Conversation

@github-actions github-actions bot commented Nov 7, 2025

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

github-actions bot and others added 2 commits November 7, 2025 17:23
* fix(app): update cloud test docs links

* fix(integrations): update link to each cloud test

* fix(docs): update link to cloud test docs

---------

Co-authored-by: chasprowebdev <chasgarciaprowebdev@gmail.com>
vercel bot commented Nov 7, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project           Deployment  Preview  Comments  Updated (UTC)
app (staging)     Building    -        -         Nov 7, 2025 10:24pm
portal (staging)  Ready       Preview  Comment   Nov 7, 2025 10:24pm

@CLAassistant
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

comp-ai-code-review bot commented Nov 7, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

1 low-severity npm issue (ai@5.0.0) plus hardcoded API token and secret-handling issues found in EmptyState.tsx.


📦 Dependency Vulnerabilities

🟢 NPM Packages (LOW)

Risk Score: 2/10 | Summary: 1 low CVE found

Package  Version  CVE                  Severity  CVSS  Summary                                                                      Fixed In
ai       5.0.0    GHSA-rwvc-j5jr-mgvh  LOW       N/A   Vercel's AI SDK's filetype whitelists can be bypassed when uploading files  5.0.52

🛡️ Code Security Analysis

🟡 apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx (MEDIUM Risk)

#  Issue                                                      Risk Level
1  Hardcoded API token in logo URLs                           MEDIUM
2  Exposed token in client bundle (public)                    MEDIUM
3  Credentials stored in client state (in-memory)             MEDIUM
4  Console.error may log sensitive info                       MEDIUM
5  Server error payloads shown via toast (info leak)          MEDIUM
6  External image requests can leak token via Referer         MEDIUM
7  No format validation for pasted service account JSON       MEDIUM
8  Secret inputs sent directly from client network calls      MEDIUM

Recommendations:

  1. Remove hardcoded tokens from client-side assets. Do not embed tokens in image URLs. Serve these assets from your own backend or use truly public (non-secret) keys only.
  2. Avoid embedding any secret or private token in client bundles. Move sensitive tokens to server-side configuration and proxy asset requests through your backend where possible.
  3. Do not persist secrets longer than necessary in UI state. Minimize the lifetime in memory (e.g., clear credentials immediately after use or success) and avoid storing in persistent client storage (localStorage/sessionStorage).
  4. Avoid logging raw error objects or server responses with console.error. Log only necessary, non-sensitive information in client logs; send detailed logs to server-side telemetry with appropriate access controls and redaction.
  5. Do not show raw server error payloads to users. Instead display generic user-friendly messages (e.g., 'Unable to validate credentials') and surface detailed errors only in server-side logs for debugging.
  6. Remove tokens from query parameters on external resources. Token-bearing URLs are exposed in network logs, browser history, and referer headers. If a third-party asset requires a token, host the asset yourself or proxy the request through your backend.
  7. Validate pasted service-account JSON client-side before sending: check it is valid JSON and optionally validate required fields/schema and length. Also perform server-side schema validation and enforce strict limits on size and content.
  8. Ensure secrets are transmitted to your backend over TLS to an authenticated endpoint and avoid direct client-to-third-party transmission of credentials. Prefer a server-side flow for credential validation/connection that exchanges short-lived tokens and does not expose secrets to third parties.

💡 Recommendations

  1. Upgrade package ai from 5.0.0 to >= 5.0.52 in package.json/lockfile to address GHSA-rwvc-j5jr-mgvh.
  2. Remove hardcoded API token(s) from apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx — do not embed secrets in image URLs or JSX; replace with non-secret asset URLs and ensure tokens are never included in client-visible strings.
  3. Validate and sanitize pasted service-account JSON in the component (try JSON.parse, enforce required fields and max size), avoid persisting credentials in component state (clear immediately after use: set to null/undefined) and stop sending raw secret inputs directly in client-originating third-party requests.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 7, 2025

@claudfuen

🎉 This PR is included in version 1.57.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
