Merge main into development branch#120
Open
cbullinger wants to merge 23 commits into
Open
Conversation
* Bump pymongo to v4.17.0 * Merge TanStack Framework into Development (#105) * Set up TanStack Start sample app with tests, CI/CD, and Bluehawk snippet extraction (#101) * Adding TanStack Start + Unit & Integration Tests * Adding GH Actions * Add Bluehawk snippet extraction and improve test documentation - Set up Bluehawk for snippet extraction from source code - Add generic snip.js script for framework examples - Add processFiles.js for handling unannotated files - Extract 8 code snippets to testedSnippets/ - Add test:all npm script to run both unit and integration tests - Update all READMEs to clarify test commands (test vs test:all) - Document component testing status (not implemented due to TanStack Start beta) - Add Bluehawk annotations to source files (Header, RestaurantList, db, routes) * addressing pr feedback * Adding in copier flow (#104) * adding pining * fix(python-fastapi): bump pillow and python-dotenv for security advisories - pillow 12.2.0 (CVE-2026-42308 through CVE-2026-42311, GHSA-5xmw-vc9v-4wf2, etc.) - python-dotenv 1.2.2 (CVE-2026-28684, GHSA-mf9w-mj56-hr94) Addresses Dependabot alerts #47-51 on mongodb/docs-sample-apps. Co-authored-by: Cursor <cursoragent@cursor.com> * Batch Dependabot Fixes & Security Workflow (#110) * fix: dependabot issues and creating audit script * chore:remove cached audit files * chore: updating readme and gitignore * fix: batch updating the python packages for mflix to sure the security passes --------- Co-authored-by: Cory Bullinger <cory.bullinger@mongodb.com> Co-authored-by: cory <115956901+cbullinger@users.noreply.github.com> Co-authored-by: Cursor <cursoragent@cursor.com>
Bumps the Java Spring Mflix sample to Spring Boot 4.0.6, which brings the transitively-managed MongoDB Java Sync Driver from 5.5.2 to 5.6.5 (no GA Spring Boot release currently ships driver 5.7.0 — see DOCSP-59938). Also refreshes other deps to keep the sample current. - Spring Boot 3.5.13 -> 4.0.6 - springboot3-dotenv -> springboot4-dotenv (artifact rename) - springdoc-openapi 2.8.13 -> 3.0.3 (SB4-compatible major line) - langchain4j-voyage-ai 1.11.0-beta19 -> 1.15.0-beta25 - testcontainers junit-jupiter/mongodb -> testcontainers-junit-jupiter/ testcontainers-mongodb (testcontainers 2.0 module rename) - Add spring-boot-starter-webmvc-test (SB4 split @WebMvcTest out of spring-boot-starter-test) and update its import path - Add spring-boot-jackson2 to opt back into Jackson 2 (SB4 defaults to Jackson 3); rename spring.jackson.* properties to spring.jackson2.* and drop write-dates-as-timestamps (Jackson 3 removed the feature and ISO-8601 is now the default) - Drop commons-lang3 CVE-2025-48924 workaround (SB4 BOM ships 3.19.0, past the 3.18.0 fix) JIRA: DOCSP-59938
chore(java-spring): bump Spring Boot to 4.0.6 and refresh deps
…stapi Bump vulnerable npm and Python dependencies to patched versions, including vite, @tanstack/react-start, lodash, fast-uri, urllib3, langchain-core, langsmith, python-multipart, and idna. Resolves Dependabot alerts #52-71. Co-authored-by: Cursor <cursoragent@cursor.com>
Align @tanstack/react-router and related packages to resolve SSR runtime errors after the security dependency bump. Add the same createServerFn mock alias to the unit Vitest config used by integration tests. Co-authored-by: Cursor <cursoragent@cursor.com>
Starlette 0.49.3 fails pip-audit (CVE-2026-48710 Host header bypass). Upgrade to fastapi 0.136.3 and starlette 1.2.1 so CI pip-audit passes. Co-authored-by: Cursor <cursoragent@cursor.com>
fix: resolve Dependabot security alerts (#52-75)
Add server_error_response() to log failures server-side and return generic messages. Resolves CodeQL py/stack-trace-exposure alerts (#7-22). Co-authored-by: Cursor <cursoragent@cursor.com>
Escape user-supplied genre values before regex compilation and validate trailing-slash redirect targets to prevent open-redirect patterns. Co-authored-by: Cursor <cursoragent@cursor.com>
Add rate limiting on movie routes, escape user genre input for regex filters, and validate batch filter/update fields before MongoDB writes. Co-authored-by: Cursor <cursoragent@cursor.com>
Use VoyageAPIError.status_code in the global handler and wrap cursor iteration in get_all_movies so database errors are logged consistently. Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Use createErrorResponse for rate limits, validate update payload shape, return 400 for invalid ObjectId filters, skip whitespace-only genres, and add tests for rejected batch update payloads. Co-authored-by: Cursor <cursoragent@cursor.com>
upload-artifact@v4 authenticates via ACTIONS_RUNTIME_TOKEN, not GITHUB_TOKEN actions: write. Keep contents: read only per review. Co-authored-by: Cursor <cursoragent@cursor.com>
Minimal checkout + upload-artifact job with contents: read only to confirm actions: write is unnecessary. Remove after PR #116 merges. Co-authored-by: Cursor <cursoragent@cursor.com>
Verified upload-artifact@v4 succeeds with contents: read only (run 27133317095). No need to keep the throwaway workflow in the repo. Co-authored-by: Cursor <cursoragent@cursor.com>
Add logger.exception before raising VoyageAuthError so revoked or invalid API keys leave a trace in server logs. Addresses PR #117 review. Co-authored-by: Cursor <cursoragent@cursor.com>
fix(java-spring): resolve CodeQL regex and redirect findings
Consolidate movie field allowlists, use generic filter/update error messages, replace as-never assignment, and configure rate limit via RATE_LIMIT_MAX env var in test setup. Co-authored-by: Cursor <cursoragent@cursor.com>
fix(python-fastapi): stop exposing exception details in API errors
fix(js-express): resolve CodeQL rate limit, regex, and query findings
chore(ci): add explicit GITHUB_TOKEN permissions to workflows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Merge
mainintodevelopment: