ROX-33816: query active deployments in VM 1.0

[stehessel]

Description

change me!

User-facing documentation

• CHANGELOG.md is updated OR update is not needed
• documentation PR is created and is linked above OR is not needed

Testing and quality

• the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
• CI results are inspected

Automated testing

• added unit tests
• added e2e tests
• added regression tests
• added compatibility tests
• modified existing tests

How I validated my change

change me!

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[stehessel]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[github-actions]

🚀 Build Images Ready

Images are ready for commit 214b13b. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-930-g214b13bb15

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• New Features
  • Added feature flag-controlled deployment soft deletion filtering to vulnerability management views, enabling conditional exclusion of deleted deployments from vulnerability analysis across clusters, CVEs, images, components, deployments, namespaces, and node assessments.

Walkthrough

This PR introduces feature-flag-driven deployment soft deletion support across the Vulnerability Management (VulnMgmt) system. The ROX_DEPLOYMENT_SOFT_DELETION feature flag gates a new deployment query behavior that is threaded through GraphQL operations, utility functions, and query variable construction in entity views, list pages, and widgets.

Changes

Deployment Soft Deletion Feature Flag Integration

Layer / File(s)	Summary
Query Utility Enhancement src/Containers/VulnMgmt/Entity/VulnMgmtPolicyQueryUtil.js	tryUpdateQueryWithVulMgmtPolicyClause function signature extended to accept entityContext and optional isDeploymentSoftDeletionEnabled parameter; deployment entities now wrap the query using withActiveDeploymentQuery when the flag is enabled.
GraphQL Fragment Schema src/Containers/VulnMgmt/VulnMgmt.fragments.js	All affected fragments updated to use deploymentCount(query: $deploymentQuery) instead of deploymentCount or deploymentCount(query: $query), creating a consistent field signature across cluster, image, CVE, component, and namespace fragments.
Entity Overview/Detail Components src/Containers/VulnMgmt/Entity/Cluster/VulnMgmtEntityCluster.jsx, Entity/Image/VulnMgmtEntityImage.jsx, Entity/Namespace/VulnMgmtEntityNamespace.jsx, Entity/Deployment/VulnMgmtEntityDeployment.jsx, Entity/Cve/VulnMgmtEntityCve.jsx, Entity/Node/VulnMgmtEntityNode.jsx	Each component imports useFeatureFlags and withActiveDeploymentQuery, reads the ROX_DEPLOYMENT_SOFT_DELETION flag, extends GraphQL query variables to accept $deploymentQuery, and wires the flag through query construction and tryUpdateQueryWithVulMgmtPolicyClause.
Entity Sub-type Components Entity/Component/VulnMgmtEntityImageComponent.jsx, Entity/Component/VulnMgmtEntityNodeComponent.jsx, Entity/TableWidgetFixableCves.jsx	Apply the same integration pattern: import feature flag and deployment query utilities, compute isDeploymentSoftDeletionEnabled, extend GraphQL query signatures, and pass deploymentQuery through queryOptions.
List View Components List/Clusters/VulnMgmtListClusters.jsx, List/Components/VulnMgmtListComponents.jsx, List/Cves/VulnMgmtListCves.jsx, List/Deployments/VulnMgmtListDeployments.jsx, List/ImageComponents/VulnMgmtListImageComponents.jsx, List/Images/VulnMgmtListImages.jsx, List/Namespaces/VulnMgmtListNamespaces.jsx	Each list component extends GraphQL query signatures with $deploymentQuery, reads the ROX_DEPLOYMENT_SOFT_DELETION flag, and includes deploymentQuery in queryOptions.variables via withActiveDeploymentQuery.
Widget Components widgets/TopRiskiestEntities.jsx, widgets/TopRiskyEntitiesByVulnerabilities.jsx	Import withActiveDeploymentQuery and useFeatureFlags, read the deployment soft deletion flag, and wrap existing query construction to conditionally apply deployment-scoped filtering.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description has not been filled out beyond the template placeholder text 'change me!' and lacks any substantive details about the changes, testing, or validation.	Replace placeholder text with a detailed description of the deployment soft-deletion feature flag integration, testing approach, and validation steps performed.
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding support for querying active deployments in Vulnerability Management 1.0, which aligns with the multiple file changes across the VulnMgmt module.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ROX-33816/soft-deletes-ui-vm-1.0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

ui/apps/platform/src/Containers/VulnMgmt/Entity/TableWidgetFixableCves.jsx (1)

68-94: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

$deploymentQuery declared unconditionally but unused for NODE_CVE and CLUSTER_CVE — runtime GraphQL validation failure.

