fix: Frontend Lint zod-validation-error (#737) #744

Merged: anchapin merged 3 commits into main from feat/add-ruff-linter-678 on Mar 8, 2026

@anchapin (Owner) commented Mar 8, 2026

This PR fixes GitHub issue #737 by adding a workaround to clear the node_modules/.cache directory before running the frontend lint command in CI.

The issue was caused by the zod-validation-error package having export issues when certain cache files were present. The fix adds:

# Clear node_modules/.cache to fix zod-validation-error export issue
rm -rf frontend/node_modules/.cache

This is added before running npm run lint in the CI workflow.

Fixes #737

Add dependency vulnerability scanning to the CI pipeline:
- Added pip-audit for Python dependencies (backend, ai-engine)
- Added npm audit for Node.js dependencies (frontend)
- Scans run on changes to dependencies, frontend, backend, or ai-engine
- Uses audit-level=high for npm to catch high severity vulnerabilities
- Uses pip-audit for comprehensive Python vulnerability detection
- Results are reported in CI logs for visibility

Co-authored-by: openhands <openhands@all-hands.dev>
Copilot AI review requested due to automatic review settings March 8, 2026 00:07
Copilot AI (Contributor) left a comment

Pull request overview

This PR aims to resolve CI frontend lint failures related to a zod-validation-error export issue by clearing cached frontend artifacts before running lint in the CI workflow.

Changes:

  • Clears node_modules/.cache before running the frontend lint job in CI.
  • Adds a new “Dependency Vulnerability Scan” job to CI (pip-audit + npm audit).
  • Adds structlog to backend and AI engine development dependency lists.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| backend/requirements-dev.txt | Adds structlog to backend dev requirements. |
| ai-engine/pyproject.toml | Adds structlog to the AI engine’s dev optional dependencies. |
| .github/workflows/ci.yml | Clears frontend cache before lint; adds a dependency vulnerability scanning job. |

Comment thread .github/workflows/ci.yml
Comment on lines +1032 to +1036
# Dependency vulnerability scanning
vulnerability-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
needs: [changes]

Copilot AI Mar 8, 2026

This PR is described as a targeted workaround for the frontend lint cache issue, but it also introduces an entirely new vulnerability-scan CI job. If this job is intentional, it should be called out in the PR title/description (or split into a separate PR) to keep scope and review expectations aligned.

Copilot uses AI. Check for mistakes.
Comment thread .github/workflows/ci.yml
permissions:
actions: read
contents: read
security-events: write

Copilot AI Mar 8, 2026

security-events: write is granted here, but the job only prints audit output to logs and doesn’t upload any SARIF/security events. Consider either removing this permission (least privilege) or adding a step to publish results (e.g., SARIF upload) so the permission is justified.

Suggested change
security-events: write

Comment thread .github/workflows/ci.yml
Comment on lines +1060 to +1064
run: |
echo "=== Scanning Backend Dependencies ==="
cd backend
pip-audit -r requirements.txt || true
continue-on-error: true
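
Review bot: with `pip-audit -r requirements.txt || true` and `continue-on-error: true` on the same step, this scan can never fail the job, so a known-vulnerable backend dependency is only visible to someone who opens the job log. If the scan is meant to gate merges, drop both once the current findings are triaged; if it is advisory for now, keep one tolerance mechanism and write the findings somewhere reviewers will see them (for example the job summary via `$GITHUB_STEP_SUMMARY`), and say in the step name that it is non-blocking.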

Copilot AI Mar 8, 2026

This step uses both pip-audit ... || true and continue-on-error: true. Using both is redundant and makes it harder to tell which failures are being intentionally tolerated—prefer one mechanism (typically continue-on-error) and drop the other.

Comment thread backend/requirements-dev.txt
Comment on lines +13 to +15

# Logging
structlog

Copilot AI Mar 8, 2026

requirements-dev.txt is documented as containing only dev-only tools (with base deps in requirements.txt), but structlog is already included in backend/requirements.txt (structlog>=24.0.0). Keeping it here duplicates dependency definitions and can lead to version drift; consider removing it from the dev requirements (or pin it consistently).

Suggested change
# Logging
structlog

Comment thread ai-engine/pyproject.toml
Comment on lines 292 to +293
"isort",
"structlog",

Copilot AI Mar 8, 2026

structlog is already a core dependency of ai-engine (structlog>=24.0.0 in [project].dependencies). Adding it again in the dev optional-deps list is redundant and (without a version spec) can create confusion about which version is intended; consider removing it from dev (or pin it to match the main dependency constraint if you truly need it duplicated).

Suggested change
"isort",
"structlog",
"isort"

Comment thread .github/workflows/ci.yml
;;
"lint")
# Clear node_modules/.cache to fix zod-validation-error export issue
rm -rf frontend/node_modules/.cache

Copilot AI Mar 8, 2026

In this step you already cd frontend before the case statement, so rm -rf frontend/node_modules/.cache will resolve to frontend/frontend/node_modules/.cache and won’t clear the intended cache. Change this to remove node_modules/.cache relative to the current directory (or move the removal before the cd frontend).

Suggested change
rm -rf frontend/node_modules/.cache
rm -rf node_modules/.cache

Copilot uses AI. Check for mistakes.
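
The path resolution described in the comment above, reproduced as an added shell example (not code from the PR or the repository): `rm -rf` exits 0 when its target does not exist, so the mis-rooted command gives CI no signal that nothing was cleared. The function names and the temp-directory fixture are constructed for illustration; the argument stands in for the checkout root.

```shell
#!/usr/bin/env bash
# Added illustration, not code from the PR. Function names are hypothetical and
# the directory tree is a constructed fixture in a temp directory.

# Constructed layout: <root>/frontend/node_modules/.cache/stale
make_fixture() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/frontend/node_modules/.cache"
  echo stale > "$root/frontend/node_modules/.cache/stale"
  printf '%s\n' "$root"
}

# Command from the reviewed hunk, run as the step runs it: after `cd frontend`.
# The path resolves to frontend/frontend/..., which does not exist, and
# `rm -rf` still exits 0, so the step passes without clearing anything.
clear_cache_as_reviewed() (
  cd "$1/frontend" || exit 2
  rm -rf frontend/node_modules/.cache
)

# Guarded form: the target is anchored to the checkout root ($1), so it does
# not depend on the working directory, and the log records a miss.
clear_cache_checked() (
  cache="$1/frontend/node_modules/.cache"
  cd "$1/frontend" || exit 2
  if [ -d "$cache" ]; then
    rm -rf "$cache" && echo "removed $cache"
  else
    echo "no cache directory at $cache"
  fi
  [ ! -e "$cache" ]   # fail the step if the cache is still present
)
```

In a GitHub Actions step the checkout root is available as `$GITHUB_WORKSPACE`, which can be passed as the argument.
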
@anchapin anchapin merged commit cfedb16 into main Mar 8, 2026
30 of 33 checks passed
@anchapin anchapin deleted the feat/add-ruff-linter-678 branch March 8, 2026 01:27

Linked issue (successfully merging this pull request may close it): CI: Frontend Lint failing due to zod-validation-error package export issue