Fix es5 ext #14

Closed
weshayutin wants to merge 31 commits into migtools:oadp-dev from weshayutin:fix_es5-ext

@weshayutin weshayutin commented May 15, 2026

Description

Eliminate es5-ext via pnpm Override

Background

  • Problem: es5-ext@0.10.64 is a transitive dependency pulled in via vue-reader -> epubjs@0.3.93 -> event-emitter -> es5-ext
  • CVE-2024-27088 (ReDoS, CVSS 0.0) is already patched in the installed version, but eliminating es5-ext entirely removes future risk

Chosen Approach: pnpm Override with @likecoin/epub-ts

@likecoin/epub-ts (v0.6.3, Apr 2026) is a TypeScript rewrite of epubjs v0.3.93 that:

  • Has the exact same API (drop-in replacement, "change one import line")
  • Has only 1 runtime dependency (jszip) -- no es5-ext, no event-emitter, no d, no es6-iterator
  • Is 56.7% smaller bundle, significantly faster
  • Exports all the same classes: Book, Rendition, Themes, Contents, etc.
  • Supports requestCredentials, getRendition, themes.override -- everything used in frontend/src/views/files/Preview.vue

Summary by CodeRabbit

Release Notes

  • New Features

    • Added option to disable user profile functionality in branding settings
    • Added configurable default login user for streamlined authentication
    • Help menu now dynamically displays available actions based on user permissions
  • Chores

    • Enhanced container builds with improved health checks and multi-stage compilation
    • Updated CI/CD workflows and dependency management for better compatibility
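
A check for the outcome the description aims at, as an added example that is not part of the PR or the project's code: it walks an npm `package-lock.json` (lockfileVersion 3, the format the commits on this page generate for the hermetic build) and lists every dependency chain that reaches a named package. `resolveDep` and `findChains` are hypothetical helper names, and both lockfile fragments are constructed.

```javascript
// Added example (not from the PR). Lockfile fragments are constructed; versions
// not quoted in the PR description are placeholders.
// Resolve `dep` as Node does: nearest node_modules first, then walk upward.
function resolveDep(packages, fromPath, dep) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (Object.hasOwn(packages, candidate)) return candidate;
    if (!base) return null; // not installed (e.g. a skipped optional dependency)
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project; returns one chain per direct
// parent of `target`, so an empty array means the package is gone.
function findChains(lock, target) {
  const { packages } = lock;
  const chains = [];
  const visited = new Set([""]);
  const queue = [{ path: "", trail: [] }];
  while (queue.length) {
    const { path, trail } = queue.shift();
    const e = packages[path];
    const deps = { ...e.dependencies, ...e.optionalDependencies,
      ...(path === "" ? e.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(packages, path, dep);
      if (!next) continue;
      // npm records `name` when an alias makes the folder differ from the package.
      const real = packages[next].name || dep;
      const step = [...trail, `${real}@${packages[next].version}`];
      if (real === target) { chains.push(step.join(" -> ")); continue; }
      if (!visited.has(next)) { visited.add(next); queue.push({ path: next, trail: step }); }
    }
  }
  return chains;
}

const shared = { "": { dependencies: { "vue-reader": "^1.0.0" } },
  "node_modules/vue-reader": { version: "1.0.0", dependencies: { epubjs: "^0.3.93" } },
  "node_modules/jszip": { version: "3.10.1" } };
const before = { lockfileVersion: 3, packages: { ...shared,
  "node_modules/epubjs": { version: "0.3.93", dependencies: { "event-emitter": "^0.3.5" } },
  "node_modules/event-emitter": { version: "0.3.5", dependencies: { d: "1", "es5-ext": "~0.10.14" } },
  "node_modules/d": { version: "1.0.2", dependencies: { "es5-ext": "^0.10.64" } },
  "node_modules/es5-ext": { version: "0.10.64" } } };
const after = { lockfileVersion: 3, packages: { ...shared,
  "node_modules/epubjs": { name: "@likecoin/epub-ts", version: "0.6.3", dependencies: { jszip: "^3.7.1" } } } };

console.log(findChains(before, "es5-ext"), findChains(after, "es5-ext"));
```

Run against the real lockfile by passing the parsed JSON as `lock`; a non-empty result for `es5-ext` names the parent that still pulls it in.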

weshayutin and others added 30 commits March 16, 2026 19:53
Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
build: first pass at a konflux dockerfile
Hermeto/Cachi2 requires package-lock.json (or npm-shrinkwrap.json) for
npm dependency pre-fetching during hermetic Konflux builds. pnpm-lock.yaml
is not supported by Hermeto's npm handler.

Generated via: npm install --package-lock-only
Lockfile version: 3

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
UPSTREAM: <carry>: Add package-lock.json for Konflux hermetic builds
New config option:
  --branding.disableUserProfile

This option allows disabling User Profile together
with User settings.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
New config option:
  --branding.defaultLoginUser "username"

This option allows providing a default Username, which will result
in hiding the username field from the welcome page.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Removes Help options "Delete" and "Rename" if the
following permissions are revoked from a particular
user:

  --perm.delete=false
  --perm.rename=false

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Add multi-stage Containerfile for UBI-based builds.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Adds OWNERS file.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Fix downstream changes to match upstream refactored functions.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
Hermeto/Cachi2 requires package-lock.json (or npm-shrinkwrap.json) for
npm dependency pre-fetching during hermetic Konflux builds. pnpm-lock.yaml
is not supported by Hermeto's npm handler.

Generated via: npm install --package-lock-only
Lockfile version: 3

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
In hermetic Konflux/Cachi2 builds, network access is blocked, causing
`npm install -g pnpm` to fail with ENOTFOUND when trying to reach
registry.npmjs.org.

Replace pnpm with npm clean-install, consistent with how mta-ui and
mta-static-report handle npm dependencies in hermetic builds.
package-lock.json is already present in the frontend/ directory.

Changes:
- Remove pnpm install, use npm clean-install --ignore-scripts --no-audit --verbose
- Replace pnpm run build with npm run typecheck && npx vite build
  (the package.json build script references pnpm internally)
- Remove go mod download, Cachi2 pre-fetches Go modules and makes
  them available via cachi2.env GOMODCACHE
- Consolidate LABEL instructions into single multi-line block
- Fix extra space in io.k8s.description label

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous package-lock.json was out of sync with package.json after
rebase, causing version mismatches (e.g. vite@7.3.2 vs ^8.0.0) and
preventing Cachi2 from properly pre-fetching npm dependencies.

Regenerated using registry.access.redhat.com/ubi9/nodejs-24:latest
(Node.js v24.13.0, npm 11.6.2) to match the builder image.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Use npm instead of pnpm for hermetic Konflux builds
New config option:
  --branding.disableUserProfile

This option allows disabling User Profile together
with User settings.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
New config option:
  --branding.defaultLoginUser "username"

This option allows providing a default Username, which will result
in hiding the username field from the welcome page.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Removes Help options "Delete" and "Rename" if the
following permissions are revoked from a particular
user:

  --perm.delete=false
  --perm.rename=false

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Add multi-stage Containerfile for UBI-based builds.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Adds OWNERS file.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Fix downstream changes to match upstream refactored functions.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
Hermeto/Cachi2 requires package-lock.json (or npm-shrinkwrap.json) for
npm dependency pre-fetching during hermetic Konflux builds. pnpm-lock.yaml
is not supported by Hermeto's npm handler.

Generated via: npm install --package-lock-only
Lockfile version: 3

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
In hermetic Konflux/Cachi2 builds, network access is blocked, causing
`npm install -g pnpm` to fail with ENOTFOUND when trying to reach
registry.npmjs.org.

Replace pnpm with npm clean-install, consistent with how mta-ui and
mta-static-report handle npm dependencies in hermetic builds.
package-lock.json is already present in the frontend/ directory.

Changes:
- Remove pnpm install, use npm clean-install --ignore-scripts --no-audit --verbose
- Replace pnpm run build with npm run typecheck && npx vite build
  (the package.json build script references pnpm internally)
- Remove go mod download, Cachi2 pre-fetches Go modules and makes
  them available via cachi2.env GOMODCACHE
- Consolidate LABEL instructions into single multi-line block
- Fix extra space in io.k8s.description label

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous package-lock.json was out of sync with package.json after
rebase, causing version mismatches (e.g. vite@7.3.2 vs ^8.0.0) and
preventing Cachi2 from properly pre-fetching npm dependencies.

Regenerated using registry.access.redhat.com/ubi9/nodejs-24:latest
(Node.js v24.13.0, npm 11.6.2) to match the builder image.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Disable Validate Title check (semantic commit PR titles are
not used downstream). Fix Go version to 1.25 and add oadp-*
branches to CI triggers.
requires removal of es5-ext
in depth explanation in doc/eliminate-es5-ext.md

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
@openshift-ci openshift-ci Bot requested a review from Joeavaikath May 15, 2026 14:56

openshift-ci Bot commented May 15, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


openshift-ci Bot commented May 15, 2026

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@weshayutin weshayutin closed this May 15, 2026

openshift-ci Bot commented May 15, 2026

@weshayutin: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/images | f39aed0 | link | true | /test images |

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

coderabbitai Bot commented May 15, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d066c794-855a-4fc0-842f-3b2465115659

📥 Commits

Reviewing files that changed from the base of the PR and between 5919ff8 and f39aed0.

⛔ Files ignored due to path filters (2)
  • frontend/package-lock.json is excluded by !**/package-lock.json
  • frontend/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (21)
  • .github/workflows/ci.yaml
  • .github/workflows/lint-pr.yaml
  • Containerfile
  • OWNERS
  • cmd/config.go
  • doc/eliminate-es5-ext.md
  • docker/ubi/healthcheck.sh
  • frontend/index.html
  • frontend/package.json
  • frontend/src/components/Sidebar.vue
  • frontend/src/components/prompts/Help.vue
  • frontend/src/i18n/en.json
  • frontend/src/router/index.ts
  • frontend/src/types/settings.d.ts
  • frontend/src/utils/constants.ts
  • frontend/src/views/Login.vue
  • frontend/src/views/Settings.vue
  • frontend/src/views/settings/Global.vue
  • http/static.go
  • konflux.Dockerfile
  • settings/branding.go

📝 Walkthrough

This PR implements user profile control branding features while introducing containerization infrastructure, updating CI toolchain versions, establishing code ownership, and addressing a frontend dependency security issue. The changes span backend configuration, HTTP template injection, and frontend UI gating to conditionally disable user profile access and support pre-filled login credentials.

Changes

User Profile Control Feature

| Layer / File(s) | Summary |
|---|---|
| Backend branding configuration: settings/branding.go, cmd/config.go, http/static.go, frontend/index.html | Branding struct adds DisableUserProfile and DefaultLoginUser fields; CLI flags wire these values into the configuration; HTTP handler injects them into the frontend template context. |
| Frontend configuration contracts: frontend/src/types/settings.d.ts, frontend/src/utils/constants.ts | SettingsBranding TypeScript interface extends with new boolean and string fields; frontend constants extract DisableUserProfile and DefaultLoginUser from window.FileBrowser configuration. |
| Frontend UI implementation: frontend/src/i18n/en.json, frontend/src/router/index.ts, frontend/src/components/Sidebar.vue, frontend/src/components/prompts/Help.vue, frontend/src/views/Login.vue, frontend/src/views/Settings.vue, frontend/src/views/settings/Global.vue | Router guards redirect profile and settings navigation when disableUserProfile is true; sidebar profile button conditionally hidden; login view hides username input when defaultLoginUser is pre-filled; global settings expose branding configuration UI; help prompts respect user permissions; translations added for new setting label. |

Infrastructure, Build & Dependency Updates

| Layer / File(s) | Summary |
|---|---|
| Multi-stage container builds: Containerfile, konflux.Dockerfile, docker/ubi/healthcheck.sh | Two production-ready multi-stage Dockerfile definitions compile frontend assets with pnpm and backend binary with Go; emit minimal UBI-based runtime images with non-root execution, persistent volumes, port 8080, and health checks. |
| CI workflow and code ownership: .github/workflows/ci.yaml, .github/workflows/lint-pr.yaml, OWNERS | Go toolchain downgraded from 1.26 to 1.25 across lint, test, build, and release jobs; PR title validation disabled; OWNERS file establishes approvers and reviewers for codebase governance. |
| Frontend dependency security and documentation: frontend/package.json, doc/eliminate-es5-ext.md | pnpm override aliases epubjs to @likecoin/epub-ts@^0.6.3 to eliminate the es5-ext transitive dependency and CVE-2024-27088; documentation describes the dependency chain, API compatibility, and implementation steps. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

  • OWNERS file oadp-cli#152: The PR adds an OWNERS file with explicitly configured approvers and reviewers lists, directly implementing the code ownership structure requested in that issue.

Poem

🐰 A profile that hides when you wish it away,
Default logins appear without delay,
Containers are built in stages so neat,
While dependencies shrink with a security feat,
The filebrowser dances in style today!

3 participants