Skip to content

chore(evalboard): address npm Dependabot alerts#18

Merged
bai-uipath merged 4 commits into
mainfrom
bai/evalboard-dependabot
Jul 13, 2026
Merged

chore(evalboard): address npm Dependabot alerts#18
bai-uipath merged 4 commits into
mainfrom
bai/evalboard-dependabot

Conversation

@bai-uipath

@bai-uipath bai-uipath commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

What

Clears the open npm Dependabot alerts on the evalboard frontend and stops them from piling up again. All 26 alerts came from this one Next.js app; the Python core has none.

Three parts:

  • Adds an npm version-updates block to dependabot.yml (grouped, monthly) and batches the existing github-actions bumps into one grouped PR too. Until now nothing routinely refreshed the frontend, so it drifted until a CVE fired — this keeps next/React/Azure ahead of most advisories going forward, as a single low-noise PR per ecosystem.

  • Patches the runtime alerts: next to 15.5.20, plus postcss / uuid / fast-xml-builder / @babel/core pulled to their fixed versions.

  • Lazy-loads the Azure SDK and moves @azure/* to optionalDependencies, so local-mode readers (and OSS users who skip optional installs) never pull it. @azure/storage-blob is capped below 12.33.0, which raised its floor to node 22, to stay on the project's node 20 baseline.

Why

Public-repo hygiene on a repo we want to showcase. The frontend runs only as a localhost dev tool or a read-only, SSO-gated internal dashboard, so real exploit risk is low — but keeping the alert list clean and self-maintaining is worth doing.

Testing

  • Local build + tests: pnpm run verify (typecheck + 324 unit tests + next build) passes on Node 20.

  • Azure fetch (remote mode): exercised the app against Blob Storage — it lists and reads runs through the lazy-loaded Azure SDK via DefaultAzureCredential, confirming the async getContainer / dynamic-import refactor still fetches from Azure as before.

  • Deploy: reproduced the hosted deploy's exact install (npm install --omit=dev from package.json, per deploy.sh) and confirmed @azure/* (storage-blob 12.32.0) installs and resolves on the deploy's Node 22 — moving Azure to optionalDependencies does not break the hosted deploy.

Related Dependabot settings (not code in this PR)

The dev-only alerts (~half of the list: vitest, vite, esbuild, ws, form-data) never ship — the output: "standalone" build excludes dev deps. Rather than bump them, a repo Dependabot auto-triage rule ("Dismiss development-scoped npm alerts", indefinitely) now auto-dismisses dev-scoped npm alerts — clearing those (including the two "critical" vitest alerts) and keeping future dev-only alerts out of the queue.

bai-uipath and others added 2 commits July 13, 2026 11:34
Add an npm version-updates block to dependabot.yml so the Next.js frontend no
longer drifts until a CVE fires. Bump the runtime deps that back the open
alerts (next 15.5.20, plus postcss / uuid / fast-xml-builder / @babel/core via
pnpm overrides). Lazy-load the Azure SDK behind optionalDependencies so
local-mode readers never pull @azure/*. storage-blob is capped below 12.33.0 to
stay on the project's node 20 baseline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@bai-uipath bai-uipath marked this pull request as ready for review July 13, 2026 21:11
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown

Claude finished @bai-uipath's task in 1m 22s —— View job


Code Review in Progress

Todo List:

  • Read review guidelines from .github/code_review.md
  • Read project conventions from CLAUDE.md
  • Review the full diff (git diff origin/main...HEAD)
  • Read full context of changed files
  • Analyze changes for security and design issues
  • Check cross-file consistency
  • Provide structured review feedback

@akshaylive akshaylive left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢

@bai-uipath bai-uipath merged commit 3d5e7b7 into main Jul 13, 2026
12 checks passed
@bai-uipath bai-uipath deleted the bai/evalboard-dependabot branch July 13, 2026 23:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants