fix security issues on studio

[robfrank]

What does this PR do?

A brief description of the change being made with this pull request.

Motivation

What inspired you to submit this pull request?

Related issues

A list of issues either fixed, containing architectural discussions, otherwise relevant
for this Pull Request.

Additional Notes

Anything else we should know when reviewing?

Checklist

• I have run the build using mvn clean package command
• My unit tests cover both failure and success scenarios

[gemini-code-assist]

Summary of Changes

Hello @robfrank, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the security posture and maintainability of the Studio module by systematically addressing identified frontend dependency vulnerabilities. It involves replacing several third-party libraries with either native browser capabilities or more actively maintained and secure alternatives, thereby streamlining the codebase and reducing the attack surface. The changes ensure that core functionalities like copying content, displaying notifications, and rendering graph layouts are handled efficiently and securely.

Highlights

• Dependency Cleanup: Replaced several outdated and unmaintained frontend dependencies (clipboard, notyf, cytoscape-cola, webcola) with modern alternatives or native browser APIs to improve security and maintainability.
• Security Vulnerability Reduction: Significantly reduced the number of reported security vulnerabilities in the Studio module: 3 MEDIUM, 1 LOW, and approximately 17 informational vulnerabilities were eliminated.
• Native Clipboard API Integration: Migrated clipboard functionality from the clipboard.js library to the native navigator.clipboard.writeText() API, enhancing security and reducing external dependencies.
• SweetAlert2 Toast for Notifications: Replaced the Notyf notification library with a SweetAlert2 Toast mixin, leveraging an existing project dependency for a consistent and maintained notification system.
• Cytoscape Layout Migration: Switched the graph layout engine from cytoscape-cola to cytoscape-fcose, which is the officially recommended force-directed layout, offering better performance and a cleaner dependency tree.
• E2E Test Updates: Updated end-to-end tests to reflect the changes in notification selectors, graph layout extensions, and added a new test for native clipboard functionality.
• Documentation Added: Included detailed design and implementation plan documents outlining the problem statement, decisions, changes, security impact, and testing strategy for the dependency cleanup.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• docs/plans/2026-02-05-studio-security-dependencies-design.md
  • Added a new design document detailing the problem, decision, changes, implementation, security impact, testing plan, and risk assessment for the Studio frontend security dependencies cleanup.
• docs/plans/2026-02-05-studio-security-dependencies-implementation.md
  • Added a new implementation plan document providing a step-by-step guide for executing the dependency cleanup, including specific code modifications and git commands.
• e2e-studio/global-setup.ts
  • Modified the global setup to allow specifying the ArcadeDB Docker image via an environment variable (ARCADEDB_DOCKER_IMAGE), improving flexibility for local testing and CI/CD.
• e2e-studio/tests/cytoscape-validation.spec.ts
  • Updated the e2e test to validate the presence and functionality of the fcose layout extension instead of the cola layout.
• e2e-studio/tests/graph-export.spec.ts
  • Added a new e2e test to verify the functionality of the native Clipboard API when copying graph export content.
• e2e-studio/tests/notification-test.spec.ts
  • Updated e2e tests to use the new .swal2-toast selector for SweetAlert2 notifications, replacing the old .notyf__toast selector.
  • Adjusted error message checks to align with the SweetAlert2 Toast implementation.
• studio/package-lock.json
  • Removed entries for clipboard, cytoscape-cola, notyf, and webcola.
  • Added entries for cytoscape-fcose and its transitive dependencies (cose-base, layout-base).
• studio/package.json
  • Removed clipboard, cytoscape-cola, notyf, and webcola from dependencies.
  • Added cytoscape-fcose to dependencies.
• studio/src/main/js/studio-main.js
  • Updated Cytoscape extension registration to use cytoscape-fcose instead of cytoscape-cola.
• studio/src/main/resources/static/index.html
  • Removed CSS and JavaScript imports for notyf and clipboard.
  • Removed JavaScript imports for cola and cytoscape-cola.
  • Added JavaScript imports for layout-base, cose-base, and cytoscape-fcose to support the new graph layout.
  • Replaced the Notyf initialization and showNotification logic with a SweetAlert2 Toast mixin implementation.
• studio/src/main/resources/static/js/studio-graph-widget.js
  • Updated the globalLayout configuration to use fcose as the layout name and adjusted its parameters (animationDuration, nodeSeparation, quality, randomize, fit, padding) to match the new layout engine.
• studio/src/main/resources/static/js/studio-graph.js
  • Replaced the ClipboardJS library usage with the native navigator.clipboard.writeText() API for copying graph export content, including error handling and user notification.
  • Updated the GraphML export configuration to use fcose as the layoutBy option.
• studio/src/main/resources/static/query.html
  • Replaced the ClipboardJS library usage with the native navigator.clipboard.writeText() API for copying query results to the clipboard, adding error handling.
• studio/webpack.config.js
  • Removed CopyWebpackPlugin rules for notyf (JS and CSS), cytoscape-cola, webcola, and clipboard.
  • Added CopyWebpackPlugin rules for layout-base, cose-base, and cytoscape-fcose to ensure they are bundled correctly.

