Hotfixes release v2025.08.14 #5300
in favor of default templates from .github repo
in favor of the default .github CONTRIBUTING.md
from 5.0.0 through 5.0.1, 5.0.2, 5.1.0 to 5.2.0. Release notes: https://github.com/learningequality/kolibri-design-system/releases/tag/v5.0.1 https://github.com/learningequality/kolibri-design-system/releases/tag/v5.0.2 https://github.com/learningequality/kolibri-design-system/releases/tag/v5.1.0 https://github.com/learningequality/kolibri-design-system/releases/tag/v5.2.0
Improve clarity and remove dependencies of tests on wrapper internal implementation
issue-5063 changes
Remove custom issue templates, turn on issue header automation, reference new contributing guidelines
…8.4.0 Bump pytest from 8.3.5 to 8.4.0
….2.0 Bump redis from 6.1.0 to 6.2.0
…5.5.3 Bump celery from 5.5.2 to 5.5.3
…n/babel-f525feed9f Bump the babel group with 4 updates
…ema-4.24.0 Bump jsonschema from 4.23.0 to 4.24.0
…s-2.32.4 Bump requests from 2.32.3 to 2.32.4
Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 5.2.0 to 5.2.2. - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md) - [Commits](webpack/webpack-dev-server@v5.2.0...v5.2.2) --- updated-dependencies: - dependency-name: webpack-dev-server dependency-version: 5.2.2 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
Confirm None handling for attribution fields.
Add thumbnail placeholder to recommendation card
…sdk-2.34.1 chore(deps): bump sentry-sdk from 2.34.0 to 2.34.1
Bumps [redis](https://github.com/redis/redis-py) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/redis/redis-py/releases) - [Changelog](https://github.com/redis/redis-py/blob/master/CHANGES) - [Commits](redis/redis-py@v6.2.0...v6.3.0) --- updated-dependencies: - dependency-name: redis dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
….3.0 chore(deps): bump redis from 6.2.0 to 6.3.0
…ls-7.5.0 chore(deps-dev): bump pip-tools from 7.4.1 to 7.5.0
…n/eslint-config-prettier-10.1.8 chore(deps-dev): bump eslint-config-prettier from 10.1.5 to 10.1.8
…n/node-vibrant-4.0.3 chore(deps): bump node-vibrant from 3.1.6 to 4.0.3
Ensure that file_format and preset match during file_upload requests.
Improve query that checks storage space before channel deploy
Merge down Hotfixes
* Updated collection link and modal in channelSetList
CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
Adds missing KPub string
| uses: learningequality/.github/.github/workflows/contributor-issue-comment.yml@main | ||
| secrets: | ||
| LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }} | ||
| LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }} | ||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | ||
| SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL: ${{ secrets.SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions block to the workflow file .github/workflows/call-contributor-issue-comment.yml. This block should be placed at the root level (above jobs:) to apply to all jobs in the workflow, unless a job overrides it. The permissions should be set to the minimum required for the workflow to function. Since the workflow is triggered by issue_comment and likely interacts with issues, a minimal starting point would be:
permissions:
  issues: write
  contents: read
This grants read access to repository contents and write access to issues, which is typically sufficient for workflows responding to issue comments. If the workflow requires additional permissions (e.g., for pull requests), those can be added as needed. The change should be made at the top of the file, after the name: and before the on: block.
| @@ -1,5 +1,9 @@ | ||
| name: Handle contributor comment on GitHub issue | ||
|
|
||
| permissions: | ||
| issues: write | ||
| contents: read | ||
|
|
||
| on: | ||
| issue_comment: | ||
| types: [created] |
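Review bot: the issue_comment trigger at the bottom of this hunk also fires for comments left on pull requests, so if the reusable workflow ever needs to label or edit the pull-request side, issues: write alone will not cover it and pull-requests: write would have to be added; for an issues-only workflow the grant shown is the right minimum. A caller job also cannot hand a reusable workflow more than the caller itself holds, so confirm that contributor-issue-comment.yml does not declare anything beyond issues: write and contents: read, or it will fail at run time once this block is in place.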
| name: Call shared workflow | ||
| uses: learningequality/.github/.github/workflows/manage-issue-header.yml@main | ||
| secrets: | ||
| LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }} | ||
| LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions block to the workflow or job definition to explicitly set the minimum required permissions for the GITHUB_TOKEN. Since this workflow only calls a reusable workflow and does not perform any direct actions, the safest minimal permissions are contents: read. This can be set at the workflow level (applies to all jobs) or at the job level (applies only to the specific job). The best practice is to set it at the workflow level unless a job requires different permissions. Edit the .github/workflows/call-manage-issue-header.yml file to add the following block after the name: line and before the on: block:
permissions:
  contents: read
No additional imports, methods, or definitions are needed.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Manage issue header | ||
|
|
||
| on: |
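Review bot: the placement disagrees with the autofix's own text, which says to add the block after the name: line and before on:, whereas the hunk inserts permissions: above name:. GitHub accepts either key order, so this is a style point only, but keeping name: as the first key matches the convention in the other workflow files touched by this PR and makes the file read as expected.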
| uses: learningequality/.github/.github/workflows/community-contribution-label.yml@main | ||
| secrets: | ||
| LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }} | ||
| LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, you should add a permissions block to the workflow file .github/workflows/community-contribution-labeling.yml. The block can be added at the root level (applies to all jobs) or at the job level (applies only to the specific job). Since this workflow only contains a single job that calls a reusable workflow, the best practice is to add the permissions block at the root level, immediately after the name and before the on key. The minimal starting point is to set all permissions to read unless the workflow requires write access to specific resources. For workflows that label issues, you typically need issues: write and possibly contents: read. Therefore, add:
permissions:
  contents: read
  issues: write
immediately after the name line.
| @@ -1,3 +1,6 @@ | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
| name: Community Contribution Label | ||
|
|
||
| on: |
| name: Path match check | ||
| runs-on: ubuntu-latest | ||
| # Map a step output to a job output | ||
| outputs: | ||
| should_skip: ${{ steps.skip_check.outputs.should_skip }} | ||
| steps: | ||
| - id: skip_check | ||
| uses: fkirc/skip-duplicate-actions@master | ||
| with: | ||
| github_token: ${{ github.token }} | ||
| paths_ignore: '["**.po", "**.json"]' | ||
| linting: |
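Review bot: uses: fkirc/skip-duplicate-actions@master in the skip_check step pins a third-party action to a mutable branch, so whatever is pushed to that branch later runs in this job with the github_token the step is handed. Pin the action to a full commit SHA (a release tag is the weaker but still better option) so that updates are reviewed rather than picked up silently; the missing permissions block CodeQL reports below compounds this, since the token that action receives carries the repository default rights.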
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions block to the workflow file. The block should be placed at the top level (applies to all jobs) or at the job level (for each job that needs specific permissions). The minimal and safest starting point is permissions: {} (no permissions), but most workflows require at least contents: read to check out code. Since this workflow uses actions/checkout and does not appear to require write access, set permissions: contents: read at the top level, which will apply to all jobs unless overridden. This change should be made near the top of the file, after the name: and before on:.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Linting | ||
|
|
||
| on: |
| name: All file linting | ||
| needs: pre_job | ||
| if: ${{ needs.pre_job.outputs.should_skip != 'true' }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/setup-python@v5 | ||
| with: | ||
| python-version: '3.10' | ||
| - name: Use pnpm | ||
| uses: pnpm/action-setup@v4 | ||
| - name: Use Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '20.x' | ||
| cache: 'pnpm' | ||
| - name: Install dependencies | ||
| run: | | ||
| pnpm install --frozen-lockfile | ||
| pnpm rebuild node-sass | ||
| - uses: pre-commit/[email protected] | ||
| - name: Run pre-commit-ci-lite | ||
| uses: pre-commit-ci/[email protected] | ||
| if: always() |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions block to the workflow to explicitly set the minimum required permissions for the GITHUB_TOKEN. Since the workflow only performs linting and pre-commit checks, it likely only needs read access to repository contents. The best way to fix this is to add permissions: contents: read at the top level of the workflow file, just below the name field and before the on block. This will apply the least privilege principle to all jobs in the workflow, unless a job overrides it with its own permissions block.
| @@ -1,3 +1,5 @@ | ||
| permissions: | ||
| contents: read | ||
| name: Linting | ||
|
|
||
| on: |
| uses: learningequality/.github/.github/workflows/unassign-inactive-issues.yaml@main | ||
| secrets: | ||
| LE_BOT_APP_ID: ${{ secrets.LE_BOT_APP_ID }} | ||
| LE_BOT_PRIVATE_KEY: ${{ secrets.LE_BOT_PRIVATE_KEY }} | ||
| SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL: ${{ secrets.SLACK_COMMUNITY_NOTIFICATIONS_WEBHOOK_URL }} |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions block to the workflow file. The best practice is to set the minimal permissions required for the workflow to function. Since the job is using a reusable workflow, and we do not know the exact permissions required by unassign-inactive-issues.yaml, the safest minimal starting point is to set permissions: read-all at the workflow level. This can be further restricted if the reusable workflow's documentation specifies more limited needs (e.g., only issues: write). The permissions block should be added at the top level of the workflow file, after the name and run-name fields and before the on field.
| @@ -1,5 +1,8 @@ | ||
| name: "Unassign Inactive Contributors" | ||
| run-name: Unassign Inactive Contributors | ||
| permissions: | ||
| contents: read | ||
| issues: write | ||
|
|
||
| on: | ||
| schedule: |
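Review bot: the prose above recommends permissions: read-all as the safe starting point, but the hunk grants contents: read plus issues: write, which is a different choice; read-all is broader than the workflow needs, while issues: write is narrower and at least matches what a workflow that unassigns contributors is likely to do. The hunk's shape is the better of the two, but since the autofix itself says the called workflow's requirements are unknown, confirm them against unassign-inactive-issues.yaml before merging rather than accepting either guess.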
| uses: learningequality/.github/.github/workflows/update-pr-spreadsheet.yml@main | ||
| secrets: | ||
| CONTRIBUTIONS_SPREADSHEET_ID: ${{ secrets.CONTRIBUTIONS_SPREADSHEET_ID }} | ||
| CONTRIBUTIONS_SHEET_NAME: ${{ secrets.CONTRIBUTIONS_SHEET_NAME }} | ||
| GH_UPLOADER_GCP_SA_CREDENTIALS: ${{ secrets.GH_UPLOADER_GCP_SA_CREDENTIALS }} |
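Review bot: this job forwards a GCP service-account credential and two spreadsheet identifiers to a reusable workflow with no permissions: block, so the GITHUB_TOKEN the caller passes along runs with the repository's default rights. Declare permissions explicitly on this job; the autofix text suggests contents: read and pull-requests: write as "likely", but a workflow that only reads pull-request metadata to fill a spreadsheet needs pull-requests: read at most, so check update-pr-spreadsheet.yml and grant the narrower scope if that is all it does.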
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Copilot Autofix
AI 4 months ago
To fix the problem, add a permissions block to the workflow or the specific job to explicitly set the minimal required permissions for the GITHUB_TOKEN. Since the job is calling a reusable workflow that likely needs to update a spreadsheet and possibly interact with pull requests, a safe minimal starting point is to grant contents: read and pull-requests: write permissions. This should be added at the job level (under call-update-spreadsheet:) or at the root of the workflow (applies to all jobs). The best practice is to add it at the job level for clarity and least privilege. No other changes are needed.
| @@ -5,6 +5,9 @@ | ||
|
|
||
| jobs: | ||
| call-update-spreadsheet: | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| uses: learningequality/.github/.github/workflows/update-pr-spreadsheet.yml@main | ||
| secrets: | ||
| CONTRIBUTIONS_SPREADSHEET_ID: ${{ secrets.CONTRIBUTIONS_SPREADSHEET_ID }} |
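The seven "Workflow does not contain permissions" findings above are the kind of thing worth catching before CodeQL does. The script below is an added example, not code from the PR or from the CodeQL autofix; it is a line-based linter for GitHub Actions workflow files that flags the two classes of issue visible in this review (no permissions block at the top level or on a job, and a uses: reference pinned to a branch such as @master or @main rather than a version tag or a full commit SHA). The sample workflow text, the job names and the example-org paths in it are constructed for the example, and the parser assumes consistently indented YAML as in the PR's files rather than using a YAML library.

```python
"""Heuristic linter for GitHub Actions workflow files.

Added example, not code from the PR or the CodeQL autofix. It flags the two
kinds of finding visible in this review without a YAML library:
  1. no `permissions:` block at the top level and none on a job
     (CodeQL: "Workflow does not contain permissions");
  2. a `uses:` reference pinned to a branch such as @master or @main
     instead of a version tag or a full commit SHA.
It is line-based and assumes consistently indented YAML.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of the PR's workflows: one job using a
# third-party action on @master, one job calling a reusable workflow on @main.
SAMPLE_WORKFLOW = """\
name: Linting

on:
  push:

jobs:
  pre_job:
    runs-on: ubuntu-latest
    steps:
      - id: skip_check
        uses: fkirc/skip-duplicate-actions@master
  call-shared:
    uses: example-org/.github/.github/workflows/shared.yml@main
    secrets:
      SOME_TOKEN: ${{ secrets.SOME_TOKEN }}
"""

# The same file with the top-level block the autofixes add.
SAMPLE_WORKFLOW_FIXED = "permissions:\n  contents: read\n" + SAMPLE_WORKFLOW

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_unpinned_uses(text: str) -> List[str]:
    """Return `uses:` targets whose ref is neither a full SHA nor a version tag."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):  # local actions (./path) carry no ref
            continue
        target = m.group(1)
        ref = target.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(ref) and not VERSION_TAG_RE.match(ref):
            findings.append(target)
    return findings


def find_jobs_without_permissions(text: str) -> List[str]:
    """Return names of jobs that run without any explicit `permissions:`.

    A top-level `permissions:` key covers every job, so the result is empty
    when one is present; otherwise each job under `jobs:` needs its own.
    """
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    if any(l.startswith("permissions:") for l in lines):
        return []
    in_jobs = False
    job_indent = None
    current = None
    has_permissions: Dict[str, bool] = {}
    for line in lines:
        ind = _indent(line)
        if ind == 0:                      # a new top-level key
            in_jobs = line.startswith("jobs:")
            continue
        if not in_jobs:
            continue
        if job_indent is None:
            job_indent = ind              # indentation of the job names
        if ind == job_indent and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            has_permissions[current] = False
        elif current and line.strip().startswith("permissions:"):
            has_permissions[current] = True
    return [job for job, ok in has_permissions.items() if not ok]


def lint_workflow(text: str) -> Dict[str, List[str]]:
    """Run both checks; an empty dict means no findings."""
    report: Dict[str, List[str]] = {}
    unpinned = find_unpinned_uses(text)
    if unpinned:
        report["unpinned_uses"] = unpinned
    missing = find_jobs_without_permissions(text)
    if missing:
        report["jobs_without_permissions"] = missing
    return report


if __name__ == "__main__":
    print(lint_workflow(SAMPLE_WORKFLOW))
    print(lint_workflow(SAMPLE_WORKFLOW_FIXED))
```

Run it against .github/workflows/*.yml in a pre-commit hook or a CI job and fail on a non-empty report; the permissions check mirrors what CodeQL reports on this PR, while the pin check covers the @master reference in the pre_job hunk that CodeQL does not flag.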
contentcuration/contentcuration/management/commands/setup.py
Dismissed
Address user-supplied CodeQL issues
| ) | ||
| except KeyError as e: | ||
| return HttpResponseBadRequest( | ||
| "Required attribute missing from data | {}".format(str(e)) |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Stack trace information
Copilot Autofix
AI 4 months ago
To avoid revealing potentially sensitive internal information, the handler for KeyError in the api_create_channel_endpoint function should not return the string representation of the exception object as part of the HTTP error response. Instead, it should return a generic error message (e.g., "Required attribute missing from data"), optionally logging the actual exception server-side for debugging. This involves editing lines 224–227 to remove str(e) from the response message, and possibly adding a server-side logging call for the exception.
- Change the return value of the except KeyError as e: block to a generic message: "Required attribute missing from data".
- Optionally, log the error (using logging.exception or similar).
- Do not include the missing key name or stringified exception in the HTTP response body.
| @@ -222,9 +222,8 @@ | ||
| } | ||
| ) | ||
| except KeyError as e: | ||
| return HttpResponseBadRequest( | ||
| "Required attribute missing from data | {}".format(str(e)) | ||
| ) | ||
| logging.exception("Missing required attribute in channel create request.") | ||
| return HttpResponseBadRequest("Required attribute missing from data") | ||
| except Exception as e: | ||
| handle_server_error(e, request) | ||
| return HttpResponseServerError(content=str(e), reason=str(e)) |
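Review bot: the trailing context of this hunk still carries the pattern the fix removes two lines above it: except Exception as e: returns HttpResponseServerError(content=str(e), reason=str(e)), which sends the raw message of any unexpected exception to the client and additionally places it in the HTTP reason phrase. Since handle_server_error(e, request) already records the detail server-side, the response body can be a fixed generic message; that belongs in this PR alongside the KeyError change rather than as a separate alert later.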
| return HttpResponseBadRequest("Required attribute missing from data: {}".format(data)) | ||
| except KeyError as e: | ||
| return HttpResponseBadRequest( | ||
| "Required attribute missing from data | {}".format(str(e)) |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Stack trace information
Copilot Autofix
AI 4 months ago
To fix the problem, the function should return a generic error message to the client when a KeyError is caught, rather than interpolating the exception message which can leak information about internal variable names or input data structure. The actual error details (including the exception message) should be recorded in logs and/or sent to Sentry for developer diagnostics.
Detailed steps:
- Replace the except KeyError as e: block such that it logs or reports the error (using the existing handle_server_error or report_exception methods, as appropriate).
- The HTTP response should return a generic error message like "Required attribute missing from data" without any dynamic content (i.e., do not interpolate str(e) into the message).
Files/lines to change:
- Only make changes inside contentcuration/contentcuration/views/internal.py within the api_commit_channel function and do not alter code that is not shown.
- Add logging/reporting of the actual exception for admin/developer reference.
| @@ -295,8 +295,9 @@ | ||
| except (Channel.DoesNotExist, PermissionDenied): | ||
| return HttpResponseNotFound("No channel matching: {}".format(channel_id)) | ||
| except KeyError as e: | ||
| handle_server_error(e, request) | ||
| return HttpResponseBadRequest( | ||
| "Required attribute missing from data | {}".format(str(e)) | ||
| "Required attribute missing from data" | ||
| ) | ||
| except Exception as e: | ||
| handle_server_error(e, request) |
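Review bot: handle_server_error(e, request) is now invoked for a KeyError that the handler answers with a 400, i.e. a malformed client request; if that helper reports to Sentry as the autofix text indicates, every request missing a field will show up as a server error and bury real ones. A warning-level log line that names the missing key, in the spirit of the logging.exception call the first autofix in this PR adds, keeps the diagnostic without misclassifying client errors; the generic response body itself is the right change.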
| return HttpResponseBadRequest("Required attribute missing from data: {}".format(data)) | ||
| except KeyError as e: | ||
| return HttpResponseBadRequest( | ||
| "Required attribute missing from data | {}".format(str(e)) |
Check warning
Code scanning / CodeQL
Information exposure through an exception Medium
Stack trace information
Copilot Autofix
AI 4 months ago
The best fix is to replace the HttpResponseBadRequest in the except KeyError as e: block so that it does not return the exception detail (str(e)) to the user. Instead, it should return a generic "Required attribute missing from request data" message. The detail can be logged server-side using the Python logging module or sent to Sentry if available.
Specifically:
- In api_add_nodes_to_tree (lines ~354-357), replace the return statement so the user response does not include str(e).
- Optionally, add a call to logging.error() (or use the existing Sentry report facility as imported) to capture the original exception detail for diagnostics.
- No additional dependencies are needed, as logging is already imported and Sentry reporting appears available.
- No changes outside this block are required.
| @@ -352,9 +352,8 @@ | ||
| except ValidationError as e: | ||
| return HttpResponseBadRequest(content=str(e)) | ||
| except KeyError as e: | ||
| return HttpResponseBadRequest( | ||
| "Required attribute missing from data | {}".format(str(e)) | ||
| ) | ||
| logging.error("Required attribute missing in api_add_nodes_to_tree: %s", str(e)) | ||
| return HttpResponseBadRequest("Required attribute missing from request data") | ||
| except NodeValidationError as e: | ||
| return HttpResponseBadRequest(str(e)) | ||
| except Exception as e: |
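The three "Information exposure through an exception" alerts above all have the same shape: a dict lookup raises KeyError naming the missing field, and str(e) is formatted into the 400 response. The following is an added example, not code from the PR, the CodeQL autofix or the contentcuration project, showing the leaky handler next to the hardened one and also applying the same treatment to the catch-all except Exception branch visible in the first hunk's context. It is framework-free so it runs anywhere: handle_create_channel_leaky and handle_create_channel_hardened stand in for the Django view, the (status, body) tuple stands in for the HttpResponse objects, and the field names, the logger name and the failing id "boom" are constructed for the example.

```python
"""Added example, not code from the PR: the KeyError pattern behind the three
CodeQL "Information exposure through an exception" alerts, in a leaky and a
hardened form. Framework-free: the (status, body) tuple stands in for Django's
HttpResponse objects; field names and the failing id are constructed.
"""
import logging
from typing import Any, Dict, Tuple

logger = logging.getLogger("contentcuration.internal")  # constructed name

REQUIRED_FIELDS = ("name", "id", "description")  # constructed field set


def _build_channel(data: Dict[str, Any]) -> Dict[str, Any]:
    # Plain dict lookups, so a missing field raises KeyError('<field>') just as
    # the original view's data["..."] accesses do.
    return {field: data[field] for field in REQUIRED_FIELDS}


def _persist(channel: Dict[str, Any]) -> None:
    # Constructed backend failure whose message names an internal host; this is
    # the kind of text the catch-all branch would otherwise send to the client.
    if channel["id"] == "boom":
        raise RuntimeError("connection to db-primary.internal:5432 refused")


def handle_create_channel_leaky(data: Dict[str, Any]) -> Tuple[int, Any]:
    """The shape CodeQL flags: exception text is interpolated into the response."""
    try:
        channel = _build_channel(data)
        _persist(channel)
        return 200, {"channel_id": channel["id"]}
    except KeyError as e:
        return 400, "Required attribute missing from data | {}".format(str(e))
    except Exception as e:
        # Same problem one branch down: the catch-all echoes str(e) as well.
        return 500, str(e)


def handle_create_channel_hardened(data: Dict[str, Any]) -> Tuple[int, Any]:
    """Detail goes to the server log; the client gets a fixed message."""
    try:
        channel = _build_channel(data)
        _persist(channel)
        return 200, {"channel_id": channel["id"]}
    except KeyError:
        # exc_info=True attaches the traceback, which names the missing key, to
        # the log record. A missing field is a client mistake, so WARNING rather
        # than ERROR keeps server-error alerting clean.
        logger.warning("Missing required attribute in channel create request.", exc_info=True)
        return 400, "Required attribute missing from data"
    except Exception:
        # logging.exception logs at ERROR with the traceback; the response body
        # carries nothing from the exception.
        logger.exception("Unhandled error in channel create request.")
        return 500, "Internal server error"


def response_mentions(body: Any, *needles: str) -> bool:
    """Check helper: does the client-visible body contain any of the needles?"""
    text = str(body)
    return any(needle in text for needle in needles)


if __name__ == "__main__":
    bad_request = {"name": "Test channel", "id": "abc"}  # no "description"
    print(handle_create_channel_leaky(bad_request))
    print(handle_create_channel_hardened(bad_request))
```

The check to keep in a test suite is the last helper: for every error path, assert that the body returned to the client does not mention a field name, a host or anything else that only the server should know, while the log record still carries the traceback.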
…are KA only markdown elements. Ensure relative path is used during QTI item generation.
Fix image export in QTI exercise publishing
rtibbles
left a comment
Let's hotfix this!
Summary
import modal for importing search recommendations
Dependency PRs