$deploymentQuery: String is always emitted in the operation signature (line 76), but only IMAGE_CVE_LIST_FRAGMENT references deploymentCount(query: $deploymentQuery). When vulnType is CLUSTER_CVE or NODE_CVE, neither the fragment nor the operation body uses $deploymentQuery, making it an unused variable. All variables defined by an operation must be used in that operation or a fragment transitively included by that operation — unused variables cause a validation error. The existing unusedVarSink in CLUSTER_CVE_DETAIL_FRAGMENT confirms the server enforces this rule, so these two widget cases will fail at runtime.

Apply the same conditional-inclusion pattern already used for $query (lines 71–75):

🐛 Proposed fix — guard `$deploymentQuery` like `$query`

-            $deploymentQuery: String
+            ${
+                vulnType !== entityTypes.CLUSTER_CVE && vulnType !== entityTypes.NODE_CVE
+                    ? '$deploymentQuery: String'
+                    : ''
+            }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ui/apps/platform/src/Containers/VulnMgmt/Entity/TableWidgetFixableCves.jsx`
around lines 68 - 94, The GraphQL operation string in fixableCvesQuery declares
$deploymentQuery unconditionally which causes unused-variable validation
failures for vulnType === NODE_CVE or CLUSTER_CVE; update the operation
signature to include $deploymentQuery only when it is needed (mirror the
existing conditional used for $query): emit '$deploymentQuery: String' only when
vulnType is not NODE_CVE and not CLUSTER_CVE (so IMAGE_CVE cases that reference
deploymentCount can use it), leaving the rest of the query and the referenced
queryFragment/IMAGE_CVE_LIST_FRAGMENT unchanged.

ui/apps/platform/src/Containers/VulnMgmt/Entity/Component/VulnMgmtEntityImageComponent.jsx (1)

33-52: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update deploymentCount in the overview query to use $deploymentQuery for consistency with the sibling Image entity.

The overview query defines parameters ($id: ID!, $query: String, $scopeQuery: String) but does not include $deploymentQuery, yet the code constructs and passes deploymentQuery: withActiveDeploymentQuery('', isDeploymentSoftDeletionEnabled) in queryOptions (line 80). The sibling file VulnMgmtEntityImage.jsx correctly includes $deploymentQuery in its overview query parameters and uses it for deploymentCount(query: $deploymentQuery) on line 42. To apply active-deployment filtering consistently when ROX_DEPLOYMENT_SOFT_DELETION is enabled, the overview query should match this pattern.

♻️ Suggested change

    const overviewQuery = gql`
-        query getImageComponent($id: ID!, $query: String, $scopeQuery: String) {
+        query getImageComponent($id: ID!, $query: String, $deploymentQuery: String, $scopeQuery: String) {
             result: imageComponent(id: $id) {
                 id
                 name
                 version
                 fixedIn
                 location(query: $scopeQuery)
                 priority
-                deploymentCount(query: $query)
+                deploymentCount(query: $deploymentQuery)
                 imageVulnerabilityCount(query: $query, scopeQuery: $scopeQuery)
                 imageCount(query: $query)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ui/apps/platform/src/Containers/VulnMgmt/Entity/Component/VulnMgmtEntityImageComponent.jsx`
around lines 33 - 52, The overviewQuery for imageComponent is missing the
$deploymentQuery variable and still calls deploymentCount(query: $query); update
the GraphQL operation signature to include ($deploymentQuery: String) and change
the deploymentCount field to use deploymentCount(query: $deploymentQuery) so the
call that passes deploymentQuery: withActiveDeploymentQuery('',
isDeploymentSoftDeletionEnabled) is honored; adjust any variable usage in the
same component (overviewQuery) accordingly to match the sibling
VulnMgmtEntityImage.jsx pattern.

🧹 Nitpick comments (2)

ui/apps/platform/src/Containers/VulnMgmt/List/Components/VulnMgmtListComponents.jsx (1)

200-214: ⚡ Quick win

Make $deploymentQuery usage explicit in this operation.

Right now this query depends on ...componentFields being the only place that consumes $deploymentQuery. That makes the operation brittle: a fragment edit can turn this into a runtime GraphQL validation failure without any change in this file. The other list queries in this PR avoid that by sinking the variable locally.

Suggested change

     const query = gql`
         query getComponents($query: String, $deploymentQuery: String, $pagination: Pagination) {
             results: components(query: $query, pagination: $pagination) {
                 ...componentFields
+                unusedVarSink(query: $deploymentQuery)
             }
             count: componentCount(query: $query)
         }
         ${VULN_COMPONENT_LIST_FRAGMENT}
     `;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ui/apps/platform/src/Containers/VulnMgmt/List/Components/VulnMgmtListComponents.jsx`
around lines 200 - 214, The GraphQL operation getComponents declares
$deploymentQuery but only uses it indirectly inside the
VULN_COMPONENT_LIST_FRAGMENT, which is brittle; make $deploymentQuery usage
explicit by adding it to the components field arguments (the components(...)
call inside the getComponents query) so the operation directly consumes
$deploymentQuery, and ensure the queryOptions.variables still passes
deploymentQuery via withActiveDeploymentQuery; update the getComponents query
(and its components(...) argument list) and keep references to
VULN_COMPONENT_LIST_FRAGMENT, queryOptions.variables, withActiveDeploymentQuery,
and the query constant named query.

ui/apps/platform/src/Containers/VulnMgmt/Entity/VulnMgmtPolicyQueryUtil.js (1)

11-25: ⚡ Quick win

Add focused coverage for the deployment filter helper.

This function is now the switch point for whether VM deployment lists exclude soft-deleted rows. A small flag-on/flag-off test here would catch regressions before they skew results across every page wired up in this PR.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ui/apps/platform/src/Containers/VulnMgmt/Entity/VulnMgmtPolicyQueryUtil.js`
around lines 11 - 25, Add a focused unit test for
tryUpdateQueryWithVulMgmtPolicyClause that verifies the deployment soft-deletion
filter behavior: call tryUpdateQueryWithVulMgmtPolicyClause with entityType ===
entityTypes.DEPLOYMENT and isDeploymentSoftDeletionEnabled true and assert the
returned query was passed through withActiveDeploymentQuery (i.e., includes the
active-deployment constraint), then call it again with
isDeploymentSoftDeletionEnabled false and assert the returned query equals the
raw query (no active filter). Also add a complementary case for a non-DEPLOYMENT
entityType to confirm the function returns the normal
queryService.objectToWhereClause result (and for POLICY ensure the Category:
'Vulnerability Management' clause is present). Use the existing helper names
tryUpdateQueryWithVulMgmtPolicyClause, withActiveDeploymentQuery, entityTypes,
and queryService in the test to locate and exercise the logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskiestEntities.jsx`:
- Around line 347-351: The withActiveDeploymentQuery deployment-state filter is
being applied to all queries but this widget never queries DEPLOYMENT; remove
the deployment-filtering call by replacing the wrapped expression so that query
is set directly from queryService.objectToWhereClause(queryObject) (i.e., stop
calling withActiveDeploymentQuery), and also remove the now-unused
isDeploymentSoftDeletionEnabled variable/import if it becomes unused; target
symbols: withActiveDeploymentQuery, isDeploymentSoftDeletionEnabled, query, and
queryService.objectToWhereClause.

---

Outside diff comments:
In
`@ui/apps/platform/src/Containers/VulnMgmt/Entity/Component/VulnMgmtEntityImageComponent.jsx`:
- Around line 33-52: The overviewQuery for imageComponent is missing the
$deploymentQuery variable and still calls deploymentCount(query: $query); update
the GraphQL operation signature to include ($deploymentQuery: String) and change
the deploymentCount field to use deploymentCount(query: $deploymentQuery) so the
call that passes deploymentQuery: withActiveDeploymentQuery('',
isDeploymentSoftDeletionEnabled) is honored; adjust any variable usage in the
same component (overviewQuery) accordingly to match the sibling
VulnMgmtEntityImage.jsx pattern.

In `@ui/apps/platform/src/Containers/VulnMgmt/Entity/TableWidgetFixableCves.jsx`:
- Around line 68-94: The GraphQL operation string in fixableCvesQuery declares
$deploymentQuery unconditionally which causes unused-variable validation
failures for vulnType === NODE_CVE or CLUSTER_CVE; update the operation
signature to include $deploymentQuery only when it is needed (mirror the
existing conditional used for $query): emit '$deploymentQuery: String' only when
vulnType is not NODE_CVE and not CLUSTER_CVE (so IMAGE_CVE cases that reference
deploymentCount can use it), leaving the rest of the query and the referenced
queryFragment/IMAGE_CVE_LIST_FRAGMENT unchanged.

---

Nitpick comments:
In `@ui/apps/platform/src/Containers/VulnMgmt/Entity/VulnMgmtPolicyQueryUtil.js`:
- Around line 11-25: Add a focused unit test for
tryUpdateQueryWithVulMgmtPolicyClause that verifies the deployment soft-deletion
filter behavior: call tryUpdateQueryWithVulMgmtPolicyClause with entityType ===
entityTypes.DEPLOYMENT and isDeploymentSoftDeletionEnabled true and assert the
returned query was passed through withActiveDeploymentQuery (i.e., includes the
active-deployment constraint), then call it again with
isDeploymentSoftDeletionEnabled false and assert the returned query equals the
raw query (no active filter). Also add a complementary case for a non-DEPLOYMENT
entityType to confirm the function returns the normal
queryService.objectToWhereClause result (and for POLICY ensure the Category:
'Vulnerability Management' clause is present). Use the existing helper names
tryUpdateQueryWithVulMgmtPolicyClause, withActiveDeploymentQuery, entityTypes,
and queryService in the test to locate and exercise the logic.

In
`@ui/apps/platform/src/Containers/VulnMgmt/List/Components/VulnMgmtListComponents.jsx`:
- Around line 200-214: The GraphQL operation getComponents declares
$deploymentQuery but only uses it indirectly inside the
VULN_COMPONENT_LIST_FRAGMENT, which is brittle; make $deploymentQuery usage
explicit by adding it to the components field arguments (the components(...)
call inside the getComponents query) so the operation directly consumes
$deploymentQuery, and ensure the queryOptions.variables still passes
deploymentQuery via withActiveDeploymentQuery; update the getComponents query
(and its components(...) argument list) and keep references to
VULN_COMPONENT_LIST_FRAGMENT, queryOptions.variables, withActiveDeploymentQuery,
and the query constant named query.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: eb477577-e0f6-4c84-8e81-32595515c42c

📥 Commits

Reviewing files that changed from the base of the PR and between 5a4f95b and 214b13b.

📒 Files selected for processing (20)

• ui/apps/platform/src/Containers/VulnMgmt/Entity/Cluster/VulnMgmtEntityCluster.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Component/VulnMgmtEntityImageComponent.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Component/VulnMgmtEntityNodeComponent.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Cve/VulnMgmtEntityCve.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Deployment/VulnMgmtEntityDeployment.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Image/VulnMgmtEntityImage.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Namespace/VulnMgmtEntityNamespace.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/Node/VulnMgmtEntityNode.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/TableWidgetFixableCves.jsx
• ui/apps/platform/src/Containers/VulnMgmt/Entity/VulnMgmtPolicyQueryUtil.js
• ui/apps/platform/src/Containers/VulnMgmt/List/Clusters/VulnMgmtListClusters.jsx
• ui/apps/platform/src/Containers/VulnMgmt/List/Components/VulnMgmtListComponents.jsx
• ui/apps/platform/src/Containers/VulnMgmt/List/Cves/VulnMgmtListCves.jsx
• ui/apps/platform/src/Containers/VulnMgmt/List/Deployments/VulnMgmtListDeployments.jsx
• ui/apps/platform/src/Containers/VulnMgmt/List/ImageComponents/VulnMgmtListImageComponents.jsx
• ui/apps/platform/src/Containers/VulnMgmt/List/Images/VulnMgmtListImages.jsx
• ui/apps/platform/src/Containers/VulnMgmt/List/Namespaces/VulnMgmtListNamespaces.jsx
• ui/apps/platform/src/Containers/VulnMgmt/VulnMgmt.fragments.js
• ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskiestEntities.jsx
• ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskyEntitiesByVulnerabilities.jsx

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Inspect withActiveDeploymentQuery to understand what it appends
# when enabled, so we can determine whether it is safe to apply to non-deployment queries.
rg -n "withActiveDeploymentQuery" --type js -A 10 -B 2
fd "deploymentUtils" --type f --exec cat {}

Repository: stackrox/stackrox

Length of output: 50373

---

🏁 Script executed:

fd "deploymentUtils" --type f

Repository: stackrox/stackrox

Length of output: 177

---

🏁 Script executed:

cat -n ui/apps/platform/src/utils/deploymentUtils.ts

Repository: stackrox/stackrox

Length of output: 1538

---

🏁 Script executed:

sed -n '1,100p' ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskiestEntities.jsx | head -50

Repository: stackrox/stackrox

Length of output: 1979

---

🏁 Script executed:

sed -n '320,370p' ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskiestEntities.jsx

Repository: stackrox/stackrox

Length of output: 1669

---

🏁 Script executed:

sed -n '1,330p' ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskiestEntities.jsx | grep -A 50 "getQueryBySelectedEntityVulns\|getEntitiesByContext"

Repository: stackrox/stackrox

Length of output: 2166

---

🏁 Script executed:

sed -n '260,280p' ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskyEntitiesByVulnerabilities.jsx

Repository: stackrox/stackrox

Length of output: 786

---

Gate the deployment soft-deletion filter to deployment queries only.

The withActiveDeploymentQuery call applies a deployment-specific state filter (Deployment State:DEPLOYMENT_STATE_ACTIVE) to all queries from this widget. However, selectedEntity is constrained to IMAGE, NODE, IMAGE_COMPONENT, or NODE_COMPONENT — never DEPLOYMENT. This filter should not be applied to images(), nodes(), or component queries as it will either corrupt the query syntax or cause backend errors.

Since this widget never queries deployments, either:

• Remove the withActiveDeploymentQuery call entirely, or
• Gate it to match TopRiskyEntitiesByVulnerabilities.jsx (line 270): isDeploymentSoftDeletionEnabled && selectedEntityType === entityTypes.DEPLOYMENT (though this condition would always be false here and effectively disables the filter).

The correct approach is to remove the deployment filter application entirely from this widget.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ui/apps/platform/src/Containers/VulnMgmt/widgets/TopRiskiestEntities.jsx`
around lines 347 - 351, The withActiveDeploymentQuery deployment-state filter is
being applied to all queries but this widget never queries DEPLOYMENT; remove
the deployment-filtering call by replacing the wrapped expression so that query
is set directly from queryService.objectToWhereClause(queryObject) (i.e., stop
calling withActiveDeploymentQuery), and also remove the now-unused
isDeploymentSoftDeletionEnabled variable/import if it becomes unused; target
symbols: withActiveDeploymentQuery, isDeploymentSoftDeletionEnabled, query, and
queryService.objectToWhereClause.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.63%. Comparing base (5a4f95b) to head (214b13b).

Additional details and impacted files

@@                        Coverage Diff                        @@
##           ROX-33816/soft-deletes-ui-vm-2.0   #20428   +/-   ##
=================================================================
  Coverage                             49.63%   49.63%           
=================================================================
  Files                                  2802     2802           
  Lines                                213115   213115           
=================================================================
+ Hits                                 105769   105774    +5     
+ Misses                                99595    99592    -3     
+ Partials                               7751     7749    -2     

Flag	Coverage Δ
go-unit-tests	49.63% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.