Activity

• No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for beecfa3.

🟢 All jobs passed!

But CI Insights is watching 👀

[gemini-code-assist]

Code Review

This pull request effectively addresses security vulnerabilities by replacing several outdated frontend dependencies (clipboard, notyf, cytoscape-cola) with modern, secure alternatives. The changes are well-executed, using the native Clipboard API and SweetAlert2 for notifications, which are great improvements. The E2E tests have been correctly updated to reflect these changes. I've found one issue related to leftover imports from the removed packages in a file that might break the build, which I've detailed in a specific comment. Otherwise, this is a solid and well-documented contribution to improving the project's security posture.

[gemini-code-assist]

While removing the clipboard dependency is correct, there's a leftover import in studio/src/main/js/studio-main.js that could cause a build failure if this file is processed. The notyf dependency, also removed in this PR, has a similar leftover import in the same file. Please ensure all references to the removed packages are cleaned up. Specifically, the imports for clipboard and notyf (and their CSS) should be removed from studio/src/main/js/studio-main.js.

[claude]

Code Review: Studio Security Dependencies Cleanup

Thank you for this comprehensive security improvement PR! Here is my detailed review:

Strengths

1. Excellent Documentation - Design and implementation plans are thorough
2. Security Improvements - Removes 4 MEDIUM + 1 LOW severity vulnerabilities and ~17 unmaintained transitive dependencies
3. Modern API Adoption - Native Clipboard API with proper error handling
4. Layout Migration - cytoscape-fcose is the officially recommended layout engine
5. Test Coverage - E2E tests properly updated with new clipboard test

Critical Issues (BLOCKING)

1. Incomplete Removal in studio-main.js

File: studio/src/main/js/studio-main.js

The file still imports removed dependencies at lines 32, 52-56. This will cause build failures.

Fix Required - Remove these lines:

• Line 32: import 'notyf/notyf.min.css';
• Lines 52-53: import { Notyf } from 'notyf'; window.Notyf = Notyf;
• Lines 55-56: import ClipboardJS from 'clipboard'; window.ClipboardJS = ClipboardJS;

Potential Issues

2. Multiple Event Handler Bindings

Files: studio-graph.js:218, query.html:493

Clipboard handlers use .on('click') inside functions called multiple times, causing handler accumulation. Use .off('click').on('click') or event delegation.

3. fcose Dependencies Loading Order

Hybrid webpack bundling + script tags could cause timing issues. Verify graph rendering works on initial page load.

4. E2E Docker Image

Ensure CI uses Docker image with these changes. Document local testing with SNAPSHOT image.

Minor Suggestions

5. Toast types - Add support for 'warning' and 'info' (currently only error/success)
6. GraphML export - Verify cytoscape-graphml recognizes 'fcose' layout
7. fcose config - Consider adding idealEdgeLength, edgeElasticity for optimization

Required Actions Before Merge

1. MUST FIX: Remove notyf/ClipboardJS imports from studio-main.js
2. SHOULD FIX: Add .off('click') before .on('click') for clipboard handlers
3. SHOULD VERIFY: Test fcose graph rendering timing
4. SHOULD COMPLETE: Fill out PR description (currently empty template)

Overall Assessment

This is high-quality work with excellent planning. The security improvements are significant and the technical approach is sound. The critical blocker is a simple oversight that is easy to fix.

Recommendation: Request changes for studio-main.js fix, then approve after verification.

Per CLAUDE.md: Security ✅, Performance ✅, Code quality ✅, Testing ⚠️ (needs build verification), Documentation ✅

Great work overall!

