fix(ci): unblock Dependabot PRs and patch high-severity npm vulns #22

Open
omerakben wants to merge 1 commit into main from fix/ci-dependabot-secrets

Conversation

@omerakben
Owner

@omerakben omerakben commented May 9, 2026

Summary

  • Root cause of failing Deploy workflow: Dependabot PRs do not receive repo secrets, so ${{ secrets.DJANGO_SECRET_KEY }} was empty and capstone-server/deadline_api/settings.py raised ImproperlyConfigured during manage.py check. Add a CI-only fallback secret so backend checks run on Dependabot PRs while production still requires the real key (Railway already injects it).
  • Workflow correctness: Replace manage.py migrate --check (returns non-zero whenever migrations are unapplied — always true on a fresh CI DB) with manage.py makemigrations --check --dry-run, which is the actual drift check this step was meant to perform. Propagate ALLOWED_HOSTS=testserver / DEMO_MODE=True to all three Django steps. Bump NODE_VERSION 18 → 20 (Node 18 LTS ended October 2025).
  • Vulnerability cleanup in capstone-client: npm audit fix plus an explicit bump to next@^15.5.18 / eslint-config-next@^15.5.18 clears 10 of 12 advisories — axios (SSRF + multiple prototype pollution chains), follow-redirects header leak, flatted DoS, brace-expansion ReDoS, js-yaml proto-poll, minimatch ReDoS, picomatch ReDoS, ajv ReDoS, and the Next.js RCE/DoS/HTTP-smuggling series. Two transitive postcss advisories remain; npm's only auto-fix path is downgrading Next to 9.x, which is not viable.
  • Add .github/dependabot.yml: Group radix-ui, eslint, next, and django updates so future security PRs arrive in batches instead of one-by-one, and add a github-actions ecosystem so the deprecated-Node-20 actions warnings get resolved automatically.

Files changed

  • .github/workflows/deploy.yml — fallback secret, env hygiene, migration check fix, Node 20.
  • .github/dependabot.yml — new, grouped weekly schedule.
  • capstone-client/package.json + package-lock.json — Next 15.5.18, transitive security fixes.

Test plan

  • npm run lint — passes (max-warnings=0).
  • npm run typecheck — passes.
  • npm run build — passes, all 12 pages generated, Next 15.5.18.
  • python manage.py check — passes with fallback secret.
  • python manage.py makemigrations --check --dry-run — passes (no drift).
  • python manage.py test — 64 tests OK in 5.2s.
  • npm audit — 12 → 2 vulnerabilities (remaining 2 are transitive postcss inside next/dist; build-time CSS stringify only).

Unresolved / out of scope

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Established automated dependency update management across npm, pip, and GitHub Actions with grouped update patterns
    • Updated Next.js and related development dependencies to latest compatible versions for improved platform compatibility
    • Enhanced deployment workflow configuration with updated Node.js runtime and improved environment variable handling for testing

…lities

Dependabot PRs cannot access repository secrets, so the Django backend job
failed at "Check Django configuration" with ImproperlyConfigured because
SECRET_KEY was empty. Fall back to a CI-only test secret when the secret
is unavailable. The settings.py guard that requires a real key still
applies to production deploys (Railway), where DJANGO_SECRET_KEY is set.

Also:
- Replace `manage.py migrate --check` (always non-zero on a fresh DB) with
  `makemigrations --check --dry-run`, which is the actual migration drift
  check the step name implies.
- Set ALLOWED_HOSTS=testserver and DEMO_MODE=True for the migrate and
  test steps so they match the configuration step.
- Bump NODE_VERSION 18 -> 20 (Node 18 LTS ended Oct 2025).
- Run `npm audit fix` and bump `next`/`eslint-config-next` to ^15.5.18
  to clear 10 advisories (axios SSRF/prototype-pollution, follow-redirects
  header leak, flatted DoS/proto-poll, brace-expansion ReDoS, js-yaml
  proto-poll, minimatch ReDoS, picomatch ReDoS, ajv ReDoS, and the
  Next.js RCE/DoS series). Two transitive postcss advisories remain;
  npm's only fix path is downgrading Next to 9.x, which is not viable.
- Add .github/dependabot.yml with grouping for radix-ui, eslint, next,
  django, and a github-actions ecosystem entry, so future updates batch.

Test plan
- npm run lint, typecheck, and build all pass (Next 15.5.18, all 12
  pages generated).
- python manage.py check / makemigrations --check / test all pass
  (64 tests, OK) with the fallback secret.
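The commit message above explains the root cause: an empty SECRET_KEY makes settings.py raise ImproperlyConfigured, and the fix is a CI-only fallback that production must never accept. The following is an added example, not code from the PR, the capstone-server project, or its settings.py: a SECRET_KEY resolver that accepts the placeholder string from the PR's deploy.yml only when the process is running under GitHub Actions, and otherwise applies the same strength thresholds as Django's security.W009 check. It assumes Django is not importable (a stand-in ImproperlyConfigured is defined) and that CI is detected through the GITHUB_ACTIONS / CI variables GitHub Actions sets.

```python
"""Added example (not from the PR or the project): a SECRET_KEY guard that
accepts the CI placeholder only inside CI and refuses it anywhere else.

Assumptions: Django is not imported (a stand-in ImproperlyConfigured is
defined); the placeholder string is the one used in the PR's deploy.yml; CI is
detected via the GITHUB_ACTIONS / CI variables that GitHub Actions sets.
"""
from __future__ import annotations

from typing import Mapping

# Value the PR's workflow uses as the `||` fallback for secrets.DJANGO_SECRET_KEY.
CI_PLACEHOLDER_KEY = "ci-test-secret-key-not-for-production-use-only"

# Thresholds mirrored from Django's security.W009 deploy check.
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
SECRET_KEY_INSECURE_PREFIX = "django-insecure-"


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured."""


def running_in_ci(env: Mapping[str, str]) -> bool:
    """GitHub Actions sets both of these variables to the string 'true'."""
    return env.get("GITHUB_ACTIONS") == "true" or env.get("CI") == "true"


def is_weak_key(key: str) -> bool:
    """The three conditions Django's W009 check applies to SECRET_KEY."""
    return (
        len(key) < SECRET_KEY_MIN_LENGTH
        or len(set(key)) < SECRET_KEY_MIN_UNIQUE_CHARACTERS
        or key.startswith(SECRET_KEY_INSECURE_PREFIX)
    )


def resolve_secret_key(env: Mapping[str, str]) -> str:
    """Return a usable SECRET_KEY from the environment or refuse to start."""
    key = env.get("SECRET_KEY", "").strip()
    if not key:
        raise ImproperlyConfigured(
            "SECRET_KEY is empty; set DJANGO_SECRET_KEY in the deploy environment"
        )
    if key == CI_PLACEHOLDER_KEY:
        if running_in_ci(env):
            return key  # acceptable for manage.py check / test on a throwaway CI database
        raise ImproperlyConfigured(
            "the CI placeholder SECRET_KEY must never be used outside CI"
        )
    if is_weak_key(key):
        raise ImproperlyConfigured(
            "SECRET_KEY is too short, too uniform, or carries the insecure prefix"
        )
    return key


if __name__ == "__main__":
    import os

    accepted = resolve_secret_key(os.environ)
    print(f"SECRET_KEY accepted ({len(accepted)} characters)")
```

The important branch is the second one: the placeholder is recognised by value, so a deploy that inherits the CI environment by mistake fails at startup instead of signing sessions with a string that is committed to the repository.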
Copilot AI review requested due to automatic review settings May 9, 2026 01:21
@vercel

vercel Bot commented May 9, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project    Deployment   Actions   Updated (UTC)
dead-line  Error        Error     May 9, 2026 1:21am

@coderabbitai

coderabbitai Bot commented May 9, 2026


Walkthrough

This PR establishes automated dependency management via Dependabot and updates CI/CD infrastructure. It adds weekly npm and pip dependency checks for the client and server packages, introduces monthly github-actions updates, upgrades the CI workflow to Node.js 20, standardizes Django test environment configuration with fallback secrets and expanded host allowlists, and bumps Next.js and its ESLint config to ^15.5.18.

Changes

Dependency Management and CI/CD Upgrades

  • Dependency Automation Setup (.github/dependabot.yml): Adds Dependabot v2 configuration with weekly npm updates for /capstone-client, weekly pip updates for /capstone-server, monthly github-actions updates, and grouped dependency patterns for Radix UI, TypeScript types, ESLint, Next.js, Django, and Django REST Framework packages.
  • Workflow Runtime Configuration (.github/workflows/deploy.yml): Updates the NODE_VERSION environment variable from 18 to 20.
  • Django Test Environment Configuration (.github/workflows/deploy.yml): Refactors the backend configuration check, migration dry-run, and test execution steps to use a fallback DJANGO_SECRET_KEY from secrets and to expand ALLOWED_HOSTS to include testserver.
  • Client Dependency Updates (capstone-client/package.json): Updates next and eslint-config-next from 15.5.2 to ^15.5.18.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A rabbit hops with glee,
Dependabot's now set to see,
Node grows stronger, twenty's here,
Django's secrets crystal clear,
Next.js bounds in caret-land so free! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: unblocking Dependabot PRs via CI configuration fixes and patching high-severity npm vulnerabilities through dependency updates.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces a Dependabot configuration for npm, pip, and GitHub Actions, alongside an update to several dependencies in the capstone-client project. However, the review highlights critical issues with the proposed changes: multiple dependency versions (such as next, axios, and postcss) appear to be non-existent in the npm registry, suggesting they were hallucinated. Additionally, the package-lock.json is corrupted with mismatched integrity hashes. It is recommended to use valid, verifiable versions and to regenerate the lockfile using standard npm commands to ensure a functional build environment.

"firebase": "12.1.0",
"lucide-react": "^0.542.0",
"next": "15.5.2",
"next": "^15.5.18",
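Review bot: whether `"next": "^15.5.18"` resolves to a published release cannot be judged from the diff, and the PR's test plan and the review comments on this file contradict each other on that point; settle it with evidence rather than assertion by attaching the output of `npm view next@15.5.18 version` and of a clean `npm ci` from the committed lockfile to the PR.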

critical

The version ^15.5.18 for next does not exist in the public npm registry. The latest stable version of Next.js 15 is currently 15.1.6. It appears the AI tool used to generate this PR has hallucinated non-existent version numbers. Attempting to install these will result in an ETARGET error from npm, breaking the build.

Suggested change
"next": "^15.5.18",
"next": "^15.1.6",

"@types/react-dom": "^19",
"eslint": "^9",
"eslint-config-next": "15.5.2",
"eslint-config-next": "^15.5.18",

critical

Similarly, eslint-config-next@15.5.18 is a non-existent version. Please use a valid version such as ^15.1.6 to ensure compatibility with the Next.js installation and to resolve the build errors that will occur with the current version string.

Suggested change
"eslint-config-next": "^15.5.18",
"eslint-config-next": "^15.1.6",

"version": "1.12.2",
"resolved": "https://registry.npmjs.org/axios/-/axios-1.12.2.tgz",
"integrity": "sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw==",
"version": "1.16.0",
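Review bot: the hunk changes `"version": "1.12.2"` to `"version": "1.16.0"` but the `resolved` and `integrity` lines belonging to the new version are not part of the shown change; an entry whose integrity hash was computed from a different tarball makes `npm ci` fail with EINTEGRITY on every consumer, so regenerate the lockfile with `npm install` against the registry instead of editing version fields by hand, and commit the `resolved`/`integrity` pair the registry returns.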

critical

The version 1.16.0 for axios is hallucinated and does not exist on npm (the latest version is 1.7.9). Notably, the integrity hash provided in this diff (sha512-6hp5CwvTPlN2A31g5dxnwAX0orzM7pmCRDLnZSX772mv8WDqICwFjowHuPs04Mc8deIld1+ejhtaMn5vp6b+1w==) actually belongs to axios@1.7.7. This indicates the lockfile is corrupted and was generated with incorrect metadata. The lockfile should be regenerated using npm install with legitimate dependency versions.

"version": "8.5.6",
"resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.6.tgz",
"integrity": "sha512-3Ybi1tAuwAP9s0r1UQ2J4n5Y0G05bJkpUIO0/bI9MhwmD70S5aTWbXGBwxHrelT+XM1k6dM0pk+SwNkpTRN7Pg==",
"version": "8.5.14",

critical

The version 8.5.14 for postcss is also non-existent. This confirms a pattern of hallucinated dependency versions throughout the lockfile changes. This PR should be revised to use real, verifiable versions from the npm registry to actually address the security vulnerabilities mentioned in the description and to maintain a functional build environment.
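The review above turns on one verifiable property of a lockfile: each `integrity` value must be the hash of the tarball that `resolved` points to. The following is an added example, not code from the PR, from the Gemini review, or from the capstone-client project: a checker that walks a lockfileVersion 2/3 `packages` map, recomputes the strongest listed hash from the tarball bytes, and reports every entry whose hash belongs to some other tarball. The sample lockfile, the tarball bytes, the `registry.invalid` host and the 0.0.x version numbers are all constructed for the demonstration; `offline_fetch` stands in for an HTTPS download.

```python
"""Added example (not from the PR, the review, or the project): verify that every
package-lock.json entry's integrity field matches the tarball it points to.

Assumptions: lockfileVersion 2/3 layout (a "packages" map); the sample lockfile,
tarball bytes, registry host and version numbers below are constructed and do
not describe real releases; fetching is injected so the example runs offline.
"""
from __future__ import annotations

import base64
import hashlib
from typing import Callable

# npm enforces the strongest algorithm it knows when an integrity string lists several.
HASH_PREFERENCE = ("sha512", "sha384", "sha256", "sha1")


def ssri(data: bytes, algorithm: str = "sha512") -> str:
    """Subresource-integrity string ('<algo>-<base64 digest>') as npm stores it."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def strongest_hash(integrity: str) -> tuple[str, str]:
    """Pick the (algorithm, base64 digest) pair npm would actually check."""
    listed: dict[str, str] = {}
    for token in integrity.split():
        algorithm, _, digest = token.partition("-")
        listed.setdefault(algorithm, digest)
    for algorithm in HASH_PREFERENCE:
        if algorithm in listed:
            return algorithm, listed[algorithm]
    raise ValueError(f"no supported hash in integrity string {integrity!r}")


def verify_lockfile(lockfile: dict, fetch: Callable[[str], bytes]) -> list[dict]:
    """Return one record per entry whose tarball does not hash to its integrity."""
    mismatches = []
    for path, entry in lockfile.get("packages", {}).items():
        resolved, integrity = entry.get("resolved"), entry.get("integrity")
        if not resolved or not integrity:  # root project, workspace links, bundled deps
            continue
        algorithm, expected = strongest_hash(integrity)
        actual = ssri(fetch(resolved), algorithm).partition("-")[2]
        if actual != expected:
            mismatches.append({"package": path, "version": entry.get("version"),
                               "resolved": resolved, "expected": expected, "actual": actual})
    return mismatches


# Constructed sample: three fake tarballs and one lock entry that points at the wrong one.
FAKE_TARBALLS = {
    "https://registry.invalid/axios/-/axios-0.0.1.tgz": b"constructed tarball bytes: axios 0.0.1",
    "https://registry.invalid/axios/-/axios-0.0.2.tgz": b"constructed tarball bytes: axios 0.0.2",
    "https://registry.invalid/follow-redirects/-/follow-redirects-0.0.1.tgz": b"constructed: follow-redirects 0.0.1",
}

SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        # version and resolved say 0.0.2, but the integrity was copied from the 0.0.1 tarball
        "node_modules/axios": {
            "version": "0.0.2",
            "resolved": "https://registry.invalid/axios/-/axios-0.0.2.tgz",
            "integrity": ssri(FAKE_TARBALLS["https://registry.invalid/axios/-/axios-0.0.1.tgz"]),
        },
        "node_modules/follow-redirects": {
            "version": "0.0.1",
            "resolved": "https://registry.invalid/follow-redirects/-/follow-redirects-0.0.1.tgz",
            "integrity": ssri(FAKE_TARBALLS["https://registry.invalid/follow-redirects/-/follow-redirects-0.0.1.tgz"]),
        },
    },
}


def offline_fetch(url: str) -> bytes:
    """Stand-in for downloading the tarball; real use would fetch over HTTPS."""
    return FAKE_TARBALLS[url]


def sample_mismatches() -> list[str]:
    """Package paths in the constructed lockfile whose integrity does not verify."""
    return [m["package"] for m in verify_lockfile(SAMPLE_LOCKFILE, offline_fetch)]


if __name__ == "__main__":
    for m in verify_lockfile(SAMPLE_LOCKFILE, offline_fetch):
        print(f"{m['package']}@{m['version']}: integrity does not match {m['resolved']}")
```

Against a real `package-lock.json`, load it with `json.load` and pass a `fetch` that downloads `resolved` with `urllib.request.urlopen`; the same mismatch `npm ci` would refuse as EINTEGRITY is then reported before anyone runs an install.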


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/dependabot.yml (1)

36-39: 💤 Low value

github-actions ecosystem entry is missing open-pull-requests-limit.

The npm and pip entries both cap at 10. The github-actions entry falls back to the Dependabot default of 5. If consistency matters, add the limit.

🔧 Proposed fix
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "monthly"
+   open-pull-requests-limit: 10


📥 Commits

Reviewing files that changed from the base of the PR and between c941964 and d5ed185.

⛔ Files ignored due to path filters (1)
  • capstone-client/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (3)
  • .github/dependabot.yml
  • .github/workflows/deploy.yml
  • capstone-client/package.json

Comment thread .github/dependabot.yml
Comment on lines +15 to +22
eslint:
patterns:
- "eslint*"
- "@eslint/*"
next:
patterns:
- "next"
- "eslint-config-next"
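Review bot: the `eslint` group is declared before `next`, so `"eslint*"` claims `eslint-config-next` first and the `next` group's `- "eslint-config-next"` entry never gets a chance to match; besides adding `exclude-patterns` to the `eslint` group, the simpler fix is to declare the `next` group first, since Dependabot walks groups in the order written and stops at the first match.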

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

eslint* glob shadows eslint-config-next in the next group — the two packages will be bumped separately.

Dependabot assigns each package to the first group whose pattern matches it. Because the eslint group (using eslint*) is declared before the next group, eslint-config-next is captured by eslint, not by next. This defeats the goal of keeping next and eslint-config-next on the same version, and risks peer-dependency mismatches when they land in separate PRs.

Fix: either narrow the eslint group's glob to exclude eslint-config-next, or move eslint-config-next to an explicit exclude/include:

🔧 Proposed fix
      eslint:
        patterns:
          - "eslint*"
          - "@eslint/*"
+       exclude-patterns:
+         - "eslint-config-next"
      next:
        patterns:
          - "next"
          - "eslint-config-next"


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d5ed1850e9


Comment thread .github/dependabot.yml
Comment on lines +17 to +22
- "eslint*"
- "@eslint/*"
next:
patterns:
- "next"
- "eslint-config-next"

P2: Keep eslint-config-next out of the generic eslint group

Because Dependabot assigns a dependency to the first matching group, eslint-config-next will match eslint* under the eslint group before it can reach the next group. That means next and eslint-config-next updates will be split into separate PRs even though this config appears intended to update them together, which can create avoidable CI breakage from version skew between Next and its lint config.

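Both the CodeRabbit and the Codex comments above rest on the same rule: Dependabot assigns a dependency to the first group whose patterns match it. The following is an added example, not code from the PR or from any of the bot reviews: a small simulator of that rule, run over the two groups quoted from the PR's dependabot.yml and over the two candidate fixes (an `exclude-patterns` entry, or declaring the `next` group first). It assumes the groups can be expressed as Python data instead of YAML (so no PyYAML is needed), that `fnmatch` is an adequate model of Dependabot's glob matching for the patterns on this page, and that the package list is a constructed sample.

```python
"""Added example (not from the PR or the bot reviews): simulate Dependabot's
first-matching-group assignment over the eslint / next groups from the PR.

Assumptions: groups are Python data mirroring the YAML; Dependabot's glob
matcher is modelled with fnmatch; the package names are constructed samples.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

UNGROUPED = "(individual PR)"

# The eslint / next groups as they appear in the PR's dependabot.yml (lines 15-22 in the review).
GROUPS_AS_SUBMITTED = [
    ("eslint", {"patterns": ["eslint*", "@eslint/*"]}),
    ("next", {"patterns": ["next", "eslint-config-next"]}),
]

# Fix 1 (what both bots propose): keep the order, carve the package out of eslint.
GROUPS_WITH_EXCLUDE = [
    ("eslint", {"patterns": ["eslint*", "@eslint/*"], "exclude-patterns": ["eslint-config-next"]}),
    ("next", {"patterns": ["next", "eslint-config-next"]}),
]

# Fix 2: declare the more specific group first so first-match lands where intended.
GROUPS_REORDERED = [
    ("next", {"patterns": ["next", "eslint-config-next"]}),
    ("eslint", {"patterns": ["eslint*", "@eslint/*"]}),
]


def matches_any(name: str, patterns: list[str]) -> bool:
    """Case-sensitive glob match against any pattern in the list."""
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def assign_group(name: str, groups) -> str:
    """First group whose patterns match and whose exclude-patterns do not."""
    for group_name, spec in groups:
        if matches_any(name, spec.get("patterns", [])) and not matches_any(
            name, spec.get("exclude-patterns", [])
        ):
            return group_name
    return UNGROUPED


def plan_updates(packages, groups) -> dict[str, list[str]]:
    """Bucket the packages into the pull requests Dependabot would open."""
    plan: dict[str, list[str]] = {}
    for name in packages:
        plan.setdefault(assign_group(name, groups), []).append(name)
    return plan


# Constructed sample of packages a Dependabot run might pick up.
SAMPLE_PACKAGES = ["next", "eslint-config-next", "eslint", "eslint-plugin-react-hooks", "@eslint/js", "axios"]

if __name__ == "__main__":
    for label, groups in [("as submitted", GROUPS_AS_SUBMITTED),
                          ("with exclude-patterns", GROUPS_WITH_EXCLUDE),
                          ("reordered", GROUPS_REORDERED)]:
        print(f"{label}: {plan_updates(SAMPLE_PACKAGES, groups)}")
```

With the groups as submitted, `eslint-config-next` lands in the `eslint` bucket and `next` is updated alone; with either fix the two packages share the `next` bucket, which is the version-skew the reviews are warning about.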

Copilot AI left a comment


Pull request overview

Updates CI and dependency management to unblock Dependabot PR checks (by avoiding missing-secret failures), improve Django migration drift detection, move CI to Node 20, and patch high-severity npm vulnerabilities in capstone-client.

Changes:

  • Adjust GitHub Actions workflow to use Node 20, provide a CI fallback for Django SECRET_KEY, and switch migration validation to makemigrations --check --dry-run.
  • Add grouped Dependabot configuration for npm/pip/github-actions ecosystems.
  • Upgrade Next.js and refresh package-lock.json to incorporate security fixes across transitive dependencies.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.

File Description
.github/workflows/deploy.yml Updates CI runtime versions and Django checks; adds CI fallback secret and refines migration drift checks.
.github/dependabot.yml Introduces grouped Dependabot update policies for npm, pip, and GitHub Actions.
capstone-client/package.json Bumps Next.js / eslint-config-next to newer patched versions.
capstone-client/package-lock.json Lockfile refresh capturing security-related transitive upgrades.
Files not reviewed (1)
  • capstone-client/package-lock.json: Language not supported


Comment on lines 42 to +46
- name: Check Django configuration
env:
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }}
SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY || 'ci-test-secret-key-not-for-production-use-only' }}
DEBUG: "True"
ALLOWED_HOSTS: "localhost,127.0.0.1"
ALLOWED_HOSTS: "localhost,127.0.0.1,testserver"
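Review bot: `${{ secrets.DJANGO_SECRET_KEY || 'ci-test-secret-key-not-for-production-use-only' }}` also kicks in when the secret is missing for reasons other than a Dependabot PR (a renamed or deleted repository secret on a push to main), so the check would keep passing with the placeholder and the loss would only surface at deploy time; if the intent is just to unblock Dependabot, gate the fallback on the actor, e.g. `${{ github.actor == 'dependabot[bot]' && 'ci-test-secret-key-not-for-production-use-only' || secrets.DJANGO_SECRET_KEY }}`, so that every other run still fails loudly when the secret is absent.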
Comment on lines 12 to 14
env:
NODE_VERSION: "18"
NODE_VERSION: "20"
PYTHON_VERSION: "3.12"
Comment on lines 45 to 48
DEBUG: "True"
ALLOWED_HOSTS: "localhost,127.0.0.1"
ALLOWED_HOSTS: "localhost,127.0.0.1,testserver"
DEMO_MODE: "True"
run: |
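Review bot: the PR description says this same `DEBUG` / `ALLOWED_HOSTS` / `DEMO_MODE` block is now repeated in all three Django steps; move those keys to a single job-level `env:` so the steps cannot drift apart again (the drift is what this change is repairing), and keep only genuinely step-specific values inline.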