dev-server)

Client routine updates:
- @mantine/* 9.3.1 -> 9.3.2
- @tiptap/* 3.26.1 -> 3.27.1
- react-router 7.17.0 -> 7.18.0
- serialize-javascript override 7.0.5 -> 7.0.6

Server:
- Gradle wrapper 9.5.1 -> 9.6.0 (server + keycloak provider-deps)
- checkstyle 13.4.2 -> 13.6.0

Docker / CI:
- client Node image 24.16.0 -> 24.17.0
- CI Node 24.16.0 -> 24.17.0 (run_tests, e2e_tests, refresh_sbom)

SBOMs regenerated for client and server.

Intentionally excluded:
- react-router v8 (major, breaking, not security-relevant) - belongs in its own PR
- @eslint-react/eslint-plugin 5.9.1 and mantine-datatable 9.3.1 - still within the pnpm minimumReleaseAge supply-chain cooldown (Renovate is holding them too)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Walkthrough
Node.js is bumped from 24.16.0 to 24.17.0 across three CI workflows and the client Dockerfile. Gradle wrapper is updated to 9.6.0 for both the server and Keycloak modules. Checkstyle is upgraded to 13.6.0. Frontend dependencies (
Actionable comments posted: 1
Inline comments:
In `@client.Dockerfile`:
- Line 1: The Dockerfile currently runs all commands as the root user, which is
a security vulnerability flagged by Trivy DS-0002. Add a USER directive before
the command execution steps in the final stage of the Dockerfile to specify a
non-root user (such as node or a custom user). Create the user if necessary
using a RUN directive with appropriate system commands, then add the USER
directive to switch to that user before any app/build commands are executed.
Files ignored due to path filters (1):
- client/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

Files selected for processing (13):
- .github/workflows/e2e_tests.yml
- .github/workflows/refresh_sbom.yml
- .github/workflows/run_tests.yml
- client.Dockerfile
- client/package.json
- client/pnpm-workspace.yaml
- client/sbom/.lock-hash
- client/sbom/bom.json
- keycloak/provider-deps/gradle/wrapper/gradle-wrapper.properties
- server/build.gradle
- server/gradle/wrapper/gradle-wrapper.properties
- server/sbom/.input-hash
- server/sbom/bom.json
…pdates-2026-06

# Conflicts:
# client/sbom/.lock-hash
# client/sbom/bom.json
…pdates-2026-06

# Conflicts:
# client/package.json
# client/pnpm-lock.yaml
# client/sbom/.lock-hash
# client/sbom/bom.json
Gradle 9.6.0 changed the default Copy task file permissions from 0644 to 0600. The keycloak/provider-deps `copyProviders` task then produced an owner-only-readable provider jar, which `kc.sh build` (running as a different user in the Keycloak image) could not read — failing the e2e "Start Keycloak" step with "Failed to create a new filesystem for keycloak-redirectless-passkey-1.4.0.jar". Set explicit world-readable file permissions on the copied providers so the build is deterministic across Gradle versions. Verified by building the Keycloak image locally with the 9.6.0 wrapper (kc.sh build succeeds). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
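The fix described in that commit, pinning the mode of copied files instead of relying on the Copy task default, as an added Groovy DSL example (not the repository's own build script; the configuration name `providerJars`, the dependency coordinates and the output directory are assumptions, and the `filePermissions`/`dirPermissions` API is the one Gradle introduced in 8.3 as the replacement for `fileMode`):

```groovy
// Added example: a Copy task with explicit permissions, so the mode of the
// copied provider jar does not depend on the Gradle version's default.
// The configuration name `providerJars`, the coordinates below and the
// output directory are assumptions, not the repository's actual values.
plugins {
    id 'base'
}

repositories {
    mavenCentral()
}

// Resolvable configuration holding the provider artifact(s) to ship.
configurations {
    providerJars
}

dependencies {
    // Placeholder coordinates; substitute the real provider artifact.
    providerJars 'org.example:example-keycloak-provider:1.0.0'
}

// Copies the resolved jars into build/providers. Without an explicit mode,
// the copied file may end up owner-only readable (0600), which a process
// running as a different user in a downstream image cannot open.
tasks.register('copyProviders', Copy) {
    from configurations.providerJars
    into layout.buildDirectory.dir('providers')
    // 0644: owner read/write, group and others read-only.
    filePermissions { unix('0644') }
    // 0755 so the directory itself is traversable by other users.
    dirPermissions { unix('0755') }
}
```

After `./gradlew copyProviders`, `ls -l build/providers` should show `-rw-r--r--` on every jar regardless of which Gradle wrapper version ran the task.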
Summary
Consolidates the outstanding dependency updates (client pnpm, server Gradle, and Docker/CI images) into one PR and resolves all 9 open Dependabot security alerts.

Security fixes (Dependabot alerts — all client/npm)
- dompurify 3.4.10 → 3.4.11 (direct dependency)
- undici → 7.28.0 (transitive, via jsdom)
- http-proxy-middleware → 3.0.6 (transitive, via webpack-dev-server)
The two transitive fixes are added to client/pnpm-workspace.yaml overrides (the repo's existing mechanism for pinning vulnerable transitive deps). webpack-dev-server is configured without a proxy, so http-proxy-middleware is never instantiated at runtime — the v3 override only satisfies the alert.

Client routine updates
- @mantine/* 9.3.1 → 9.3.2 (Update mantine monorepo to v9.3.2 - abandoned #1107)
- @tiptap/* 3.26.1 → 3.27.1 (Update tiptap monorepo to v3.27.0 - abandoned #1110)
- react-router 7.17.0 → 7.18.0 (Update react-router monorepo to v7.18.0 - abandoned #1109)
- serialize-javascript override 7.0.5 → 7.0.6 (Update dependency serialize-javascript to v7.0.6 - abandoned #1111)

Server
- Gradle wrapper 9.5.1 → 9.6.0 (server + keycloak/provider-deps) (Update Gradle to v9.6.0 #1119)
- checkstyle 13.4.2 → 13.6.0 (Update dependency checkstyle to v13.6.0 - abandoned #1108)

Docker / CI
- client Node image 24.16.0 → 24.17.0
- CI Node 24.16.0 → 24.17.0 (run_tests, e2e_tests, refresh_sbom)
SBOMs (client/sbom/, server/sbom/) regenerated so the "Verify SBOM is up-to-date" checks pass.

Intentionally excluded
- @eslint-react/eslint-plugin 5.9.1 and mantine-datatable 9.3.1 — still within the pnpm minimumReleaseAge supply-chain cooldown (this is exactly why Renovate lists them under "Pending Status Checks" rather than as open PRs). They'll land automatically once the cooldown elapses.
- gradle:9.5.1-jdk25 — no gradle:9.6.0-jdk25 image is published yet, and that stage builds via ./gradlew (the wrapper, now 9.6.0), so the base tag doesn't affect the Gradle version used.

Verification
- pnpm build ✓, tsc --noEmit ✓ (no errors), eslint src/ ✓ (0 errors), pnpm test ✓ (26 pass)
- ./gradlew test with Gradle 9.6.0 + checkstyle 13.6.0 ✓ (864 pass, 0 fail), spotlessCheck ✓

Closes
Supersedes the individual bot PRs #1107, #1108, #1109, #1110, #1111, #1113, #1116, #1118, #1119 (and the abandoned #1060); they should auto-close once these versions land on develop. #1093 (react-router) is already resolved on develop.

🤖 Generated with Claude Code