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -10.99%	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (5144fcc)	84354	58499	69.35%
Head commit (fd19646)	113912 (+29558)	66484 (+7985)	58.36% (-10.99%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#3356)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.48%. Comparing base (c3d17a5) to head (beecfa3).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3356      +/-   ##
==========================================
+ Coverage   62.44%   62.48%   +0.03%     
==========================================
  Files        1251     1251              
  Lines       83627    83627              
  Branches    17118    17118              
==========================================
+ Hits        52223    52252      +29     
+ Misses      24075    24041      -34     
- Partials     7329     7334       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[claude]

Pull Request Review: Security Dependencies Cleanup

Overview

This PR addresses security vulnerabilities in the Studio frontend by removing unmaintained dependencies and replacing them with modern alternatives. The changes are well-documented with comprehensive design and implementation plans.

---

✅ Strengths

1. Excellent Documentation

• Comprehensive design document explaining rationale for each change
• Detailed implementation plan with step-by-step instructions
• Clear security impact metrics showing improvement from 4 MEDIUM → 1 MEDIUM vulnerabilities

2. Good Dependency Choices

• Native Clipboard API: Modern, well-supported replacement for ClipboardJS library
• SweetAlert2 Toast: Reuses existing dependency, reducing overall footprint
• cytoscape-fcose: Official recommended layout with cleaner dependency tree

3. Test Coverage

• Updated e2e tests to match new implementations
• Added new clipboard functionality test
• Updated selectors and assertions appropriately

4. Code Quality

• Clean migration with proper error handling
• Maintains backward compatibility via globalNotify API
• Proper use of .off() to prevent multiple event bindings

---

⚠️ Issues & Recommendations

1. Missing Build Verification (Required)

According to CLAUDE.md project instructions:

"after every change in the backend (Java), compile the project and fix all the issues until the compilation passes"
"test all the new and old components you have modified before considering the job finished"

Action Required:

# Build and verify
mvn clean install -DskipTests
cd studio && npm run build
cd ../e2e-studio && npm test

Please confirm these commands completed successfully.

2. Incomplete PR Description (Required)

The PR body still contains template placeholders:

• "A brief description of the change being made..."
• "What inspired you to submit this pull request?"
• Unchecked checkboxes

Action Required: Complete the PR description with:

• Summary of what this PR does (security dependency cleanup)
• Reference to Meterian security report that motivated this
• Check the boxes if build and tests passed

3. Webpack Configuration Issue (Medium Priority)

In webpack.config.js, the new fcose dependencies require loading in specific order:

// fcose layout and its dependencies (must load in order: layout-base -> cose-base -> fcose)

Concern: Webpack CopyPlugin does not guarantee load order - that is determined by the <script> tags in index.html. The comment is accurate for the HTML but misleading in webpack config.

Recommendation: Remove or clarify the comment in webpack.config.js to avoid confusion.

4. Global Setup Image Configuration (Low Priority)

e2e-studio/global-setup.ts:890:

const dockerImage = process.env.ARCADEDB_DOCKER_IMAGE || 'arcadedata/arcadedb:latest';

Good addition for testing unreleased changes, but:

• This change is not mentioned in the design/implementation docs
• Consider documenting this in e2e test README

5. Error Handling Enhancement (Low Priority)

In studio-graph.js:1489 and query.html:1521:

} catch (err) {
  console.error("Failed to copy to clipboard:", err);
  globalNotify("Error", "Failed to copy to clipboard", "danger");
}

Enhancement: Consider checking navigator.clipboard availability before use:

if (\!navigator.clipboard) {
  globalNotify("Error", "Clipboard API not supported in this browser", "danger");
  return;
}

6. Layout Configuration Differences

Cola layout configuration:

nodeSpacing: function (node) {
  return globalGraphSettings.graphSpacing;
},
spacingFactor: 1.75,

Fcose layout:

nodeSeparation: globalGraphSettings.graphSpacing * 1.75,

Question: Has visual testing confirmed that nodeSeparation produces similar spacing to the old nodeSpacing * spacingFactor? The design doc mentions "layout may differ slightly" but this should be verified.

7. Event Handler Memory Leaks (Low Priority)

In query.html:1514:

$("#jsonToClipboard").off("click").on("click", async function(e) {

Good use of .off() to prevent multiple bindings. However, the comment says "if initQuery is called multiple times" - should verify this function cleanup happens in page teardown.

