Release FAC-99–103: Dependency Security Fixes & Pipeline Status Polling#229
Merged
* …ection + prototype pollution) #223

  Upgrades @mikro-orm/core and related packages from ^6.6.6 to ^6.6.11, fixing GHSA-gwhv-j974-6fxm (critical SQL injection) and GHSA-qpfv-44f3-qqx6 (high prototype pollution in Utils.merge). Closes #219

  https://claude.ai/code/session_01CDjjefp75nbDYiTgR7BVtu
  Co-authored-by: Claude <noreply@anthropic.com>

* Add handlebars ^4.7.9 override in package.json to resolve 8 critical/high vulnerabilities (JS injection, XSS, prototype pollution) in the transitive handlebars dependency pulled in by ts-jest. Closes #220

  https://claude.ai/code/session_01R7yFfaeTSDWFSSmYU4AVtS
  Co-authored-by: Claude <noreply@anthropic.com>

* … packages

  Pin path-to-regexp to 8.4.1 via npm overrides to fix GHSA-j3q9-mxjg-w52f and GHSA-27v5-c462-wpq7 without requiring a breaking @nestjs/swagger upgrade. Closes #221

  https://claude.ai/code/session_01BHq6RFwCFioLF9XzNAYvRm
  Co-authored-by: Claude <noreply@anthropic.com>

* …227)

  * chore: add WIP tech-spec for frontend pipeline polling

    Initialize tech-spec for reshaping the analysis pipeline status endpoint into a polling-friendly DTO with consistent field presence, per-stage progress tracking, and retryable flag.
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: update tech-spec WIP with deep investigation findings

    Add codebase patterns, files to reference, entity schemas, test patterns, and dependencies from Step 2 deep investigation of the analysis module.
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: generate implementation plan for frontend pipeline polling spec

    Add 8 implementation tasks, 9 acceptance criteria, testing strategy, and finalize Step 3 of the quick-spec workflow.
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: apply pre-mortem findings to pipeline polling spec

    Add risk mitigations: atomic deploy note, frontend null-safety guidance, staleness detection strategy, future scaling flag for sentiment COUNT, and retryable field scoping note.
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: apply party mode feedback to pipeline polling spec

    Add Task 5 commit split strategy, zero-results edge case test, transition manual test step, mark Task 8 as low priority.
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: finalize frontend pipeline polling tech spec

    Mark spec as ready-for-dev, rename from WIP to final filename.
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: apply adversarial review fixes to pipeline polling spec

    Address all 14 findings from adversarial review:
    - F1: Add Task 0 for CustomBaseEntity onUpdate hook (critical fix)
    - F2: Document startedAt as createdAt proxy approximation
    - F3: Add explicit gateStatus derivation with processing state
    - F4: Strengthen deploy note to "required" with failure scenario
    - F5: Add intent signaling rationale for retryable flag
    - F6: Add caller verification note to Task 6
    - F7: Clarify COUNT scopes to latest run, no regression possible
    - F8: Update query count to 8
    - F9: Document embedding stage null timing, confirmedAt proxy
    - F10: Normalize errorMessage to .nullable() (remove .optional())
    - F11: Fix test pattern reference for makeMockPipeline location
    - F12: Label frontend snippet as illustrative, not a contract
    - F13: Add AC 10 for CANCELLED pipeline state
    - F14: Remove controller spec from files_to_modify, Task 8 optional
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: apply second adversarial review fixes to pipeline polling spec

    Address 13 actionable findings from round 2 review:
    - F7: Scope Task 0 to AnalysisPipeline only (not CustomBaseEntity)
    - F1: Fix gateStatus for CANCELLED → 'skipped'
    - F2: Fix buildStage completedAt type to accept Date | null
    - F3: Add RunStatus mapping comment for enum coupling
    - F4: Fix query count to "up to 8"
    - F5: Note pre-existing z.string() status field as out of scope
    - F6: Add optional .parse() runtime safety net
    - F8: Fix duplicate step numbering in Task 5
    - F9: Document sentiment gate timing as always null
    - F10: Use sentimentRun.submissionCount for progress.total
    - F11: Expand AC 10 to include gate skipped status
    - F13: Add code comment rationale for retryable flag
    - F14: Add task ordering dependency note
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * chore: apply third adversarial review fixes to pipeline polling spec

    Address 10 actionable findings from round 3 review:
    - F1: Add code comment explaining gateStatus FAILED → 'pending' rationale
    - F2: Merge Task 6 into Task 5, eliminate ordering ambiguity
    - F3: Fix AC 1 to specify sentimentRun.submissionCount explicitly
    - F4: Show explicit sentimentGateSchema swap in Task 3
    - F5: Guard sentiment progress — null when no run, real when run exists
    - F6: Make Task 7 (controller spec) required, add to files_to_modify
    - F7: Add preservation note for existing top-level fields in Task 1
    - F9: Fix query count from 8 to 7
    - F12: Clarify AC 10 precondition (sentimentGateIncluded: null)
    - Renumber tasks after merging Task 6 into Task 5
    https://claude.ai/code/session_01M88u9jMRL4UwpQ4ottGGCA

  * feat: reshape pipeline status endpoint for frontend polling

    Restructure GET /analysis/pipelines/:id/status response for polling consistency: null over omission, per-stage progress/startedAt/completedAt, top-level retryable + updatedAt, and dedicated sentiment gate schema.
    - Add onUpdate hook to AnalysisPipeline.updatedAt
    - Replace optional stage fields with progress object and timestamps
    - Add sentimentGateSchema with included/excluded fields
    - Add sentiment progress COUNT query (SentimentResult rows)
    - Add retryable boolean and updatedAt to top-level response
    - Clamp sentiment progress to prevent current > total
    - Fix embedding stage status for FAILED pipelines (use sentimentRun heuristic)
    - Update service and controller tests (8 new test cases)

    Breaking change: frontend must deploy atomically with this backend change.

  ---------

  Co-authored-by: Claude <noreply@anthropic.com>

* …brace-expansion, yaml) (#228)
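Two of the fixes above rely on npm `overrides` (handlebars ^4.7.9, path-to-regexp 8.4.1), and an override only helps if it reaches every installed copy, including nested ones under transitive dependencies such as the handlebars copy pulled in by ts-jest. The following is an added example, not code from this PR or its repository: a small Node script that walks a package-lock.json (lockfileVersion 3 layout assumed) and reports any installed copy of an overridden package whose version falls outside the override range. The lock data, the paths and the minimal `satisfies` helper (exact pins and `^` ranges with major >= 1 only) are constructed for illustration.

```javascript
// Added example: confirm that package.json "overrides" reached every installed
// copy of a package by reading package-lock.json (lockfileVersion 3 assumed).
// Not code from the PR; the lock data below is constructed for illustration.

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release tags are ignored.
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").map(Number);
}

// Minimal matcher for the two range shapes this release uses: an exact pin
// ("8.4.1") or a caret range ("^4.7.9", major >= 1). Use the semver package
// for anything richer than that.
function satisfies(installed, range) {
  const have = parseVersion(installed);
  if (range.startsWith("^")) {
    const want = parseVersion(range.slice(1));
    if (have[0] !== want[0]) return false;
    for (let i = 1; i < 3; i++) {
      if (have[i] !== want[i]) return have[i] > want[i];
    }
    return true;
  }
  return have.join(".") === parseVersion(range).join(".");
}

// "node_modules/ts-jest/node_modules/handlebars" -> "handlebars"
// (scoped names such as "@mikro-orm/core" survive intact).
function packageName(lockPath) {
  const idx = lockPath.lastIndexOf("node_modules/");
  return idx === -1 ? lockPath : lockPath.slice(idx + "node_modules/".length);
}

// Every installed copy of an overridden package whose version is outside the
// override range. Nested copies matter: one stale duplicate under a transitive
// dependency leaves the vulnerable code on disk even if the top-level copy is fixed.
function findOverrideViolations(lock, overrides) {
  const violations = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // root project entry, not a dependency
    const range = overrides[packageName(lockPath)];
    if (range && meta.version && !satisfies(meta.version, range)) {
      violations.push({ path: lockPath, version: meta.version, expected: range });
    }
  }
  return violations;
}

// Constructed sample: the overrides named in this release plus one stale nested copy.
const overrides = { handlebars: "^4.7.9", "path-to-regexp": "8.4.1" };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app" },
    "node_modules/handlebars": { version: "4.7.9" },
    "node_modules/path-to-regexp": { version: "8.4.1" },
    "node_modules/ts-jest/node_modules/handlebars": { version: "4.7.6" },
  },
};

const sampleViolations = findOverrideViolations(sampleLock, overrides);
console.log(sampleViolations.length ? sampleViolations : "all overrides effective");
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `overrides` with the `overrides` object from package.json; a non-empty result means `npm audit` may still report the advisory even though the override exists.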
y4nder added a commit that referenced this pull request on Mar 31, 2026
…ng (#229)

* FAC-99 fix: resolve critical @mikro-orm/core vulnerabilities (SQL injection + prototype pollution) #223
* FAC-100 fix: resolve critical handlebars vulnerabilities #224
* FAC-101 fix: resolve high severity path-to-regexp ReDoS in NestJS v11 packages
* FAC-102 feat: reshape pipeline status endpoint for frontend polling (#227)
* FAC-103 fix: resolve moderate dependency vulnerabilities (picomatch, brace-expansion, yaml) (#228)

Co-authored-by: Claude <noreply@anthropic.com>
y4nder added a commit that referenced this pull request on Mar 31, 2026
…ng (#229) (#230)
Summary

staging
@mikro-orm/core, handlebars, path-to-regexp, picomatch, brace-expansion, and yaml
Included work

Verification

npm run test -- src/modules/analysis/analysis.controller.spec.ts src/modules/analysis/services/pipeline-orchestrator.service.spec.ts
npm run build