@Itsnotaka
Contributor

No description provided.

@Itsnotaka Itsnotaka requested a review from Marfuen November 19, 2025 16:57
@comp-ai-code-review

comp-ai-code-review bot commented Nov 19, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV/npm scan found xlsx@0.18.5 with two HIGH advisories (Prototype Pollution; ReDoS) and ai@5.0.0 with a LOW advisory (filetype whitelist bypass, fixed in 5.0.52).


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---|---|---|---|---|---|---|
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis


🟡 apps/api/buildspec.yml (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | curl bash installer (bun) — remote code execution / supply-chain risk | |
| 2 | Copying host node_modules into image — may include secrets or unwanted files | MEDIUM |
| 3 | Copying prisma/.prisma into image may leak DB artifacts or credentials | MEDIUM |
| 4 | Verbose ls/echo of directories may expose sensitive filenames in build logs | MEDIUM |
| 5 | CI cache includes /root/.bun and node_modules — may persist sensitive artifacts | MEDIUM |
| 6 | Environment variables used directly in shell commands — injection risk if untrusted | MEDIUM |
| 7 | AWS ECR/ECS operations rely on CI creds; no IAM least-privilege shown | MEDIUM |

Recommendations:

  1. Replace piping a remote installer to bash with a verified install: fetch the installer, verify checksums/signatures, or use a pinned version from a trusted package repository. Prefer vendor-supplied binaries from a package manager or pre-baked build image.
  2. Avoid copying host node_modules into the Docker build context. Use a multi-stage Dockerfile that installs production dependencies inside the build container, and add a .dockerignore to exclude host node_modules and sensitive files.
  3. Only include Prisma artifacts that are strictly required. Don’t copy entire .prisma directories from the host; generate Prisma client inside the build context or in a controlled step. Ensure no credentials or local artifacts are baked into the image.
  4. Remove or redact verbose ls/echo statements that print directory listings or environment values in CI logs. Mask sensitive environment variables in the CI system and avoid printing values like APP_NAME, database/URL-like strings, or directory contents containing secrets.
  5. Narrow CI cache paths to only what’s necessary and avoid caching system-wide or root-scoped caches that may persist sensitive artifacts. Consider per-project cache directories and set retention/expiration policies.
  6. Treat environment variables used in shell commands as sensitive inputs: validate their expected format, and ensure CI variable sources are trusted. Use GitHub/OIDC short-lived credentials, parameter store/Secrets Manager, or encrypted CI variables rather than raw plaintext where possible.
  7. Scope AWS permissions used by CI to least privilege. Use short-lived credentials or OIDC/IAM roles for CI rather than long-lived keys. Limit ECR/ECS privileges to only what the build needs (e.g., push to specific repo, update specific service). Rotate credentials and audit CI role usage.

💡 Recommendations

  1. Upgrade ai to >= 5.0.52 (scan notes fixedIn: 5.0.52).
  2. Upgrade xlsx from 0.18.5 to a patched release; if you cannot upgrade immediately, identify and isolate all code paths that call xlsx parsing to apply mitigations.
  3. In code that accepts/parses XLSX or other uploaded files, add strict input validation and limits (explicit file-type checks, size limits, and avoid merging parsed objects into application prototypes) to reduce Prototype Pollution and ReDoS impact.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 19, 2025

@vercel

vercel bot commented Nov 19, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| app | Ready | Preview | Comment | Nov 19, 2025 5:00pm |
| portal | Ready | Preview | Comment | Nov 19, 2025 5:00pm |

@Marfuen Marfuen merged commit cbd33e8 into main Nov 19, 2025
9 checks passed
@Marfuen Marfuen deleted the daniel/api-deploy-fix branch November 19, 2025 17:02
@Itsnotaka Itsnotaka restored the daniel/api-deploy-fix branch November 19, 2025 17:08
@claudfuen
Contributor

🎉 This PR is included in version 1.60.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
