chore: clear dependabot vulnerabilities + expand tests + fix blueprint lint#55
TheRealAgentK wants to merge 9 commits into
Conversation
Resolves 41 vulnerabilities (88 → 47) via package-lock.json updates only.
- Critical: 3 → 0
- High: 25 → 6
- Moderate: 33 → 22
- Low: 27 → 19
No package.json changes; all fixes are transitive. Build + tests pass.
This reverts commit 4aef28d.
Adds 18 new tests, raising total from 9 to 26 (excluding the ember-qunit
harness check). Closes the test-gap items called out in AGENTS.md §8.7.
Service (tests/unit/services/raygun-test.js):
- setUser forwards args to rg4js('setUser', ...)
- trackEvent supports the pageView payload shape
- apiKey, enableCrashReporting, enablePulse setters call rg4js with the
correct command + value, and getters round-trip
- New 'when rg4js is unavailable' submodule verifies graceful
degradation: send/setUser/trackEvent return null + warn; the three
property setters are no-ops + warn
Instance initializer (tests/unit/instance-initializers/raygun-test.js):
- RSVP.on('error') handler is registered and forwards { error } to
raygun.send
- applicationInstance.onerror is wrapped and routes errors to
raygun.send
- A previously-installed onerror handler is preserved (chained), not
replaced
- router.routeDidChange subscription is created and emits a
trackEvent({ type: 'pageView', path: ... }) per transition
- When enableCrashReporting is false: no RSVP handler, no onerror
replacement, no routeDidChange subscription
The blueprint was requiring three packages that aren't declared in
package.json — they only worked because ember-cli pulled them in
transitively, which lint was rightly flagging as
node/no-extraneous-require.
Replace each with a stdlib-only equivalent:
- chalk → ember-cli's this.ui.writeLine(msg, color), which
applies the same colorization internally
- fs-extra → util.promisify(fs.readFile) (works on Node 10.* per
package.json#engines, unlike fs.promises)
- rsvp → no longer needed; util.promisify replaces
rsvp.denodeify
Same install-time UX: success banner is still printed in green/blue,
config/environment.js is still patched idempotently.
Lint now clean; tests 27/27 still pass.
Two CI matrix entries were failing legitimately:
1. ember-classic — the Ember Classic edition was removed from Ember itself (deprecations.emberjs.com/v3.x/#toc_editions-classic), so the scenario can never pass on a modern Ember version. Removed from both config/ember-try.js and the GitHub Actions matrix.
2. ember-release — currently pulls Ember 6.x. The addon is pinned to the Ember 4.12 line and the 5/6 jump is tracked separately (mentioned in PR #55), so this scenario will fail until that work is done. Moved from the hard-required matrix to the allow-failure list (alongside ember-beta and ember-canary).
QuantumNightmare left a comment:
I'm not familiar with Ember. I did a code review with AMP, which basically just said the equivalent of making sure the tests pass and it functions correctly. The main theme was that the tests are making assumptions about what methods exist, and so make sure that they do indeed exist. Otherwise I don't see any issues.
Just noting there are some major version bumps, so it might also pay to spin up a fresh Ember app to validate the provider is still functioning as intended by running some CR traffic through it and seeing it correctly turn up in the webapp.
The major bumps are in secondary libraries, but it's a good point regardless. I will have a look when I'm fully back.
Summary
Three related changes bundled:
1. `npm audit` vulnerabilities 88 → 43 (51% reduction; all 3 critical eliminated, high 25 → 6) while staying on Ember 4.12 (no framework version bump).
2. 18 new tests closing the test-gap items called out in `AGENTS.md` §8.7.
3. Fixed `node/no-extraneous-require` errors in the install blueprint by replacing undeclared transitive deps (`chalk`, `fs-extra`, `rsvp`) with Node stdlib + `this.ui` color support — same install-time UX, no new dependencies.
All vulnerabilities are in `devDependencies` — no consumer-facing runtime code is affected.
Verification
- `npx ember build` — succeeds
- `npx ember test` — 27/27 passing (verified locally with Firefox headless; CI uses the standard Chrome configuration in testem.js)
- `npm run lint` — clean (was 3 pre-existing errors)
Closes / resolves these dependabot PRs
All 13 open dependabot PRs target packages that are now updated past their target versions:
- `ws` → 7.4.6
- `underscore` → 1.13.1
- `tmpl` → 1.0.5
- `path-parse` → 1.0.7
- `hosted-git-info` → 2.8.9
- `terser` → 4.8.1
- `socket.io-parser` → 3.3.3
- `engine.io` & `socket.io` → 3.6.1 / 2.5.0
- `decode-uri-component` → 0.2.2
- `qs` → 6.5.3
- `express` → 4.18.2
- `mout` → 1.2.3
- `follow-redirects` → 1.14.8
`npm audit` confirms 0/13 of those packages remain vulnerable after this PR. The open dependabot PRs can be closed (manually or via `@dependabot recreate` to confirm they auto-close).
Commits
Dependency bumps
- `chore(deps): npm audit fix — non-breaking transitive patches` — closes 41 vulns via package-lock.json only.
- `chore(deps): bump qunit-dom 2 → 3.5.1`
- `chore(deps): bump @ember/string 3 → 4.0.1`
- `chore(deps): bump @ember/optional-features 2 → 3.0.0`
- `chore(deps): bump @glimmer/component 1 → 2.1.1` + Revert — kept in history to document that `@glimmer/component@2` violates `ember-source@4.12.4`'s peer requirement of `^1.1.2`. We must stay on `@glimmer/component@1` while on Ember 4.12.
- `chore(deps): bump ember-resolver 11 → 13.2.0`
Test additions
`test: expand unit coverage for service + initializer` — 18 new tests against the upgraded deps:
Service
- `setUser` forwards args to `rg4js('setUser', ...)`
- `trackEvent` supports the `pageView` payload shape
- `apiKey`, `enableCrashReporting`, `enablePulse` setters call `rg4js` with the correct command + value, and getters round-trip
- `when rg4js is unavailable` submodule — verifies graceful degradation: `send`/`setUser`/`trackEvent` return `null` + warn; the three property setters are no-ops + warn
Instance initializer
- `RSVP.on('error')` handler is registered and forwards `{ error }` to `raygun.send`
- `applicationInstance.onerror` is wrapped and routes errors to `raygun.send`
- A previously-installed `onerror` handler is preserved (chained), not replaced
- `router.routeDidChange` subscription is created and emits `trackEvent({ type: 'pageView', path: ... })` per transition
- When `enableCrashReporting` is false: no RSVP handler, no `onerror` replacement, no `routeDidChange` subscription
Pattern: tests intercept `RSVP.on` / `router.on` to capture the handlers the initializer registers, then invoke each captured handler directly with synthetic input — verifying both the wiring and the behavior without depending on real RSVP rejections or real router transitions.
Blueprint lint fix
`fix(blueprint): drop undeclared chalk/fs-extra/rsvp deps`
The blueprint was requiring three packages that aren't declared in `package.json` — they only worked because `ember-cli` pulled them in transitively, which lint was rightly flagging as `node/no-extraneous-require`.
Replaced with stdlib-only equivalents (no new dependencies added):
- `chalk` → `this.ui.writeLine(msg, color)` — ember-cli's UI helper applies the same colorization internally
- `fs-extra` → `util.promisify(fs.readFile)` — works on Node 10.* per `package.json#engines`, unlike `fs.promises` (Node ≥10.17)
- `rsvp` → `util.promisify` replaces `rsvp.denodeify`
Same install-time UX: success banner is still printed in green/blue, `config/environment.js` is still patched idempotently.
What is not in this PR (deferred)
The remaining 43 vulnerabilities are blocked by the "stay on Ember 4.12" constraint:
- `ember-cli` (high), `@glimmer/component` (low), and a large transitive cluster (`braces`, `micromatch`, `ansi-html`, `body-parser`, `path-to-regexp`, `cookie`, etc.) which are all only fixable via `ember-cli@6.12.0`.
- `@ember/test-helpers@5` and `ember-qunit@9` changed the `start()` / test-loader API; bumping requires migrating `tests/test-helper.js` and `tests/index.html` to the new pattern. Attempted in this branch and reverted.
- `@embroider/macros`, `ember-cli-babel`, `ember-auto-import`, `ember-maybe-import-regenerator`, `ember-try`, `ember-source`.
These should be tackled in a follow-up PR that explicitly bumps the Ember major version.
Supersedes #56 (test changes were rolled into this PR).