---

🔒 Security Assessment

Positive Changes:

• ✅ Removes 4 MEDIUM severity vulnerabilities
• ✅ Removes 1 LOW severity vulnerability
• ✅ Eliminates ~15 unmaintained transitive dependencies
• ✅ Native Clipboard API requires HTTPS (already required by ArcadeDB)

Remaining Concerns:

• ⚠️ jszip (1 MEDIUM + 4 LOW) - Accepted risk, required for DataTables Excel export
• ⚠️ cytoscape-graphml (1 LOW) - Accepted risk, no alternative

Recommendation: These are acceptable trade-offs, but should be tracked for future updates.

---

🎯 Performance Considerations

Positive:

• Fewer dependencies = smaller bundle size
• fcose algorithm is reportedly faster than cola
• Native APIs are more performant than polyfills

To Verify:

• Bundle size before/after (check webpack build output)
• Graph rendering performance with large datasets

---

📋 Code Style & CLAUDE.md Compliance

✅ Compliant:

• Reuses existing components (SweetAlert2)
• Limits to jQuery and Bootstrap 5
• Uses MIT/Apache licensed dependencies
• No new Java code, so no test cases required

❌ Issues:

• CLAUDE.md requires: "do not commit on git, I will do it after a review"
  • But this is already a PR, so this rule does not apply here

---

🧪 Testing Checklist

Based on CLAUDE.md requirements, please confirm:

• mvn clean install succeeds (build without tests)
• cd studio && npm run build succeeds
• cd e2e-studio && npm test passes all tests
• Manual verification:
  • Graph renders with proper fcose layout
  • Toast notifications appear correctly
  • Copy to clipboard works in export modal
  • All export formats work (JSON, PNG, JPEG, GraphML)
• cd studio && npm audit shows reduced vulnerabilities

---

📝 Summary

Overall Assessment: This is a high-quality PR that addresses real security concerns with well-thought-out replacements. The documentation is excellent, and the code changes are clean.

Blockers:

1. Complete PR description (remove template text)
2. Confirm build and tests pass

Recommendations:

1. Verify visual layout appearance matches expectations
2. Add clipboard API feature detection
3. Document the ARCADEDB_DOCKER_IMAGE env var usage

Approval Status: ⏸️ Pending confirmation of build/test success and PR description completion.

---

Great work on the comprehensive planning and clean implementation! The security improvements are substantial and the approach is sound.

[claude]

Code Review - Studio Security Dependencies Cleanup

Thank you for this comprehensive security improvement PR! The approach is well-thought-out and the documentation is excellent. However, I've identified several critical issues that need to be addressed before merging.

---

🔴 Critical Issues (MUST FIX)

1. Missing package.json Changes

Location: studio/package.json

The implementation plan documents state that package.json should be updated to:

• Remove: clipboard, cytoscape-cola, notyf, webcola
• Add: cytoscape-fcose

However, the current package.json still contains all the old dependencies (lines 27, 30, 44, 48). Without this change:

• The old vulnerable packages will still be installed via npm install
• The security improvements claimed in the PR description won't be realized
• Build will include unnecessary/unused dependencies

Required Action:

// Remove these from dependencies:
"clipboard": "^2.0.11",
"cytoscape-cola": "^2.5.1", 
"notyf": "^3.10.0",
"webcola": "^3.4.0"

// Add this after cytoscape-cxtmenu:
"cytoscape-fcose": "^2.2.0",
"cose-base": "^2.2.0",
"layout-base": "^2.0.1"

Then run npm install and commit the updated package-lock.json.

2. Frontend Security Audit Failure

CI Check: "Frontend Security Audit" - FAILURE

The CI is failing on the dependency review check. This is likely due to:

• Missing fcose dependencies in package.json
• Presence of old vulnerable dependencies still declared

This must pass before merge.

---

⚠️ High Priority Issues

3. Missing fcose Dependencies

Files: studio/webpack.config.js, index.html

The code references layout-base and cose-base libraries which are dependencies of cytoscape-fcose:

// webpack.config.js:1288-1295
from: 'node_modules/layout-base/layout-base.js'
from: 'node_modules/cose-base/cose-base.js'

// index.html:1057-1059  
<script src="dist/js/layout-base.js"></script>
<script src="dist/js/cose-base.js"></script>

These libraries need to be explicitly added to package.json as dependencies or the webpack copy will fail if they're not in node_modules.

