
chore: configuration updates#492

Merged
petermasking merged 7 commits into
mainfrom
491-configuration-updates
Jun 10, 2026

Conversation

@basmasking

Member

Fixes #491

Changes proposed in this pull request:

  • social domain config updates
  • workflow actions fixed to SHA
  • dependency updates
  • vite dependency dedupes

@MaskingTechnology/comify

@basmasking basmasking requested a review from petermasking as a code owner June 10, 2026 11:44
@basmasking basmasking linked an issue Jun 10, 2026 that may be closed by this pull request
@coderabbitai

coderabbitai Bot commented Jun 10, 2026



ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 359c4c16-4c90-4379-93dc-8032901768b0

📥 Commits

Reviewing files that changed from the base of the PR and between e79134e and 229ffe6.

📒 Files selected for processing (2)
  • .github/workflows/codeql.yml
  • .github/workflows/nodejsci.yml

Walkthrough

Infrastructure and configuration updates: CI actions pinned to commit SHAs, Dependabot adds an npm cooldown, package.json dependency specifiers moved to caret ranges, Vite configs deduplicate React, per-app tsconfigs add vite/client types while vite-env.d.ts references were removed, and OpenID redirect paths updated to social routes.

Changes

Infrastructure Configuration and Dependency Updates

  • Package dependency versioning and management (package.json): Dependencies/devDependencies moved to caret (^) ranges with bumps (e.g., react/react-dom, react-router-dom, vite-tsconfig-paths, cpx2); overrides and allowScripts entries adjusted; script layout reformatted.
  • GitHub Actions workflow pinning (.github/workflows/codeql.yml, .github/workflows/nodejsci.yml): Pins actions/checkout to v6.0.3, actions/setup-node to v6.4.0, and github/codeql-action/* to v4.36.2 via commit SHAs instead of floating @v* tags.
  • Dependabot configuration (.github/dependabot.yml): Adds GitHub Actions and npm ("jitar") monthly update sections; npm updates include a cooldown policy (default-days: 4) and retain existing commit-message and branch-name settings.
  • Vite build configuration for React deduplication (development/insights/app/vite.config.ts, development/moderation/app/vite.config.ts, development/social/app/vite.config.ts): Each Vite config adds resolve.dedupe for react and react-dom to avoid duplicate module resolution in builds.
  • Authentication and deployment path updates (deployment/docker/keycloak/comify-realm.json, example.env): OpenID client redirect URIs and OPENID_REDIRECT_PATH changed to /rpc/social/domain/authentication/login.
  • Per-app TypeScript Vite types & env (development/*/app/tsconfig.json, development/*/app/vite-env.d.ts, .npmrc): Per-app tsconfig.json now includes compilerOptions.types: ["vite/client"]; corresponding vite-env.d.ts triple-slash references removed; .npmrc min-release-age changed from 4 to 2.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

dependencies, javascript

Suggested reviewers

  • petermasking

Poem

🐰 A rabbit nudges configs, neat and small,
Pins CI steps and tames Dependabot's call,
React deduped across each dev app,
Types aligned and redirects on the map,
Hopping off—builds run smooth for all.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

  • Title check (❓ Inconclusive): The title 'chore: configuration updates' is vague and generic, using non-descriptive terms that don't convey the specific nature of the changeset beyond indicating it's maintenance work. Resolution: Consider a more specific title that highlights the main change, such as 'chore: pin GitHub Actions to specific SHAs and update dependencies' or 'chore: update social domain configuration and Vite setup'.
  • Linked Issues check (❓ Inconclusive): The linked issue #491 lacks specific coding requirements, making it impossible to validate whether code changes meet the primary objectives. Resolution: Ensure the linked issue contains detailed technical requirements or acceptance criteria so compliance can be properly assessed.

✅ Passed checks (3 passed)

  • Description check (✅ Passed): The pull request description follows the template structure and provides a concise summary of changes, though details are minimal for some items.
  • Out of Scope Changes check (✅ Passed): All changes appear related to configuration, dependencies, and workflows mentioned in the PR description, with no evident out-of-scope modifications detected.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In @.github/dependabot.yml:
- Around line 23-24: The current Dependabot config sets a 4-day cooldown ("cooldown: default-days: 4") combined with "open-pull-requests-limit: 1", which can delay critical security patches; update the config or repo processes to ensure timely security fixes by either lowering "default-days" (e.g., to 0–1), adding documentation that critical/security updates are manually expedited, and/or verifying Dependabot security alerts bypass the cooldown behavior; locate and change the "cooldown: default-days: 4" entry (and consider adjusting "open-pull-requests-limit: 1") and add a short note in your security/operations docs describing the manual escalation path if Dependabot’s default behavior does not bypass the cooldown.

In @.github/workflows/codeql.yml:
- Line 40: The comments next to the SHA-pinned actions are incorrect: update the comment for the uses entry "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" so the tag comment matches that SHA (or replace the SHA with the intended tag v6.0.3), and likewise update both uses entries "github/codeql-action@8aad20d150bbac5944a9f9d289da16a4b0d87c1e" (the init and analyze steps) so their comment matches the actual SHA (or repin them to the intended tag v4.36.2); ensure each uses line's trailing comment correctly reflects the version/tag that corresponds to the pinned SHA.

In @.github/workflows/nodejsci.yml:
- Line 17: The checkout step using "uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10" should disable credential persistence to prevent token exfiltration; update the checkout step to include the input "persist-credentials: false" (as a sibling to the uses key) so the GitHub token is not written to .git/config during npm ci/build/test.

In @package.json:
- Line 45: The package.json bump to "react-router-dom": "^7.17.0" may be low risk but you should proactively scan routing configuration and usages for any soon-to-be-deprecated flags or warnings (especially any "future/*" options); search the codebase for react-router-dom imports (e.g., BrowserRouter, MemoryRouter, createBrowserRouter, createRoutesFromElements, useRoutes, Route components and any runtime router config) and run the app/tests to catch console warnings, then remove or replace any "future/*" or deprecated options and update call signatures to match v7.17.0 before merging.
- Line 87: The dependency upgrade to "vite-tsconfig-paths" from 5.1.4 → ^6.1.1 may change rooted-path alias behavior and JSON import-guard semantics; run a quick Vite/Vitest smoke check to verify that tsconfig "paths" (especially "^/*" and "@comify/common/*") resolve correctly in dev/build/test. If alias resolution breaks, either pin "vite-tsconfig-paths" back to 5.1.4 in package.json or update Vite config (resolve.alias/plugin options) to restore previous behavior; adjust tests and any import statements accordingly and re-run Vitest until all import-alias-based tests pass. Ensure Node/Vite versions meet v6 requirements (Node>=18, Vite>=5) before accepting the upgrade.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e23d4afa-498f-4c37-9249-86486b9bbb96

📥 Commits

Reviewing files that changed from the base of the PR and between e93a1ee and 90e7b60.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (9)
  • .github/dependabot.yml
  • .github/workflows/codeql.yml
  • .github/workflows/nodejsci.yml
  • deployment/docker/keycloak/comify-realm.json
  • development/insights/app/vite.config.ts
  • development/moderation/app/vite.config.ts
  • development/social/app/vite.config.ts
  • example.env
  • package.json

Comment thread .github/dependabot.yml
Comment on lines +23 to +24
cooldown:
default-days: 4
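Review bot: `default-days: 4` is now out of step with the `.npmrc` `min-release-age`, which this same PR lowers from 4 to 2; both values gate how old a release must be before the project takes it, so a maintainer reading one file cannot tell why Dependabot waits two days longer than `npm install` does. Either align the two numbers or add a one-line comment above `cooldown:` naming the reason and which of the two thresholds is authoritative, so the next change to one does not silently diverge from the other.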


⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff

Consider security implications of the 4-day cooldown period.

The cooldown policy delays follow-up dependency update PRs by 4 days after a merge. Combined with open-pull-requests-limit: 1, this significantly throttles updates. While this reduces PR noise, it may delay critical security patches by up to 4 days, potentially leaving the system exposed to known vulnerabilities.

Consider either:

  • Reducing the cooldown period for faster security response
  • Documenting that critical security updates should be manually expedited
  • Verifying that Dependabot security alerts bypass the cooldown (behavior may vary)

Comment thread .github/workflows/codeql.yml
Comment thread .github/workflows/nodejsci.yml Outdated
Comment thread package.json
Comment thread package.json
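As an added example (not code from this PR or the comify project), a small Python checker for the two workflow hardening points the review raises: every `uses:` pinned to a full commit SHA with a trailing tag comment, and `persist-credentials: false` on checkout steps. The regexes, the line-based step grouping and the sample workflow fragment (with a placeholder SHA) are assumptions made for this example.

```python
import re

# "uses: owner/repo[/path]@ref" with an optional trailing "# vX.Y.Z" comment on the same line.
USES_RE = re.compile(r"uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
PERSIST_RE = re.compile(r"persist-credentials:\s*(\S+)")

def split_steps(text):
    """Group lines into YAML list items ('- uses: ...' plus its nested keys); line-based on purpose so no YAML library is needed."""
    steps, current, indent = [], None, None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.lstrip()
        if not stripped or stripped.startswith("#"):
            continue
        depth = len(line) - len(stripped)
        if stripped.startswith("- "):
            current, indent = [(no, stripped[2:])], depth
            steps.append(current)
        elif current is not None and depth > indent:
            current.append((no, stripped))
        else:
            current = None  # a mapping key at or above the item's depth ends the item
    return steps

def lint_workflow(text):
    """Return (line, action, problem) tuples: unpinned actions, SHA pins without the tag comment a reviewer needs, and checkout steps that leave the token in .git/config."""
    findings = []
    for step in split_steps(text):
        uses = next(((no, USES_RE.search(s)) for no, s in step if USES_RE.search(s)), None)
        if uses is None:
            continue  # not an action step (e.g. a 'run:' step or an unrelated list)
        no, m = uses
        persist = [PERSIST_RE.search(s).group(1).lower() for _, s in step if PERSIST_RE.search(s)]
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append((no, action, f"not pinned to a full commit SHA (got '{ref}')"))
        elif not comment:
            findings.append((no, action, "SHA pin has no trailing '# vX.Y.Z' tag comment"))
        if action == "actions/checkout" and persist != ["false"]:
            findings.append((no, action, "persist-credentials is not set to false"))
    return findings

# Constructed sample modelled on the workflows this PR touches; the SHA below is a placeholder, not a real pin.
SAMPLE = """\
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
    with:
      persist-credentials: false
  - uses: actions/setup-node@v6
  - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567
"""
```

Whether a tag comment actually corresponds to the pinned SHA still needs a lookup against the action's repository; this check only catches the unpinned, uncommented and credential-persisting cases.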
@sonarqubecloud


Quality Gate failed

Failed conditions
7.5% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@petermasking petermasking merged commit 27fc8d1 into main Jun 10, 2026
6 of 7 checks passed
@petermasking petermasking deleted the 491-configuration-updates branch June 10, 2026 13:55