#2259 feat: add modern dependency management and update frontend stru…#2260
Conversation
Summary of Changes
Hello @robfrank, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request significantly overhauls the ArcadeDB Studio frontend's dependency management and build process. It transitions to a modern npm/Webpack-based approach, integrates this into the existing Maven build, and establishes robust automated security and license compliance checks via GitHub Actions and Dependency Review. The changes aim to streamline development workflows, enhance security posture, and ensure build consistency.
Highlights
- Modernized Frontend Build: Introduced npm and Webpack for managing frontend dependencies and building assets in the `studio` module.
- Maven Integration: Integrated the Node.js/npm installation, dependency management, security audit, and Webpack build steps into the Maven lifecycle using the `frontend-maven-plugin`.
- Automated Dependency Updates: Configured Dependabot to automatically manage and group updates for Studio frontend dependencies, including specific rules for security-critical and build tools.
- Enhanced Security Auditing: Added a new GitHub Actions workflow (`studio-security-audit.yml`) and a custom script (`security-audit.sh`) to automate vulnerability checks (`npm audit`), outdated package checks, and license compliance validation.
- Dependency Review Configuration: Configured GitHub's Dependency Review action (`dependency-review-config.yml`) to enforce security policies (fail on moderate+ severity), define allowed/denied licenses, set minimum versions for critical packages, deny known malicious packages, and require review for significant changes.
- Dependency Management Configuration: Added `.npmrc` and `.nvmrc` files to standardize npm behavior and Node.js version, and updated `.gitignore` to exclude frontend build artifacts and dependency directories.
- Bootstrap 5 Update & Compatibility: Updated Bootstrap to version 5 and included compatibility shims in `index.html` for data attributes (`data-toggle` to `data-bs-toggle`, `data-dismiss` to `data-bs-dismiss`) and replaced `bootstrap-notify` with `notyf` for notifications.
Code Review
This pull request modernizes the ArcadeDB Studio frontend by introducing robust dependency management with npm, a comprehensive security auditing process, and integration into the Maven build lifecycle. Key additions include dependabot.yml for automated dependency updates, dependency-review-config.yml for security and license compliance, a detailed security-audit.sh script, and a webpack.config.js to manage frontend assets. The changes also update index.html to use these npm-managed dependencies and include compatibility shims for Bootstrap 5. Overall, these are excellent improvements for maintainability, security, and the development workflow. A few minor configuration conflicts and script details have been highlighted for potential refinement.
studio/package.json
Outdated
| "security-audit": "./scripts/security-audit.sh", | ||
| "build": "webpack --mode=production", | ||
| "dev": "webpack --mode=development --watch", | ||
| "clean": "rm -rf dist node_modules", |
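Review bot: the "security-audit" script on the first line of this hunk invokes `./scripts/security-audit.sh` directly, so it fails with "permission denied" whenever the executable bit is lost (a checkout on Windows, a copy through a tool that drops file modes); invoking it as `bash scripts/security-audit.sh` removes that dependence on the mode bit. The "clean" script's `rm -rf` likewise only works in a POSIX shell, so either a cross-platform remover declared in devDependencies or leaving cleanup to the Maven plugin is safer than relying on the developer's shell.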
The clean script uses rm -rf dist node_modules. The webpack.config.js outputs to src/main/resources/static/dist, and the pom.xml already handles cleaning node_modules and this webpack output directory. If the dist directory at the root of studio/ is no longer used, this part of the script might be unnecessary. Consider clarifying its purpose or removing the dist part if it's obsolete.
"clean": "rimraf src/main/resources/static/dist node_modules",
studio/package.json
Outdated
| "clean": "rm -rf dist node_modules", | ||
| "precommit": "npm run security-check && npm run build", | ||
| "prepare": "npm run security-check", | ||
| "version": "npm run security-check && npm run build && git add ." |
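Review bot: "prepare" runs automatically on every plain `npm install`, including the install the Maven plugin performs, so a failing `npm audit`, or simply no registry access, blocks dependency installation instead of just reporting; keeping the audit in the "security-audit" script and the CI workflow, and out of "prepare", avoids turning an advisory check into an install failure. Note also that npm does not run "precommit" on its own; it only fires if a git-hook manager is configured in the project, otherwise that line is dead weight and gives a false sense that commits are gated.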
The version script uses `git add .`. It's generally safer to explicitly add only the files that should be part of the version commit, such as package.json and package-lock.json. This prevents accidental inclusion of unrelated files.
"version": "npm run security-check && npm run build && git add package.json package-lock.json"
| if npm list license-checker &> /dev/null; then | ||
| npx license-checker --summary | ||
| else | ||
| echo "ℹ️ Install license-checker for license analysis: npm install -g license-checker" |
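Review bot: `npm list license-checker` on the first line only reports packages present in the project's local node_modules, so the global install the message on the last line recommends (`npm install -g license-checker`) would never satisfy that check and license analysis would silently keep being skipped. Declaring license-checker as a devDependency makes the `npm list` check pass and also means `npx license-checker` runs the version pinned in package-lock.json rather than fetching whatever the registry serves at run time.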
The script suggests npm install -g license-checker if license-checker is not found. For better project encapsulation, it's recommended to add license-checker as a devDependency in package.json and then run it using npx license-checker.
| echo "ℹ️ Install license-checker for license analysis: npm install -g license-checker" | |
| npm install -D license-checker |
This pull request introduces significant improvements to the dependency management, security auditing, and build processes for the ArcadeDB Studio frontend. Key changes include the addition of automated workflows for security checks, enhanced configuration files for dependency updates and reviews, and a comprehensive security audit script. These changes aim to streamline development, ensure compliance with security and licensing standards, and improve the overall stability of the project.
Dependency Management Enhancements:
- `.github/dependabot.yml`: Added high-priority dependency update rules for the Studio frontend, including grouping updates by type (e.g., security-critical, UI libraries, build tools) and limiting major version updates for stability.
- `studio/package.json`: Defined dependencies and devDependencies with updated versions, added scripts for auditing, building, and security checks, and specified minimum Node.js and npm versions.
Security Auditing Improvements:
- `.github/workflows/studio-security-audit.yml`: Introduced a new workflow to automate security audits for frontend dependencies, including `npm audit`, outdated package checks, and license compliance validation.
- `studio/scripts/security-audit.sh`: Added a comprehensive security audit script to check vulnerabilities, outdated dependencies, license compliance, and bundle sizes.
Licensing and Dependency Review:
- `.github/dependency-review-config.yml`: Configured dependency review rules to enforce security and licensing requirements, including allowed and denied licenses and package-specific rules.
Build Process Optimization:
- `studio/pom.xml`: Integrated the Frontend Maven Plugin to manage Node.js and npm installations, dependency installations, security audits, and webpack builds as part of the Maven lifecycle.
Miscellaneous Configuration Updates:
- `studio/.gitignore`: Updated to exclude common dependency directories, build outputs, logs, and temporary files.
- `studio/.npmrc`: Configured npm settings for security (`audit-level=moderate`) and performance (`prefer-offline=true`).
- `studio/.nvmrc`: Specified Node.js version 18.19.0 for consistency across environments.
Checklist
- `mvn clean package` command
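As an added example that is not part of PR #2260 or the ArcadeDB code base: a small Node script that applies the policy the summaries above describe (fail on moderate-or-higher `npm audit` findings, allowed and denied license lists) to the JSON output of `npm audit` and `license-checker`. The report shapes are assumed from npm 7+ and license-checker, the package names, license lists and findings are constructed sample data, and the SPDX handling covers only simple `OR`/`AND` expressions.

```javascript
// Added example, not part of PR #2260 or the ArcadeDB code base: a policy gate
// over `npm audit --json` (npm 7+ shape) and `license-checker --json` output,
// applying the PR's "fail on moderate+ severity" and allowed/denied-license rules.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Names of vulnerable packages whose severity is at or above `failLevel`.
function vulnerabilitiesAtOrAbove(auditReport, failLevel = "moderate") {
  const threshold = SEVERITY_RANK[failLevel];
  if (threshold === undefined) throw new Error(`unknown audit level: ${failLevel}`);
  return Object.values(auditReport.vulnerabilities || {})
    .filter((v) => SEVERITY_RANK[v.severity] >= threshold)
    .map((v) => `${v.name} (${v.severity}${v.isDirect ? ", direct" : ""})`)
    .sort();
}
// "name@version: LICENSE" entries that fail the policy. An SPDX "A OR B" passes
// if any alternative passes; "A AND B" passes only if every part passes.
function licenseViolations(licenseReport, { allowed, denied }) {
  const violations = [];
  for (const [pkg, info] of Object.entries(licenseReport)) {
    const expr = String(info.licenses || "UNKNOWN");
    const accepted = expr.replace(/[()]/g, "").split(/\s+OR\s+/).some((alt) =>
      alt.split(/\s+AND\s+/).every((id) => allowed.includes(id) && !denied.includes(id)));
    if (!accepted) violations.push(`${pkg}: ${expr}`);
  }
  return violations.sort();
}
// Combined verdict; a CI step would set a non-zero exit code when `ok` is false.
function gate(auditReport, licenseReport, policy) {
  const vulnerabilities = vulnerabilitiesAtOrAbove(auditReport, policy.failLevel);
  const licenses = licenseViolations(licenseReport, policy);
  return { ok: vulnerabilities.length === 0 && licenses.length === 0, vulnerabilities, licenses };
}
// Constructed sample data in the shape of the two tools' JSON output.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "example-parser": { name: "example-parser", severity: "high", isDirect: true },
    "example-util": { name: "example-util", severity: "low", isDirect: false },
    "example-dev": { name: "example-dev", severity: "moderate", isDirect: false },
  },
};
const SAMPLE_LICENSES = {
  "example-ui@5.3.0": { licenses: "MIT" },
  "example-icons@1.0.0": { licenses: "(MIT OR GPL-3.0)" },
  "example-chart@2.1.0": { licenses: "AGPL-3.0" },
  "example-mystery@0.1.0": { licenses: "UNKNOWN" },
};
const POLICY = { failLevel: "moderate", allowed: ["MIT", "Apache-2.0", "BSD-3-Clause", "ISC"], denied: ["AGPL-3.0", "GPL-3.0"] };
console.log(JSON.stringify(gate(SAMPLE_AUDIT, SAMPLE_LICENSES, POLICY), null, 2));
```

With the sample data the gate reports the high and moderate findings and the two license violations; the low finding and the dual-licensed package pass.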