Issue #53: Resolve security vulnerabilities #56
Merged
jonrandahl merged 39 commits into master on Oct 17, 2025
- Update external links to use https for better security
- Avoids mixed content and improves user trust
- No functional or visual changes expected

- Add type="button" to the lookup control
- Prevents unintended form submission when clicked
- Improves accessibility and keyboard behaviour

- Update project author to organisation and add contributors list
- Add frontend package manager to development deps
- Add postinstall hook to install frontend assets
- Bump lint and task runner configs to latest compatible minors
- Remove empty runtime deps block
- Reformat metadata arrays for readability
- Tidy JSON for consistency

- Define a default task that triggers the dependency setup
- Allow running the common workflow with a bare command
- Keep existing task names and behaviour unchanged

- Replace install-time hook with pre-run and run entries.
- Add a pre-run step to install dependencies on demand.
- Standardise local run to invoke the task runner directly.

- Rewrapped long warning and link lines for readability
- Added developer notes with CLI install instructions
- Clarified that CLI delegates to the local task runner
- Included footnote on elevated permissions guidance
- Added a horizontal rule and consistent section heading

- Delete outdated compatibility meta from the head
- Rely on modern engines' default rendering mode
- Reduce markup noise with no change to behaviour
- Avoids carrying legacy, non-functional markup

- Associate the examples control with its section heading via aria-labelledby
- Associate the results format control with its visible label via aria-labelledby
- Preserve existing visuals and interactions
- Improve screen reader context and navigation

- Add tasks for CSS and JS minification
- Update dependency copying rules to use minified assets where possible
- Include minification steps in workflow
- Adjust asset references for consistency and improved performance

- Update and add frontend library dependencies
- Ensure correct versions of new and old dependencies
- Organise library order for clarity

- Remove legacy padding and prefix styles
- Add custom panel, heading, and CodeMirror fold marker styles
- Improve visual separation for results block
- Add new gutter and folding marker styles for editor

- Switch styles and scripts to minified versions
- Add local style overrides for legacy layout
- Update configuration object to use https and const
- Improve accessibility and labels in demo markup

- Enable auto-refresh for the code editor
- Update loader paths to point to minified or unminified assets as needed
- Remove reference to missing asset

- Add required packages for new minification tasks
- Include CORS library for server compatibility
- Tidy up scripts formatting

- Add ruby version file for toolchain consistency
- Replace and update all project gem dependencies
- Add gems for rack server and modern test stack
- Remove legacy test dependencies and unused gems

- Add configuration for static rack server
- Introduce rake tasks for starting server and running integration tests
- Automate starting and stopping app for integration tests

- Add a readme with setup and execution instructions for tests
- Describe integration and Selenium IDE sections
- Document expectations and override details

- Switch to modern capybara with headless chrome for browser automation
- Remove usage of deprecated capybara-webkit driver
- Update environment variable usage for the test page
- Refactor assertions to use minitest/capybara idioms
- Improve waiting and result assertions for robustness

- Set up automation for running integration tests on key branches
- Install all required dependencies including browser
- Automate running of integration tests on code pushes and PRs
- Include optional node step as comment for future updates

- Upgrades Ruby and Node dependencies to resolve known security issues.
- Replaces deprecated testing tools with supported alternatives.
- Adds build tasks to minify CSS and JS, reducing asset size.
- Enables cross-origin support for local development.
- Removes outdated packages no longer required.
- Improves build reproducibility with updated lockfiles.
Fixes #53

- Add a badge displaying build status in the docs
- Introduce sections explaining available user interface tests and usage
- Clarify browser and environment prerequisites for running tests
- Modernise instructions with tips about headless browser compatibility
- Summarise steps to run integration tests and optional selenium suite

- Replace hardcoded versions for setup with dynamic config
- Upgrade checkout and node setup actions to newer versions
- Enable node step by default instead of commenting out

- Add a dedicated file to specify node version for all setups

- Add option to override port for local server via environment variable
- Ensure test commands use selected port dynamically
- Adjust readiness checks to be port-sensitive
- Make test page URL configurable from environment variable

- Update node version specification to use major version only
- Simplify environment setup by aligning with the latest major release
- Remove patch and minor versions from version setting

- Quote the node version setting to handle parsing correctly
- Aligns with recommended style for workflow files

- Use the correct parameter for specifying Node version from file
- Improve compatibility with node version management

- …nt proxy
- Remove dev, dev-open, dev-watch, dev-live targets from Makefile and help text
- Drop scripts.dev-live from package.json (start still runs grunt)
- Add README section documenting config.ru’s /sparql proxy and env vars
No change to proxy behavior in this commit; this is a developer workflow cleanup + docs improvement.

- Introduced a proxy for sparql requests with endpoint selection via environment
- Added advanced configuration for certificates, TLS verification, and debug logging
- Allowed POST fallback in dev, with better handling of query size
- Passed appropriate Accept headers based on output param
- Supported redirects and safe proxy-specific headers to client
- Provided environment-based options for local, dev, and production use

- CI: Add `make assets` step to build static assets before running integration tests
- Tests: Select `/sparql` local proxy endpoint when available to avoid CORS/external flakiness
This aligns CI with local runs and makes the query step reliable.

- Remove redundant dependency between install and asset build in CI
- Ensure server always prepares dependencies before starting

- Clarify grunt-cli as optional; Make targets use local grunt via npm
- Prereqs: simplify Node/npm wording
- Use `make server` and `make test` in examples; keep rake as alternative
- Note CI mirrors `make assets` prior to tests in Testing section
- Minor formatting/lint-friendly line wraps

- Makefile: Rename `test` target to `tests`; added dependency targets (bundles/install/assets) so it works from clean checkout
- Help and .PHONY lists organised alphabetically
- README: Update to use `make tests` and reflect pluralised target in the table and examples

- Replace separate install and build steps with a single make command
- Update end-to-end workflow to set up only necessary environments
- Remove unnecessary comments and commands for clarity

- Update example test command to use the new make target
- Ensure documentation matches the latest workflow changes

- Removes duplicate local serving section and updates step numbering
- Reorders task list for a clearer install flow
- Shortens wording around alternative serve command
- Adds note that any static server can be used

- Uses relative paths for assets to improve portability and avoid cross-origin assumptions
- Prefers same-origin proxy on localhost to avoid CORS and reduce exposure
- Lowers init logging to debug
- Refreshes example query content
- Tidies build script comments

- Add step to save screenshots from failed system tests
- Upload screenshots as artifact only if tests fail
- Ensure screenshots directory is ignored if empty
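The two proxy commits in the list above (endpoint selection via environment, Accept header chosen from the output param, POST fallback in dev with a query-size limit, TLS verification options, redirect support, and relaying only safe headers to the client) describe a design without showing it. The Rack-style app below is an added example written for this page; it is not Qonsole's config.ru, and the environment variable names `SPARQL_ENDPOINT`, `SPARQL_ALLOW_POST` and `SPARQL_TLS_VERIFY` are assumptions. It uses only the Ruby standard library, and the upstream fetch is injectable so the allow-listing logic can be exercised without network access.

```ruby
# Illustrative same-origin /sparql proxy in the shape of a Rack app. Added example,
# not Qonsole's config.ru. Standard library only; the upstream fetcher is injectable
# so the behaviour can be exercised offline. Environment variable names are assumptions.
require "uri"
require "net/http"
require "openssl"

class SparqlProxy
  # Accept header chosen from the ?output= parameter (standard SPARQL result types).
  ACCEPT = {
    "json" => "application/sparql-results+json",
    "xml"  => "application/sparql-results+xml",
    "csv"  => "text/csv",
    "tsv"  => "text/tab-separated-values",
  }.freeze
  # Only these upstream response headers reach the browser; Set-Cookie, Server
  # and anything proxy-internal are dropped.
  SAFE_HEADERS = %w[content-type content-length cache-control].freeze
  MAX_GET_QUERY = 4096 # bytes; larger queries must use POST, which is dev-only
  MAX_REDIRECTS = 3

  def initialize(endpoint:, allow_post: false, verify_tls: true, fetcher: method(:http_fetch))
    @endpoint = URI.parse(endpoint)
    raise ArgumentError, "endpoint must be an absolute http(s) URL" unless @endpoint.is_a?(URI::HTTP)
    @allow_post = allow_post
    @verify_tls = verify_tls
    @fetcher = fetcher
  end

  # Environment-driven construction (assumed variable names); TLS verification
  # stays on unless it is explicitly switched off.
  def self.from_env(env = ENV)
    new(endpoint: env.fetch("SPARQL_ENDPOINT"),
        allow_post: env["SPARQL_ALLOW_POST"] == "true",
        verify_tls: env["SPARQL_TLS_VERIFY"] != "false")
  end

  # Rack entry point: returns [status, headers, body].
  def call(env)
    return respond(404, "not found") unless env["PATH_INFO"] == "/sparql"
    begin
      params = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h
    rescue ArgumentError
      return respond(400, "malformed query string")
    end
    verb = env["REQUEST_METHOD"]
    query = params["query"]
    case verb
    when "GET"
      return respond(413, "query too long; use POST") if query.to_s.bytesize > MAX_GET_QUERY
    when "POST"
      return respond(405, "POST proxying disabled") unless @allow_post
      query ||= read_post_query(env)
    else
      return respond(405, "method not allowed")
    end
    return respond(400, "missing query") if query.nil? || query.empty?

    accept = ACCEPT.fetch(params["output"], ACCEPT["json"])
    url = @endpoint.dup
    url.query = URI.encode_www_form(query: query) if verb == "GET"
    status, headers, body = fetch_following_redirects(url, verb, accept, query)
    [status, headers.select { |k, _| SAFE_HEADERS.include?(k.downcase) }, [body]]
  end

  private

  # Form-encoded bodies carry query=...; anything else is treated as a raw
  # application/sparql-query body.
  def read_post_query(env)
    body = env["rack.input"].read.to_s
    form = env["CONTENT_TYPE"].to_s.start_with?("application/x-www-form-urlencoded")
    form ? URI.decode_www_form(body).to_h["query"] : body
  end

  # Follows a bounded number of redirects, and only to the configured upstream host,
  # so a redirecting endpoint cannot turn the proxy into an open relay.
  def fetch_following_redirects(url, verb, accept, query)
    MAX_REDIRECTS.times do
      status, headers, body = @fetcher.call(url, verb, accept, query, @verify_tls)
      return [status, headers, body] unless (300..399).cover?(status) && headers["location"]
      target = URI.join(url, headers["location"])
      return [502, { "content-type" => "text/plain" }, "redirect off upstream host"] unless target.host == @endpoint.host
      url = target
    end
    [502, { "content-type" => "text/plain" }, "too many redirects"]
  end

  # Default fetcher: real Net::HTTP call honouring the TLS verification setting.
  def http_fetch(url, verb, accept, query, verify_tls)
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = url.scheme == "https"
    http.verify_mode = verify_tls ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
    req = if verb == "POST"
            Net::HTTP::Post.new(url.request_uri, "Accept" => accept, "Content-Type" => "application/sparql-query").tap { |r| r.body = query }
          else
            Net::HTTP::Get.new(url.request_uri, "Accept" => accept)
          end
    res = http.request(req)
    [res.code.to_i, res.each_header.to_h, res.body.to_s]
  end

  def respond(status, message)
    [status, { "content-type" => "text/plain" }, [message]]
  end
end
```

Two choices here go beyond what the commit messages state and are worth calling out: redirects are followed only while they stay on the configured upstream host, so a redirecting endpoint cannot turn the proxy into an open relay, and TLS verification is on unless the environment explicitly turns it off, so a dev shortcut never becomes the production default. Mounted with `run SparqlProxy.from_env` in a config.ru it serves `/sparql` on the same origin as the console, which is what lets the client skip CORS entirely.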
ajtucker reviewed Oct 17, 2025
| on: | ||
| push: | ||
| branches: [ main, master ] | ||
| paths: |
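Review bot: a `paths:` filter on the `push` trigger means a push that touches only files outside the listed paths runs no integration tests at all, and if this workflow is later made a required status check such pushes will sit at "expected" rather than pass; the path list itself is cut off in this excerpt, so whether config.ru, the Gemfile and the Rakefile are covered cannot be confirmed here. Either drop `paths:` as the reviewer suggests, or keep it narrow and documented (for example `paths-ignore` for documentation-only changes), and make sure any `pull_request` trigger in the same file uses the same filter so the two runs do not diverge.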
ajtucker (Contributor):
Where did this pattern of adding paths here come from? Isn't it a bit of an anti-pattern that could lead to more WTF/minute?
jonrandahl (Author):
Again, as discussed in Slack, I have added this to allow future updates. I want to leave this until we decide we need/want to change the primary branch name.
ajtucker approved these changes Oct 17, 2025
ajtucker (Contributor) left a comment:
Thanks for doing this @jonrandahl, especially getting the integration tests running again.
A quick check through suggests that this has got to be better than what we had before, so we should merge and update and then see what is left to do.
This pull request, specific to ticket #53, introduces a comprehensive overhaul of the development, build, and testing infrastructure for Qonsole, modernising dependencies, automating integration tests, and improving developer onboarding.
The changes include a new GitHub Actions workflow for integration testing, updates to Ruby and Node versions, significant improvements to asset management and build scripts, and expanded documentation. The overall effect is a more maintainable, reliable, and developer-friendly project setup.
Continuous Integration & Testing
- New GitHub Actions workflow (`.github/workflows/integration-tests.yml`) to automatically run integration tests on pushes and pull requests to `main`/`master`, improving reliability and visibility of test results.
- New `Rakefile` and enhanced `Makefile` to automate starting the local server, running integration tests, and building assets, streamlining local development and CI. [1] [2]

Dependency & Environment Modernization
- Updated Ruby version to 3.4.4 (`.ruby-version`), Node version to 24 (`.nvmrc`), and modernized Gemfile dependencies (switching to `selenium-webdriver`, `capybara`, `minitest`, and updating server gems) to ensure compatibility and security. [1] [2] [3]
- Updated `bower.json` to clarify and correct frontend dependencies, ensuring asset builds work with current versions.

Asset Build Improvements
- Updated `Gruntfile.js` to add CSS and JS minification (`cssmin`, `uglify`), improved asset copying logic, and ensured all build steps run consistently via Grunt and Makefile targets. [1] [2] [3] [4]

Local Server & Proxy
- Local Rack server (`config.ru`) with a same-origin SPARQL proxy, supporting CORS avoidance, TLS options, and debug logging for local development and testing.

Documentation & Developer Experience
- Expanded `README.md` with setup instructions, CI badge, testing details, and environment variable explanations to help new contributors get started quickly and understand the test and proxy setup.

Frontend/UI Tweaks