[v6 PROD RELEASE] - dev -> master #4
fix(PM-2539): added timeout for prisma client
| jobs: | ||
| trivy-scan: | ||
| name: Use Trivy | ||
| runs-on: ubuntu-24.04 |
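Review bot: no `permissions:` block is visible for the `trivy-scan` job, yet the job goes on to use `secrets.GITHUB_TOKEN` to publish scan results; declare least privilege at job level (`permissions:` with `contents: read` and `security-events: write`) rather than inheriting whatever the repository's default token scope is. On `runs-on: ubuntu-24.04`: an explicit image is the reproducible choice, since `ubuntu-latest` silently changes the scan environment whenever GitHub moves the alias, so keeping the pin is defensible.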
[maintainability]
Consider using a stable version of the runner, such as ubuntu-latest, instead of ubuntu-24.04 to ensure compatibility and reduce maintenance overhead when new Ubuntu versions are released.
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Run Trivy scanner in repo mode | ||
| uses: aquasecurity/trivy-action@0.33.1 |
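Review bot: both `uses:` references (`actions/checkout@v4`, `aquasecurity/trivy-action@0.33.1`) are mutable git tags that the upstream maintainer can move; for a workflow that runs with a repository token, pin each action to its full commit SHA and keep the version in a trailing comment (e.g. `uses: aquasecurity/trivy-action@<full-sha> # 0.33.1`) so updates are deliberate and reviewable. Floating to `v0` as suggested would widen, not narrow, that supply-chain exposure.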
[maintainability]
The Trivy action version 0.33.1 is quite specific. Consider using a more flexible versioning approach, such as v0, to automatically receive minor updates and patches, which can include important security and performance improvements.
| output: "trivy-results.sarif" | ||
| severity: "CRITICAL,HIGH,UNKNOWN" | ||
| scanners: vuln,secret,misconfig,license | ||
| github-pat: ${{ secrets.GITHUB_TOKEN }} |
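Review bot: `output: "trivy-results.sarif"` writes the SARIF file, but no upload step is visible in this hunk; without a follow-up `github/codeql-action/upload-sarif` step the findings never reach the Security tab, so confirm it exists further down. Because `scanners:` includes `secret`, that SARIF can contain the locations of detected credentials; do not also publish it as a plain build artifact. For the `github-pat: ${{ secrets.GITHUB_TOKEN }}` line, check the action's documentation for which scopes this input actually uses and grant only those in the job's `permissions:`.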
[❗❗ security]
Ensure that the GITHUB_TOKEN used here has the necessary permissions for the actions being performed, especially since it is being used to write security events.
| AUTOMATED_TESTING_NAME_PREFIX: process.env.AUTOMATED_TESTING_NAME_PREFIX || 'POSTMANE2E-', | ||
| TOPCROWD_CHALLENGE_TEMPLATE_ID: process.env.TOPCROWD_CHALLENGE_TEMPLATE_ID || '517e76b0-8824-4e72-9b48-a1ebde1793a8' | ||
| TOPCROWD_CHALLENGE_TEMPLATE_ID: process.env.TOPCROWD_CHALLENGE_TEMPLATE_ID || '517e76b0-8824-4e72-9b48-a1ebde1793a8', | ||
| RESOURCE_SERVICE_PRISMA_TIMEOUT: process.env.RESOURCE_SERVICE_PRISMA_TIMEOUT ? parseInt(process.env.RESOURCE_SERVICE_PRISMA_TIMEOUT, 10) : 10000 |
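Review bot: the `?:` fallback only covers an unset or empty variable; `parseInt("abc", 10)` yields `NaN` that is passed straight through, and `parseInt("5s", 10)` silently becomes `5` (milliseconds). Validate the parsed value rather than only parsing it, e.g.
`const t = Number(process.env.RESOURCE_SERVICE_PRISMA_TIMEOUT);`
`RESOURCE_SERVICE_PRISMA_TIMEOUT: Number.isInteger(t) && t > 0 ? t : 10000`
and add a comment that the unit is milliseconds, since nothing in the key name says so.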
[correctness]
Consider using Number() instead of parseInt() for parsing RESOURCE_SERVICE_PRISMA_TIMEOUT. parseInt() can produce unexpected results when the environment variable is not a valid integer, as it parses until a non-numeric character is encountered. Number() will return NaN for invalid inputs, which might be safer depending on how this value is used.
| USER_CREDENTIALS_PASSWORD: process.env.USER_CREDENTIALS_PASSWORD || '', | ||
| AUTOMATED_TESTING_REPORTERS_FORMAT: process.env.AUTOMATED_TESTING_REPORTERS_FORMAT || ['cli', 'html'] | ||
| AUTOMATED_TESTING_REPORTERS_FORMAT: process.env.AUTOMATED_TESTING_REPORTERS_FORMAT || ['cli', 'html'], | ||
| RESOURCE_SERVICE_PRISMA_TIMEOUT: process.env.RESOURCE_SERVICE_PRISMA_TIMEOUT ? parseInt(process.env.RESOURCE_SERVICE_PRISMA_TIMEOUT, 10) : 10000 |
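Review bot: this is the second copy of the identical `parseInt(...) : 10000` expression in this PR, so the two config files will drift the next time one is touched; a small shared helper such as `positiveIntFromEnv(name, fallback)` keeps the parsing and validation in one place. The same caveat applies here: `parseInt` stops at the first non-digit (`"1e4"` becomes `1`) and returns `NaN` for a non-numeric string, and the `?:` fallback catches neither case.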
[correctness]
Consider using Number() instead of parseInt() for parsing RESOURCE_SERVICE_PRISMA_TIMEOUT to ensure the entire string is converted to a number. parseInt() can produce unexpected results if the environment variable contains non-numeric characters.
|
|
||
| export CHALLENGE_DB_URL="postgresql://johndoe:mypassword@localhost:5732/challengedb" | ||
|
|
||
| export RESOURCE_SERVICE_PRISMA_TIMEOUT=10000 |
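Review bot: `export RESOURCE_SERVICE_PRISMA_TIMEOUT=10000` states no unit; Prisma's `transactionOptions.timeout` is in milliseconds, so a `# milliseconds` comment on this line stops someone setting `10` expecting seconds. Separately, the `CHALLENGE_DB_URL` line above embeds a username and password in a committed shell file; keep such values as obvious placeholders and load real credentials from the environment or a secret store rather than from this file.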
[💡 style]
Consider adding a newline at the end of the file. While this is not a correctness issue, it is a common convention that can prevent potential issues with certain tools or version control systems.
| @@ -1,6 +1,11 @@ | |||
| const { PrismaClient } = require('@prisma/client'); | |||
| const config = require('config') | |||
[maintainability]
The config module is imported without specifying which configuration file or environment it is loading from. Ensure that the configuration is correctly set up for different environments (e.g., development, production) to avoid runtime issues.
| const prisma = new PrismaClient(); | ||
| const prisma = new PrismaClient({ | ||
| transactionOptions: { | ||
| timeout: config.MEMBER_SERVICE_PRISMA_TIMEOUT, |
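Review bot: the client reads `config.MEMBER_SERVICE_PRISMA_TIMEOUT`, but every other hunk in this PR defines `RESOURCE_SERVICE_PRISMA_TIMEOUT` (both config defaults and the `export` in the env file). Unless a `MEMBER_SERVICE_PRISMA_TIMEOUT` key exists elsewhere, `timeout` is `undefined`, Prisma keeps its built-in default, and the change the commit message describes has no effect; rename one side to match and add a startup assertion that the value is a positive integer. Note also that `transactionOptions.timeout` bounds `$transaction` calls only; it is not a per-query or connection timeout, so confirm that is what PM-2539 asks for. Minor: `const config = require('config')` is missing the semicolon used on the line above it.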
[❗❗ correctness]
Ensure that config.MEMBER_SERVICE_PRISMA_TIMEOUT is defined and has a sensible default value. If this value is not set or is incorrect, it could lead to unexpected behavior in the application.
| CREATE INDEX "resource-roleId-index" ON "resources"."Resource"("roleId"); | ||
|
|
||
| -- CreateIndex | ||
| CREATE INDEX "resource-memberIdChallengeId-index" ON "resources"."Resource"("memberId", "challengeId"); |
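Review bot: with `memberId` as the leading column, `resource-memberIdChallengeId-index` also serves `memberId`-only lookups, so check that no separate single-column `memberId` index exists that this one makes redundant; reversing the order is only worthwhile if `challengeId`-only filters are common and not already covered. Plain `CREATE INDEX` also holds a lock that blocks writes to `resources.Resource` for the duration of the build, which is noticeable on a production-sized table in a PROD release; schedule the migration accordingly, or build with `CONCURRENTLY` if the migration runner can execute it outside a transaction.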
[performance]
Consider the order of columns in the index resource-memberIdChallengeId-index. If queries often filter or sort by challengeId alone, it might be beneficial to reverse the order of columns to optimize those queries.
| CREATE INDEX "resourcerole-isActive-index" ON "resources"."ResourceRole"("isActive"); | ||
|
|
||
| -- CreateIndex | ||
| CREATE INDEX "resourcerole-isActiveSelfObtainable-index" ON "resources"."ResourceRole"("isActive", "selfObtainable"); |
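Review bot: `resourcerole-isActive-index` on `("isActive")` becomes redundant once `resourcerole-isActiveSelfObtainable-index` exists, because a composite index whose leading column is `isActive` already serves `isActive`-only filters; drop the single-column one to save write cost. Both columns are presumably boolean, so the composite has at most four distinct key values and the planner will often skip it on a small table; if the common query is "active roles that are self-obtainable", a partial index such as `CREATE INDEX ... ON "resources"."ResourceRole"("selfObtainable") WHERE "isActive"` is smaller and more selective.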
[performance]
Ensure that the combination of isActive and selfObtainable in the index resourcerole-isActiveSelfObtainable-index aligns with the query patterns. If queries frequently filter by selfObtainable alone, consider the impact on performance.