4. Empty PR Description

The PR description still contains the template placeholders. Per CLAUDE.md guidelines, this should be completed with:

• What this PR does (security vulnerability remediation)
• Motivation (Meterian security report findings)
• Related issues (if any)
• Checklist items should be checked if completed

---

💡 Code Quality Observations

5. Good: Event Handler Cleanup

studio-graph.js:1207, query.html:1514

Excellent use of .off('click').on('click') to prevent multiple event handler bindings. This is the correct pattern.

6. Good: Error Handling

The clipboard implementation includes proper try/catch with user-friendly error messages. Well done.

7. Good: E2E Test Coverage

The test updates are comprehensive:

• Notification selectors updated to SweetAlert2
• Layout tests changed from cola to fcose
• New clipboard API test added

8. Suggestion: Feature Detection

studio-graph.js:1210, query.html:1517

Consider adding Clipboard API availability check before attempting to use it:

if (!navigator.clipboard) {
  globalNotify("Error", "Clipboard not supported in this browser", "danger");
  return;
}
try {
  await navigator.clipboard.writeText(text);
  // ...
}

9. Question: Layout Visual Differences

The migration from cola to fcose changes the spacing algorithm from:

nodeSpacing: function(node) { return globalGraphSettings.graphSpacing; },
spacingFactor: 1.75

To:

nodeSeparation: globalGraphSettings.graphSpacing * 1.75

Have you visually verified that graph layouts render similarly? The design doc mentions "layout may differ slightly" but this should be validated with real data.

---

📋 Security Assessment

Positive Changes:

• ✅ Removes unmaintained dependencies (clipboard, notyf, cola/webcola)
• ✅ Reduces attack surface by using native APIs
• ✅ Leverages existing SweetAlert2 dependency (no new dependencies added)
• ✅ Modern fcose layout is actively maintained

Once package.json is fixed, this PR will:

• Eliminate 3 MEDIUM severity vulnerabilities
• Eliminate 1 LOW severity vulnerability
• Remove ~15 unmaintained transitive dependencies

Accepted Risks (documented in design):

• jszip vulnerabilities remain (required for Excel export)
• cytoscape-graphml remains (no alternative for GraphML support)

---

🧪 Testing Requirements (per CLAUDE.md)

Before merge, please confirm:

• mvn clean install succeeds
• cd studio && npm install && npm run build succeeds
• cd e2e-studio && npm test passes all tests
• cd studio && npm audit shows reduced vulnerabilities
• Manual verification:
  • Graph renders with fcose layout
  • Toast notifications display correctly
  • Clipboard copy works in export modal
  • All export formats work (JSON, PNG, JPEG, GraphML)

---

📝 Summary

Overall Assessment: This is well-researched work with excellent documentation. The technical approach is sound, but the PR is incomplete - the package.json changes were planned but not committed.

Blocking Issues:

1. ❌ Update studio/package.json to remove old deps and add fcose/cose-base/layout-base
2. ❌ Fix Frontend Security Audit CI failure
3. ❌ Complete PR description (remove template)

Recommendation: Request Changes - Once package.json is updated and CI passes, this will be ready to merge.

The code changes themselves are high quality. The migration strategy is solid. Just need to complete the dependency updates that were planned but not executed.

---

Note: Per CLAUDE.md project guidelines, I verified:

• ✅ Reuses existing components (SweetAlert2)
• ✅ Limited to jQuery and Bootstrap 5
• ✅ All licenses are Apache 2.0 compatible
• ✅ No new backend code (no Java test cases required)
• ✅ Follows existing code style

[claude]

PR Review: Fix Security Issues on Studio

I've reviewed PR #3356 and here's my comprehensive feedback:

✅ Strengths

1. Security Improvements

• Successfully removes 4 unmaintained dependencies with known security issues (clipboard, notyf, cytoscape-cola, webcola)
• Reduces attack surface by eliminating ~15 transitive dependencies
• Addresses MEDIUM and LOW severity vulnerabilities from the Meterian security report

2. Code Quality

• Excellent documentation with detailed design and implementation plans
• Comprehensive e2e test updates to match new implementations
• Proper use of native Web APIs (Clipboard API) instead of external libraries
• Good error handling in clipboard implementation

