fix: Address LGPL License concerns#1725
Walkthrough
Next.js image optimization is disabled via configuration, and a local no-op
Changes
Sharp dependency removal
Pre-merge checks: 4 passed, 1 failed (inconclusive)
🧹 Nitpick comments (2)
frontend/stubs/sharp/index.js (1)
Line 6: Quick win: make the stub fail fast with a clear error if ever invoked.
`module.exports = {}` can produce opaque runtime errors (`... is not a function`) if any code path unexpectedly calls `sharp`. Exporting a throwing proxy/function makes accidental usage immediately diagnosable.
Proposed refactor
-module.exports = {}; +const fail = () => { + throw new Error( + "sharp stub invoked: image optimization should be disabled (images.unoptimized=true).", + ); +}; + +module.exports = new Proxy(fail, { + apply: fail, + get: () => fail, +});🤖 Prompt for AI Agents
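Review bot: `get: () => fail` returns the throwing function for every property, including `then` and symbol keys such as `Symbol.toPrimitive`, so anything that inspects, stringifies or awaits the module value will hit `fail` before any real sharp call does; consider returning `undefined` for symbol keys and `then` (and `__esModule`, for bundler interop) and keeping the throw for named method access. Separately, because `fail` is an arrow function the Proxy has no `[[Construct]]` slot, so `new sharp()` bypasses `apply` and dies with a generic "is not a constructor" TypeError; a regular `function fail()` plus a `construct: fail` trap covers that path with the same descriptive message.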
frontend/package.json (1)
Line 87: Quick win
`sharp` override tgz is git-tracked; CI-missing risk is largely mitigated—consider less brittle folder override
`frontend/package.json` points `sharp` to `file:./stubs/sharp-0.34.5.tgz` (line 87), and the tgz is present in the repo's git-tracked files. The "artifact missing on clean clones/CI" concern doesn't apply; the remaining downside is tight coupling to that exact tgz filename/version.
Safer/future-proof option
- "sharp": "file:./stubs/sharp-0.34.5.tgz" + "sharp": "file:./stubs/sharp"🤖 Prompt for AI Agents
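Review bot: switching to `"sharp": "file:./stubs/sharp"` changes install semantics, not just the path: npm links a `file:` directory into node_modules as a symlink rather than packing and copying it, so the stub directory's package.json must declare the `name` and `version` that make it resolvable as `sharp`, and the tracked `sharp-0.34.5.tgz` becomes dead weight that should be deleted in the same change. The excluded `frontend/package-lock.json` also has to be regenerated, otherwise the lock still records the tarball and `npm ci` will disagree with package.json.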
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@frontend/package.json`:
- Line 87: The package.json currently pins the sharp dependency to a specific
tarball filename ("sharp": "file:./stubs/sharp-0.34.5.tgz"), which tightly
couples consumers to that exact filename; change the dependency reference to a
stable path/alias (for example point to a generic stub file name such as
"file:./stubs/sharp.tgz" or a stub directory like "file:./stubs/sharp" and
ensure the repository-stored artifact is renamed/moved accordingly) so CI/clean
clones remain resilient to minor tarball renames while keeping the tracked stub
in the repo; update the sharp entry in package.json to the new path and
move/rename the tracked tarball under ./stubs to match.
In `@frontend/stubs/sharp/index.js`:
- Line 6: Replace the empty stub export with a fail-fast stub so any accidental
import/use of sharp surfaces a clear error; update module.exports (the exported
value from frontend/stubs/sharp/index.js) to be a function or a Proxy that
throws a descriptive Error when called or when any property is accessed (e.g.,
"sharp is not available in this environment — stub invoked"), so attempts to
invoke methods or access properties immediately throw instead of producing
opaque "is not a function" errors.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 990883c6-255a-438f-b8e9-09f8f6cf34ee
⛔ Files ignored due to path filters (1)
frontend/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
- frontend/next.config.ts
- frontend/package.json
- frontend/stubs/sharp-0.34.5.tgz
- frontend/stubs/sharp/index.js
- frontend/stubs/sharp/package.json
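Worked example of the fail-fast stub idea raised in the review above, added here; it is neither the project's `frontend/stubs/sharp/index.js` nor the diff CodeRabbit proposed. It goes one step past the proposal: keys that `await`, bundlers and string conversion read (`then`, `toString`, `__esModule`, symbol keys) are answered from the underlying function instead of throwing, so the stub cannot be mistaken for a thenable or break logging, while any named method access, call or `new` still fails with a descriptive error. The message text, the `PASSTHROUGH` list and the helper names are assumptions, and the comparison against an empty `{}` export is constructed for illustration.

```javascript
// Added example (not the project's stub and not the diff proposed in the review):
// a fail-fast replacement for an empty `module.exports = {}` stub of an
// unused native dependency, illustrated with the sharp case discussed above.
// The message text, helper names and the PASSTHROUGH key list are assumptions.

const STUB_MESSAGE =
  "sharp stub invoked: image optimization should be disabled (images.unoptimized=true).";

// Keys that loaders, Promise machinery and string conversion read without
// intending to *use* the package. Answering them from the underlying function
// (mostly `undefined`) keeps `await`, bundler ESM interop and logging from
// tripping the stub; every other property, call or `new` throws immediately.
const PASSTHROUGH = new Set(["then", "toString", "valueOf", "constructor", "__esModule"]);

function makeFailFastStub(message) {
  // A regular function (not an arrow) so the Proxy also gets a [[Construct]]
  // slot and `new stub()` reaches the `construct` trap instead of a generic
  // "is not a constructor" TypeError.
  function fail() {
    throw new Error(message);
  }
  return new Proxy(fail, {
    apply: fail, // sharp(input)
    construct: fail, // new sharp(input)
    get(target, prop, receiver) {
      if (typeof prop === "symbol" || PASSTHROUGH.has(prop)) {
        return Reflect.get(target, prop, receiver);
      }
      return fail; // sharp.resize, sharp.cache, sharp.anythingElse
    },
  });
}

// Runs `fn` and returns "<ErrorType>: <message>" on throw, or null on success,
// so the two stub behaviours can be compared side by side.
function probe(fn) {
  try {
    fn();
    return null;
  } catch (err) {
    return `${err.constructor.name}: ${err.message}`;
  }
}

// Compares what a caller sees when a code path unexpectedly reaches the stub.
function compareStubs() {
  const emptyStub = {}; // the `module.exports = {}` shape
  const failFastStub = makeFailFastStub(STUB_MESSAGE);
  return {
    // Empty object: a generic TypeError that names neither sharp nor the cause.
    opaque: probe(() => emptyStub.resize()),
    // Fail-fast stub: the same access yields the descriptive error.
    method: probe(() => failFastStub.resize()),
    call: probe(() => failFastStub("in.png")),
    construct: probe(() => new failFastStub()),
    // Probe keys pass through, so the stub is not mistaken for a thenable
    // and can be inspected or interpolated without throwing.
    thenable: failFastStub.then !== undefined,
    stringified: probe(() => `${failFastStub}`),
  };
}
```

Calling `compareStubs()` returns the opaque `TypeError` for the empty object next to the descriptive `Error` for method access, plain call and `new` on the fail-fast stub, with `thenable` false and `stringified` null. Dropping a stub like this into `frontend/stubs/sharp/index.js` turns a silent `{}` into a diagnosable failure while leaving `images.unoptimized` as the only thing that actually keeps sharp out of the build.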
* fix: upgrade Langflow to 1.9.6 (#1621)
* Upgraded Langflow to 1.9.3
* update docling remote to throw errors
* upgrade docling version on docling manager
* style: ruff autofix (auto)
* Update docling code and fix docling manager lint
* updated langflow to 1.9.4
* change image to future langflow image
* upgraded to langflow 1.9.6rc0
* fix langflow image
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
* fix: field indentation / enable-disable auto-mounting of service account K8S token (#1741)
* Fix field indentation / enable-disable automounting of service account K8S token
* Fix field indentation in template, must be top-level
---------
Co-authored-by: rodageve <rodrigo.geve@datastax.com>
* fix: Address LGPL License concerns (#1725)
* address lgpl concerns around sharp
* style: apply biome auto-fixes [skip ci]
---------
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* fix: fix cves on npm packages (#1750)
* fix cves on npm packages
* ci fix
* fix: bump pyjwt, authlib, idna to resolve image scan CVEs (#1761)
* Update test-e2e.yml
  fix(deps): bump pyjwt, authlib, idna to resolve CVEs
  Security fixes for CVEs flagged in image scan (openrag-backend):
  - pyjwt 2.12.1 → 2.13.0 (fixes CVE-2026-48522, CVE-2026-48524, CVE-2026-48525, CVE-2026-48526)
  - authlib 1.6.10 → 1.7.2 — promoted to direct dep (was transitive); fixes CVE-2026-41425, CVE-2026-44681
  - idna 3.11 → 3.18 — promoted to direct dep (was transitive); fixes CVE-2026-45409
  authlib and idna are pinned explicitly in pyproject.toml to prevent transitive resolution from pulling in vulnerable versions in future dependency updates. uv.lock updated accordingly; joserfc 1.7.0 added as new transitive dep introduced by authlib 1.7.x.
* fix: bump pyjwt, authlib, idna to resolve image scan CVEs
  Pull Request - #1761
  Summary
  - Bumped `authlib` and `idna` minimum versions to address CVEs flagged by image scanning.
  Dependency Updates
  - Raised `authlib` lower bound from `>=1.7.1` to `>=1.7.2` and added an upper bound `<2.0.0` to prevent unvetted major-version upgrades
  - Raised `idna` lower bound from `>=3.15` to `>=3.18`
  - Lock file updated to reflect resolved versions: `authlib==1.7.2`, `idna==3.18`
---------
Co-authored-by: Mike Pawlowski <mpawlow@ca.ibm.com>
* chore: update uv.lock files after version bump
* removed last space
* style: ruff autofix (auto)
* override jobkit
* fixed docling extras
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: rodageve <78763007+rodageve@users.noreply.github.com>
Co-authored-by: rodageve <rodrigo.geve@datastax.com>
Co-authored-by: Mike Fortman <mfortman11@gmail.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Edwin Jose <edwin.jose@datastax.com>
Co-authored-by: Mike Pawlowski <mpawlow@ca.ibm.com>
Address LGPL License concerns around sharp (a package brought in by next.js that we don't use)