
Conversation

@github-actions
Contributor

This is an automated pull request to merge daniel/trust-page-improvements into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Nov 18, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| app | Ready | Preview | Comment | Nov 18, 2025 11:12pm |
| portal | Ready | Preview | Comment | Nov 18, 2025 11:12pm |

@comp-ai-code-review

comp-ai-code-review bot commented Nov 18, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan: 2 high CVEs in xlsx@0.18.5 (Prototype Pollution, ReDoS) and 1 low CVE in ai@5.0.0 (filetype whitelist bypass).


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---|---|---|---|---|---|---|
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel's AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

View 1 file(s) with issues

🟡 apps/app/src/app/(app)/[orgId]/trust/components/request-tab.tsx (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | Unvalidated pdfDownloadUrl opened via window.open (possible malicious URL) | MEDIUM |
| 2 | No validation of requestId before calling mutateAsync | MEDIUM |
| 3 | No check that preview result contains pdfDownloadUrl before opening | MEDIUM |

Recommendations:

  1. Allowlist and validate pdfDownloadUrl scheme and host before opening
  2. Ensure result.pdfDownloadUrl exists and is a valid URL before window.open
  3. Open external links safely (set window.opener = null or use rel='noopener noreferrer')
  4. Validate requestId format (e.g., UUID) before passing to mutateAsync
  5. Sanitize/escape any user-originated HTML before rendering

💡 Recommendations

View 3 recommendation(s)
  1. Upgrade xlsx (v0.18.5) to a version that fixes GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9; update package.json and lockfile and run tests.
  2. Upgrade ai from 5.0.0 to >=5.0.52 (GHSA-rwvc-j5jr-mgvh fixedIn: 5.0.52) and update lockfile.
  3. When accepting/processing uploaded spreadsheets, validate file type and size before parsing and perform parsing in a restricted context (or use a streaming/safe parser) to mitigate Prototype Pollution and ReDoS risks.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 18, 2025
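As an added example, not code from this PR or from the Comp AI review, one way to apply recommendations 1 to 4 above in the request-tab.tsx flow: parse the mutation result, allowlist the scheme and host of pdfDownloadUrl, check the requestId shape, and open the link without an opener reference. The function names, the `WindowOpener` interface and the allowlisted hosts are assumptions.

```typescript
// Added example; not from the PR. Hosts below are constructed placeholders.
const ALLOWED_PDF_HOSTS: ReadonlySet<string> = new Set([
  "trust.example.com",
  "files.example.com",
]);

// Lenient RFC 4122 shape (any version), compared case-insensitively.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Recommendation 4: check the id shape before it reaches mutateAsync.
function validateRequestId(id: unknown): id is string {
  return typeof id === "string" && UUID_RE.test(id);
}

// Recommendations 1 and 2: returns a normalized https URL on an allowlisted
// host, or null when the result lacks the field or the URL is not acceptable.
function resolvePdfDownloadUrl(
  result: unknown,
  allowedHosts: ReadonlySet<string> = ALLOWED_PDF_HOSTS,
): string | null {
  if (typeof result !== "object" || result === null) return null;
  const raw = (result as { pdfDownloadUrl?: unknown }).pdfDownloadUrl;
  if (typeof raw !== "string" || raw.length === 0) return null;
  let url: URL;
  try {
    // No base URL: relative and protocol-relative strings fail to parse
    // instead of silently resolving against the current origin.
    url = new URL(raw);
  } catch {
    return null;
  }
  // Parsing also defuses "https://trusted@evil.example": hostname is
  // "evil.example" and the userinfo part is rejected explicitly.
  if (url.protocol !== "https:") return null;
  if (url.username !== "" || url.password !== "") return null;
  if (!allowedHosts.has(url.hostname)) return null;
  return url.toString();
}

// Minimal shape of window we rely on, so the code runs outside a browser.
interface WindowOpener {
  open(url: string, target?: string, features?: string): unknown;
}

// Recommendation 3: open in a new tab with no window.opener reference.
function openPdfDownload(result: unknown, win: WindowOpener): boolean {
  const href = resolvePdfDownloadUrl(result);
  if (href === null) return false;
  win.open(href, "_blank", "noopener,noreferrer");
  return true;
}
```

In the component, pass the real `window` as `win` and refuse to call `mutateAsync` when `validateRequestId` returns false.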

@CLAassistant

CLAassistant commented Nov 18, 2025

CLA assistant check
All committers have signed the CLA.

@Marfuen Marfuen merged commit fed0f41 into main Nov 18, 2025
4 of 5 checks passed
@Marfuen Marfuen deleted the daniel/trust-page-improvements branch November 18, 2025 23:09
claudfuen pushed a commit that referenced this pull request Nov 19, 2025
# [1.60.0](v1.59.3...v1.60.0) (2025-11-19)

### Features

* **api:** update dependencies and refactor email service imports ([#1782](#1782)) ([5afd2dc](5afd2dc))
* **trust:** add loading skeletons for grants and requests tabs ([#1768](#1768)) ([fed0f41](fed0f41))
@claudfuen
Contributor

🎉 This PR is included in version 1.60.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
