feat: implement filter functionality

[crfmc]

• Add filtering interface from configuration file

[dbmi-svc-checkmarx]

Checkmarx One – Scan Summary & Details – f94f8cc0-c210-49af-b830-6652bf9632f6

---

New Issues (44)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-33896	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: `pki.verifyCertificateChain()` does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the `basicConstr... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-42043	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1 , an attacker who can influ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-42043	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1 , an attacker who can influ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2026-4800	Npm-lodash-4.17.21	details Recommended version: 4.18.0 Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-25535	Npm-jspdf-2.5.1	details Recommended version: 4.2.1 Description: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the first argument of the `addImage` method results in denial of... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-25755	Npm-jspdf-2.5.1	details Recommended version: 4.2.1 Description: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of the argument of the `addJS` method allows an attacker to inject ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-25940	Npm-jspdf-2.5.1	details Recommended version: 4.2.1 Description: jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to in... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-26996	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2026-27606	Npm-rollup-2.61.0	details Recommended version: 2.80.0 Description: Rollup is a module bundler for JavaScript. Versions prior to 2.80.0, 3.0.0 prior to 3.30.0, and 4.0.0 prior to 4.59.0 of the Rollup module bundler ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10		CVE-2026-27903	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2026-27904	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		CVE-2026-29074	Npm-svgo-2.8.0	details Recommended version: 2.8.1 Description: SVGO is a Node.js library and command-line application for optimizing SVG files. Versions 2.1.0 through 2.8.0, 3.0.0 through 3.3.2, and versions pr... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13		CVE-2026-32141	Npm-flatted-3.2.2	details Recommended version: 3.4.2 Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14		CVE-2026-33228	Npm-flatted-3.2.2	details Recommended version: 3.4.2 Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
15		CVE-2026-33671	Npm-picomatch-2.3.0	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16		CVE-2026-33671	Npm-picomatch-2.3.1	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		CVE-2026-33750	Npm-brace-expansion-1.1.11	details Recommended version: 1.1.13 Description: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions prior to 1.1.13, 2.0.0 prior to 2.0.3, 3... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18		CVE-2026-33891	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the "BigInteger.modInverse()" function (inherit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19		CVE-2026-33894	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.4.0, RSASSA PKCS#1 v1.5 s... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20		CVE-2026-33895	Npm-node-forge-1.3.1	details Recommended version: 1.4.0 Description: Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid s... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21		CVE-2026-34043	Npm-serialize-javascript-6.0.1	details Recommended version: 7.0.5 Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22		CVE-2026-42033	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, when Object.prototype has ... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
23		CVE-2026-42033	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, when Object.prototype has ... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
24		CVE-2026-42035	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, a prototype pollution gadg... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
25		CVE-2026-42035	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise-based HTTP client for the browser and Node.js. In versions prior to 0.31.1 and 1.0.0 prior to 1.15.1, a prototype pollution gadg... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
26		CVE-2026-42038	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, he fix for no_proxy hostname normalisa... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
27		CVE-2026-42038	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, he fix for no_proxy hostname normalisa... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
28		CVE-2026-44431	Python-urllib3-1.26.15	details Recommended version: 2.7.0 Description: When following cross-origin redirects for requests made using urllib3's high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and ... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
29		CVE-2026-4867	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.13 Description: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a peri... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
30		Cxf5fb15b0-6576	Npm-serialize-javascript-6.0.1	details Recommended version: 7.0.5 Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
31		CVE-2025-62718	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
32		CVE-2025-62718	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when chec... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
33		CVE-2026-31898	Npm-jspdf-2.5.1	details Recommended version: 4.2.1 Description: jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of arguments of the `createAnnotation` method allows users ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
34		CVE-2026-31938	Npm-jspdf-2.5.1	details Recommended version: 4.2.1 Description: jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the `options` argument of the `output` function allows a... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
35		CVE-2026-33532	Npm-yaml-1.10.2	details Recommended version: 1.10.3 Description: yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
36		CVE-2026-33672	Npm-picomatch-2.3.1	details Recommended version: 2.3.2 Description: Picomatch is a glob matcher written JavaScript. Versions prior to 2.3.2, 3.0.0 prior to 3.0.2 and 4.0.0 prior to 4.0.4, are vulnerable to a method ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
37		CVE-2026-33672	Npm-picomatch-2.3.0	details Recommended version: 2.3.2 Description: Picomatch is a glob matcher written JavaScript. Versions prior to 2.3.2, 3.0.0 prior to 3.0.2 and 4.0.0 prior to 4.0.4, are vulnerable to a method ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
38		CVE-2026-40175	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
39		CVE-2026-40175	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.0 and 1.x prior to 1.15.0, the Axios library is vulnerable to a spe... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
40		CVE-2026-40895	Npm-follow-redirects-1.15.3	details Recommended version: 1.16.0 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
41		CVE-2026-40895	Npm-follow-redirects-1.15.2	details Recommended version: 1.16.0 Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
42		CVE-2026-42039	Npm-axios-1.6.2	details Recommended version: 1.15.2 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, FormData recursively walks nested obje... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
43		CVE-2026-42039	Npm-axios-0.25.0	details Recommended version: 0.31.1 Description: Axios is a promise-based HTTP client for the browser and Node.js. Prior to 0.31.1 and 1.0.0 prior to 1.15.1, FormData recursively walks nested obje... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
44		CVE-2026-41988	Npm-uuid-8.3.2	details Recommended version: 14.0.0 Description: uuid prior to 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID vers... Attack Vector: LOCAL Attack Complexity: HIGH Vulnerable Package

