Conversation
paoloredis
requested review from
andy-stark-redis,
dwdougherty and
mich-elle-luna
🛡️ Jit Security Scan Results
✅ No security findings were detected in this PR
Security scan by Jit
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
dwdougherty
left a comment
dwdougherty
left a comment
There was a problem hiding this comment.
I didn't heavily scrutinize the code, but the results look great!
andy-stark-redis
left a comment
andy-stark-redis
left a comment
There was a problem hiding this comment.
This is excellent, but if you can fix the issues I mentioned then that would be very helpful :-)
|
Thank you this is looking great |
| {{ $binderLine := index $binderMatches 0 }} | ||
| {{ $binder = replaceRE (printf `^%s BINDER_ID ` $commentPrefix) "" $binderLine }} | ||
| {{/* Store binder ref in page scratch for use in baseof.html */}} | ||
| {{ .Page.Scratch.Set "binderRef" $binder }} |
There was a problem hiding this comment.
Scratch vs Store inconsistency breaks incremental rebuilds
Medium Severity
binderRef and kernelName are stored via .Page.Scratch.Set in the shortcode and read via .Scratch.Get in baseof.html, while hasThebe correctly uses .Page.Store. In Hugo, .Scratch values are reset on incremental rebuilds (e.g., during hugo server when editing layout files), but .Store values persist. This means hasThebe will be true (rendering the entire Thebe script block), but binderRef will be empty, so the {{ if $binderRef }} guard skips setting window.thebeBinderRef, causing the JavaScript to early-return at the missing-binder check and silently disable all interactive functionality.
Additional Locations (2)
| {{ end }} | ||
|
|
||
| <script type="text-x-clean-source" style="display:none">{{ $stepCode | safeHTML }}</script> | ||
| <script type="text-x-full-file-source" style="display:none">{{ $fullFileCode | safeHTML }}</script> |
There was a problem hiding this comment.
Using safeHTML in script tags risks HTML breakage
Medium Severity
The safeHTML pipe inside <script> elements means source code containing </script> (e.g., a Python string like html = "</script>") would prematurely close the tag and break the page HTML. Since <script> content is raw text, HTML entity escaping doesn't work either—a different encoding strategy (like base64 or escaping </ sequences) is needed to safely embed arbitrary source code.
| const stepLines = lines.slice(currentStepRange.start, currentStepRange.end + 1); | ||
| stepCode = stepLines.join('\n'); | ||
| } | ||
| } |
There was a problem hiding this comment.
Stale line ranges after user edits step code
Low Severity
The lineRanges JSON is static (computed at build time), but CodeMirror content is dynamic. If a user adds or removes lines within the editable step section while in expanded view, lines.slice(currentStepRange.start, currentStepRange.end + 1) extracts incorrect code—either truncating added lines or including lines from adjacent sections. This affects both execution and the collapse toggle in toggleJupyterVisibility.
Additional Locations (1)
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 5 total unresolved issues (including 3 from previous reviews).
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
| {{ $noOutput := .Get "no_output" | default "false" }} | ||
| {{ $quickstartUrl := .Get "quickstart_url" | default "" }} | ||
| {{ $quickstartTitle := .Get "quickstart_title" | default "" }} | ||
| {{ $inner := .Inner | default "" }} |
There was a problem hiding this comment.
Unused $inner and $hlLines variables are dead code
Low Severity
$inner (from .Inner) is assigned but never referenced anywhere in the template. Similarly, $hlLines, $currentStepStartLine, and $currentStepEndLine are computed but never used in the template output. These are dead code that adds confusion about the template's intent.
Additional Locations (1)
| run: make deps | ||
|
|
||
| - name: Generate components | ||
| run: make components |
There was a problem hiding this comment.
Missing make components in setup_and_build_latest CI job
High Severity
The make components step was added to the matrix build jobs (kubernetes, rs, rdi, redisvl), but NOT to the setup_and_build_latest job which also builds the latest docs — including the redis-py page that now contains jupyter-example shortcodes. That shortcode calls errorf if data/examples.json (generated by make components) is missing, so the setup_and_build_latest job will fail at Hugo build time.
4 participants
Note
Medium Risk
Adds a large amount of new client-side JS/CSS and templating in
baseof.htmlto support interactive Thebe/Binder execution, which could impact site-wide rendering/performance and introduce subtle UI regressions. CI changes also affect all versioned doc builds by adding amake componentsstep.Overview
Introduces a new
jupyter-exampleshortcode that renders step-based, toggleable code blocks backed by Thebe/Binder, including per-page Binder ref/kernel configuration derived from example metadata.Updates the base layout to conditionally load and configure Thebe (lazy-loaded) and adds substantial styling/JS to manage kernel sessions, execution, output placement, and step/full-file toggling behavior.
Migrates the
redis-pylanding examples to usejupyter-example, tweaks global copy-button injection to skip Thebe blocks, adds CSS for Thebe visibility/highlight behavior, and updates CI to runmake componentsin versioned build jobs.Written by Cursor Bugbot for commit 0bd9a00. This will update automatically on new commits. Configure here.