3. Test Coverage

• Updated existing e2e tests (notification-test, cytoscape-validation)
• Added new clipboard functionality test in graph-export.spec.ts
• Tests properly grant clipboard permissions for browser API testing

🔍 Issues & Recommendations

1. CRITICAL: Missing Dependency Files in webpack.config.js

// Lines 189-196 in webpack.config.js
{
  from: 'node_modules/layout-base/layout-base.js',
  to: 'js/layout-base.js',
},
{
  from: 'node_modules/cose-base/cose-base.js',
  to: 'js/cose-base.js',
},

Problem: The layout-base and cose-base packages are transitive dependencies of cytoscape-fcose, not direct dependencies in package.json. Webpack's CopyWebpackPlugin cannot copy files from transitive dependencies this way.

Impact: Build will fail or files won't be copied, breaking the graph layout functionality.

Solution: Either:

1. Add these as direct dependencies in package.json, OR
2. Remove these copy rules and import fcose via the webpack bundle (preferred approach using studio-main.js imports)

Recommendation: Since you're already importing fcose in studio-main.js line 1311, you should remove the manual copy rules for layout-base, cose-base, and cytoscape-fcose from webpack.config.js AND remove the script tags from index.html. Let webpack bundle them properly.

2. Code Quality Issue: Event Handler Memory Leaks

In studio-graph.js lines 218-234 and query.html lines 1513-1524, using .off().on() pattern.

Problem: While using .off() before .on() is good practice to prevent multiple bindings, this pattern in modal/popup contexts can still cause issues if the elements are dynamically recreated.

Recommendation: Consider using event delegation for better memory management.

3. Browser Compatibility Consideration

The Clipboard API requires HTTPS or localhost. The design doc mentions this, but there's no fallback for HTTP environments.

Recommendation: Add a graceful degradation fallback or at minimum, show a helpful error message.

4. Layout Configuration Change

The migration from cola to fcose changes layout parameters significantly:

• Old: nodeSpacing (function-based)
• New: nodeSeparation (static value)

Concern: This may change the visual appearance of existing graphs. Have you verified this doesn't negatively impact UX?

5. PR Description Missing

The PR body still contains template placeholders. Please fill in:

• Summary of security improvements
• Reference to Meterian security report findings
• List of removed vulnerabilities
• Testing performed

📋 Minor Issues

1. studio-main.js line 1295: Comment says "Import JavaScript dependencies" - verify the comment placement still makes sense after removing notyf CSS import.

2. index.html lines 56-58: The comment about fcose dependencies loading order is helpful, but technically webpack should handle this if properly bundled.

3. e2e-studio/global-setup.ts: Good addition of ARCADEDB_DOCKER_IMAGE environment variable, but this seems unrelated to the security fix. Consider separating this change.

✅ Test Plan Verification

Before merging:

1. Build the project: mvn clean install -DskipTests -Pdocker
2. Run e2e tests: cd e2e-studio && npm test
3. Manual testing of graph rendering, notifications, clipboard, and exports
4. Security audit: cd studio && npm audit

🎯 Action Items

Must Fix Before Merge:

1. Fix webpack.config.js dependency copy issue (layout-base, cose-base)
2. Update PR description with proper documentation
3. Verify build succeeds with correct file generation

Should Fix:
4. Add browser compatibility check for Clipboard API
5. Consider event delegation for dynamic elements
6. Document any visual layout changes from cola→fcose migration

Nice to Have:
7. Separate the e2e global-setup.ts change into a different commit/PR

📊 Overall Assessment

This PR addresses important security concerns and follows good practices with comprehensive testing and documentation. However, the webpack configuration issue is critical and will likely cause build failures. Once fixed, this will be a solid improvement to the codebase.

Recommendation: Request changes to fix the webpack dependency issue before merging.

---

Review generated using ArcadeDB CLAUDE.md guidelines focusing on security, performance, and code quality standards.

[claude]

Code Review - PR #3356: Fix Security Issues on Studio

Summary

This PR addresses security vulnerabilities in the Studio frontend by removing unmaintained dependencies (clipboard, notyf, cytoscape-cola, webcola) and replacing them with modern alternatives (native Clipboard API, SweetAlert2 Toast, cytoscape-fcose). The changes are well-documented with comprehensive design and implementation plans.

