Feat/site msg backup migrations#2
Conversation
Policy Check Failed ✗ 3/3 policy checks failed: • Need 2 more approval(s) (0/2) — comment LGTM or approve via review. To merge this PR:
PR Summary: What Changed
Key Changes by Area:
- Migration System: Extended
- Sites Module: Fixed
- Test Infrastructure: Added
Files Changed
Review Focus Areas
Architecture
Design Decisions: Using a dev branch dependency (
Risks: The dev branch dependency introduces instability. This is intentional for feature development but should be switched to stable before release. Test cleanup logic is critical. Missing cleanup would leak resources in CI environments.
Merge Status: NOT MERGEABLE — PR Score 57/100, below threshold (50)
Greptile Summary
This PR extends Appwrite's migration system to support two new resource categories — Sites (with deployments and variables) and Messaging (providers, topics, subscribers, messages) — by bumping the
Confidence Score: 3/5. Not safe to merge as-is — the dependency is pinned to a mutable dev branch and the subscriber migration is untested in both the status assertion and destination verification. Two concerns stand out:
Important Files Changed
Sequence Diagram
```mermaid
sequenceDiagram
    participant Test as E2E Test
    participant Src as Source Project (API)
    participant Worker as Migration Worker
    participant Dst as Destination Project (API)
    Test->>Src: POST /sites
    Test->>Src: POST /messaging/providers/sendgrid
    Test->>Src: POST /messaging/topics
    Test->>Src: POST /users
    Test->>Src: "POST /messaging/topics/{id}/subscribers"
    Test->>Src: POST /messaging/messages/email
    Test->>Worker: performMigrationSync(resources, endpoint, apiKey)
    Worker->>Worker: generateAPIKey with sites/messaging scopes
    Worker->>Src: Fetch all resources
    Worker->>Dst: Create all resources
    Worker-->>Test: Migration result
    Test->>Dst: "GET /sites/{id}"
    Test->>Dst: "GET /messaging/providers/{id}"
    Test->>Dst: "GET /messaging/topics/{id}"
    Test->>Dst: "GET /messaging/messages/{id}"
    Note over Test,Dst: Subscriber NOT verified on destination
```
Reviews (1): Last reviewed commit: "added messaging migration support and E2..."
| Resource::TYPE_MESSAGE, | ||
| ], $result['resources']); | ||
|
|
||
| foreach ([Resource::TYPE_USER, Resource::TYPE_PROVIDER, Resource::TYPE_TOPIC, Resource::TYPE_MESSAGE] as $resource) { |
Resource::TYPE_SUBSCRIBER is included in the migration resources and a subscriber is created and tracked via $subscriberId, yet it is omitted from the foreach assertion loop that validates statusCounters. A subscriber migration failure (errors, warnings, non-zero pending count) would silently pass this test, giving a false green signal.
| foreach ([Resource::TYPE_USER, Resource::TYPE_PROVIDER, Resource::TYPE_TOPIC, Resource::TYPE_MESSAGE] as $resource) { | |
| foreach ([Resource::TYPE_USER, Resource::TYPE_PROVIDER, Resource::TYPE_TOPIC, Resource::TYPE_SUBSCRIBER, Resource::TYPE_MESSAGE] as $resource) { |
| "utopia-php/logger": "0.6.*", | ||
| "utopia-php/messaging": "0.20.*", | ||
| "utopia-php/migration": "1.6.*", | ||
| "utopia-php/migration": "dev-feat-message-migration", |
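Review bot: the replacement constraint `"utopia-php/migration": "dev-feat-message-migration"` on the added line is a branch alias, so every `composer update` re-resolves it to whatever the branch head is at that moment. Until upstream tags a release, pin the branch to the reviewed commit with Composer's `#<sha>` suffix (`"dev-feat-message-migration#<reviewed-commit-sha>"`) so the constraint and the lockfile agree on one immutable ref, and state in the PR description when the `1.x.*` constraint will be restored.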
Dev branch locked into production dependency
dev-feat-message-migration is an unstable branch reference — Composer resolves it to whatever HEAD points to on that branch at install time. Any unreviewed commit pushed to that branch between now and a fresh composer install would silently change the exact code running in production. This also requires the "repositories" VCS override and forces stability-flags to 20 (dev), loosening the stability guarantees for the whole project. This should be replaced with a tagged, stable release once the upstream branch is merged.
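A small audit that checks a composer.json and composer.lock pair for the three problems this thread raises: a `dev-*` branch constraint without a commit pin, a VCS repository override, and a non-empty `stability-flags` map. This is an added example, not Appwrite's or Codity's code; the sample manifests are constructed (reusing the 69c3eb0f… commit shown in the PR diff and a placeholder `deadbeef…` hash), and `COMPOSER_JSON_PINNED` shows the `#<sha>` form Composer accepts for pinning a branch to one commit.

```python
"""Audit a composer.json / composer.lock pair for mutable dependency pins.

Constructed example (not Appwrite's or Codity's code). Flags a dev-* branch
constraint without a commit pin, a VCS repository override, and stability-flags.
"""
import json
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
# Stability levels as Composer writes them into composer.lock's stability-flags
STABILITY_NAMES = {0: "stable", 5: "RC", 10: "beta", 15: "alpha", 20: "dev"}
MUTABLE_REPO_TYPES = {"vcs", "git", "github", "gitlab", "bitbucket"}


def audit_composer_json(composer: dict) -> list[dict]:
    """Flag branch constraints lacking a commit pin and non-Packagist repositories."""
    findings = []
    for section in ("require", "require-dev"):
        for name, constraint in composer.get(section, {}).items():
            if not constraint.startswith("dev-"):
                continue  # semver constraints resolve to immutable tagged releases
            branch, _, ref = constraint.partition("#")
            if not ref:
                findings.append({"severity": "high", "subject": name,
                                 "reason": f"branch constraint {branch!r} is re-resolved "
                                           "on every composer update"})
            elif not SHA1_RE.match(ref):
                findings.append({"severity": "medium", "subject": name,
                                 "reason": f"commit pin {ref!r} is not a full 40-hex sha"})
    for repo in composer.get("repositories", []):
        if isinstance(repo, dict) and repo.get("type") in MUTABLE_REPO_TYPES:
            findings.append({"severity": "medium", "subject": repo.get("url", "?"),
                             "reason": "VCS repository bypasses Packagist; the package "
                                       "source is whatever this URL serves"})
    return findings


def audit_composer_lock(lock: dict) -> list[dict]:
    """Flag dev versions, non-commit references and stability flags in the lockfile."""
    findings = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        name, version = pkg.get("name", "?"), pkg.get("version", "")
        if version.startswith("dev-"):
            findings.append({"severity": "high", "subject": name,
                             "reason": f"locked to branch {version!r}; the next update moves it"})
        dist = pkg.get("dist", {})
        for label, ref in (("source", pkg.get("source", {}).get("reference")),
                           ("dist", dist.get("reference"))):
            if ref is not None and not SHA1_RE.match(ref):
                findings.append({"severity": "high", "subject": name,
                                 "reason": f"{label} reference {ref!r} is not an immutable commit"})
        if dist.get("reference") and dist.get("url") and dist["reference"] not in dist["url"]:
            findings.append({"severity": "medium", "subject": name,
                             "reason": "dist url does not embed the dist reference"})
    # Composer serialises an empty stability-flags map as [], so check the type first
    flags = lock.get("stability-flags") or {}
    for name, level in (flags.items() if isinstance(flags, dict) else []):
        findings.append({"severity": "medium", "subject": name,
                         "reason": f"stability-flags={level} ({STABILITY_NAMES.get(level, '?')}) "
                                   "admits an unstable release"})
    return findings


def audit(composer_json: str, composer_lock: str) -> list[dict]:
    """Parse both files and return findings ordered by severity, subject, reason."""
    order = {"high": 0, "medium": 1}
    findings = audit_composer_json(json.loads(composer_json))
    findings += audit_composer_lock(json.loads(composer_lock))
    return sorted(findings, key=lambda f: (order[f["severity"]], f["subject"], f["reason"]))


# Constructed sample input shaped like the PR's composer.json and composer.lock.
# PR_COMMIT is the commit shown in the PR diff; FAKE_SHA is a placeholder hash.
PR_COMMIT = "69c3eb0f2ebe256863ea394692279665b84b9e10"
FAKE_SHA = "deadbeef" * 5
COMPOSER_JSON_PR = json.dumps({
    "require": {"utopia-php/messaging": "0.20.*",
                "utopia-php/migration": "dev-feat-message-migration"},
    "repositories": [{"type": "vcs", "url": "https://github.com/utopia-php/migration.git"}],
})
COMPOSER_LOCK_PR = json.dumps({
    "packages": [
        {"name": "utopia-php/messaging", "version": "0.20.0",
         "source": {"type": "git", "reference": FAKE_SHA},
         "dist": {"type": "zip", "reference": FAKE_SHA,
                  "url": f"https://api.github.com/repos/utopia-php/messaging/zipball/{FAKE_SHA}"}},
        {"name": "utopia-php/migration", "version": "dev-feat-message-migration",
         "source": {"type": "git", "reference": PR_COMMIT},
         "dist": {"type": "zip", "reference": PR_COMMIT,
                  "url": f"https://api.github.com/repos/utopia-php/migration/zipball/{PR_COMMIT}"}},
    ],
    "stability-flags": {"utopia-php/migration": 20},
})
# The same manifest with the branch pinned to the reviewed commit via Composer's "#<sha>" suffix
COMPOSER_JSON_PINNED = COMPOSER_JSON_PR.replace(
    '"dev-feat-message-migration"', f'"dev-feat-message-migration#{PR_COMMIT}"')

if __name__ == "__main__":
    for f in audit(COMPOSER_JSON_PR, COMPOSER_LOCK_PR):
        print(f"[{f['severity']}] {f['subject']}: {f['reason']}")
```

Run in CI against the real files; the pinned manifest still reports the VCS repository, because a branch not published on Packagist needs it, and the lockfile keeps its `dev-` version until upstream tags a release.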
| private function packageSite(string $site): CURLFile | ||
| { | ||
| $stdout = ''; | ||
| $stderr = ''; | ||
| $folderPath = realpath(__DIR__ . '/../../../resources/sites') . "/$site"; | ||
| $tarPath = "$folderPath/code.tar.gz"; | ||
|
|
||
| Console::execute("cd $folderPath && tar --exclude code.tar.gz -czf code.tar.gz .", '', $stdout, $stderr); | ||
|
|
||
| return new CURLFile($tarPath, 'application/x-gzip', \basename($tarPath)); | ||
| } |
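Review bot: `realpath(__DIR__ . '/../../../resources/sites')` returns false when that directory is missing, and the result is concatenated unchecked, so `$folderPath` silently degrades to `"/$site"` and the `cd` in the shell string changes into the wrong directory before `tar` runs. Check the `realpath()` result (fail the test with a clear message if it is false) and pass `$folderPath` through `escapeshellarg()` before interpolating it into the `Console::execute(...)` command string, since an unquoted path containing spaces or shell metacharacters breaks the command.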
No error check after tar command
Console::execute() is called to create the archive, but its return value and $stderr are never inspected. If tar fails (e.g. the resources/sites/static directory doesn't exist in CI), the function silently returns a CURLFile pointing to a non-existent path, causing the subsequent site deployment call to fail with a confusing error rather than surfacing the real packaging problem.
| // Verify provider on destination | ||
| $response = $this->client->call(Client::METHOD_GET, '/messaging/providers/' . $providerId, [ | ||
| 'content-type' => 'application/json', | ||
| 'x-appwrite-project' => $this->getDestinationProject()['$id'], | ||
| 'x-appwrite-key' => $this->getDestinationProject()['apiKey'], | ||
| ]); | ||
|
|
||
| $this->assertEquals(200, $response['headers']['status-code']); | ||
| $this->assertEquals($providerId, $response['body']['$id']); | ||
| $this->assertEquals('Test SendGrid Provider', $response['body']['name']); | ||
|
|
||
| // Verify topic on destination | ||
| $response = $this->client->call(Client::METHOD_GET, '/messaging/topics/' . $topicId, [ | ||
| 'content-type' => 'application/json', | ||
| 'x-appwrite-project' => $this->getDestinationProject()['$id'], | ||
| 'x-appwrite-key' => $this->getDestinationProject()['apiKey'], | ||
| ]); | ||
|
|
||
| $this->assertEquals(200, $response['headers']['status-code']); | ||
| $this->assertEquals($topicId, $response['body']['$id']); | ||
| $this->assertEquals('Test Topic', $response['body']['name']); | ||
|
|
||
| // Verify message on destination | ||
| $response = $this->client->call(Client::METHOD_GET, '/messaging/messages/' . $messageId, [ | ||
| 'content-type' => 'application/json', | ||
| 'x-appwrite-project' => $this->getDestinationProject()['$id'], | ||
| 'x-appwrite-key' => $this->getDestinationProject()['apiKey'], | ||
| ]); | ||
|
|
||
| $this->assertEquals(200, $response['headers']['status-code']); | ||
| $this->assertEquals($messageId, $response['body']['$id']); |
Subscriber not verified on destination
After migration, the test verifies the provider, topic, message, and (implicitly) the user on the destination, but never fetches and asserts the migrated subscriber. Since the subscriber assertion was also omitted from the statusCounters loop, there is currently no signal if subscriber migration is broken end-to-end.
| "utopia-php/logger": "0.6.*", | ||
| "utopia-php/messaging": "0.20.*", | ||
| "utopia-php/migration": "1.6.*", | ||
| "utopia-php/migration": "dev-feat-message-migration", |
Pinning a production dependency to a mutable dev branch makes builds non-reproducible and allows unreviewed upstream commits to be pulled; pin a tagged release or immutable commit reference instead.
| "utopia-php/migration": "dev-feat-message-migration", | |
| "utopia-php/migration": "1.6.*", |
| "repositories": [ | ||
| { | ||
| "type": "vcs", | ||
| "url": "https://github.com/utopia-php/migration.git" | ||
| } | ||
| ], |
Adding a direct VCS repository bypasses Packagist trust and can silently change the fetched package source; restrict this to an immutable reference or remove the custom repository for production builds.
| "repositories": [ | |
| { | |
| "type": "vcs", | |
| "url": "https://github.com/utopia-php/migration.git" | |
| } | |
| ], | |
| "repositories": [], |
Security Scan Summary
Fix critical security issues before merging. Scan completed in 37.1s.
Vulnerability details (2 items):
1. CODITY_JSON_AWS_SECR (CWE-798) CRITICAL. File:
   Fix: Remove the hardcoded/obfuscated credential from source. Load credentials from environment variables or a secrets manager at runtime.
2. CODITY_JSON_AWS_SECR (CWE-798) CRITICAL. File:
   Fix: Remove the hardcoded/obfuscated credential from source. Load credentials from environment variables or a secrets manager at runtime.
Security scan powered by Codity.ai
Dependency vulnerability scanning
Vulnerability details (7 items):
1. google/protobuf 4.33.5 CVE: GHSA-p2gh-cfq4-4wjc
2. phpseclib/phpseclib 3.0.49 CVE: GHSA-3qpq-r242-jqj7
3. phpseclib/phpseclib 3.0.49 CVE: GHSA-94g3-g5v7-q4jg
4. phpseclib/phpseclib 3.0.49 CVE: GHSA-r854-jrxh-36qx
5. webonyx/graphql-php 14.11.10 CVE: GHSA-68jq-c3rv-pcrr
6. webonyx/graphql-php 14.11.10 CVE: GHSA-fc86-6rv6-2jpm
7. webonyx/graphql-php 14.11.10 CVE: GHSA-r7cg-qjjm-xhqq
Powered by Codity.ai · Docs
License Compliance Scan
Strong copyleft licenses detected - review before merging. Weak copyleft licenses found - verify compatibility.
High Risk Licenses - 1 package:
- GPL-2.0-or-later (1 package)
Medium Risk Licenses - 3 packages:
- LGPL-2.1-only (1 package)
- LGPL-2.1-or-later (1 package)
- LGPL-3.0-or-later (1 package)
Powered by Codity.ai · Docs
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-21 13:52 UTC | Score: 41/100 | Provider: github
Executive Summary
Top Findings: [CQ-LLM-002]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 0 | 1 | 3 | 4 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 1 | 2 | 24 | 27 |

Recommendations
- Resolve High severity issues, especially error handling gaps and performance bottlenecks.
- Run automated tests after applying fixes to verify no regressions.

@codity review
PR Summary: What Changed
Key Changes by Area:
- Migration Worker: Added API key permissions for sites, providers, topics, subscribers, messages, and targets in
- API Response Model: Extended
- Dependency Management: Switched
- Test Coverage: Added
Files Changed
Review Focus Areas
Architecture
Design Decisions: Using a dev branch dependency is intentional to access unreleased migration features. The parallel cleanup pattern in tests (source and destination) trades test runtime for isolation.
Risks: Dev branch dependency introduces instability. Acceptable if this PR targets a feature branch, but should block production releases.
Merge Status: NOT MERGEABLE — PR Score 47/100, below threshold (50)
| { | ||
| "name": "utopia-php/migration", | ||
| "version": "1.6.1", | ||
| "version": "dev-feat-message-migration", |
This lockfile now pins utopia-php/migration to a mutable dev branch, so replace it with a tagged stable release or an exact commit constraint in composer.json and regenerate the lockfile.
Also reported at: composer.json L69
| "version": "dev-feat-message-migration", | |
| "version": "1.6.1", |
| "stability-flags": { | ||
| "utopia-php/migration": 20 | ||
| }, |
Allowing unstable packages via a stability flag weakens supply chain guarantees, so remove the flag and lock to a stable tagged version.
| "stability-flags": { | |
| "utopia-php/migration": 20 | |
| }, | |
| "stability-flags": [], |
| foreach ([Resource::TYPE_USER, Resource::TYPE_PROVIDER, Resource::TYPE_TOPIC, Resource::TYPE_MESSAGE] as $resource) { | ||
| $this->assertArrayHasKey($resource, $result['statusCounters']); | ||
| $this->assertEquals(0, $result['statusCounters'][$resource]['error']); | ||
| $this->assertEquals(0, $result['statusCounters'][$resource]['pending']); | ||
| $this->assertEquals(1, $result['statusCounters'][$resource]['success']); | ||
| $this->assertEquals(0, $result['statusCounters'][$resource]['processing']); | ||
| $this->assertEquals(0, $result['statusCounters'][$resource]['warning']); | ||
| } |
The migrated subscriber resource is requested but never validated in statusCounters, so this test can pass even when subscriber migration fails; include TYPE_SUBSCRIBER in the assertions.
Suggested fix
```php
foreach ([Resource::TYPE_USER, Resource::TYPE_PROVIDER, Resource::TYPE_TOPIC, Resource::TYPE_SUBSCRIBER, Resource::TYPE_MESSAGE] as $resource) {
    $this->assertArrayHasKey($resource, $result['statusCounters']);
    $this->assertEquals(0, $result['statusCounters'][$resource]['error']);
    $this->assertEquals(0, $result['statusCounters'][$resource]['pending']);
    $this->assertEquals(1, $result['statusCounters'][$resource]['success']);
    $this->assertEquals(0, $result['statusCounters'][$resource]['processing']);
    $this->assertEquals(0, $result['statusCounters'][$resource]['warning']);
}
```
Security Scan Summary
Fix critical security issues before merging. Scan completed in 34.9s.
Vulnerability details (2 items): the same two CODITY_JSON_AWS_SECR (CWE-798) CRITICAL findings as in the previous scan, with the same fix: remove the hardcoded/obfuscated credential from source and load credentials from environment variables or a secrets manager at runtime.
Security scan powered by Codity.ai
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-21 14:08 UTC | Score: 41/100 | Provider: github
Executive Summary
Top Findings: [CQ-LLM-002]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 1 | 1 | 3 | 5 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 0 | 2 | 25 | 27 |

Recommendations
- Resolve High severity issues, especially error handling gaps and performance bottlenecks.
- Run automated tests after applying fixes to verify no regressions.

@codity review
PR Summary: What Changed
Key Changes by Area:
- Migration System: Extended API key scopes in
- E2E Testing: Added
- Sites: Fixed site document creation in
- Dependencies: Switched
Files Changed
Review Focus Areas
Architecture
Design Decisions: The
Risks: Using a dev branch dependency (
Merge Status: NOT MERGEABLE — PR Score 47/100, below threshold (50)
Security Scan Summary
No critical security issues detected. Scan completed in 34.6s. Security scan powered by Codity.ai
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-21 17:01 UTC | Score: 41/100 | Provider: github
Executive Summary
Top Findings: [CQ-LLM-002]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 0 | 1 | 3 | 4 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 1 | 2 | 25 | 28 |

Recommendations
- Resolve High severity issues, especially error handling gaps and performance bottlenecks.
- Run automated tests after applying fixes to verify no regressions.

@codity review
PR Summary: What Changed
Key Changes by Area:
- Migration System: Extended
- Site Management: Fixed repository linking in
- Testing: Added
Files Changed
Review Focus Areas
Architecture
Design Decisions: Using a dev branch dependency (
Risks: Dev branch dependency may introduce instability. This is intentional and should be switched to stable release before production deployment.
Merge Status: NOT MERGEABLE — PR Score 27/100, below threshold (50)
PR Summary: What Changed
Key Changes by Area:
- Migration Worker: Added API key permissions for sites, providers, topics, subscribers, messages, and targets in
- API Response Model: Added 7 new resource type counters (site, site deployment, site variable, provider, topic, subscriber, message) to
- E2E Tests: Added
Files Changed
Review Focus Areas
Architecture
Risks: The
Merge Status: NOT MERGEABLE — PR Score 23/100, below threshold (50)
Security Scan Summary
No critical security issues detected. Scan completed in 31.8s. Security scan powered by Codity.ai
Dependency vulnerability scanning
Top 10 Vulnerabilities (12 total found):
1. google/protobuf 4.33.5 CVE: GHSA-p2gh-cfq4-4wjc
2. phpseclib/phpseclib 3.0.49 CVE: GHSA-3qpq-r242-jqj7
3. phpseclib/phpseclib 3.0.49 CVE: GHSA-94g3-g5v7-q4jg
4. phpseclib/phpseclib 3.0.49 CVE: GHSA-r854-jrxh-36qx
5. webonyx/graphql-php 14.11.10 CVE: GHSA-68jq-c3rv-pcrr
6. webonyx/graphql-php 14.11.10 CVE: GHSA-fc86-6rv6-2jpm
7. webonyx/graphql-php 14.11.10 CVE: GHSA-r7cg-qjjm-xhqq
8. twig/twig 3.14.2 CVE: GHSA-24x9-r6q4-q93w
9. twig/twig 3.14.2 CVE: GHSA-4j38-f5cw-54h7
10. twig/twig 3.14.2 CVE: GHSA-7fxw-r6jv-74c8
2 more vulnerabilities not shown. Update dependencies to fix these issues.
Powered by Codity.ai · Docs
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-22 19:23 UTC | Score: 39/100 | Provider: github
Executive Summary
Top Findings: [CQ-LLM-003]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 0 | 2 | 3 | 5 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 1 | 2 | 25 | 28 |

Recommendations
- Resolve High severity issues, especially error handling gaps and performance bottlenecks.
- Run automated tests after applying fixes to verify no regressions.

@codity review
PR Summary: What Changed
Key Changes by Area:
- Migration Engine: Extended
- Sites: Fixed
- Messaging: New migration coverage for SendGrid providers, topics, subscribers, and draft email messages with user-target resolution.
- Testing: Added
Files Changed
Review Focus Areas
Architecture
Design Decisions: Using a dev branch dependency for the migration package is intentional to access unreleased messaging features. The
Risks: Dev branch dependency creates stability risk until
Merge Status: NOT MERGEABLE — PR Score 25/100, below threshold (50)
Security Scan Summary
No critical security issues detected. Scan completed in 29.3s. Security scan powered by Codity.ai
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-22 19:45 UTC | Score: 41/100 | Provider: github
Executive Summary
Top Findings: [CQ-LLM-003]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Platform/Workers/Migrations.php | 0 | 0 | 1 | 0 | 1 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 0 | 0 | 4 | 4 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 1 | 2 | 24 | 27 |

Recommendations
- Resolve High severity issues, especially error handling gaps and performance bottlenecks.
- Run automated tests after applying fixes to verify no regressions.

@codity review
PR Summary: What Changed
Key Changes by Area:
- Migration System: Added API key permissions for sites, providers, topics, subscribers, messages, and targets in
- Testing: Added comprehensive E2E tests for site and messaging migrations in
- Dependencies: Updated
Files Changed
Review Focus Areas
Architecture
Design Decisions: Using a dev branch dependency is intentional to access unreleased migration features. This is a temporary state pending upstream release.
Risks: Dev branch dependency introduces instability and makes builds non-reproducible. This is an intentional short-term tradeoff that should be tracked for resolution before release.
Merge Status: NOT MERGEABLE — PR Score 32/100, below threshold (50)
Security Scan Summary
No critical security issues detected. Scan completed in 31.4s. Security scan powered by Codity.ai
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-22 20:18 UTC | Score: 53/100 | Provider: github
Executive Summary
Top Findings: [CQ-009]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 0 | 0 | 3 | 3 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 0 | 0 | 24 | 24 |

Recommendations
- Run automated tests after applying fixes to verify no regressions.

@codity review
PR Summary: What Changed
Key Changes by Area:
- Migration System: Extended
- API Response: Added migration report fields in
- Testing: Added
Files Changed
Review Focus Areas
Architecture
Design Decisions: Using a dev branch dependency is intentional to access unreleased migration features. This is a temporary state pending upstream release.
Risks: The dev branch dependency is an intentional but significant risk (confidence: 96%). Builds will break if the branch is rebased or deleted. Mitigation requires either pinning to an exact commit or coordinating with upstream for a tagged release before this code reaches production.
Merge Status: NOT MERGEABLE — PR Score 32/100, below threshold (50)
| "version": "dev-feat-message-migration", | ||
| "source": { | ||
| "type": "git", | ||
| "url": "https://github.com/utopia-php/migration.git", | ||
| "reference": "c5c7544d02d2418536d41050794050132f247d62" | ||
| "reference": "69c3eb0f2ebe256863ea394692279665b84b9e10" | ||
| }, | ||
| "dist": { | ||
| "type": "zip", | ||
| "url": "https://api.github.com/repos/utopia-php/migration/zipball/c5c7544d02d2418536d41050794050132f247d62", | ||
| "reference": "c5c7544d02d2418536d41050794050132f247d62", | ||
| "url": "https://api.github.com/repos/utopia-php/migration/zipball/69c3eb0f2ebe256863ea394692279665b84b9e10", | ||
| "reference": "69c3eb0f2ebe256863ea394692279665b84b9e10", |
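Review bot: The lock already resolves `dev-feat-message-migration` to the exact commit `69c3eb0f2ebe256863ea394692279665b84b9e10` (the `source` and `dist` references agree), so `composer install` from this lockfile is reproducible; the floating part is the branch constraint in composer.json, which the next `composer update` will move to whatever the branch head is at that moment, or fail on if the branch has been rebased or deleted. If the unreleased features are needed before a tag exists, pin the branch at the commit with Composer's `#commit` suffix, `"utopia-php/migration": "dev-feat-message-migration#69c3eb0f2ebe256863ea394692279665b84b9e10"`, rather than reverting to the previous reference `c5c7544d02d2418536d41050794050132f247d62`, which would drop the migration features this PR depends on.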
This lockfile now pulls a dev branch for utopia-php/migration, so pin it to a tagged stable release or an exact commit in composer.json without lowering stability.
Suggested fix
"version": "1.6.1",
"source": {
"type": "git",
"url": "https://github.com/utopia-php/migration.git",
"reference": "c5c7544d02d2418536d41050794050132f247d62"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/utopia-php/migration/zipball/c5c7544d02d2418536d41050794050132f247d62",
"reference": "c5c7544d02d2418536d41050794050132f247d62",
Prompt for AI assistance
Copy the prompt below and paste it into ChatGPT, Claude, or any LLM:
You are an expert json developer with deep knowledge of security, performance, and best practices.
### Context
File: composer.lock
Lines: 4467-4476
Issue Type: security-high
Severity: high
Issue Description:
This lockfile now pulls a dev branch for utopia-php/migration, so pin it to a tagged stable release or an exact commit in composer.json without lowering stability.
Current Code:
"version": "dev-feat-message-migration",
"source": {
"type": "git",
"url": "https://github.com/utopia-php/migration.git",
"reference": "69c3eb0f2ebe256863ea394692279665b84b9e10"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/utopia-php/migration/zipball/69c3eb0f2ebe256863ea394692279665b84b9e10",
"reference": "69c3eb0f2ebe256863ea394692279665b84b9e10",
---
### Instructions
1. Fix the issue described above
2. Maintain the exact indentation and code style from the original
3. Follow json best practices and language-specific idioms
4. Ensure the fix addresses the root cause, not just the symptoms
5. Add brief inline comments explaining the fix if needed
### Constraints
- Do not change functionality beyond fixing the identified issue
- Preserve existing variable names and function signatures unless they are part of the problem
- Ensure the fix is production-ready
---
| "stability-flags": { | ||
| "utopia-php/migration": 20 | ||
| }, | ||
| "prefer-stable": true, |
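Review bot: The `20` in `"utopia-php/migration": 20` is Composer's encoding of the `dev` stability flag for this one package, and it is present only because composer.json now asks for `dev-feat-message-migration`; it cannot be dropped from the lock on its own. Once the constraint is moved back to a tagged release the entry disappears on the next update, leaving `"stability-flags": []`. Keep `"prefer-stable": true` (the unchanged context line) in any case, since that is what keeps resolution on stable releases for every other package.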
Lowering dependency stability for only this package allows pre-release code into production builds, so keep stable-only resolution unless this is explicitly isolated to non-production development.
Suggested fix
"stability-flags": [],
"prefer-stable": true,
Prompt for AI assistance
Copy the prompt below and paste it into ChatGPT, Claude, or any LLM:
You are an expert json developer with deep knowledge of security, performance, and best practices.
### Context
File: composer.lock
Lines: 8906-8909
Issue Type: security-high
Severity: high
Issue Description:
Lowering dependency stability for only this package allows pre-release code into production builds, so keep stable-only resolution unless this is explicitly isolated to non-production development.
Current Code:
"stability-flags": {
"utopia-php/migration": 20
},
"prefer-stable": true,
---
| Console::execute("cd $folderPath && tar --exclude code.tar.gz -czf code.tar.gz .", '', $stdout, $stderr); | ||
|
|
||
| return new CURLFile($tarPath, 'application/x-gzip', \basename($tarPath)); |
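Review bot: Two things are missing on the `Console::execute` line. Its integer return value (the process exit code) is discarded, so a failed `tar` still falls through to `return new CURLFile($tarPath, ...)` with a missing or truncated archive; capture it and throw when it is non-zero or when `$tarPath` does not exist afterwards. Second, `$folderPath` is interpolated unquoted into a shell string (`cd $folderPath && tar ...`), so a path containing spaces or shell metacharacters breaks or alters the command; wrap it with `escapeshellarg()`, or drop the `cd` entirely and let tar change directory itself with `tar -C <dir> --exclude code.tar.gz -czf code.tar.gz .`.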
The helper builds and returns a tarball without checking whether Console::execute succeeded or whether the archive was created, so add a failure check before returning the CURLFile.
Suggested fix
// Console::execute returns the process exit code; a non-zero code means tar failed
$exitCode = Console::execute("cd $folderPath && tar --exclude code.tar.gz -czf code.tar.gz .", '', $stdout, $stderr);
if ($exitCode !== 0 || !is_file($tarPath) || filesize($tarPath) === 0) {
throw new \RuntimeException('Failed to package site: ' . $stderr);
}
return new CURLFile($tarPath, 'application/x-gzip', \basename($tarPath));
Prompt for AI assistance
Copy the prompt below and paste it into ChatGPT, Claude, or any LLM:
You are an expert php developer with deep knowledge of security, performance, and best practices.
### Context
File: tests/e2e/Services/Migrations/MigrationsBase.php
Lines: 1252-1254
Issue Type: functional-medium
Severity: medium
Issue Description:
The helper builds and returns a tarball without checking whether `Console::execute` succeeded or whether the archive was created, so add a failure check before returning the `CURLFile`.
Current Code:
Console::execute("cd $folderPath && tar --exclude code.tar.gz -czf code.tar.gz .", '', $stdout, $stderr);
return new CURLFile($tarPath, 'application/x-gzip', \basename($tarPath));
---
Security Scan Summary
No critical security issues detected. Scan completed in 30.8s. Security scan powered by Codity.ai
Dependency vulnerability scanning
Top 10 Vulnerabilities (12 total found)
1. google/protobuf 4.33.5 CVE: GHSA-p2gh-cfq4-4wjc
2. phpseclib/phpseclib 3.0.49 CVE: GHSA-3qpq-r242-jqj7
3. phpseclib/phpseclib 3.0.49 CVE: GHSA-94g3-g5v7-q4jg
4. phpseclib/phpseclib 3.0.49 CVE: GHSA-r854-jrxh-36qx
5. webonyx/graphql-php 14.11.10 CVE: GHSA-68jq-c3rv-pcrr
6. webonyx/graphql-php 14.11.10 CVE: GHSA-fc86-6rv6-2jpm
7. webonyx/graphql-php 14.11.10 CVE: GHSA-r7cg-qjjm-xhqq
8. twig/twig 3.14.2 CVE: GHSA-24x9-r6q4-q93w
9. twig/twig 3.14.2 CVE: GHSA-4j38-f5cw-54h7
10. twig/twig 3.14.2 CVE: GHSA-7fxw-r6jv-74c8
2 more vulnerabilities not shown. Update dependencies to fix these issues.
Code Quality Report — test-org-codity/appwrite · PR #2
Scanned: 2026-05-22 20:37 UTC | Score: 53/100 | Provider: github
Executive Summary
Top Findings: [CQ-009]

| File | Critical | High | Medium | Low | Total |
|---|---|---|---|---|---|
| composer.lock | 0 | 0 | 0 | 8 | 8 |
| src/Appwrite/Utopia/Response/Model/MigrationReport.php | 0 | 0 | 0 | 3 | 3 |
| tests/e2e/Services/Migrations/MigrationsBase.php | 0 | 0 | 0 | 24 | 24 |
Recommendations
- Run automated tests after applying fixes to verify no regressions.
What does this PR do?
(Provide a description of what this PR does and why it's needed.)
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work. Screenshots may also be helpful.)
Related PRs and Issues
Checklist