rusackas opened a new pull request, #40547:
URL: https://github.com/apache/superset/pull/40547

### SUMMARY

Resolves the remaining two high-severity CodeQL findings:

- **Dynamic dispatch (`asyncEvent.ts`):** the async-event middleware looked up a listener by a server-supplied job id and invoked it. Now the dynamic property access is guarded with an own-property check, so the lookup can only resolve to a listener the app actually registered (not an inherited object method).
- **Regex backtracking (`boxplotOperator.ts`):** the boxplot percentile pattern used unbounded digit quantifiers. Since these values are always in the 0–100 range, the quantifiers are now bounded, removing the backtracking risk while preserving matching behavior.

Both are minimal, behavior-preserving changes.

### TESTING INSTRUCTIONS

- [ ] CI passes (frontend lint / type-check / unit tests)
- [ ] Boxplot "X/Y percentiles" whisker option still parses correctly
- [ ] Async event listeners still fire for registered job ids
- [ ] The relevant CodeQL alerts no longer appear after the next scan

### ADDITIONAL INFORMATION

- [ ] Has associated issue: addresses code-scanning alerts
- [ ] Required feature flags: n/a
- [ ] Changes UI: No
- [ ] Includes DB Migration: No
- [ ] Introduces new feature or API: No
- [ ] Removes existing feature or API: No

🤖 Generated with [Claude Code](https://claude.com/claude-code)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
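The two fixes the PR describes, shown side by side as an added example; this is not Superset's code, and the listener registry shape, the `AsyncEvent` message type, the `lookup*`/`dispatch`/`parsePercentiles` names and both regex patterns are assumptions chosen to illustrate the own-property guard and the bounded quantifier, not the project's actual source:

```typescript
// Added example (not Superset code): a job-id keyed listener registry and a
// percentile-option parser, each in an unguarded and a guarded form.

type Listener = (payload: unknown) => void;

// Hypothetical server-supplied event shape, modelled loosely on the PR text.
interface AsyncEvent {
  job_id: string;
}

// --- 1. Dynamic dispatch on a server-supplied key --------------------------

// Unguarded lookup: a plain object inherits from Object.prototype, so a key
// such as "constructor" or "toString" resolves to an inherited function even
// though nothing was registered under that id.
function lookupUnguarded(
  listeners: Record<string, Listener>,
  jobId: string,
): Listener | undefined {
  return listeners[jobId];
}

// Guarded lookup: only keys the app itself registered can resolve.
function lookupGuarded(
  listeners: Record<string, Listener>,
  jobId: string,
): Listener | undefined {
  return Object.prototype.hasOwnProperty.call(listeners, jobId)
    ? listeners[jobId]
    : undefined;
}

// Dispatch helper; returns whether a listener was invoked for the event.
function dispatch(
  listeners: Record<string, Listener>,
  event: AsyncEvent,
  lookup: (l: Record<string, Listener>, id: string) => Listener | undefined,
): boolean {
  const listener = lookup(listeners, event.job_id);
  if (typeof listener !== 'function') return false;
  listener(event);
  return true;
}

// --- 2. Bounded percentile pattern ------------------------------------------

// Assumed shapes of the whisker-option pattern; the real regex may differ.
// Percentiles are at most three digits (0..100), so {1,3} caps the work the
// engine can do per input while matching every valid option the same way.
const PERCENTILES_UNBOUNDED = /^(\d+)\/(\d+) percentiles$/;
const PERCENTILES_BOUNDED = /^(\d{1,3})\/(\d{1,3}) percentiles$/;

function parsePercentiles(
  option: string,
  pattern: RegExp = PERCENTILES_BOUNDED,
): [number, number] | null {
  const m = pattern.exec(option);
  if (!m) return null;
  const lo = Number(m[1]);
  const hi = Number(m[2]);
  // The quantifier bounds the syntax; the range check enforces the semantics.
  if (lo > 100 || hi > 100) return null;
  return [lo, hi];
}
```

The guarded lookup is the behaviour-preserving change: every id the app registered still resolves exactly as before, while ids that only exist because of prototype inheritance now yield `undefined` and are never called. A `Map` keyed by job id would give the same guarantee without the explicit check.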