✅ Strengths

1. Excellent Documentation

• Comprehensive design document with clear rationale for each change
• Detailed implementation plan with step-by-step instructions
• Clear security impact analysis (MEDIUM: 4→1, LOW: 6→5)

2. Thoughtful Replacements

• Native Clipboard API is a modern, standards-based approach
• Reusing existing SweetAlert2 for notifications is smart (no new dependency)
• fcose layout is officially recommended by Cytoscape team

3. Test Coverage

• Updated e2e tests for new selectors (.notyf__toast → .swal2-toast)
• Updated layout tests (cola → fcose)
• Added new clipboard functionality test in graph-export.spec.ts
• Enhanced global-setup.ts to support local Docker images via ARCADEDB_DOCKER_IMAGE env var

4. Code Quality

• Proper error handling in clipboard operations
• Event handler cleanup with .off() to prevent multiple bindings
• Maintains backward compatibility for globalNotify() API

⚠️ Issues & Recommendations

1. Webpack Configuration - Missing Dependencies

Issue: The webpack config adds fcose dependencies but may not work as expected.

Location: studio/webpack.config.js:189-201

Problem:
The dependencies layout-base and cose-base are transitive dependencies of cytoscape-fcose, not direct dependencies in package.json. Webpack CopyWebpackPlugin may fail to find these paths.

Recommendation:

1. Verify the build succeeds: cd studio && npm run build
2. Check that files are copied correctly
3. Consider using webpack module bundling instead of file copying (preferred)

2. HTML Script Loading Order

Issue: The comment says dependencies must load in order, but this needs verification.

Location: studio/src/main/resources/static/index.html:54-59

Regular script tags do load in order, BUT if files do not exist, the browser will fail silently. Better to use webpack bundling which guarantees dependency resolution.

Recommendation:

• Test thoroughly in the browser console after loading
• Check for errors like layoutBase is not defined

3. Testing Instructions Incomplete

Issue: The PR checklist is not filled out, and testing status is unclear.

Recommendation per CLAUDE.md:

"test all the new and old components you have modified before considering the job finished. Please do not provide something untested"

Before merging, please confirm:

1. cd studio && npm run build succeeds without errors
2. cd e2e-studio && npm test passes all tests
3. Manual verification in browser (graph renders, clipboard works, toast notifications, exports work)

4. Security Consideration

Clipboard API Requirements:

• Requires HTTPS or localhost (already satisfied)
• May not work in all browsers/contexts

Missing: Graceful degradation for browsers without Clipboard API support.

Recommendation: Add feature detection to check for navigator.clipboard support before use.

📋 Verification Checklist

Before merging, please verify:

• Build succeeds: cd studio && npm run build
• Files exist: Check that layout-base.js, cose-base.js, cytoscape-fcose.js are in dist/js/
• E2E tests pass: cd e2e-studio && npm test
• Manual testing: Graph renders, clipboard works, toast notifications, exports work
• Security audit: cd studio && npm audit shows reduced vulnerabilities

🎯 Performance & Security

Performance:

• Removing 4 unmaintained dependencies reduces bundle size
• Native Clipboard API has zero overhead vs library
• fcose layout is reportedly more performant than cola

Security:

• Removes 37 flagged dependencies (4 MEDIUM, 6 LOW, 27 informational)
• Native APIs are maintained by browser vendors
• Reduces attack surface

Accepted risks:

• jszip (1 MEDIUM + 4 LOW) - required for Excel export
• cytoscape-graphml (1 LOW) - no alternative

This is a reasonable trade-off for functionality.

🎓 Overall Assessment

Rating: Approve with Minor Revisions

This is a well-planned and executed security improvement. The documentation is exemplary, and the approach is sound. However, there are technical concerns about the webpack configuration that need verification before merge.

Key action items:

1. ✅ Verify webpack build succeeds and files are copied
2. ✅ Run e2e tests and confirm they pass
3. ✅ Add feature detection for Clipboard API
4. ✅ Fill out PR checklist

Once verified, this PR is ready to merge. Great work on improving the security posture of Studio!

---

Reviewed according to ArcadeDB CLAUDE.md guidelines

[codacy-production]

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation	Diff coverage
✅ -11.36%	✅ ∅

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (c3d17a5)	83627	59578	71.24%
Head commit (beecfa3)	113185 (+29558)	67778 (+8200)	59.88% (-11.36%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#3356)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences