feat: Update CODEOWNERS and sync submodules

[killev]

• Add @vasilyyaremchuk as code reviewer to CODEOWNERS
• Update .cursor/rules/common submodule to latest commit
• Update website-pages submodule

This update expands the code review team by adding @vasilyyaremchuk as a reviewer alongside @killev, ensuring better code coverage and review distribution. The submodule updates bring in the latest changes from the common rules and website-pages repositories.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

• Updated two submodule commit pointers: .cursor/rules/common and website-pages.
• Modified .github/CODEOWNERS to add @vasilyyaremchuk alongside @killev.
• Appended tmp/ to .gitignore.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Add CODEOWNERS file to set default code reviewer #77: Earlier change to .github/CODEOWNERS adding @killev; this PR extends that by adding @vasilyyaremchuk.
• feat: Add website-pages submodule for content management #82: Prior update to website-pages submodule commit; this PR advances that submodule to a newer commit.

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these settings in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c0bf980 and 1bc8872.

📒 Files selected for processing (2)

• .gitignore (1 hunks)
• website-pages (1 hunks)

✅ Files skipped from review due to trivial changes (2)

• .gitignore
• website-pages

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: sonarqube
• GitHub Check: e2e-tests

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update-codeowners-and-submodules

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

🔍 Vulnerabilities of apostrophe-cms:test

📦 Image Reference apostrophe-cms:test

digest	sha256:b63a98f9afb0fb958a2e61953bac7cf28e7fd0a34f73943a749287d1069d2b8e
vulnerabilities
platform	linux/amd64
size	291 MB
packages	985

📦 Base Image node:23-alpine

also known as	23-alpine3.22 23.11-alpine 23.11-alpine3.22 23.11.1-alpine 23.11.1-alpine3.22
digest	sha256:b9d38d589853406ff0d4364f21969840c3e0397087643aef8eede40edbb6c7cd
vulnerabilities

form-data 4.0.2 (npm) pkg:npm/[email protected] Use of Insufficiently Random Values Affected range >=4.0.0 <4.0.4 Fixed version 4.0.4 CVSS Score 9.4 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N EPSS Score 0.076% EPSS Percentile 23rd percentile Description Summary form-data uses Math.random() to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: can observe other values produced by Math.random in the target application, and can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was recently found in undici by parrot409 -- I'm not affiliated with that researcher but want to give credit where credit is due! My PoC is largely based on their work. Details The culprit is this line here: https://github.com/form-data/form-data/blob/426ba9ac440f95d1998dac9a5cd8d738043b048f/lib/form_data.js#L347 An attacker who is able to predict the output of Math.random() can predict this boundary value, and craft a payload that contains the boundary value, followed by another, fully attacker-controlled field. This is roughly equivalent to any sort of improper escaping vulnerability, with the caveat that the attacker must find a way to observe other Math.random() values generated by the application to solve for the state of the PRNG. However, Math.random() is used in all sorts of places that might be visible to an attacker (including by form-data itself, if the attacker can arrange for the vulnerable application to make a request to an attacker-controlled server using form-data, such as a user-controlled webhook -- the attacker could observe the boundary values from those requests to observe the Math.random() outputs). A common example would be a x-request-id header added by the server. These sorts of headers are often used for distributed tracing, to correlate errors across the frontend and backend. Math.random() is a fine place to get these sorts of IDs (in fact, opentelemetry uses Math.random for this purpose) PoC PoC here: https://github.com/benweissmann/CVE-2025-7783-poc Instructions are in that repo. It's based on the PoC from https://hackerone.com/reports/2913312 but simplified somewhat; the vulnerable application has a more direct side-channel from which to observe Math.random() values (a separate endpoint that happens to include a randomly-generated request ID). Impact For an application to be vulnerable, it must: Use form-data to send data including user-controlled data to some other system. The attacker must be able to do something malicious by adding extra parameters (that were not intended to be user-controlled) to this request. Depending on the target system's handling of repeated parameters, the attacker might be able to overwrite values in addition to appending values (some multipart form handlers deal with repeats by overwriting values instead of representing them as an array) Reveal values of Math.random(). It's easiest if the attacker can observe multiple sequential values, but more complex math could recover the PRNG state to some degree of confidence with non-sequential values. If an application is vulnerable, this allows an attacker to make arbitrary requests to internal systems.

