Warehouse native documentation #266

Merged: chris-absmartly merged 10 commits into master from warehouse-native-documentation on May 21, 2026

chris-absmartly (Collaborator) commented May 19, 2026

Summary by CodeRabbit

  • Documentation

    • Added a new Warehouse Native section with overview and benefits (data residency, auditability) and organised collapsible sidebar categories.
    • New "Get Started" guide and per-warehouse connection guides for BigQuery, Snowflake, ClickHouse, Redshift and Databricks covering credentials, testing, table mapping and refresh scheduling.
  • Design

    • Updated site branding: refreshed logo and primary colour palette.

- Overview page explaining what Warehouse Native is, why to use it, and cloud vs warehouse comparison
- Get Started guide covering: connect to warehouse (5 types), map tables (exposure, goals, attributes, JSON layouts), and data freshness config
- Screenshots for all warehouse types, mapping flows, and configuration screens
- Fix cytoscape dependency for local dev server

coderabbitai Bot commented May 19, 2026

Walkthrough

Adds a new "Warehouse Native" documentation section with overview, a full Get Started guide, and per-warehouse connection pages (BigQuery, Snowflake, ClickHouse, Redshift, Databricks). Introduces category metadata for documentation layout, updates site branding (navbar/footer logos) and primary theme colours, and adjusts package resolutions for cytoscape and webpack.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through docs with a careful nibble,
New pages stacked neat as a carrot-shelf dribble.
Logos gleam, colours refreshed with cheer,
Warehouse guides ready — the path is clear. 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and directly describes the main change: adding comprehensive documentation for the Warehouse Native feature, which is the primary focus of all file additions and updates. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (3)
docusaurus.config.js (1)

215-217: 💤 Low value

Consider using consistent logo sizing approach.

The footer logo still uses fixed width styling (width: "3rem"), whilst the navbar logo was changed to use responsive height-based sizing (height: "2rem", width: "auto"). For consistency, you might consider applying the same responsive approach to the footer logo.

♻️ Proposed refactor for consistency
        logo: {
          src: "img/absmartly-icon.png",
          alt: "The ABsmartly Logo",
-         style: { width: "3rem" },
+         style: { height: "2rem", width: "auto" },
        },
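
Review bot: on the `+` line, `height: "2rem", width: "auto"` is not size-neutral with the `width: "3rem"` it replaces, so unless the image happens to be 3:2 the footer icon will render at a different size than before. If the goal is only to match the navbar's sizing approach, check the rendered footer before merging and say in the commit message that the size change is intended.
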
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docusaurus.config.js` around lines 215 - 217, The footer logo uses a fixed
width style (style: { width: "3rem" }) while the navbar logo was changed to
responsive sizing; update the footer logo's style in the footer logo object to
match the navbar approach (use height-based responsive sizing, e.g., set height
to the same value used for the navbar like "2rem" and width to "auto") so the
footer and navbar logos are consistent (refer to the footer logo config where
src/alt/style are defined and the navbar logo config for the exact sizing used).
docs/web-console-docs/warehouse-native/get-started.mdx (2)

165-165: ⚡ Quick win

Address TODO: screenshot placeholder needs replacement.

The TODO comment indicates an updated screenshot is needed for the goals table mapping. Please ensure this is completed before merging.

Do you want me to open a new issue to track this task?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/web-console-docs/warehouse-native/get-started.mdx` at line 165, Replace
the screenshot placeholder comment {/* TODO: Replace with updated screenshot */}
in get-started.mdx with the updated image showing the goals table mapping: add
the new image asset to the repository, reference it in the MDX where the TODO
comment lives (using the same JSX/image component pattern used elsewhere in the
doc), ensure alt text describes "Goals table mapping", and verify the image
renders correctly in the built docs.

182-182: ⚡ Quick win

Address TODO: screenshot placeholder needs replacement.

The TODO comment indicates an updated screenshot is needed for the attributes table mapping. Please ensure this is completed before merging.

Do you want me to open a new issue to track this task?

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/web-console-docs/warehouse-native/get-started.mdx` at line 182, Replace
the screenshot placeholder comment {/* TODO: Replace with updated screenshot */}
in docs/web-console-docs/warehouse-native/get-started.mdx with the actual image
include for the attributes table mapping (e.g. <img
src=".../attributes-mapping.png" alt="Attributes table mapping" />), add the new
image file to the repo assets, update the relative path in the MDX, provide a
concise alt text/caption, and remove the TODO comment so the doc shows the
updated screenshot and no leftover markers; ensure the image file name and the
src reference match exactly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/web-console-docs/warehouse-native/get-started.mdx`:
- Around line 132-139: Update the "Accepted types" column for the table fields
(unit_uid, unit_type_id, experiment_id, variant, exposed_at, attributes) to use
generic type descriptions or clearly mark them as examples; for example replace
`INT64`/`STRING` with "integer types (e.g., INT64)" and "string/text types
(e.g., STRING)" or add a note above the table stating the listed types are
BigQuery examples and equivalents should be used for
Snowflake/ClickHouse/Redshift/Databricks.

In `@package.json`:
- Line 26: Update package.json to remove the version mismatch between the
"cytoscape" dependency and the "resolutions" entry: either change the
"cytoscape" dependency version from "^3.23.0" to "^3.28.0" so it matches the
pinned "3.28.1" resolution, or delete the "resolutions" override if pinning is
no longer required, or add a short comment explaining why the "resolutions"
entry must force 3.28.1; target the "cytoscape" dependency line and the
"resolutions" block to make the change.

📥 Commits

Reviewing files that changed from the base of the PR and between bc414a9 and 6175dfc.

⛔ Files ignored due to path filters (17)
  • package-lock.json is excluded by !**/package-lock.json
  • static/img/absmartly-icon.png is excluded by !**/*.png
  • static/img/warehouse-native/attributes-table-mapping.png is excluded by !**/*.png
  • static/img/warehouse-native/data-freshness.png is excluded by !**/*.png
  • static/img/warehouse-native/datasource-bigquery-connected.png is excluded by !**/*.png
  • static/img/warehouse-native/datasource-bigquery.png is excluded by !**/*.png
  • static/img/warehouse-native/datasource-clickhouse.png is excluded by !**/*.png
  • static/img/warehouse-native/datasource-databricks.png is excluded by !**/*.png
  • static/img/warehouse-native/datasource-redshift.png is excluded by !**/*.png
  • static/img/warehouse-native/datasource-snowflake.png is excluded by !**/*.png
  • static/img/warehouse-native/exposure-mapping-complete.png is excluded by !**/*.png
  • static/img/warehouse-native/exposure-mapping-dropdown.png is excluded by !**/*.png
  • static/img/warehouse-native/exposure-table-mapping.png is excluded by !**/*.png
  • static/img/warehouse-native/exposure-table-test-results.png is excluded by !**/*.png
  • static/img/warehouse-native/goals-table-mapping.png is excluded by !**/*.png
  • static/img/warehouse-native/json-layouts-table.png is excluded by !**/*.png
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (6)
  • docs/web-console-docs/warehouse-native/_category_.json
  • docs/web-console-docs/warehouse-native/get-started.mdx
  • docs/web-console-docs/warehouse-native/overview.mdx
  • docusaurus.config.js
  • package.json
  • src/scss/custom.scss

Comment on lines +132 to +139
| Field | Description | Accepted types |
|---|---|---|
| **unit_uid** | Unique identifier for the unit | `STRING`, `INT64` |
| **unit_type_id** | Type of the unit (e.g., `user_id`, `device_id`) | `STRING`, `INT64` |
| **experiment_id** | Unique identifier for the experiment | `STRING`, `INT64` |
| **variant** | Variant/group assigned to the unit | `STRING`, `INT64` |
| **exposed_at** | Timestamp when the exposure occurred | `INT64` (milliseconds) |
| **attributes** | Attribute values as a JSON string | `STRING` |

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify that data types are examples or use generic descriptions.

The "Accepted types" column lists INT64 and STRING, which are BigQuery-specific type names. Since this guide covers multiple warehouse platforms (Snowflake, ClickHouse, Redshift, Databricks), users of other warehouses might be confused about whether their equivalent types are supported. Consider either using generic descriptions (e.g., "integer types", "string/text types") or noting that these are examples.

Comment thread package.json Outdated

netlify Bot commented May 19, 2026

Deploy Preview for absmartly-docs ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 6af743d |
| 🔍 Latest deploy log | https://app.netlify.com/projects/absmartly-docs/deploys/6a0edce0ace3ec0008828b72 |
| 😎 Deploy Preview | https://deploy-preview-266--absmartly-docs.netlify.app |

chris-absmartly and others added 7 commits May 19, 2026 16:16
Docusaurus 2.4.3 is incompatible with webpack 5.106+ (ProgressPlugin API change)
and cytoscape 3.28+ (exports field blocks mermaid's UMD import).
Covers enabling the BigQuery API, creating a dedicated service account,
granting the minimum required roles, and generating the JSON key.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

coderabbitai Bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
docs/web-console-docs/warehouse-native/get-started.mdx (1)

63-70: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

The data type issue from previous review remains unaddressed.

The "Accepted types" columns across all mapping tables still list BigQuery-specific type names (INT64, STRING) without qualification. Since this guide covers five different warehouse platforms (Snowflake, ClickHouse, Redshift, Databricks, BigQuery), users of non-BigQuery warehouses may be uncertain whether their equivalent types (e.g., Snowflake's NUMBER, VARCHAR) are supported.

Consider either using generic type descriptions (e.g., "integer types", "string/text types") or adding a note that the listed types are BigQuery examples and platform equivalents should be used.

This issue appears in:

  • Exposure table (lines 63-70)
  • Goals table (lines 88-94)
  • Attributes table (lines 106-111)
  • JSON layouts table (lines 134-141)

Also applies to: 88-94, 106-111, 134-141

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/web-console-docs/warehouse-native/get-started.mdx` around lines 63 - 70,
The tables (Exposure, Goals, Attributes, JSON layouts) currently list
BigQuery-specific types (e.g., INT64, STRING) for fields like unit_uid,
unit_type_id, experiment_id, variant, exposed_at, attributes; update these rows
to either use generic type descriptions (e.g., "integer types", "string/text
types", "timestamp (ms)") or add a short per-table note stating "Types shown are
BigQuery examples — use your warehouse's equivalent (e.g., Snowflake
VARCHAR/NUMBER, Redshift BIGINT/VARCHAR, ClickHouse Int64/String)." Make this
change consistently for the Exposure table (fields above), Goals table,
Attributes table, and JSON layouts table so readers on
Snowflake/ClickHouse/Redshift/Databricks know to map to their platform
equivalents.
🧹 Nitpick comments (1)
package.json (1)

57-60: ⚡ Quick win

Document the rationale for version resolutions.

The resolutions block lacks explanatory comments. Future maintainers will not understand why these specific versions are pinned or whether the pins are still necessary.

📝 Suggested documentation approach
  "resolutions": {
+   // Pinned to 3.23.0 to resolve [specific issue/compatibility concern]
    "cytoscape": "3.23.0",
+   // Pinned to 5.76.1 to fix [security vulnerability/build issue]
    "webpack": "5.76.1"
  }
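
Review bot: the two `+` lines put `//` comments inside the `"resolutions"` object, but package.json is parsed as strict JSON, where comments are a syntax error, so npm and yarn would fail to read the manifest. Keep the rationale outside the file, for example in the commit message or a README/CHANGELOG entry, and replace the bracketed placeholders with the actual reason before it lands.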

Replace the placeholders with the actual reasons for these pins (e.g., "CVE-XXXX-YYYY fix", "compatibility with Docusaurus 2.4.3", etc.).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 57 - 60, The package.json "resolutions" block pins
"cytoscape" and "webpack" but lacks rationale; update the repo by adding concise
documentation explaining why these specific versions are pinned (e.g.,
"cytoscape: 3.23.0 — fixes CVE-XXXX-YYYY / breaking API change in v3.24",
"webpack: 5.76.1 — required for compatibility with Docusaurus 2.4.3 / avoids
regression in plugin X"), and either add inline comments near the "resolutions"
block or a short entry in the README/CHANGELOG that names the symbols
"resolutions", "cytoscape", and "webpack", cites the upstream issue/CVE or
dependency conflict, and notes criteria for unpinning or bumping.

📥 Commits

Reviewing files that changed from the base of the PR and between 6175dfc and 6af743d.

⛔ Files ignored due to path filters (6)
  • package-lock.json is excluded by !**/package-lock.json
  • static/img/warehouse-native/attributes-mapping-complete.png is excluded by !**/*.png
  • static/img/warehouse-native/goals-mapping-complete.png is excluded by !**/*.png
  • static/img/warehouse-native/json-layouts-detected.png is excluded by !**/*.png
  • static/img/warehouse-native/json-layouts-mapping.png is excluded by !**/*.png
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (8)
  • docs/web-console-docs/warehouse-native/connect/_category_.json
  • docs/web-console-docs/warehouse-native/connect/bigquery.mdx
  • docs/web-console-docs/warehouse-native/connect/clickhouse.mdx
  • docs/web-console-docs/warehouse-native/connect/databricks.mdx
  • docs/web-console-docs/warehouse-native/connect/redshift.mdx
  • docs/web-console-docs/warehouse-native/connect/snowflake.mdx
  • docs/web-console-docs/warehouse-native/get-started.mdx
  • package.json
✅ Files skipped from review due to trivial changes (6)
  • docs/web-console-docs/warehouse-native/connect/_category_.json
  • docs/web-console-docs/warehouse-native/connect/clickhouse.mdx
  • docs/web-console-docs/warehouse-native/connect/redshift.mdx
  • docs/web-console-docs/warehouse-native/connect/bigquery.mdx
  • docs/web-console-docs/warehouse-native/connect/snowflake.mdx
  • docs/web-console-docs/warehouse-native/connect/databricks.mdx

Comment thread package.json
Comment on lines +58 to +59
"cytoscape": "3.23.0",
"webpack": "5.76.1"

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

webpack 5.76.1 known vulnerabilities CVEs 2024 2025 2026

💡 Result:

For webpack 5.76.1 (released before the patches below), the relevant known CVEs published/updated during 2024–2026 include:

1) CVE-2023-28154 (cross-realm object access; magic comment mishandling)
   - Impact summary: Webpack 5 before 5.76.0 can expose the real global object via a cross-realm object access issue in ImportParserPlugin.js. [1]
   - Relevance to 5.76.1: 5.76.1 is not in the vulnerable range stated by NVD (it’s “before 5.76.0”), so this CVE should be considered fixed in your version. [1]
2) CVE-2024-43788 (DOM clobbering gadget leading to XSS)
   - Impact summary: DOM Clobbering in Webpack’s AutoPublicPathRuntimeModule can lead to cross-site scripting (XSS) when attacker-controlled “scriptless” HTML elements shadow document.currentScript; fixed in Webpack 5.94.0. [2][3]
   - Affected/fixed relation: NVD states the issue is addressed in release version 5.94.0; therefore webpack 5.76.1 is expected to be vulnerable if the vulnerable code path is reachable (e.g., publicPath “auto” / not set). [2]
3) CVE-2025-68157 (buildHttp allowedUris allow-list bypass leading to build-time SSRF)
   - Impact summary: When experiments.buildHttp is enabled, Webpack’s HttpUriPlugin can fail to re-validate allowedUris after HTTP 30x redirects, enabling an allow-list bypass and build-time SSRF / untrusted content inclusion; patched in 5.104.0. [4]
   - Affected/fixed relation: NVD states the vulnerable range is “from 5.49.0 to before 5.104.0”, so webpack 5.76.1 falls in the vulnerable range. [4]
4) (Also observed in third-party tracking) CVE-2025-68458
   - Note: Repology lists CVE-2025-68458 for a range overlapping webpack 5.76.x ([5]), but the search results I have here do not include an authoritative CVE record/patch details for 5.76.1 specifically. Treat as “possible” until confirmed from an official advisory/CVE page.
5) CVE-2025-30360 (webpack-dev-server source code exposure via Origin validation gaps)
   - Impact summary: Prior to 5.2.1, webpack-dev-server could allow source theft when accessed from malicious web pages due to Origin header handling with IP-address origins; patched in 5.2.1. [6]
   - Relevance to webpack 5.76.1: This CVE is about webpack-dev-server and its versioning, not webpack core. If you only have webpack 5.76.1 (and not an older webpack-dev-server), it may not apply. [6]

Bottom line for webpack 5.76.1 on 2026-05-21
   - Likely vulnerable: CVE-2024-43788 and CVE-2025-68157 (based on “fixed in 5.94.0” and “patched in 5.104.0” statements, respectively). [2][4]
   - Likely fixed already: CVE-2023-28154 (NVD’s affected range ends before 5.76.0). [1]
   - Confirm separately for your stack: any webpack-dev-server version you use (for CVE-2025-30360), and any additional CVEs you might have in your exact dependency graph (and whether experiments.buildHttp is enabled for CVE-2025-68157). [6][4]

Suggested remediation
   - Upgrade webpack to at least 5.104.0 (to address CVE-2025-68157) and at least 5.94.0 (to address CVE-2024-43788). [4][2]
   - If you rely on experiments.buildHttp, treat it as a high-risk surface until upgraded. [4][7]

🌐 Web query:

cytoscape npm 3.23.0 security vulnerabilities latest version 2026

💡 Result:

Latest Cytoscape.js npm version (as of 2026-05-21): 3.33.4 is published on npm; the package also shows 3.33.1 as the latest version in Snyk’s “latest” view. [1]

cytoscape npm 3.23.0 security vulnerabilities (status): I did not find any published security advisories on the official cytoscape/cytoscape.js GitHub security advisories page, and Snyk reports “No direct vulnerabilities have been found” for the cytoscape npm package (Snyk’s latest-version view). [2][3] However, there is evidence of historical/issue-level security concerns in the project tracker (not the same as an official, published advisory): a closed issue describes prototype pollution behavior in cytoscape.js version 3.18.1. [4] For version-specific assurance about 3.23.0 specifically, none of the authoritative sources found in this research explicitly list concrete CVEs/GSAs/security advisories affecting cytoscape@3.23.0. (The official security advisories page says there aren’t any published security advisories.) [2]

Practical recommendation: for “latest version 2026” risk reduction, prefer upgrading from 3.23.0 to the latest npm release (3.33.4 per npm). [1]

Note: there are unrelated reports of broad npm ecosystem supply-chain compromise events in 2026 (e.g., @antv packages), which are not specific to cytoscape@3.23.0 but are relevant to general npm hygiene (pin/lockfile, verify provenance, monitor advisories). [5]


Security: upgrade the pinned webpack (and add rationale for resolutions)

With resolutions pinning webpack to 5.76.1:

"cytoscape": "3.23.0",
"webpack": "5.76.1"
  • webpack@5.76.1 is within vulnerable ranges for CVE-2024-43788 (fixed in 5.94.0) and CVE-2025-68157 (fixed in 5.104.0). Upgrade the webpack resolution to at least 5.104.0 (and check any webpack-dev-server version you use, since some advisories target that package rather than webpack core).
  • cytoscape@3.23.0: no specific published advisory/CVE found for that exact version in the research; still, it’s behind the latest npm release (3.33.4), so consider bumping for general currency.
  • Add a short comment/rationale for why these exact resolutions are pinned (especially the webpack downgrade/hold), so future maintenance is safe.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 58 - 59, Update the pinned dependency resolution
for "webpack" in package.json to at least 5.104.0 to address CVE-2024-43788 and
CVE-2025-68157, and optionally bump "cytoscape" (currently 3.23.0) to a more
recent release (e.g., 3.33.4) for general currency; also add a short comment in
the package.json near the "resolutions" block explaining why webpack is pinned
to that minimum (security fixes for the CVEs) and note any webpack-dev-server
versions to be checked. Locate the "webpack" and "cytoscape" entries under the
resolutions/dependencies section and modify the version strings accordingly,
then add a one-line rationale comment above the resolutions explaining the
security-driven pin and reference the CVE numbers.
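
The pin check this review argues for, as an added example (not part of the PR, the repository, or CodeRabbit's output): it audits a `resolutions` block against the fixed-in versions quoted in this thread and the compatibility ceilings from the commit message, and reports the version window that satisfies both. `POLICY`, `auditResolutions` and `SAMPLE_PKG` are names constructed for illustration, and reading "5.106+" and "3.28+" as "first incompatible version is x.y.0" is an assumption.

```javascript
// Added example: audit pinned "resolutions" against advisory floors and
// compatibility ceilings. All values below are transcribed from this thread.
const POLICY = {
  webpack: {
    fixedIn: [
      { id: "CVE-2024-43788", version: "5.94.0" },
      { id: "CVE-2025-68157", version: "5.104.0" },
    ],
    below: "5.106.0", // assumption: "5.106+" breaks Docusaurus 2.4.3 (commit message)
  },
  cytoscape: {
    fixedIn: [], // the thread found no published advisory for 3.23.0
    below: "3.28.0", // assumption: "3.28+" blocks mermaid's UMD import (commit message)
  },
};

// Constructed sample: the resolutions block under review.
const SAMPLE_PKG = { resolutions: { cytoscape: "3.23.0", webpack: "5.76.1" } };

// Accept only exact MAJOR.MINOR.PATCH pins; ranges such as "^5.76.1" yield null.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric, component-wise comparison (so 5.9.0 < 5.104.0): returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function auditResolutions(pkg, policy) {
  const resolutions = pkg.resolutions || {};
  const findings = [];
  for (const [name, rule] of Object.entries(policy)) {
    if (!(name in resolutions)) continue;
    const pinned = resolutions[name];
    const v = parseVersion(pinned);
    if (!v) {
      findings.push({ name, pinned, status: "not-an-exact-pin", unfixed: [], allowed: null });
      continue;
    }
    // Advisories whose fixed-in version is above the pin are still open.
    const unfixed = rule.fixedIn
      .filter((f) => compareVersions(v, parseVersion(f.version)) < 0)
      .map((f) => f.id);
    // The highest fixed-in version is the lowest pin that clears every advisory.
    const floor = rule.fixedIn
      .map((f) => f.version)
      .sort((x, y) => compareVersions(parseVersion(x), parseVersion(y)))
      .pop() || null;
    const ceiling = rule.below || null;
    const tooNew = ceiling !== null && compareVersions(v, parseVersion(ceiling)) >= 0;
    // Floor at or above the ceiling means no version satisfies both constraints.
    const conflict = floor !== null && ceiling !== null &&
      compareVersions(parseVersion(floor), parseVersion(ceiling)) >= 0;
    let status = "ok";
    if (tooNew) status = "breaks-compatibility";
    else if (unfixed.length > 0) status = conflict ? "no-safe-version" : "raise-pin";
    findings.push({ name, pinned, status, unfixed, allowed: conflict ? null : { floor, ceiling } });
  }
  return findings;
}

for (const f of auditResolutions(SAMPLE_PKG, POLICY)) {
  const range = f.allowed
    ? `>=${f.allowed.floor || "any"} <${f.allowed.ceiling || "any"}`
    : "none";
  console.log(`${f.name}@${f.pinned}: ${f.status}; unfixed=[${f.unfixed.join(", ")}]; allowed ${range}`);
}
```

Run in CI against the real package.json, a non-`ok` status is the signal to revisit the pin rather than let it age silently.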

chris-absmartly merged commit a2ba37e into master May 21, 2026
6 checks passed