fix: resolve code-scanning alerts + update deps (minor/patch)#885
Merged
Address GitHub code-scanning alerts across the monorepo:
- polynomial-redos: remove ambiguous `\s*` in the fenced-block regex (generative-ui.ts)
- bad-tag-filter / double-escaping / incomplete-multi-character-sanitization: rewrite HTML stripping to loop until stable and decode `&` last (fetch-url.ts, web-search.ts)
- incomplete-sanitization: harden markdown-table cells, Mermaid labels, redis key-pattern and regex escaping (reporters.ts, flow.ts, redis.test.ts, check-for-agents-coverage.mjs)
- incomplete-url-substring-sanitization: match the OpenAI host exactly via URL parsing instead of a prefix check (openai.ts)
- stack-trace-exposure: return a generic error, log details server-side (ask-docs/route.ts)
- file-system-race: use the `wx` open flag for atomic create (config.ts, docs-new.mjs)
- insecure-temporary-file: create test dirs with mkdtemp (config.test.ts, scaffold.test.ts)
- unused-local-variable: drop dead imports and variables

The two js/file-access-to-http alerts (embedders.ts, check-links.mjs) are intentional outbound requests; documented inline and dismissed.
Run `pnpm -r update` to pull minor/patch updates within existing semver ranges across all packages:
- @types/node 25.9.0 -> 25.9.1
- vitest / @vitest/coverage-v8 4.1.6 -> 4.1.7
- @types/react 19.2.14 -> 19.2.15
- vite 8.0.13 -> 8.0.14
- fumadocs-core / fumadocs-ui 16.8.12 -> 16.9.0
- motion 12.39.0 -> 12.40.0
- svelte 5.55.8 -> 5.55.9
- @angular/core 21.2.13 -> 21.2.14
- @cloudflare/workers-types 4.20260519.1 -> 4.20260521.1

marked (15 -> 18) is a major bump and was intentionally skipped.
- resync pnpm-lock.yaml so `next` importer specifier matches the overridden `>=16.2.6` (CI frozen-lockfile install was failing)
- stripHtml: drop unterminated `<!--` comments and loop comment + tag removal until stable (CodeQL incomplete-multi-character-sanitization, alert 62)
- reporters.ts: escape backslashes before pipes in Markdown table cells (CodeQL incomplete string escaping, alert 63)
- add changeset for the code-scanning fixes + dependency sweep
Summary

Two parts, one commit each.

1. Security — code-scanning alerts (9d3ddbb)

Resolves open GitHub code-scanning alerts:
- polynomial-redos: `\s*` in fence regex
- bad-tag-filter / double-escaping / incomplete-multi-character-sanitization: `&` last
- incomplete-sanitization
- incomplete-url-substring-sanitization: `URL`
- stack-trace-exposure
- file-system-race: `wx` flag
- insecure-temporary-file: `mkdtemp` for test dirs
- unused-local-variable

The two `js/file-access-to-http` alerts (embedders.ts, check-links.mjs) are intentional outbound requests — the embedder and the link-checker exist to make them. Documented inline; alerts dismissed as won't-fix.

2. Dependency updates — minor/patch (e0152e7)

`pnpm -r update` within existing semver ranges. `@types/node`, `vitest`, `@vitest/coverage-v8`, `@types/react`, `vite`, `fumadocs-core/ui`, `motion`, `svelte`, `@angular/core`, `@cloudflare/workers-types`. `marked` 15→18 skipped (major).

Test plan
- `pnpm build` — 36/36 ✅
- `pnpm test` — 37/37 ✅
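As an added example, not code from this PR or the project, here is an HTML-stripping helper built the way the commit messages describe the `stripHtml` fix: comment and tag removal are repeated until the output stops changing (so markup reassembled by a single pass is removed on the next), unterminated `<!--` comments are dropped, and entity decoding runs only afterwards, with `&amp;` last so a double-encoded `&amp;lt;` cannot collapse into `<`. The regexes and the tag model are this example's own assumptions.

```javascript
// Constructed example; the patterns below are assumptions, not the project's code.
const COMMENT_RE = /<!--[\s\S]*?-->/g;      // terminated HTML comments
const OPEN_COMMENT_RE = /<!--[\s\S]*$/;     // an unterminated comment hides the rest of the input
const TAG_RE = /<\/?[a-zA-Z][^<>]*>/g;      // a tag: '<', optional '/', a name, no nested '<' or '>'

// Strip markup to plain text. A single replace is not enough: removing the
// inner tag from "<sp<b>an>" yields "<span>", which is a tag again. Looping
// until a pass makes no change is what closes that gap.
function stripHtml(html) {
  let out = String(html);
  let prev;
  do {
    prev = out;
    out = out
      .replace(COMMENT_RE, "")
      .replace(OPEN_COMMENT_RE, "")
      .replace(TAG_RE, "");
  } while (out !== prev);
  return decodeEntities(out);
}

// Decode only after no markup remains, and decode "&amp;" last: decoding it
// first would turn "&amp;lt;" into "&lt;", which the next rule would then
// turn into a literal "<" that the tag-stripping loop never saw.
function decodeEntities(text) {
  return text
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Constructed sample inputs covering each case the loop and ordering protect.
const SAMPLES = [
  "<p>Hello <b>world</b></p>",
  "<sp<b>an>nested</sp<b>an>",
  "a <!-- hidden --> b",
  "a <!-- never closed <b>x</b>",
  "Tom &amp; Jerry &amp;lt;3",
];

module.exports = { stripHtml, decodeEntities, SAMPLES };
```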