
Address vulns, add DDog env/stage filtering, collapse more API URLs into single templates, add branch sync script #4925

Merged
lukaszgryglicki merged 3 commits into main from unicron-add-stage-filter-to-ddog-scan-tools-prod
Mar 5, 2026

Conversation

@lukaszgryglicki
Member

Address vulns, add DDog env/stage filtering, collapse more API URLs into single templates, add branch sync script

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by OpenAI

Assisted by GitHub Copilot

…nto single templates, add branch sync script

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)
@lukaszgryglicki lukaszgryglicki self-assigned this Mar 5, 2026
Copilot AI review requested due to automatic review settings March 5, 2026 08:58
@coderabbitai

coderabbitai bot commented Mar 5, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)
Contributor

Copilot AI left a comment

Pull request overview

This PR focuses on security/maintenance updates across the repo: dependency vulnerability remediation, improved Datadog span querying ergonomics (env/stage filtering + safer JSON payload construction), additional API path-templating to reduce cardinality in telemetry, plus a small Git helper script.

Changes:

  • Add --env/--stage support to Datadog span tooling and make JSON payload construction safer.
  • Update/override multiple JS/Python dependencies to address known vulnerabilities; adjust backend auth code to use PyJWT with new unit coverage.
  • Reduce telemetry cardinality by further normalizing API route templates; add a branch sync helper script.

Reviewed changes

Copilot reviewed 34 out of 38 changed files in this pull request and generated 5 comments.

Summary per file:

  • utils/otel_dd/check_spans_in_ddog.sh: Adds strict bash mode, argument parsing, env/service filtering, and jq-built payload for Datadog span search.
  • utils/otel_dd/api_usage_stats_ddog.py: Adds --env/--stage handling and appends env: to queries when not present.
  • utils/git_sync_to_branch.sh: Introduces a helper script to sync working tree content from another branch.
  • tests/rest/yarn.lock: Dependency lock updates for vulnerability remediation.
  • tests/rest/requirements.freeze.txt: Updates pinned Python packages used by REST tests.
  • tests/rest/package.json: Adds Yarn resolutions to force patched dependency versions.
  • tests/functional/yarn.lock: Dependency lock updates for functional test tooling (security bumps).
  • tests/functional/package.json: Updates deps + adds overrides/resolutions for vulnerable transitive packages.
  • tests/functional/package-lock.json: Lockfile updates reflecting overrides (incl. newer security-fixed packages).
  • tests/functional/cypress/e2e/v4/version.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/signatures.cy.ts: Wraps long log message for readability.
  • tests/functional/cypress/e2e/v4/projects.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/metrics.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/health.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/gitlab-repositories.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/gitlab-organizations.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/github-repositories.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/github-organizations.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/foundation.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/events.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v4/company.cy.ts: Refactors expected-value selection formatting.
  • tests/functional/cypress/e2e/v3/project.cy.ts: Replaces cy.skip() with Mocha this.skip() for conditional skips.
  • tests/functional/cypress/e2e/v3/organization.cy.ts: Wraps long URL template for readability.
  • cla-backend/yarn.lock: Backend Node dependency lock updates (security).
  • cla-backend/serverless.yml: Adds serverless-python-requirements dockerized pip build config.
  • cla-backend/requirements.txt: Updates Python deps (security) and migrates away from python-jose to PyJWT/cryptography.
  • cla-backend/package.json: Updates Node tooling deps and pins additional vulnerable transitive packages.
  • cla-backend/cla/utils.py: Reduces sensitive/debug verbosity for OAuth logging.
  • cla-backend/cla/user_service.py: Reduces sensitive/debug verbosity for access token logging.
  • cla-backend/cla/user.py: Switches unverified JWT claim extraction to PyJWT decode with verification disabled.
  • cla-backend/cla/tests/unit/test_jwt_auth.py: Adds unit tests to validate PyJWT migration/auth flows (offline/mocked).
  • cla-backend/cla/routes.py: Extends route sanitization logic for telemetry (low-cardinality templates).
  • cla-backend/cla/models/github_models.py: Hardens session handling + reduces sensitive logging; improves OAuth state parsing robustness.
  • cla-backend/cla/controllers/github_application.py: Migrates GitHub App JWT creation to PyJWT and reduces sensitive logging.
  • cla-backend/cla/auth.py: Migrates Auth0 JWT verification from python-jose to PyJWT with RSA JWK handling.
  • cla-backend-go/telemetry/datadog_otlp.go: Extends Go HTTP route sanitization to match templating behavior for telemetry.
  • cla-backend-go/swagger/.python-version: Adds Python version pin for swagger tooling.
  • cla-backend-go/events/repository.go: Makes EventType filtering optional when searching by ProjectSFID.
Files not reviewed (1)
  • tests/functional/package-lock.json: Language not supported
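The review summary describes route sanitization in routes.py and datadog_otlp.go that collapses API URLs into low-cardinality templates for telemetry. The following is an added Python illustration of that technique, not the project's code; the segment patterns, placeholder names, parent-resource list and sample paths are constructed assumptions.

```python
import re
from collections import Counter

# Identifier-shaped segment patterns (constructed assumptions, not the project's rules).
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
NUMERIC_RE = re.compile(r"^\d+$")
HEX_RE = re.compile(r"^[0-9a-f]{32,64}$", re.IGNORECASE)
SFID_RE = re.compile(r"^[A-Za-z0-9]{15}$|^[A-Za-z0-9]{18}$")
# Resource names after which an opaque id is expected; SFIDs are only collapsed
# in that position because their shape alone would also match ordinary words.
ID_PARENTS = {"project", "user", "company", "repository", "event", "signature"}


def sanitize_route(path: str) -> str:
    """Collapse identifier segments into fixed placeholders; drop the query string."""
    path = path.split("?", 1)[0]
    out, prev = [], ""
    for seg in path.split("/"):
        if UUID_RE.match(seg):
            out.append("{uuid}")
        elif NUMERIC_RE.match(seg):
            out.append("{id}")
        elif HEX_RE.match(seg):
            out.append("{hash}")
        elif prev in ID_PARENTS and SFID_RE.match(seg):
            out.append("{sfid}")
        else:
            out.append(seg)
        prev = seg
    return "/".join(out)


def template_cardinality(paths):
    """Count how many distinct templates a set of raw request paths collapses to."""
    return Counter(sanitize_route(p) for p in paths)


# Constructed sample of raw request paths, as a telemetry exporter might see them.
SAMPLE_PATHS = [
    "/v4/project/a0000000-0000-4000-8000-000000000001/signatures",
    "/v4/project/a0000000-0000-4000-8000-000000000002/signatures",
    "/v4/user/123/events",
    "/v4/user/456/events?page=2",
    "/v4/company/a0P1234567890ABCDE/cla-managers",
    "/v4/health",
]

if __name__ == "__main__":
    for template, n in template_cardinality(SAMPLE_PATHS).items():
        print(f"{n}x {template}")
```

Six distinct raw paths collapse to four templates, which is the cardinality reduction the summary refers to; unmatched segments are passed through unchanged, so a new identifier shape needs a new pattern rather than being silently accepted.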

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)
@lukaszgryglicki lukaszgryglicki merged commit 4e5da38 into main Mar 5, 2026
7 checks passed
@lukaszgryglicki lukaszgryglicki deleted the unicron-add-stage-filter-to-ddog-scan-tools-prod branch March 5, 2026 10:55