@github-actions
Contributor

This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.

github-actions bot and others added 2 commits November 17, 2025 23:34
* refactor(security-questionnaire): reorganize imports and update header text

* chore(security-questionnaire): enhance auto-answer button and add error handling for unanswered questions

* fix(security-questionnaire): prevent token mismatch by clearing parse state before new analysis

---------

Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>
@Marfuen Marfuen merged commit a22d564 into release Nov 17, 2025
7 of 9 checks passed
@comp-ai-code-review
comp-ai-code-review bot commented Nov 17, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan found 3 npm vulnerabilities: xlsx@0.18.5 (GHSA-4r6h-8v6p-xvw6 Prototype Pollution; GHSA-5pgg-2g8v-p4x9 ReDoS) and ai@5.0.0 (GHSA-rwvc-j5jr-mgvh filetype whitelist bypass).


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---|---|---|---|---|---|---|
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

🟡 apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireActions.ts (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | Using server-supplied downloadUrl and filename directly for download/navigation | MEDIUM |
| 2 | No client-side validation of uploaded file type or size before sending | MEDIUM |
| 3 | Displaying server error objects directly in UI (toast), possible info leak | MEDIUM |
| 4 | Uploading raw base64 file data with no size or streaming limits | MEDIUM |

Recommendations:

  1. When handling server-provided download URLs, validate the URL before using it: restrict to same-origin or to known trusted signed URLs. Prefer fetching the file via authenticated request on the client (fetch with credentials) and use createObjectURL(blob) for download rather than using a raw href provided by the server.
  2. Sanitize and validate the filename returned from the server before assigning to link.download. Strip path characters, control characters and other unexpected characters (use a library such as sanitize-filename or implement a whitelist of allowed characters) and limit filename length.
  3. Enforce client-side file type and size restrictions before upload as a UX/early-rejection measure (e.g., react-dropzone accept/maxSize). Also ensure server-side validation/enforcement of file type and size limits regardless of client checks.
  4. Avoid sending very large files as a single base64 payload. Use multipart/form-data uploads (FormData streaming) or chunked uploads to prevent blowing memory and to allow resumable uploads. Ensure the server imposes upload size limits and rate limits to mitigate DoS.
  5. Do not display raw server error objects/messages to users. Map server errors to sanitized, user-friendly messages for the UI and log full error details server-side or in secure logs. When toasting errors, only show safe, localized error text or codes.
  6. If you must use server-provided download URLs, ensure they are signed URLs with short TTL and require server-side authorization checks. Prefer returning file metadata and having the client request an authenticated download endpoint to stream the file.
  7. Review the dropzone / upload component configuration used in the app to ensure accept/maxSize/etc. are set. If those configs are present elsewhere, ensure they are enforced consistently and documented; do not rely solely on UI-level rejection for security—enforce on the server.

🟡 apps/app/src/app/(app)/[orgId]/security-questionnaire/hooks/useQuestionnaireParse.ts (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | Trigger/read tokens stored and used in client state | MEDIUM |
| 2 | Client-side tokens vulnerable to theft via XSS or logs | MEDIUM |
| 3 | Unvalidated run.output data consumed directly | MEDIUM |
| 4 | Unvalidated upload response (s3Key/fileType) used directly | MEDIUM |
| 5 | Error messages shown to users may leak internal info | MEDIUM |
| 6 | No sanitization of extractedContent/questions before rendering (XSS risk) | MEDIUM |

Recommendations:

  1. Avoid storing sensitive tokens in client-accessible state. Issue short-lived, least-privilege tokens server-side and deliver via HttpOnly, Secure cookies or server-side proxies when possible.
  2. If tokens must be usable from the client, reduce scope and TTL, rotate tokens regularly, and restrict issuance to specific operations and principals.
  3. Validate and assert response schemas before using run.output or upload responses. Use runtime schema validation (e.g., zod/io-ts) to ensure expected shapes and types before setting state.
  4. Sanitize any extractedContent, question text, and answers before rendering to the UI. Prefer escaping or using a safe HTML sanitizer for any HTML content.
  5. Do not surface raw server error objects to users. Log detailed errors server-side and display a generic, user-friendly message client-side. Avoid including error.serverError or full exception messages in toasts.
  6. Add server-side authorization checks for any operations that accept s3Key or other client-supplied identifiers to ensure the client is permitted to reference those resources.
  7. Implement Content Security Policy (CSP), secure headers, and review XSS attack surface in the rendering components that consume these states.

💡 Recommendations

  1. Bump ai in package.json to the patched release (>= 5.0.52 per scan), update the lockfile, reinstall, and run tests to verify no regressions.
  2. Upgrade xlsx from 0.18.5 to a release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9 (consult sheetJS/OSV entries for the fixed version), update the lockfile, and run relevant parsing/unit tests.
  3. After upgrading, rebuild and run the dependency vulnerability scan (e.g., npm audit/OSV) and full test suite to confirm the CVEs are resolved; if a fixed release is unavailable, remove or replace usage of the affected package in the code paths until patched versions are available.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 17, 2025
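
Recommendations 1 and 2 for useQuestionnaireActions.ts in the review above (validate the server-provided download URL, sanitize the returned filename), sketched as an added example; it is not code from the reviewed repository or from the review bot. The allowlisted host, the length limit, the app origin and the response shape are assumptions; only the `downloadUrl` and `filename` field names come from the review.

```javascript
// Added example. ALLOWED_HOSTS, MAX_NAME_LEN and the response shape are
// assumptions; only the downloadUrl/filename field names come from the review.
const ALLOWED_HOSTS = new Set(["files.example.com"]); // hypothetical signed-URL host
const MAX_NAME_LEN = 100;

// Return a normalized href if the URL is https and same-origin or allowlisted, else null.
function safeDownloadUrl(raw, appOrigin) {
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url;
  try {
    url = new URL(raw, appOrigin); // relative paths resolve against the app origin
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null; // rejects javascript:, data:, http:
  if (url.username || url.password) return null; // no embedded credentials
  const sameOrigin = url.origin === new URL(appOrigin).origin;
  if (!sameOrigin && !ALLOWED_HOSTS.has(url.host)) return null;
  return url.href;
}

// Reduce a server-supplied name to a bare, length-limited file name.
function safeFilename(raw, fallback = "download") {
  if (typeof raw !== "string") return fallback;
  const base = raw.split(/[\\/]/).pop(); // drop path components
  const cleaned = base
    .normalize("NFKC")
    .replace(/[\u0000-\u001f\u007f]/g, "") // control characters
    .replace(/[^A-Za-z0-9._ -]/g, "_") // allowlist of characters
    .replace(/^[. ]+/, "") // no leading dots or spaces
    .slice(0, MAX_NAME_LEN);
  return cleaned || fallback;
}

// Gate the download on both checks; the error text carries no server detail.
function validateDownload(response, appOrigin) {
  const href = safeDownloadUrl(response?.downloadUrl, appOrigin);
  if (!href) return { ok: false, error: "Download unavailable." };
  return { ok: true, href, filename: safeFilename(response?.filename) };
}
```

A client would assign `href` and `filename` to the download link only when `ok` is true; the server still has to enforce authorization on the URL itself.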

@vercel
vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| app (staging) | Building | Building | | Nov 17, 2025 11:50pm |

1 Skipped Deployment

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| portal (staging) | Skipped | Skipped | | Nov 17, 2025 11:50pm |

@CLAassistant
CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@claudfuen
Contributor

🎉 This PR is included in version 1.59.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
