refactor: Upgrade underscore to 1.13.8 (GHSA-qpx9-hpmf-5gmw)#10364

Closed

mtrezza wants to merge 2 commits into parse-community:alpha from mtrezza:fix/underscore-GHSA-qpx9-hpmf-5gmw

Conversation

mtrezza (Member) commented Mar 31, 2026

Security Fix

Advisory: GHSA-qpx9-hpmf-5gmw
Severity: high (CWE-674, CWE-770)
Vulnerability: Unlimited recursion DoS in _.flatten and _.isEqual
Package: underscore 1.13.6 → 1.13.8
Dependency path: jsdoc > underscore

Exposure in This Project

Not exposed — underscore is only used by jsdoc (devDependency for documentation generation). Not reachable in production.

Changes

  • Updated underscore from 1.13.6 to 1.13.8 within jsdoc dependency tree (lock file only)
  • Version 1.13.8 adds recursion depth limits to _.flatten and _.isEqual

Code Changes Required

None — the upgrade is a drop-in replacement (lock file change only).

Verification

  • npm audit no longer reports this advisory
  • npm run build passes

Summary by CodeRabbit

  • Chores
    • Updated the underscore library from v1.13.6 to v1.13.8 (patch release).
    • Refreshed dependency metadata, including licensing and package integrity information, to ensure the package lock is current and secure.
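An added example, not part of this pull request or of the Parse Server code base, that scripts the "Exposure in This Project" and "Dependency path" analysis above: it walks a lockfileVersion 2/3 `package-lock.json` `packages` map, lists every installed copy of a package, compares each against the fixed version, reconstructs the chain that pulls it in with Node-style resolution, and uses npm's `dev` flag to tell devDependency-only copies from production-reachable ones. The lock file embedded below is constructed for illustration (the versions mirror the PR description; `jsdoc` 4.0.2 and the version ranges are assumptions), and `SAMPLE_LOCK`, `auditPackage` and the other names are this example's own.

```javascript
// Constructed sample lock (not the project's real package-lock.json):
// the root has jsdoc as a devDependency, and jsdoc depends on underscore.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", devDependencies: { jsdoc: "^4.0.0" } },
    "node_modules/jsdoc": { version: "4.0.2", dev: true, dependencies: { underscore: "~1.13.2" } },
    "node_modules/underscore": { version: "1.13.6", dev: true },
  },
};

// Numeric comparison of dotted versions; a pre-release suffix ("-beta.1") is dropped.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Node-style resolution inside the lock: from fromPath look for
// <fromPath>/node_modules/<name>, then climb one node_modules level at a time
// until the top-level node_modules/<name> is reached.
function resolveFrom(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from an install path: everything after the last "node_modules/"
// (keeps the scope for "@scope/name").
function nameOf(installPath) {
  return installPath.slice(installPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Packages that declare `name` and whose declaration resolves to exactly this install.
function dependentsOf(packages, installPath, name) {
  const out = [];
  for (const [path, entry] of Object.entries(packages)) {
    const declared = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    if (name in declared && resolveFrom(packages, path, name) === installPath) out.push(path);
  }
  return out;
}

// Walk from an install back to the root (path ""), following the first dependent
// at each step; a visited set guards against cyclic dependency declarations.
function dependencyChain(packages, installPath) {
  const chain = [];
  const seen = new Set();
  let current = installPath;
  while (current !== "" && !seen.has(current)) {
    seen.add(current);
    chain.unshift(nameOf(current));
    const parents = dependentsOf(packages, current, nameOf(current));
    if (parents.length === 0) break;
    current = parents[0];
  }
  return chain;
}

// One report entry per installed copy of `name`, hoisted or nested.
// npm sets `dev: true` on entries reachable only through devDependencies;
// an entry without the flag is reachable from production dependencies.
function auditPackage(lock, name, fixedVersion) {
  const packages = lock.packages || {};
  const report = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || nameOf(path) !== name) continue;
    report.push({
      path,
      version: entry.version,
      vulnerable: compareVersions(entry.version, fixedVersion) < 0,
      devOnly: entry.dev === true,
      chain: dependencyChain(packages, path),
    });
  }
  return report;
}

// Human-readable lines, one per installed copy.
function formatReport(report, fixedVersion) {
  return report.map((r) =>
    `${r.path}: ${r.version} ${r.vulnerable ? `< ${fixedVersion} VULNERABLE` : `>= ${fixedVersion} ok`}` +
    `${r.devOnly ? " (devDependency tree only)" : " (reachable in production)"} via ${r.chain.join(" > ")}`);
}

console.log(formatReport(auditPackage(SAMPLE_LOCK, "underscore", "1.13.8"), "1.13.8").join("\n"));
```

To run it against a real lock, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same functions then report every hoisted and nested copy, which matters because a top-level copy at the fixed version says nothing about a nested copy that an intermediate package still resolves to.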

@parse-github-assistant commented

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.


coderabbitai bot commented Mar 31, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 57ce5ee6-d2fc-43fc-a8d8-8d3da882c147

📥 Commits

Reviewing files that changed from the base of the PR and between 4322764 and c95a61d.

📒 Files selected for processing (1)
  • package-lock.json

📝 Walkthrough

Walkthrough

Updated underscore entries in package-lock.json from 1.13.6 to 1.13.8: adjusted resolved tarball URL and integrity hash; added an explicit license: "MIT" field to the node_modules/underscore block.

Changes

Cohort / File(s)                        Summary
Dependency Update: package-lock.json    Bumped underscore from 1.13.6 → 1.13.8; updated resolved tarball URL and integrity hash; added license: "MIT" to the node_modules/underscore entry.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 inconclusive)

Engage In Review Feedback: ❓ Inconclusive. GitHub PR review comments and discussions are not accessible through the git repository, preventing verification of whether feedback was addressed. Resolution: access the actual GitHub PR #10364 page to review comments, threads, and whether review feedback was addressed through commits or discussions.

✅ Passed checks (5 passed)

Title check: ✅ Passed. The pull request title begins with the 'refactor:' prefix as required and clearly describes the main change: upgrading underscore to version 1.13.8 to address a security vulnerability.
Description check: ✅ Passed. The pull request description is well-structured and comprehensive, covering the security advisory, exposure analysis, changes made, and verification steps. While it does not strictly follow the repository template structure (which includes Issue, Approach, and Tasks sections), it provides all essential context needed to understand the PR and exceeds the template in relevant detail for a security fix.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Human Review: ✅ Passed. Human review was performed on this PR. The PR opener personally authored the commit, and the PR description explicitly documents verification steps (npm audit and npm run build), indicating manual testing and validation were conducted.
Security Check: ✅ Passed. PR addresses GHSA-qpx9-hpmf-5gmw by upgrading underscore to 1.13.8, adding recursion limits to _.flatten and _.isEqual functions.


@coderabbitai coderabbitai bot left a comment


🧹 Nitpick comments (1)
package-lock.json (1)

26027-26031: Consider updating the PR title to better reflect the change type.

The current PR title uses refactor:, but dependency security upgrades are typically categorized as chore(deps): (for devDependencies with no production impact) or fix(security): (for production dependencies). Since underscore is only a devDependency used by jsdoc for documentation generation, consider:

Suggested title:

chore(deps): upgrade underscore to 1.13.8 for GHSA-qpx9-hpmf-5gmw

This follows Angular commit convention and creates a clearer changelog entry indicating this is dependency maintenance addressing a security advisory in the development toolchain.

Based on learnings: For Parse Server PRs, always suggest an Angular commit convention PR title that would make a meaningful changelog entry for developers.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package-lock.json` around lines 26027 - 26031, Update the PR title to follow
Angular commit conventions for dependency maintenance: replace the current
"refactor:" prefix with "chore(deps):" and use a descriptive title such as
"chore(deps): upgrade underscore to 1.13.8 for GHSA-qpx9-hpmf-5gmw" (underscore,
version 1.13.8, devDependency used by jsdoc) so the changelog correctly reflects
a devDependency/security-related upgrade.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c7a2f62-5e1a-42ce-a361-7fe7a9208fb1

📥 Commits

Reviewing files that changed from the base of the PR and between 4d7f594 and 4322764.

📒 Files selected for processing (1)
  • package-lock.json


codecov bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.52%. Comparing base (8a581e9) to head (c95a61d).

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10364      +/-   ##
==========================================
+ Coverage   92.11%   92.52%   +0.41%     
==========================================
  Files         192      192              
  Lines       16566    16566              
  Branches      231      231              
==========================================
+ Hits        15259    15327      +68     
+ Misses       1281     1217      -64     
+ Partials       26       22       -4     

@mtrezza mtrezza closed this Mar 31, 2026
@mtrezza mtrezza deleted the fix/underscore-GHSA-qpx9-hpmf-5gmw branch March 31, 2026 01:43