async 0.9.2 (npm) pkg:npm/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.907% EPSS Percentile 75th percentile Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

linkifyjs 4.2.0 (npm) pkg:npm/[email protected] Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range <4.3.2 Fixed version 4.3.2 CVSS Score 8.8 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N EPSS Score 0.060% EPSS Percentile 19th percentile Description Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2.

connect-multiparty 2.2.0 (npm) pkg:npm/[email protected] Unrestricted Upload of File with Dangerous Type Affected range <=2.2.0 Fixed version Not Fixed CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.320% EPSS Percentile 54th percentile Description An arbitrary file upload vulnerability in the file upload module of Express Connect-Multiparty 2.2.0 allows attackers to execute arbitrary code via a crafted PDF file. NOTE: the Supplier has not verified this vulnerability report.

async 1.5.2 (npm) pkg:npm/[email protected] OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range <2.6.4 Fixed version 2.6.4, 3.2.2 CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 0.907% EPSS Percentile 75th percentile Description A vulnerability exists in Async through 3.2.1 (fixed in 3.2.2), which could let a malicious user obtain privileges via the mapValues() method.

[Copilot]

Pull Request Overview

This PR adds @vasilyyaremchuk as a code reviewer to improve code review coverage and distribution, updates the common rules submodule to the latest commit, and creates a comprehensive documentation file tracking previous PR conversations.

• Added @vasilyyaremchuk as a code reviewer alongside @killev in CODEOWNERS
• Updated .cursor/rules/common submodule to latest commit (0048a59)
• Created PR_CONVERSATIONS.md documenting historical PR feedback and resolution status

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/CODEOWNERS	Added @vasilyyaremchuk as code reviewer alongside @killev
.cursor/rules/common	Updated submodule to latest commit
tmp/PR_CONVERSATIONS.md	Added comprehensive documentation of previous PR conversations and their resolution status

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

There are spelling errors in this line: 'happed' should be 'happened' and 'damadge' should be 'damage'.

Suggested change

	Decision: Resolve this. it works good enough, and mistake (even if happed) wouldn't cause any damadge.
	Decision: Resolve this. it works good enough, and mistake (even if happened) wouldn't cause any damage.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (7)

.github/CODEOWNERS (1)

6-6: Default rule with multiple owners looks correct; consider team alias and protection checks

The syntax is valid and will request both users. Two optional improvements:

• Prefer a GitHub Team alias (e.g., @org/reviewers) for resiliency if onboarding/offboarding happens often.
• Ensure this rule remains last if you later add path-specific rules, and verify branch protection has “Require review from Code Owners” enabled so auto-requesting happens.

No change required if current setup matches your workflow.

Please verify:

• Both @killev and @vasilyyaremchuk have at least Triage or Write access in this repo or owning org.
• Branch protection rules for your default branch have “Require review from Code Owners” enabled.

tmp/PR_CONVERSATIONS.md (6)

1-3: Fix trailing punctuation in headings (markdownlint MD026)

Remove trailing colons from headings to satisfy markdownlint and keep titles clean.

-# All Conversations for PR #207:
+# All Conversations for PR #207

-## ❌ OUTDATED (Fixed by previous changes):
+## ❌ OUTDATED (Fixed by previous changes)

---

8-21: Avoid setext-style headings and nonstandard ```suggestion fences

• The “----” line can be parsed as a setext heading underline depending on surrounding blanks. Prefer a proper horizontal rule with surrounding blank lines or retain as a thematic break consistently.
• “```suggestion” is a GitHub PR review fence; in plain Markdown it renders as an untyped code block. Use a language fence like js for syntax highlighting.

-----
+---
 Using forEach for control flow with early returns or exceptions is an anti-pattern. Consider using a for...of loop which allows proper control flow.
-```suggestion
+```js
   for (const arg of args) {
     if (arg.startsWith('--env=')) options.envPath = arg.split('=')[1];
     else if (arg === '--help' || arg === '-h') options.help = true;
     else if (arg === '--dry-run') options.dryRun = true;
     else if (arg === '--verbose' || arg === '-v') options.verbose = true;
     else if (arg.startsWith('--')) throw new Error(`Unknown argument: ${arg}`);
   }

---

+---

Note: Ensure there is a blank line before and after the thematic break for consistent rendering.

---

`56-56`: **Normalize horizontal rules to avoid accidental setext headings (markdownlint MD003)**

Standardize the separators to thematic breaks. This avoids accidental setext headings if blank lines are missing.


```diff
-----
+---

Apply this replacement to each of the highlighted separator lines throughout the document.

Also applies to: 71-71, 89-89, 103-103, 125-125, 169-169, 217-217

---

59-59: Fix trailing punctuation in heading (markdownlint MD026)

Remove the trailing colon for consistency with the earlier heading.

-## ✅ STILL RELEVANT (Need to be fixed):
+## ✅ STILL RELEVANT (Need to be fixed)

---

113-113: Use a proper heading instead of bold emphasis (markdownlint MD036)

Replace an emphasized line with a heading for clarity and consistency.

-**Invalid @aws-sdk/client-s3 version in package.json**
+### Invalid @aws-sdk/client-s3 version in package.json

---

220-220: Fix typos and clarity in the decision note

Correct spelling and make the phrasing clear.

-Decision: Resolve this. it works good enough, and mistake (even if happed) wouldn't cause any damadge.
+Decision: Won’t fix. It works well enough, and a mistake (even if it happened) wouldn’t cause any damage.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these settings in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b60dca9 and c0bf980.

📒 Files selected for processing (3)

• .cursor/rules/common (1 hunks)
• .github/CODEOWNERS (1 hunks)
• tmp/PR_CONVERSATIONS.md (1 hunks)

🧰 Additional context used

🪛 LanguageTool

tmp/PR_CONVERSATIONS.md

[grammar] ~5-~5: There might be a mistake here.
Context: ... website/scripts/mongo-migrate.js:null Id: PRRT_kwDOOXKRxs5VQm9e Author: copilo...

(QB_NEW_EN)

---

[grammar] ~6-~6: There might be a mistake here.
Context: ...ate.js:null** Id: PRRT_kwDOOXKRxs5VQm9e Author: copilot-pull-request-reviewer De...

(QB_NEW_EN)

---

[grammar] ~7-~7: There might be a mistake here.
Context: ...9e Author: copilot-pull-request-reviewer Description: Suggested replacing forEach...

(QB_NEW_EN)

---

[grammar] ~23-~23: There might be a mistake here.
Context: ... website/scripts/mongo-migrate.js:null Id: PRRT_kwDOOXKRxs5VQqYd Author: codera...

(QB_NEW_EN)

---

[grammar] ~24-~24: There might be a mistake here.
Context: ...ate.js:null** Id: PRRT_kwDOOXKRxs5VQqYd Author: coderabbitai Description: Fix er...

(QB_NEW_EN)

---

[grammar] ~25-~25: There might be a mistake here.
Context: ...RT_kwDOOXKRxs5VQqYd Author: coderabbitai Description: Fix error counting in batch...

(QB_NEW_EN)

---

[grammar] ~61-~61: There might be a mistake here.
Context: ...d): ### website/scripts/s3-copy.js:42 Id: PRRT_kwDOOXKRxs5VQm-G Author: copilo...

(QB_NEW_EN)

---

[grammar] ~62-~62: There might be a mistake here.
Context: ...-copy.js:42** Id: PRRT_kwDOOXKRxs5VQm-G Author: copilot-pull-request-reviewer De...

(QB_NEW_EN)

---

[grammar] ~63-~63: There might be a mistake here.
Context: ...-G Author: copilot-pull-request-reviewer Description: Temporal coupling issue whe...

(QB_NEW_EN)

---

[grammar] ~76-~76: There might be a mistake here.
Context: ...his ### website/scripts/s3-copy.js:48 Id: PRRT_kwDOOXKRxs5VQm-W Author: copilo...

(QB_NEW_EN)

---

[grammar] ~77-~77: There might be a mistake here.
Context: ...-copy.js:48** Id: PRRT_kwDOOXKRxs5VQm-W Author: copilot-pull-request-reviewer De...

(QB_NEW_EN)

---

[grammar] ~78-~78: There might be a mistake here.
Context: ...-W Author: copilot-pull-request-reviewer Description: Magic number 3 for COPY_BAT...

(QB_NEW_EN)

---

[grammar] ~94-~94: There might be a mistake here.
Context: ...### website/scripts/mongo-migrate.js:5 Id: PRRT_kwDOOXKRxs5VQm-j Author: copilo...

(QB_NEW_EN)

---

[grammar] ~95-~95: There might be a mistake here.
Context: ...igrate.js:5** Id: PRRT_kwDOOXKRxs5VQm-j Author: copilot-pull-request-reviewer De...

(QB_NEW_EN)

---

[grammar] ~96-~96: There might be a mistake here.
Context: ...-j Author: copilot-pull-request-reviewer Description: Magic number 1000 for BATCH...

(QB_NEW_EN)

---

[grammar] ~108-~108: There might be a mistake here.
Context: ...hange it. ### website/package.json:41 Id: PRRT_kwDOOXKRxs5VQqYR Author: codera...

(QB_NEW_EN)

---

[grammar] ~109-~109: There might be a mistake here.
