fix: restore issue templates visibility by removing empty title fields #34688
Remove `title: ""` from all issue form templates. GitHub's form parser silently drops templates with an empty string title, causing none of them to appear in the issue chooser UI. Also fix spike.yaml's `labels: [""]` (invalid empty-string label) to `labels: []`. Fixes regression introduced in #34678. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Semgrep found 1

Risk: Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. A flaw in Next.js's App Router deserialization allows an attacker to send a specially crafted HTTP request body that, when parsed by the server, triggers excessive CPU work or an infinite loop. By targeting any App Router endpoint with this malicious payload, the server process can hang and become unresponsive, resulting in a denial-of-service.
Fix: Upgrade this library to at least version 14.2.34 at core/starter/nextjs/package-lock.json:3428.
Reference(s): GHSA-mwv6-3258-q52c
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1

Risk: Affected versions of next are vulnerable to Dependency on Vulnerable Third-Party Component / Deserialization of Untrusted Data / Uncontrolled Resource Consumption. An attacker can send a specially crafted HTTP request to any Server Function endpoint (as used by Next.js' App Router) that, when deserialized by the React Server Components runtime, enters an infinite loop—hanging the server process, exhausting CPU, and resulting in a denial-of-service.
Fix: Upgrade this library to at least version 14.2.35 at core/starter/nextjs/package-lock.json:3428.
Reference(s): GHSA-5j59-xgg2-r9c4, CVE-2025-67779
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1

Risk: Affected versions of storybook are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor / Inclusion of Sensitive Information in an Include File / Insertion of Sensitive Information into Externally-Accessible File or Directory. A bug in Storybook's build process causes any environment variables defined in a
Fix: Upgrade this library to at least version 9.1.17 at core/core-web/yarn.lock:23529.
Reference(s): GHSA-8452-54wp-rmv6, CVE-2025-68429
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 2

Risk: Affected versions of playwright are vulnerable to Improper Verification of Cryptographic Signature. The macOS browser reinstall scripts in Playwright use
Fix: Upgrade this library to at least version 1.55.1 at core/e2e/dotcms-e2e-node/frontend/yarn.lock:904.
Reference(s): GHSA-7mvr-c777-76hp, CVE-2025-59288
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1

Risk: Affected versions of next are vulnerable to Deserialization of Untrusted Data / Uncontrolled Resource Consumption. A flaw in React Server Components' deserialization allows an attacker to send a specially crafted HTTP request to any App Router Server Function endpoint in Next.js, triggering excessive CPU usage, out-of-memory conditions, or a server crash and resulting in a denial of service.
Fix: Upgrade this library to at least version 15.0.8 at core/starter/nextjs/package-lock.json:3428.
Reference(s): GHSA-h25m-26qc-wcjf, CVE-2026-23864
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.

Semgrep found 1

Risk: Affected versions of axios are vulnerable to Improper Check for Unusual or Exceptional Conditions. It fails to correctly validate configuration keys during merging. This allows a crafted proto property to trigger an internal TypeError, causing the application to crash.
Fix: Upgrade this library to at least version 1.13.5 at core/core-web/yarn.lock:9717.
Reference(s): GHSA-43fc-jf86-j433, CVE-2026-25639
If this is a critical or high severity finding, please also link this issue in the #security channel in Slack.
@fmontes This PR was not labeled by the new auto labelling as the filters currently exclude issue templates from being labelled as CICD. Let me know if you think we should have a specific label for these, whether we are ok with no label, or you want to just label these as CICD changes. I did create an issue to refactor a bit the filters and labeling, the current structure and filters are here https://github.com/dotCMS/core/blob/main/.github/filters.yaml. I think there is a clear distinction between classifying based upon the impact a change has on the build, which parts need building vs which tests need to be done because of it, and knowing that some changes like these have zero impact on the delivered docker image. These functional distinctions can be slightly different also from what a developer may otherwise classify the PR. e.g. is every change in core-web a frontend change, but some impact the pipeline or build like pom.xml. and should these files that are located in core be classified as a frontend change, backend, or both. dotCMS/src/main/webapp/html/**/*.{css,js} This Issue I think would make it easier to configure the pipeline and what actually runs and gets labeled #34673
#34688)

## Summary

- Remove `title: ""` from all 6 issue form templates — GitHub's form parser silently drops templates with an empty string `title`, causing none to appear in the issue chooser UI
- Fix `spike.yaml`'s `labels: [""]` (invalid empty-string label) to `labels: []`

## Root Cause

PR #34678 changed `title: "[LABEL] "` to `title: ""` across all templates. While the intent was to remove the bracket prefixes, setting the field to an empty string causes GitHub to silently reject those templates instead of just leaving the title blank. The fix is to omit the `title` key entirely.

## Test plan

- [ ] Go to https://github.com/dotCMS/core/issues/new/choose and verify all templates (Task, Defect, Feature, Spike, EPIC, Pillar) appear in the chooser
- [ ] Open each template and confirm the title field starts empty

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- Remove `title: ""` from all 6 issue form templates — GitHub's form parser silently drops templates with an empty string `title`, causing none to appear in the issue chooser UI
- Fix `spike.yaml`'s `labels: [""]` (invalid empty-string label) to `labels: []`

Root Cause

PR #34678 changed `title: "[LABEL] "` to `title: ""` across all templates. While the intent was to remove the bracket prefixes, setting the field to an empty string causes GitHub to silently reject those templates instead of just leaving the title blank. The fix is to omit the `title` key entirely.

Test plan

- [ ] Go to https://github.com/dotCMS/core/issues/new/choose and verify all templates (Task, Defect, Feature, Spike, EPIC, Pillar) appear in the chooser
- [ ] Open each template and confirm the title field starts empty

🤖 Generated with Claude Code
This PR fixes: #34678
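A pre-merge check for the two patterns this PR describes, as an added example that is not part of the PR or the dotCMS repository. The function name `lint_issue_form` and both sample templates are constructed for illustration; it inspects only top-level keys and flags only an empty-string `title` and empty-string entries in `labels`.

```python
import re

EMPTY_STR = r"""(?:""|'')"""  # an empty YAML string in either quote style
TITLE_RE = re.compile(rf"^title:\s*{EMPTY_STR}\s*(?:#.*)?$")
FLOW_LABELS_RE = re.compile(r"^labels:\s*\[(.*)\]\s*(?:#.*)?$")
BLOCK_LABELS_RE = re.compile(r"^labels:\s*(?:#.*)?$")
BLOCK_ITEM_RE = re.compile(rf"^\s*-\s*{EMPTY_STR}\s*(?:#.*)?$")


def lint_issue_form(text):
    """Return (line_number, message) findings for one issue form template."""
    findings = []
    in_labels_block = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Only a column-0 `title:` is the form title; nested keys are ignored.
        if TITLE_RE.match(line):
            findings.append((lineno, "empty top-level title; omit the key"))
        flow = FLOW_LABELS_RE.match(line)
        if flow:
            items = [i.strip() for i in flow.group(1).split(",") if i.strip()]
            if any(i in ('""', "''") for i in items):
                findings.append((lineno, "empty-string label"))
        # Track a block-style `labels:` list so `- ""` items are caught too.
        if BLOCK_LABELS_RE.match(line):
            in_labels_block = True
            continue
        if in_labels_block:
            if BLOCK_ITEM_RE.match(line):
                findings.append((lineno, "empty-string label"))
            elif line.strip() and not re.match(r"^\s*(?:-|#)", line):
                in_labels_block = False  # next key reached, list is over
    return findings


# Constructed sample: the shape the regression left behind.
BROKEN = """name: Spike
description: Time-boxed investigation
title: ""
labels: [""]
body:
  - type: textarea
    attributes:
      label: Goal
"""

# Constructed sample: title key omitted, labels list empty.
FIXED = BROKEN.replace('title: ""\n', "").replace('[""]', "[]")
```
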