Warehouse native documentation#266
- Overview page explaining what Warehouse Native is, why to use it, and cloud vs warehouse comparison
- Get Started guide covering: connect to warehouse (5 types), map tables (exposure, goals, attributes, JSON layouts), and data freshness config
- Screenshots for all warehouse types, mapping flows, and configuration screens
- Fix cytoscape dependency for local dev server
Walkthrough

Adds a new "Warehouse Native" documentation section with overview, a full Get Started guide, and per-warehouse connection pages (BigQuery, Snowflake, ClickHouse, Redshift, Databricks). Introduces category metadata for documentation layout, updates site branding (navbar/footer logos) and primary theme colours, and adjusts package resolutions for cytoscape and webpack.

Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Actionable comments posted: 2
🧹 Nitpick comments (3)
docusaurus.config.js (1)
215-217: 💤 Low value | Consider using consistent logo sizing approach.
The footer logo still uses fixed width styling (`width: "3rem"`), whilst the navbar logo was changed to use responsive height-based sizing (`height: "2rem", width: "auto"`). For consistency, you might consider applying the same responsive approach to the footer logo.
♻️ Proposed refactor for consistency
logo: { src: "img/absmartly-icon.png", alt: "The ABsmartly Logo", - style: { width: "3rem" }, + style: { height: "2rem", width: "auto" }, },🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docusaurus.config.js` around lines 215 - 217, The footer logo uses a fixed width style (style: { width: "3rem" }) while the navbar logo was changed to responsive sizing; update the footer logo's style in the footer logo object to match the navbar approach (use height-based responsive sizing, e.g., set height to the same value used for the navbar like "2rem" and width to "auto") so the footer and navbar logos are consistent (refer to the footer logo config where src/alt/style are defined and the navbar logo config for the exact sizing used).
docs/web-console-docs/warehouse-native/get-started.mdx (2)
165-165: ⚡ Quick win | Address TODO: screenshot placeholder needs replacement.
The TODO comment indicates an updated screenshot is needed for the goals table mapping. Please ensure this is completed before merging.
Do you want me to open a new issue to track this task?
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/web-console-docs/warehouse-native/get-started.mdx` at line 165, Replace the screenshot placeholder comment {/* TODO: Replace with updated screenshot */} in get-started.mdx with the updated image showing the goals table mapping: add the new image asset to the repository, reference it in the MDX where the TODO comment lives (using the same JSX/image component pattern used elsewhere in the doc), ensure alt text describes "Goals table mapping", and verify the image renders correctly in the built docs.
182-182: ⚡ Quick win | Address TODO: screenshot placeholder needs replacement.
The TODO comment indicates an updated screenshot is needed for the attributes table mapping. Please ensure this is completed before merging.
Do you want me to open a new issue to track this task?
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/web-console-docs/warehouse-native/get-started.mdx` at line 182, Replace the screenshot placeholder comment {/* TODO: Replace with updated screenshot */} in docs/web-console-docs/warehouse-native/get-started.mdx with the actual image include for the attributes table mapping (e.g. <img src=".../attributes-mapping.png" alt="Attributes table mapping" />), add the new image file to the repo assets, update the relative path in the MDX, provide a concise alt text/caption, and remove the TODO comment so the doc shows the updated screenshot and no leftover markers; ensure the image file name and the src reference match exactly.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/web-console-docs/warehouse-native/get-started.mdx`:
- Around line 132-139: Update the "Accepted types" column for the table fields
(unit_uid, unit_type_id, experiment_id, variant, exposed_at, attributes) to use
generic type descriptions or clearly mark them as examples; for example replace
`INT64`/`STRING` with "integer types (e.g., INT64)" and "string/text types
(e.g., STRING)" or add a note above the table stating the listed types are
BigQuery examples and equivalents should be used for
Snowflake/ClickHouse/Redshift/Databricks.
In `@package.json`:
- Line 26: Update package.json to remove the version mismatch between the
"cytoscape" dependency and the "resolutions" entry: either change the
"cytoscape" dependency version from "^3.23.0" to "^3.28.0" so it matches the
pinned "3.28.1" resolution, or delete the "resolutions" override if pinning is
no longer required, or add a short comment explaining why the "resolutions"
entry must force 3.28.1; target the "cytoscape" dependency line and the
"resolutions" block to make the change.
📒 Files selected for processing (6)
- docs/web-console-docs/warehouse-native/_category_.json
- docs/web-console-docs/warehouse-native/get-started.mdx
- docs/web-console-docs/warehouse-native/overview.mdx
- docusaurus.config.js
- package.json
- src/scss/custom.scss
| | Field | Description | Accepted types | | ||
| |---|---|---| | ||
| | **unit_uid** | Unique identifier for the unit | `STRING`, `INT64` | | ||
| | **unit_type_id** | Type of the unit (e.g., `user_id`, `device_id`) | `STRING`, `INT64` | | ||
| | **experiment_id** | Unique identifier for the experiment | `STRING`, `INT64` | | ||
| | **variant** | Variant/group assigned to the unit | `STRING`, `INT64` | | ||
| | **exposed_at** | Timestamp when the exposure occurred | `INT64` (milliseconds) | | ||
| | **attributes** | Attribute values as a JSON string | `STRING` | |
Clarify that data types are examples or use generic descriptions.
The "Accepted types" column lists INT64 and STRING, which are BigQuery-specific type names. Since this guide covers multiple warehouse platforms (Snowflake, ClickHouse, Redshift, Databricks), users of other warehouses might be confused about whether their equivalent types are supported. Consider either using generic descriptions (e.g., "integer types", "string/text types") or noting that these are examples.
Docusaurus 2.4.3 is incompatible with webpack 5.106+ (ProgressPlugin API change) and cytoscape 3.28+ (exports field blocks mermaid's UMD import).
Covers enabling the BigQuery API, creating a dedicated service account, granting the minimum required roles, and generating the JSON key. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Actionable comments posted: 1
♻️ Duplicate comments (1)
docs/web-console-docs/warehouse-native/get-started.mdx (1)
63-70: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win | The data type issue from previous review remains unaddressed.
The "Accepted types" columns across all mapping tables still list BigQuery-specific type names (`INT64`, `STRING`) without qualification. Since this guide covers five different warehouse platforms (Snowflake, ClickHouse, Redshift, Databricks, BigQuery), users of non-BigQuery warehouses may be uncertain whether their equivalent types (e.g., Snowflake's `NUMBER`, `VARCHAR`) are supported.
Consider either using generic type descriptions (e.g., "integer types", "string/text types") or adding a note that the listed types are BigQuery examples and platform equivalents should be used.
This issue appears in:
- Exposure table (lines 63-70)
- Goals table (lines 88-94)
- Attributes table (lines 106-111)
- JSON layouts table (lines 134-141)
Also applies to: 88-94, 106-111, 134-141
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/web-console-docs/warehouse-native/get-started.mdx` around lines 63 - 70, The tables (Exposure, Goals, Attributes, JSON layouts) currently list BigQuery-specific types (e.g., INT64, STRING) for fields like unit_uid, unit_type_id, experiment_id, variant, exposed_at, attributes; update these rows to either use generic type descriptions (e.g., "integer types", "string/text types", "timestamp (ms)") or add a short per-table note stating "Types shown are BigQuery examples — use your warehouse's equivalent (e.g., Snowflake VARCHAR/NUMBER, Redshift BIGINT/VARCHAR, ClickHouse Int64/String)." Make this change consistently for the Exposure table (fields above), Goals table, Attributes table, and JSON layouts table so readers on Snowflake/ClickHouse/Redshift/Databricks know to map to their platform equivalents.
🧹 Nitpick comments (1)
package.json (1)
57-60: ⚡ Quick win | Document the rationale for version resolutions.
The `resolutions` block lacks explanatory comments. Future maintainers will not understand why these specific versions are pinned or whether the pins are still necessary.
📝 Suggested documentation approach
"resolutions": { + // Pinned to 3.23.0 to resolve [specific issue/compatibility concern] "cytoscape": "3.23.0", + // Pinned to 5.76.1 to fix [security vulnerability/build issue] "webpack": "5.76.1" }Replace the placeholders with the actual reasons for these pins (e.g., "CVE-XXXX-YYYY fix", "compatibility with Docusaurus 2.4.3", etc.).
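Review bot: the two added `// Pinned to ...` lines in this suggestion sit inside the `resolutions` object of package.json, which is read as strict JSON, so the file would stop parsing and installs would fail. Record the rationale outside the file (commit message, README or CHANGELOG) instead, and replace the bracketed placeholders with the real reason before anything is applied.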
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@package.json` around lines 57 - 60, The package.json "resolutions" block pins "cytoscape" and "webpack" but lacks rationale; update the repo by adding concise documentation explaining why these specific versions are pinned (e.g., "cytoscape: 3.23.0 — fixes CVE-XXXX-YYYY / breaking API change in v3.24", "webpack: 5.76.1 — required for compatibility with Docusaurus 2.4.3 / avoids regression in plugin X"), and either add inline comments near the "resolutions" block or a short entry in the README/CHANGELOG that names the symbols "resolutions", "cytoscape", and "webpack", cites the upstream issue/CVE or dependency conflict, and notes criteria for unpinning or bumping.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 58-59: Update the pinned dependency resolution for "webpack" in
package.json to at least 5.104.0 to address CVE-2024-43788 and CVE-2025-68157,
and optionally bump "cytoscape" (currently 3.23.0) to a more recent release
(e.g., 3.33.4) for general currency; also add a short comment in the
package.json near the "resolutions" block explaining why webpack is pinned to
that minimum (security fixes for the CVEs) and note any webpack-dev-server
versions to be checked. Locate the "webpack" and "cytoscape" entries under the
resolutions/dependencies section and modify the version strings accordingly,
then add a one-line rationale comment above the resolutions explaining the
security-driven pin and reference the CVE numbers.
📒 Files selected for processing (8)
- docs/web-console-docs/warehouse-native/connect/_category_.json
- docs/web-console-docs/warehouse-native/connect/bigquery.mdx
- docs/web-console-docs/warehouse-native/connect/clickhouse.mdx
- docs/web-console-docs/warehouse-native/connect/databricks.mdx
- docs/web-console-docs/warehouse-native/connect/redshift.mdx
- docs/web-console-docs/warehouse-native/connect/snowflake.mdx
- docs/web-console-docs/warehouse-native/get-started.mdx
- package.json
✅ Files skipped from review due to trivial changes (6)
- docs/web-console-docs/warehouse-native/connect/category.json
- docs/web-console-docs/warehouse-native/connect/clickhouse.mdx
- docs/web-console-docs/warehouse-native/connect/redshift.mdx
- docs/web-console-docs/warehouse-native/connect/bigquery.mdx
- docs/web-console-docs/warehouse-native/connect/snowflake.mdx
- docs/web-console-docs/warehouse-native/connect/databricks.mdx
| "cytoscape": "3.23.0", | ||
| "webpack": "5.76.1" |
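Review bot: these two exact pins under `resolutions` carry no recorded rationale, and the only constraint visible in this thread is the commit message stating that Docusaurus 2.4.3 is incompatible with webpack 5.106+ and cytoscape 3.28+. Document that constraint alongside the change and treat it as the ceiling for any later bump, so a security-driven webpack upgrade stays below 5.106 and cytoscape stays below 3.28.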
🧩 Analysis chain
🌐 Web query:
webpack 5.76.1 known vulnerabilities CVEs 2024 2025 2026
💡 Result:
For webpack 5.76.1 (released before the patches below), the relevant known CVEs published/updated during 2024–2026 include:

1) CVE-2023-28154 (cross-realm object access; magic comment mishandling)
- Impact summary: Webpack 5 before 5.76.0 can expose the real global object via a cross-realm object access issue in ImportParserPlugin.js. [1]
- Relevance to 5.76.1: 5.76.1 is not in the vulnerable range stated by NVD (it’s “before 5.76.0”), so this CVE should be considered fixed in your version. [1]

2) CVE-2024-43788 (DOM clobbering gadget leading to XSS)
- Impact summary: DOM Clobbering in Webpack’s AutoPublicPathRuntimeModule can lead to cross-site scripting (XSS) when attacker-controlled “scriptless” HTML elements shadow document.currentScript; fixed in Webpack 5.94.0. [2][3]
- Affected/fixed relation: NVD states the issue is addressed in release version 5.94.0; therefore webpack 5.76.1 is expected to be vulnerable if the vulnerable code path is reachable (e.g., publicPath “auto” / not set). [2]

3) CVE-2025-68157 (buildHttp allowedUris allow-list bypass leading to build-time SSRF)
- Impact summary: When experiments.buildHttp is enabled, Webpack’s HttpUriPlugin can fail to re-validate allowedUris after HTTP 30x redirects, enabling an allow-list bypass and build-time SSRF / untrusted content inclusion; patched in 5.104.0. [4]
- Affected/fixed relation: NVD states the vulnerable range is “from 5.49.0 to before 5.104.0”, so webpack 5.76.1 falls in the vulnerable range. [4]

4) (Also observed in third-party tracking) CVE-2025-68458
- Note: Repology lists CVE-2025-68458 for a range overlapping webpack 5.76.x ([5]), but the search results I have here do not include an authoritative CVE record/patch details for 5.76.1 specifically. Treat as “possible” until confirmed from an official advisory/CVE page.

5) CVE-2025-30360 (webpack-dev-server source code exposure via Origin validation gaps)
- Impact summary: Prior to 5.2.1, webpack-dev-server could allow source theft when accessed from malicious web pages due to Origin header handling with IP-address origins; patched in 5.2.1. [6]
- Relevance to webpack 5.76.1: This CVE is about webpack-dev-server and its versioning, not webpack core. If you only have webpack 5.76.1 (and not an older webpack-dev-server), it may not apply. [6]

Bottom line for webpack 5.76.1 on 2026-05-21
- Likely vulnerable: CVE-2024-43788 and CVE-2025-68157 (based on “fixed in 5.94.0” and “patched in 5.104.0” statements, respectively). [2][4]
- Likely fixed already: CVE-2023-28154 (NVD’s affected range ends before 5.76.0). [1]
- Confirm separately for your stack: any webpack-dev-server version you use (for CVE-2025-30360), and any additional CVEs you might have in your exact dependency graph (and whether experiments.buildHttp is enabled for CVE-2025-68157). [6][4]

Suggested remediation
- Upgrade webpack to at least 5.104.0 (to address CVE-2025-68157) and at least 5.94.0 (to address CVE-2024-43788). [4][2]
- If you rely on experiments.buildHttp, treat it as a high-risk surface until upgraded. [4][7]
Citations:
- 1: https://nvd.nist.gov/vuln/detail/cve-2023-28154
- 2: https://nvd.nist.gov/vuln/detail/CVE-2024-43788
- 3: GHSA-4vvj-4cpr-p986
- 4: https://nvd.nist.gov/vuln/detail/CVE-2025-68157
- 5: https://repology.org/project/node%3Awebpack/cves?version=4.30.0
- 6: https://nvd.nist.gov/vuln/detail/CVE-2025-30360
- 7: GHSA-8fgc-7cc6-rx7x
🌐 Web query:
cytoscape npm 3.23.0 security vulnerabilities latest version 2026
💡 Result:
Latest Cytoscape.js npm version (as of 2026-05-21): 3.33.4 is published on npm; the package also shows 3.33.1 as the latest version in Snyk’s “latest” view. [1]

cytoscape npm 3.23.0 security vulnerabilities (status): I did not find any published security advisories on the official cytoscape/cytoscape.js GitHub security advisories page, and Snyk reports “No direct vulnerabilities have been found” for the cytoscape npm package (Snyk’s latest-version view). [2][3]

However, there is evidence of historical/issue-level security concerns in the project tracker (not the same as an official, published advisory): a closed issue describes prototype pollution behavior in cytoscape.js version 3.18.1. [4]

For version-specific assurance about 3.23.0 specifically, none of the authoritative sources found in this research explicitly list concrete CVEs/GSAs/security advisories affecting cytoscape@3.23.0. (The official security advisories page says there aren’t any published security advisories.) [2]

Practical recommendation: for “latest version 2026” risk reduction, prefer upgrading from 3.23.0 to the latest npm release (3.33.4 per npm). [1]

Note: there are unrelated reports of broad npm ecosystem supply-chain compromise events in 2026 (e.g., @antv packages), which are not specific to cytoscape@3.23.0 but are relevant to general npm hygiene (pin/lockfile, verify provenance, monitor advisories). [5]
Citations:
- 1: https://registry.npmjs.org/cytoscape
- 2: https://github.com/cytoscape/cytoscape.js/security/advisories
- 3: https://security.snyk.io/package/npm/cytoscape
- 4: Prototype Pollution in cytoscape.js cytoscape/cytoscape.js#2846
- 5: https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/
Security: upgrade the pinned webpack (and add rationale for resolutions)
With `resolutions` pinning webpack to 5.76.1:
"cytoscape": "3.23.0",
"webpack": "5.76.1"
- `webpack@5.76.1` is within vulnerable ranges for CVE-2024-43788 (fixed in 5.94.0) and CVE-2025-68157 (fixed in 5.104.0). Upgrade the `webpack` resolution to at least 5.104.0 (and check any `webpack-dev-server` version you use, since some advisories target that package rather than webpack core).
- `cytoscape@3.23.0`: no specific published advisory/CVE found for that exact version in the research; still, it’s behind the latest npm release (3.33.4), so consider bumping for general currency.
- Add a short comment/rationale for why these exact `resolutions` are pinned (especially the `webpack` downgrade/hold), so future maintenance is safe.
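The check discussed in this thread, as an added example that is not part of the PR or of CodeRabbit's output: it audits the `resolutions` block of a package.json against the only bounds quoted above (the two webpack CVE ranges and the Docusaurus 2.4.3 ceilings from the commit message). The function names, finding labels and sample inputs are constructed for illustration.

```javascript
// Added example. Version bounds are the ones quoted in this thread.
const ADVISORIES = {
  webpack: [
    { id: "CVE-2024-43788", fixedIn: "5.94.0" }, // thread gives only the fixed version
    { id: "CVE-2025-68157", from: "5.49.0", fixedIn: "5.104.0" },
  ],
};
// First versions the commit message reports as incompatible with Docusaurus 2.4.3.
const CEILINGS = { webpack: "5.106.0", cytoscape: "3.28.0" };

// Accept exact x.y.z pins only; ranges such as ^3.23.0 are reported, not guessed at.
function parseExact(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function auditResolutions(pkgJsonText) {
  let pkg;
  try {
    pkg = JSON.parse(pkgJsonText); // strict JSON: a // comment makes this throw
  } catch (err) {
    return [{ name: "package.json", issue: "invalid-json", need: "strict JSON, no comments" }];
  }
  const findings = [];
  for (const [name, pin] of Object.entries(pkg.resolutions || {})) {
    const v = parseExact(pin);
    if (!v) {
      findings.push({ name, pin, issue: "not-an-exact-pin", need: "x.y.z" });
      continue;
    }
    for (const adv of ADVISORIES[name] || []) {
      const atOrAboveStart = !adv.from || compare(v, parseExact(adv.from)) >= 0;
      if (atOrAboveStart && compare(v, parseExact(adv.fixedIn)) < 0) {
        findings.push({ name, pin, issue: adv.id, need: `>=${adv.fixedIn}` });
      }
    }
    const ceiling = CEILINGS[name];
    if (ceiling && compare(v, parseExact(ceiling)) >= 0) {
      findings.push({ name, pin, issue: "breaks-docusaurus-2.4.3", need: `<${ceiling}` });
    }
  }
  return findings;
}

// Constructed inputs: the PR's pins, the bump suggested in review, a pin set
// inside the window, and a package.json carrying a // comment.
const SAMPLES = {
  prPins: JSON.stringify({ resolutions: { cytoscape: "3.23.0", webpack: "5.76.1" } }),
  suggestedBump: JSON.stringify({ resolutions: { cytoscape: "3.33.4", webpack: "5.104.0" } }),
  inWindow: JSON.stringify({ resolutions: { cytoscape: "3.23.0", webpack: "5.104.0" } }),
  withComment: '{ "resolutions": {\n  // Pinned for compatibility\n  "webpack": "5.76.1" } }',
};

for (const [label, text] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(auditResolutions(text)));
}
```

The ceilings are only as reliable as the commit message they come from, so re-derive them when Docusaurus itself is upgraded.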