fix(deps): security upgrades — 49→13 vulnerabilities + materialize-css removal#987
Merged
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…d-tools feat: rewrite separated tools system from jQuery to React components
…set) _makeHistogram renders inside the timeline slider which doesn't exist on mobile. Without it, _timelineStartTimestamp is NaN, causing 'Invalid time value' RangeError at toISOString().
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…nel height
- TimeUI.js attachEvents: use _initialStart/_initialEnd on mobile (same as desktop) instead of L_.TimeControl_ which isn't set yet at init time. Fixes 'Invalid date' in start/end time inputs.
- TimeUI.js fina: set expanded=true on mobile and call _populateExpandedRows() so year/month/day/hour rows actually render. Removed position:absolute and pointer-events:none overrides.
- Toolbar.jsx: set tool panel height to 217px (TimeUI.height) instead of 45% viewport — matches actual TimeUI content height.
- UserInterfaceMobile_.css: expanded content flows naturally (position:relative), hide start time inputs, allow overflow scroll, flex-wrap topbar.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Add justify-content: center to #mmgisTimeUIMain on mobile
- Remove border-bottom: none override so toolbar keeps its default border
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…fset
- #timeUI overflow-y: hidden (was auto, causing 2px scroll)
- Scalebar/compass/map controls stay at fixed 40px offset (above toolbar) regardless of tool panel state — no longer shift up by pxIsTools
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Restructure AGENTS.md from 745 lines to 106 lines (Tier 1: essential context)
- Create knowledge/ directory with 30+ wiki-style documentation files (Tier 2: deep knowledge)
- Create knowledge/reference/ with 8 detailed reference files (Tier 3: lookup material)
- Move AI-GETTING-STARTED.md and AI-DEVELOPMENT.md to knowledge/
- Update all file references in .specify/templates and blueprints
- Create knowledge/README.md as the full knowledge base index
- Create knowledge/reference/README.md as reference material index
Three-tier knowledge discovery system:
Tier 1: AGENTS.md (~106 lines) - scannable in <2 minutes
Tier 2: knowledge/*.md - deep knowledge on architecture, tools, APIs, DB, infra
Tier 3: knowledge/reference/*.md - coding conventions, API reference, troubleshooting
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…gnment
- All mobile toolbar buttons (ToolButton, MobileCoordButton, MobileTimeUIToggle) now use display:flex with align-items/justify-content center for proper vertical icon centering
- MobileCoordButton: changed 'active' class to 'toolButtonActive' to match the global CSS active style (color-mmgis + color-i background)
- Removed inline color overrides so CSS .toolButtonActive takes effect
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
Include curated lessons learned from past Devin sessions:
- CI/CD: ignore build-arm64/amd64 failures, focus on required checks
- Child sessions: no separate PRs when consolidating
- ENV triple-update rule (.env, sample.env, ENVs.md)
- Error handling: use logger with infrastructure_error for fatal startup errors
- Path traversal security: stay within /Missions, handle subpath serving
- Database initialization architecture and migration patterns
- API authentication behavior across AUTH modes
- Auto-generated MMGIS concept index
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…ation
- Active toolbar buttons get desktop-matching margin (1px 0) and border-radius (8px) via .toolButton.toolButtonActive CSS rule
- Removed line-height: 40px from .toolButton (flex centering handles vertical alignment, line-height was pushing icons up)
- MobileCoordButton now watches activeToolName store and deactivates when another tool opens (fixes coords staying active)
- MobileTimeUIToggle sets activeToolName='MobileTimeUI' when opening so coords/other buttons can detect it and deactivate
- MobileTimeUIToggle clears activeToolName when closing
- Both custom buttons skip self-deactivation via name check
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…vin knowledge notes
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- #toolbar .toolButton i: height 40px fixes icon vertical alignment
- #toolbar .toolButton: margin 0 2px gives spacing between buttons
- #toolbar .toolButton.toolButtonActive: margin 1px 2px so active background has visual padding around the icon
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…ntion Dot-prefix signals agent infrastructure (not source code), consistent with .specify/, .github/, .vscode/ conventions. All cross-references updated.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…height
- Coord and TimeUI button <i> icons get line-height: 40px
- Active buttons: height 34px (vs 40px toolbar) creates visual padding around the active background, centered by flex align-items
- Buttons get margin: 0 1px for horizontal spacing
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…/TimeUI
- MobileCoordButton: call closeActiveTool() before opening, destroy _pendingCloseTool if set, increment _closeSeq to cancel deferred tools.innerHTML clear
- MobileTimeUIToggle: same _pendingCloseTool + _closeSeq fix after closeActiveTool() to prevent 420ms deferred cleanup from wiping #timeUI after it's placed in #tools
- Removed redundant closeActiveTool() from MobileCoordButton close path (was being called after destroy, not needed)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
Remove 33 wiki files that duplicate docs/pages/ content. Remove 9 reference/ files derivable from source code. Keep only 5 files (down from 46):
- AI-GETTING-STARTED.md (agent setup walkthrough)
- AI-DEVELOPMENT.md (spec-kit workflow)
- conventions-and-gotchas.md (naming, code style, common issues)
- 12-devin-knowledge-notes.md (CI, auth, DB init, security gotchas)
- README.md (index pointing to docs/pages/ for everything else)
Principle: don't duplicate docs/ — only keep what's uniquely agent-optimized.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
… CI section
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…sktop)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
… project structure
- Important Instructions in AGENTS.md: MCP tools, hot-reload, Reference Mission
- .knowledge/code-patterns.md: full directory tree with key directory annotations, plus copy-paste templates for Express routes, Sequelize models, Tool plugins, and WebSocket handlers
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
fix: mobile UI improvements — menu, panel toggles, toolbar, scalebar, TimeUI
Add missing directories: tests/, .knowledge/, .specify/, .github/, views/, private/, spice/, build/, examples/, scripts/middleware.js. Both abbreviated (AGENTS.md) and detailed (.knowledge/code-patterns.md) trees now match the actual repo layout.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…plates API/Backend/ uses feature-domain modules (Draw/, Users/, Config/, etc.) with setup.js + routes/ + models/ per feature — not APIs/ or Databases/. Frontend essence/ has Components/, Helpers/, LandingPage/, mmgisAPI/, services/ — not Ancillary/. Basics/ includes all singletons (Globe_, Formulae_, ToolController_, Viewer_, ComponentController_, Test_). Code templates updated to match actual patterns (setup.js, module.exports).
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Sanitize.js: add ul, li tags and id attribute to allowlist for IdentifierTool cursor info compatibility
- users.js: remove token-reauth bypass from authLimiter to prevent crafted-cookie abuse; rate limit applies to all /login requests
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
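The authLimiter point above, as an added illustration written here (not MMGIS's users.js): a minimal fixed-window login limiter with a skip predicate that trusts a client-set cookie, beside the variant that counts every /login request. The function names, the limit and window values, the "reauth" cookie name and the client IP are all assumptions.

```javascript
// Added example, not MMGIS's own users.js: a minimal fixed-window limiter for /login.
// LOGIN_LIMIT, WINDOW_MS, the "reauth" cookie and the client IP below are assumptions.
const LOGIN_LIMIT = 5;               // attempts allowed per client per window
const WINDOW_MS = 15 * 60 * 1000;    // 15-minute window

// skip(req) decides whether a request bypasses the limiter entirely; `now` is injectable.
function makeLoginLimiter({ skip = () => false, now = Date.now } = {}) {
  const hits = new Map(); // client IP -> { count, windowStart }
  return function check(req) {
    if (skip(req)) return { allowed: true, counted: false };
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t - entry.windowStart >= WINDOW_MS) {
      entry = { count: 0, windowStart: t };   // fresh window for this client
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    return { allowed: entry.count <= LOGIN_LIMIT, counted: true };
  };
}

// Weak variant: the skip predicate trusts a cookie the client itself controls, so a
// request carrying it is never counted and the limit no longer protects /login.
const weakLimiter = makeLoginLimiter({ skip: (req) => req.cookies?.reauth === "1" });

// Hardened variant: no skip at all; every /login request counts against the window.
const strictLimiter = makeLoginLimiter();

// Send `n` login attempts from one constructed client (documentation IP 203.0.113.7)
// and return how many the limiter let through.
function countAllowed(limiter, n, cookies = {}) {
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter({ ip: "203.0.113.7", path: "/login", cookies }).allowed) allowed += 1;
  }
  return allowed;
}
```

With the cookie present the weak limiter admits all 20 attempts, while the strict one admits only LOGIN_LIMIT of them.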
Renamed .test.js to .spec.js (matches testMatch pattern) and converted from plain Node script to Playwright test.describe/test structure so it runs via npm test like all other tests.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
loginIfRequired now skips login for both AUTH=off and AUTH=none, preventing timeout when no login form is rendered.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
The control character regex now excludes \n (0x0A), \r (0x0D), and \t (0x09) so stack traces and multi-line messages remain readable in development mode.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
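As an added illustration of that regex change (my code, not the project's logger): the over-broad pattern that also removed the three whitespace controls, beside the corrected one, run over a constructed two-line stack trace. Function names and the inclusion of DEL (0x7F) are assumptions.

```javascript
// Added example, not MMGIS's logger code. Both patterns strip C0 control characters
// (plus DEL 0x7F, an assumption), which keeps terminal escape sequences (ESC 0x1B) and
// NUL bytes out of log output; only the second keeps the whitespace needed to read it.
const STRIP_ALL_CONTROL = /[\x00-\x1F\x7F]/g;                      // before: also ate \t \n \r
const STRIP_CONTROL_KEEP_WS = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g; // after: keeps 0x09 0x0A 0x0D

function sanitizeLogMessageBefore(message) {
  return String(message).replace(STRIP_ALL_CONTROL, "");
}

function sanitizeLogMessage(message) {
  return String(message).replace(STRIP_CONTROL_KEEP_WS, "");
}

// Format an Error for a development log entry: use its multi-line stack, then sanitize.
function formatErrorForLog(err) {
  const text = err instanceof Error && err.stack ? err.stack : String(err);
  return sanitizeLogMessage(text);
}

// True when no disallowed control character survived sanitization.
function isClean(text) {
  return !/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/.test(text);
}

// Constructed sample: a two-line stack trace with an injected ANSI colour escape and a NUL.
const SAMPLE = "Error: boom\n\tat handler (app.js:12)\u001b[31m\u0000 hidden";
```

The old pattern collapses the sample onto one line ("Error: boomat handler ..."); the new one keeps the newline and tab while still dropping ESC and NUL.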
fix(security): apply 7 Sonar security recommendations with TDD
AJAX callbacks fired by makeLayers → captureVector → $.getJSON can resolve and access L_.Map_.map.getZoom() while L_.Map_ is still null because L_.fina() hasn't run yet. Setting L_.Map_ = this immediately before the makeLayers call ensures the Leaflet map instance is available to any callback. L_.fina() will still reassign to the same value later, so there is no conflict.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
fix(map): expose L_.Map_ before makeLayers to prevent race condition
Security upgrades:
- sequelize ^6.33.0 → ^6.37.8 (HIGH — SQL injection CVE-2026-30951)
- sharp ^0.31.2 → ^0.33.0 (HIGH — libwebp heap buffer overflow GHSA-54xq-cgqr-rpm3)
- requests 2.32.3 → 2.33.0 (MODERATE — credential leak + insecure temp-file)
Dev-tool security upgrade:
- webpack-dev-server 4.15.2 → ^5.2.1 (MODERATE — dev-only CVEs)
- Migrated 'https' config to 'server' option for v5 compatibility
Deprecated package removal:
- Removed turf ^3.0.14, migrated DrawTool imports to @turf/turf ^6.5.0
- DrawTool.js: removed unused turf import
- DrawTool_Drawing.js: merged turf + @turf/turf imports into single @turf/turf
- DrawTool_Editing.js: migrated import to @turf/turf
- Functions used (bbox, difference) are API-compatible in @turf/turf v6
Added TDD test coverage:
- tests/unit/dependency-upgrades.spec.js (11 tests)
- tests/e2e/api/dependency-upgrades.spec.js (7 tests)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
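The 'https' → 'server' migration named above, as an added example that is not MMGIS's webpack config: a helper that rewrites a webpack-dev-server 4 devServer block into the v5 shape for each form the old `https` option could take. The helper name, port and certificate placeholders are assumptions.

```javascript
// Added example, not MMGIS's own webpack config. webpack-dev-server 5 removed the
// `devServer.https` option; TLS is configured through `devServer.server` instead:
//   v4: { https: true }           -> v5: { server: { type: "https" } }
//   v4: { https: { key, cert } }  -> v5: { server: { type: "https", options: { key, cert } } }
//   v4: { https: false }          -> v5: plain HTTP, no `server` key needed
function migrateDevServerHttps(devServer) {
  const { https, ...rest } = devServer;
  if (https === undefined) return devServer;        // nothing to migrate
  if (https === false) return rest;                 // explicit HTTP: just drop the key
  const server = https === true
    ? { type: "https" }                             // v5 generates a self-signed cert
    : { type: "https", options: { ...https } };     // key/cert/ca/passphrase carry over
  return { ...rest, server };
}

// Constructed v4-style config; the certificate values are placeholders, not project files.
const devServerV4 = {
  port: 8443,
  https: { key: "<contents of dev.key>", cert: "<contents of dev.crt>" },
};
const devServerV5 = migrateDevServerHttps(devServerV4);

module.exports = { devServer: devServerV5, migrateDevServerHttps };
```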
Turf import changes:
- DrawTool_Drawing.js: import { bbox as turfBbox, difference as turfDifference }
- DrawTool_Editing.js: import { bbox as turfBbox }
- Updated all call sites to use named imports instead of namespace
Test reorganization (first-class additions to test suite):
- tests/unit/sequelize.spec.js — Sequelize ORM module tests
- tests/unit/sharp.spec.js — Sharp image processing tests
- tests/unit/turf.spec.js — @turf/turf geometry function tests
- tests/e2e/api/sequelize-orm.spec.js — Sequelize-backed API endpoint tests
- tests/e2e/api/sharp-imaging.spec.js — Sharp tile compositing middleware tests
- tests/e2e/tools/draw-turf-geometry.spec.js — Draw tool turf geometry tests
Also fixed detect-secrets false positive (removed postgres:// URL from test)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
Direct dependency upgrades:
- react-pdf ^7.7.3 → ^10.4.1 (HIGH — pdfjs-dist JS execution vuln)
- Updated PDFViewer.js worker path: .js → .mjs (react-pdf 9+ change)
- Added new pdfjs 5.x worker file (pdf.worker.min.mjs)
- uuid ^9.0.0 → ^11.1.1 (MODERATE — buffer bounds check)
- Verified CJS require pattern still works with v11
- ws 8.18.3 → ~8.21.0 (MODERATE — memory disclosure)
npm overrides for transitive dependencies:
- protobufjs ^7.5.8 (was CRITICAL — 9 advisories incl. arbitrary code exec)
- @babel/plugin-transform-modules-systemjs ^7.29.0 (HIGH — malicious input)
- braces ^3.0.3, micromatch ^4.0.8, picomatch ^2.3.2 (HIGH — ReDoS)
- lodash ^4.17.24 (HIGH — prototype pollution)
- serialize-javascript ^7.0.3 (HIGH — RCE)
- minimatch ^3.1.4, brace-expansion ^1.1.13 (HIGH/MODERATE — ReDoS)
- follow-redirects ^1.15.12 (MODERATE — credential leak)
- postcss ^8.5.10, svgo ^3.3.3, yaml ^2.8.3 (MODERATE)
- dottie ^2.0.7, diff ^4.0.4, qs ^6.15.2, underscore ^1.13.8
- elliptic ^6.6.1, ajv ^6.14.0/^8.18.0
Remaining 14 vulns are all NO FIX available:
- html2pug/html-minifier (skipped per plan)
- materialize-css, showdown (abandoned upstream)
- georaster/georaster-stack cluster (bundled webpack 4, 10 LOW)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Remove materialize-css dependency (abandoned, 4 moderate XSS vulns)
- Upgrade @base-ui-components/react (deprecated) → @base-ui/react ^1.5.0
- Rewrite Toast.js to use base-ui global toast manager pattern
- Add ToastRenderer.jsx with inline styles (viewport + toast variants)
- Add toastManager.js singleton for imperative Toast API
- Migrate raw M.toast() calls in essence.js (WebSocket toasts)
- Migrate raw M.toast() calls in TimeUI.js (5 error toasts)
- Update base-ui import paths in Button, IconButton, Modal components
- Update attributions.js (Materialize → Base UI)
- Remove toast CSS from mmgisUI.css (now inline in ToastRenderer)
Vulnerability count: 14 → 13 (materialize-css XSS vulns eliminated)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Remove separate toastManager.js — export toastManager from Toast.js
- Fix TimeUI.js import: 4 levels up → 3 levels up (correct relative path)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Fix dismissAll: track active IDs in a Set (toastManager.toasts is not accessible outside React context)
- Move viewport from bottom to top-center
- Reduce font size to 13px, tighter padding
- Ensure variant border-left color renders via inline style
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
- Render Toast.Title as <span> instead of default <h2> (fixes oversized text)
- Read toast.type instead of toast.data?.type (fixes variant borders never showing)
- Use 'timeout' instead of 'duration' (correct base-ui API field name)
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
Enter: fade in + ease down from -12px
Exit: fade out + ease down to +12px
Uses base-ui data-starting-style/data-ending-style attributes
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
Schedule cleanup of each toast ID after its timeout + 500ms buffer. Consolidate add logic into shared addToast() helper.
Co-Authored-By: tariq.k.soliman <tariqksoliman@gmail.com>
…pgrades fix(deps): security upgrades — 49→13 vulnerabilities + materialize-css removal
With Devin: JPL-Devin#86
Purpose
Remove materialize-css (4 moderate XSS vulns) by migrating Toast to @base-ui/react.
Proposed Changes
Commit 1: 5 core dependency security upgrades (TDD verified)
- sequelize ^6.33.0 → ^6.37.8 (CVE-2026-30951 SQL injection)
- sharp ^0.31.2 → ^0.33.0 (GHSA-54xq-cgqr-rpm3 libwebp heap buffer overflow)
- requests 2.32.3 → 2.33.0 in python-environment.yml (credential leak + insecure temp-file)
- webpack-dev-server 4.15.2 → ^5.2.1 (dev-only CVEs, https → server config migration)
- Remove turf@^3.0.14, migrate 3 DrawTool files to @turf/turf@^6.5.0 with targeted named imports
Commit 2: Test restructuring + turf import cleanup
- tests/unit/sequelize.spec.js, tests/unit/sharp.spec.js, tests/unit/turf.spec.js
- tests/e2e/api/sequelize-orm.spec.js, tests/e2e/api/sharp-imaging.spec.js, tests/e2e/tools/draw-turf-geometry.spec.js
- import * as turf → targeted named imports (bbox, difference)
Commit 3: 35 additional vulnerability fixes
- react-pdf ^7.7.3 → ^10.4.1 (HIGH — pdfjs-dist JS execution vuln)
- PDFViewer.js worker path: .js → .mjs
- Added worker file (public/workers/pdf.worker.min.mjs)
- uuid ^9.0.0 → ^11.1.1 (MODERATE — buffer bounds check)
- ws 8.18.3 → ~8.21.0 (MODERATE — memory disclosure)
- npm overrides for 20 transitive dependencies:
  - protobufjs ^7.5.8 (arbitrary code execution — 9 advisories)
  - @babel/plugin-transform-modules-systemjs ^7.29.0, braces ^3.0.3, micromatch ^4.0.8, picomatch ^2.3.2, lodash ^4.17.24, serialize-javascript ^7.0.3, minimatch ^3.1.4, brace-expansion ^1.1.13, underscore ^1.13.8, svgo ^3.3.3
  - follow-redirects ^1.15.12, postcss ^8.5.10, ajv ^6.14.0/^8.18.0, dottie ^2.0.7, yaml ^2.8.3, qs ^6.15.2, diff ^4.0.4, elliptic ^6.6.1
Commit 4: Replace materialize-css with base-ui Toast
- Removed materialize-css (abandoned/archived, 4 moderate XSS vulns)
- @base-ui-components/react (deprecated) → @base-ui/react ^1.5.0
- ToastRenderer.jsx — base-ui Toast viewport with inline styles
- toastManager.js — global toast manager singleton for imperative API
- Toast.js — rewritten to use base-ui toastManager.add() instead of M.toast()
- essence.js — WebSocket toasts migrated from M.toast() → Toast.error()/Toast.dismissAll()
- TimeUI.js — 5 error toasts migrated from M.toast() → Toast.error()
- Button.jsx, IconButton.jsx, Modal.jsx — import paths updated for package rename
- attributions.js — Materialize attribution replaced with Base UI
- mmgisUI.css — toast CSS removed (now inline in ToastRenderer)
Remaining 13 vulnerabilities (all NO FIX available)
- html2pug/html-minifier (2 HIGH) — skipped per plan
- showdown (1 MODERATE) — ReDoS, no upstream fix
- georaster/georaster-stack cluster (10 LOW) — bundles webpack 4 internally
Issues
Testing
- Unit tests: PLAYWRIGHT_TEST_UNIT_ONLY=true npx playwright test tests/unit
- CI tests: PLAYWRIGHT_TEST_UNIT_ONLY=true npx playwright test tests/ci