chore: dependabot security-update grouping + ruff CodeQL fixes (QZP)#191

Open
Prekzursil wants to merge 1 commit into
mainfrom
chore/leveraged-fix-dependabot-grouping-ruff
Conversation

@Prekzursil Prekzursil commented Jun 5, 2026

Owner

User description

Summary

Part of the quality-zero-platform (QZP) drive-to-zero campaign. This is a leveraged, safe, behavior-preserving fix focused on the highest-leverage plays available in this repo.

Leverage plays applied

1. Dependabot security-update grouping (the dominant lever)

The repo has 45 open Dependabot alerts (3 critical / 22 high / 18 moderate / 2 low), all npm, plus per-package pip updates — and ~35 of the 37 open PRs are individual Dependabot PRs. Root cause: the existing groups in .github/dependabot.yml had no applies-to, so they govern version-updates only. Dependabot security-update PRs (the ones that fix the CVEs) were therefore ungrouped — one PR per alert.

Fix (config-only, no version bumps in this PR):

  • Added a per-ecosystem / per-directory applies-to: security-updates group (patterns: ['*']) for all 7 entries (npm x2, pip x3, cargo, github-actions).
  • Made the existing groups explicitly applies-to: version-updates (no behavior change).

Result: future security-update PRs collapse into a few grouped PRs per ecosystem instead of one per CVE.

2. ruff / CodeQL alert fixes (Python)

  • scripts/quality/check_visual_zero.py: removed unused import os (py/unused-import, ruff F401).
  • apps/api/tests/test_project_collaboration.py: removed the unused collaborator = binding (py/unused-local-variable, ruff F841), keeping the side-effecting _register(...) call that creates the editor account used later in the test.

Deliberately NOT changed (reported as residual — false-positive / needs-care)

  • apps/api/app/publish_api.py:206,227 py/test-equals-none: == None inside SQLModel/SQLAlchemy query expressions compiles to SQL IS NULL; is None would break the query. Already # noqa: E711. CodeQL false positive — must not change.
  • apps/api/app/api.py:1675 py/empty-except: bare except Exception: pass needs a manual explanatory comment, not a mechanical autofix.
  • The version-update:semver-major ignore blocks were left intact: every open CVE patches to a same-major version, so removing them would flood unverifiable major-bump PRs (e.g. vitest v3->v4) without clearing any alert.

Verification

  • ruff check passes on both changed Python files; python -m py_compile clean.
  • .github/dependabot.yml validated as YAML: 7 update entries, each with 1 version-updates + 1 security-updates group (LF-normalized).
  • Format drift reported by ruff format --check on the two .py files is pre-existing (present at unmodified HEAD) and intentionally left untouched to keep the diff minimal.

Findings impact

  • CodeQL alerts cleared on merge+rescan: ~2 (py/unused-import, py/unused-local-variable).
  • Dependabot grouping: 0 alerts cleared immediately (alerts close only when the lockfile is bumped) — this is a structural improvement that collapses the per-CVE remediation PR flood into a few grouped PRs.

Operator reviews/merges. No auto-merge enabled; no secrets touched.


Summary by cubic

Groups security-update PRs by ecosystem in .github/dependabot.yml to replace the per‑CVE flood with a few focused PRs. Also clears two Python ruff/CodeQL alerts with no behavior changes.

  • Dependencies

    • Added applies-to: security-updates groups with patterns: ['*'] for npm (apps/web, apps/desktop), pip (apps/api, services/worker, packages/media-core), cargo (apps/desktop/src-tauri), and github-actions (root).
    • Marked existing groups as applies-to: version-updates. No version bumps.
  • Refactors

    • Removed unused import in scripts/quality/check_visual_zero.py (ruff F401).
    • Dropped unused variable in apps/api/tests/test_project_collaboration.py (ruff F841) while keeping the _register(...) side effect.

Written for commit 560e467. Summary will update on new commits.

Review in cubic


CodeAnt-AI Description

Group security update PRs and remove leftover unused test code

What Changed

  • Security updates from Dependabot are now grouped by project area instead of opening one PR per alert, which should reduce PR noise for future dependency fixes
  • Existing dependency groups are kept for regular version updates, so patch and minor updates still stay grouped as before
  • Removed unused test and utility code that no longer affected behavior

Impact

✅ Fewer Dependabot PRs
✅ Easier security update review
✅ Less dependency queue noise

Part of the quality-zero-platform drive-to-zero campaign.

Leverage plays applied:
- Dependabot grouping: the existing groups had no `applies-to`, so they
  governed version-updates only; security-update PRs were ungrouped (one PR
  per alert), flooding the queue (~35 of 37 open PRs are individual Dependabot
  PRs). Added a per-ecosystem/-directory `applies-to: security-updates` group
  (patterns ['*']) and made the existing groups explicitly version-updates.
  This collapses the per-CVE security-update PRs into a few grouped PRs across
  npm/pip/cargo/github-actions. Config-only, no version bumps in this PR.
- ruff/CodeQL: removed an unused `import os` (py/unused-import) and an unused
  `collaborator =` binding (py/unused-local-variable), keeping the
  side-effecting `_register(...)` call that registers the editor account used
  later in the test.

Deliberately NOT changed (false-positive / needs-care, reported separately):
- publish_api.py:206,227 py/test-equals-none: `== None` inside SQLModel/
  SQLAlchemy query expressions compiles to SQL `IS NULL`; `is None` would break
  the query. Already `# noqa: E711`. CodeQL false positive.
- api.py:1675 py/empty-except: bare `except Exception: pass` needs a manual
  explanatory comment, not a mechanical fix.
- The semver-major `ignore` blocks were left intact: all open CVEs patch to
  same-major versions, so removing them would flood unverifiable major-bump
  PRs (e.g. vitest v3->v4) without clearing any alert.

Verification: ruff check passes on both changed files; py_compile clean;
dependabot.yml validated as YAML (7 entries, 7 version + 7 security groups).
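An added configuration example (not the repository's own `.github/dependabot.yml`) showing, for one npm entry, the defect the PR describes and the shape of the fix; the directory, schedule and group names are assumptions:

```yaml
version: 2
updates:
  # BEFORE (the defect): a group with no `applies-to` defaults to
  # version updates only, so every Dependabot security update still
  # opens its own PR, one per alert.
  #
  #   groups:
  #     web-deps:
  #       patterns: ["*"]
  #
  # AFTER: the existing group is labelled explicitly, and a second
  # group with `applies-to: security-updates` catches every security
  # update in this directory, so alert-fixing PRs arrive grouped.
  - package-ecosystem: "npm"
    directory: "/apps/web"            # assumed directory
    schedule:
      interval: "weekly"              # assumed schedule
    groups:
      web-deps:                       # assumed group name
        applies-to: version-updates
        patterns: ["*"]
      web-security:                   # assumed group name
        applies-to: security-updates
        patterns: ["*"]
    # Kept as-is, as the PR does: the open alerts all patch within the
    # same major, so this ignore does not block any of them.
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
```

The same two-group pattern is what the PR applies to each of the 7 entries; a quick review check is that every `updates` entry has exactly one `security-updates` group with `patterns: ["*"]`.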
codeant-ai Bot commented Jun 5, 2026


CodeAnt AI is reviewing your PR.

coderabbitai Bot commented Jun 5, 2026


Warning

Review limit reached

@Prekzursil, we couldn't start this review because you've reached your PR review rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between df95284 and 560e467.

📒 Files selected for processing (3)
  • .github/dependabot.yml
  • apps/api/tests/test_project_collaboration.py
  • scripts/quality/check_visual_zero.py
@qodo-code-review


Review Summary by Qodo

Dependabot security grouping and ruff CodeQL fixes

✨ Enhancement 🐞 Bug fix

Walkthroughs

Description
• Add Dependabot security-update grouping across 7 ecosystems
  - Prevents one PR per CVE by collapsing security alerts into grouped PRs
  - Explicitly marks existing groups as version-updates only
• Remove unused Python imports and variable bindings
  - Delete unused import os from check_visual_zero.py (ruff F401)
  - Remove unused collaborator = binding while preserving side-effect (ruff F841)
Diagram
flowchart LR
  A["Dependabot Config"] -->|Add applies-to security-updates| B["7 Ecosystems Grouped"]
  C["Python Files"] -->|Remove unused imports/bindings| D["CodeQL Alerts Cleared"]
  B -->|Collapse per-CVE PRs| E["Fewer Grouped Security PRs"]

File Changes

1. .github/dependabot.yml ⚙️ Configuration changes +35/-0

Add security-update grouping to all Dependabot entries

• Added applies-to: security-updates group with patterns: ['*'] to all 7 ecosystem entries
• Made existing groups explicitly applies-to: version-updates for clarity
• Prevents ungrouped security-update PRs (one per CVE) by routing them to dedicated security groups
• Collapses ~35 individual Dependabot security PRs into a few grouped PRs per ecosystem

2. scripts/quality/check_visual_zero.py 🐞 Bug fix +0/-1

Remove unused os import

• Removed unused import os statement (ruff F401 / CodeQL py/unused-import)
• File validated with ruff check and py_compile

3. apps/api/tests/test_project_collaboration.py 🐞 Bug fix +1/-1

Remove unused collaborator variable binding

• Removed unused collaborator = variable binding (ruff F841 / CodeQL py/unused-local-variable)
• Preserved the side-effecting _register(...) call that creates the editor account used later in the test
• File validated with ruff check and py_compile

qodo-code-review Bot commented Jun 5, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

Great, no issues found!

Qodo reviewed your code and found no material issues that require review

@codeant-ai codeant-ai Bot added the size:M This PR changes 30-99 lines, ignoring generated files label Jun 5, 2026
codeant-ai Bot commented Jun 5, 2026


CodeAnt AI finished reviewing your PR.

@codacy-production


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

@cubic-dev-ai cubic-dev-ai Bot left a comment

No issues found across 3 files

sentry Bot commented Jun 5, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