---

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2025-50537	Npm-eslint-7.32.0

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

[maigiclab]

Overview

Good feature addition — the filter system is well-structured overall, with clean separation between filter state management, option count calculation, and the
display layer. The accessNestedField utility and getBinnedValues logic are solid. Here are the issues I found:

---

Bugs

1. Sort comparator is broken (OverviewFilter.tsx:219)

// Current (broken):
return ('' + valA).localeCompare('' + valB) ? 1 : -1;

// Fixed:
return ('' + valA).localeCompare('' + valB);

localeCompare returns 0 for equal strings. 0 ? 1 : -1 evaluates to -1, meaning equal elements are treated as "less than" — the sort is unstable and incorrect.

---

2. Type mismatch: filters array vs. dictionary (App.tsx:70 vs OverviewPanel.tsx:75)

In App.tsx:

export type Cohort = {
    filters?: CohortFilter[]; // Array
};

But in OverviewPanel.tsx:

  const cohortFiltersObject = cohorts?.[selectedCohort]?.filters || {};
  const filterIdentifiers = Object.keys(cohortFiltersObject); // ["0", "1", ...]

The code treats filters as a dictionary but it's typed as an array. Object.keys([...]) gives numeric string indices ("0", "1"...), so filterIdentifier ends up
being "0" etc. This works accidentally in JS (arrays are objects) but is fragile, and the TypeScript type is misleading. Either the type should be { [key:
string]: CohortFilter } or the code should use filters.map(...) with explicit identifiers.

---

3. active prop always wrong (OverviewPanel.tsx:353)
   active={Object.keys(activeFilters).includes(field || '')}
   activeFilters is keyed by filterIdentifier (array index "0", "1"...), but this checks for field (e.g., "cancer"), which will never match. Since OverviewFilter
   internally computes isFilterActive = identifier in activeFilters (correct), the active prop is both wrong and unused. The prop should either be removed or
   computed as identifier in activeFilters.

---

4. isTransitioning never reset on the click handler path (App.tsx)

When the SV click handler fires, setIsTransitioning(true) is set, but setIsTransitioning(false) only happens in the useEffect on selectedSvId. If selectedSvId
doesn't change (user clicks same SV), the effect doesn't re-run, isTransitioning stays true, and the overlay never clears. Consider always resetting in the
timeout directly, not via useEffect.

---

Issues

5. Nested elements — invalid HTML (OverviewFilter.tsx:250–252)

<label className="dropdown-item-checkbox">
    <label htmlFor={`${identifier}-${option.value}`} ...>

Nested elements are invalid HTML per spec. The outer should be a

.

---

6. getBinaryOptionValue return type is string but returns null (OverviewFilter.tsx:28)

  export const getBinaryOptionValue = (option: Primitive): string => {
      // ...
      return null; // ← type error
  };

---

7. BinaryFilter.tsx appears to be dead code

The component is never imported/used anywhere (binary filters are handled inline in OverviewFilter). It also has:

• A commented-out onClick prop
• An uncontrolled without onChange (React warning)

If it was a stepping stone that's been superseded, it should be removed.

---

8. new-sample-added animation fires on every filter change (OverviewPanel.tsx:293–301)

useEffect(() => {
     // Fires whenever filteredSamples changes — including on filter toggles
     overviewContainer.classList.add('new-sample-added');
 }, [filteredSamples]);

This plays the animation any time a filter is applied, not only when a new sample is uploaded. A separate state or ref tracking "samples were genuinely added"
would be needed.

---

9. Hardcoded cohort name for CSS class (OverviewPanel.tsx:400)
   className={overview-container ${selectedCohort === 'PCAWG: Cancer Cohort' ? 'with-filters' : ''}}
   Should use filterIdentifiers.length > 0 instead of a hardcoded string, otherwise the layout won't work correctly for the MSK SPECTRUM cohort (which also has
   filters) or any user-uploaded cohort with filters.

---

10. cohortFiltersObject reference instability (OverviewPanel.tsx:75)
    const cohortFiltersObject = cohorts?.[selectedCohort]?.filters || {};
    The || {} fallback creates a new object reference every render. Since cohortFiltersObject is in the dependency arrays of baseSubsets and optionCounts useMemos,
    those will recompute on every render when there are no filters. Should be memoized or the fallback moved inside the memos.

---

Minor

• OverviewFilter.tsx:8 — nullValue?: string is in the type but never used in the component body.
• OverviewFilter.tsx:120 — setShowDropdown(false) in handleOptionSelection closes the dropdown after every checkbox selection in a multi-select context. Users
  likely expect to keep it open while selecting multiple options.
• CohortSelector.tsx:58–60 — The .catch() comes after .finally(). While it works due to how promise chains evaluate, conventionally .catch() should come before
  .finally().