Context: ...age.json:41** Id: PRRT_kwDOOXKRxs5VQqYR Author: coderabbitai Description: Invali...

(QB_NEW_EN)

---

[grammar] ~110-~110: There might be a mistake here.
Context: ...RT_kwDOOXKRxs5VQqYR Author: coderabbitai Description: Invalid AWS SDK version 3.8...

(QB_NEW_EN)

---

[grammar] ~130-~130: There might be a mistake here.
Context: ...ion ### website/scripts/s3-copy.js:39 Id: PRRT_kwDOOXKRxs5VQqYo Author: codera...

(QB_NEW_EN)

---

[grammar] ~131-~131: There might be a mistake here.
Context: ...-copy.js:39** Id: PRRT_kwDOOXKRxs5VQqYo Author: coderabbitai Description: AWS cr...

(QB_NEW_EN)

---

[grammar] ~132-~132: There might be a mistake here.
Context: ...RT_kwDOOXKRxs5VQqYo Author: coderabbitai Description: AWS credentials should be v...

(QB_NEW_EN)

---

[grammar] ~174-~174: There might be a mistake here.
Context: ...is ### website/scripts/s3-copy.js:131 Id: PRRT_kwDOOXKRxs5VQqYx Author: codera...

(QB_NEW_EN)

---

[grammar] ~175-~175: There might be a mistake here.
Context: ...copy.js:131** Id: PRRT_kwDOOXKRxs5VQqYx Author: coderabbitai Description: stream...

(QB_NEW_EN)

---

[grammar] ~220-~220: There might be a mistake here.
Context: ...on: Resolve this. it works good enough, and mistake (even if happed) wouldn't cause...

(QB_NEW_EN)

---

[grammar] ~220-~220: Ensure spelling is correct
Context: ...works good enough, and mistake (even if happed) wouldn't cause any damadge.

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

---

[grammar] ~220-~220: Ensure spelling is correct
Context: ...ake (even if happed) wouldn't cause any damadge.

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🪛 markdownlint-cli2 (0.17.2)

tmp/PR_CONVERSATIONS.md

1-1: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

---

3-3: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

---

6-6: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

24-24: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

59-59: Trailing punctuation in heading
Punctuation: ':'

(MD026, no-trailing-punctuation)

---

62-62: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

77-77: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

95-95: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

109-109: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

113-113: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

---

124-124: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

124-124: Trailing punctuation in heading
Punctuation: '.'

(MD026, no-trailing-punctuation)

---

131-131: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

---

175-175: Heading style
Expected: atx; Actual: setext

(MD003, heading-style)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: e2e-tests
• GitHub Check: lint
• GitHub Check: unit-tests
• GitHub Check: security-scan

🔇 Additional comments (3)

.cursor/rules/common (1)

1-1: Cannot verify submodule pointer — .cursor/rules/common is missing

I ran the verification script; it exited with:
"Submodule pointer file missing: .cursor/rules/common". I couldn't parse the pointer commit or check the remote.

Please:

• Add/commit the submodule pointer file .cursor/rules/common (it should contain "Subproject commit <40-hex-hash>"), or confirm the submodule was intentionally removed.
• Verify .gitmodules has an entry for path=".cursor/rules/common" with a correct url (and branch if used).
• Re-run the verification script or provide the pointer file content / commit hash so I can confirm the remote commit exists.

.github/CODEOWNERS (1)

2-2: LGTM: added co-owner is correctly reflected in comments

The explanatory comment accurately reflects the new review ownership arrangement.

tmp/PR_CONVERSATIONS.md (1)

108-129: Incorrect claim — @aws-sdk/[email protected] is published; latest is 3.864.0

I checked the npm registry: dist-tags.latest = 3.864.0 and version 3.850.0 is present.

• File: website/package.json (around line 41) — currently contains "^3.850.0"

Suggested (optional) update:

- "@aws-sdk/client-s3": "^3.850.0",
+ "@aws-sdk/client-s3": "^3.864.0",  # optional — 3.850.0 is valid but not the latest

Likely an incorrect or invalid review comment.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud