Release 0.2.3 — CodeQL hardening + Node 24/v5 actions#6
Merged
Conversation
added 3 commits
June 26, 2026 16:25
actions/checkout@v4→v5, actions/setup-node@v4→v5, node-version 20→24 across publish/ci/codeql. The v5 actions target Node 24 natively, so GitHub no longer force-runs them on a deprecated Node-20 shim.
…ing)
- url-substring-sanitization: parse + exact hostname match (===/.endsWith) instead
of bypassable url.includes("domain") — resume-parser, sourced-scanner,
tracker-data, capture-search-sources (new hostnameMatches helper)
- double-escaping: single-pass replace in yaml.mjs unescape + sourced-scanner HTML
entity decode (no cascade re-decode)
- incomplete-(multi-char-)sanitization: global/loop strip + escape the matched char
($&) — dashboard-data cleanContactName, packet, sourced-intake, sourced-delta
- bad-tag-filter: separate opening-tag attrs from content in the script-strip regex
- xss-through-dom: validate the logo base is an https URL before using it as img src
Dismissed 8 test-fixture alerts as 'used in tests'. 95/95 guard+parser tests green.
Security: 17 CodeQL high alerts resolved (URL/escape/XSS hardening) + Actions bumped to v5 / Node 24 (clears the Node-20 deprecation).
biggest-littlest
approved these changes
Jun 26, 2026
biggest-littlest
left a comment
biggest-littlest
left a comment
Member
There was a problem hiding this comment.
Code-owner — 0.2.3 security.
ALARGECOMPANY
approved these changes
Jun 26, 2026
ALARGECOMPANY
left a comment
ALARGECOMPANY
left a comment
Member
There was a problem hiding this comment.
Second approval — 0.2.3.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| /** Escape pipe characters inside a markdown table cell. */ | ||
| function escapeCell(text) { | ||
| return String(text ?? "").replace(/\|/g, "\\|"); | ||
| return String(text ?? "").replace(/\|/g, "\\$&"); |
| export function htmlToText(html = "") { | ||
| return String(html) | ||
| .replace(/<script\b[\s\S]*?<\/script>/gi, " ") | ||
| .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, " ") |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes
devtomainfor 0.2.3.includes), single-pass escaping (no double-decode), full tag-strip, https-validated logo src. 8 test-fixture alerts dismissed as 'used in tests'. 95/95 guard+parser tests green.The CodeQL run on this PR re-scans the fixed files (expect the 17 to clear). The required
structure-guardscheck must pass to merge.