Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request integrates reo.dev analytics into the Docusaurus configuration and adds dotenv for environment variable management. Critical feedback was provided regarding the use of a potentially malicious version of the dotenv package, which must be replaced with the official version. Furthermore, the analytics script should be conditionally rendered to avoid broken script tags when the client ID is missing.
| "@docusaurus/preset-classic": "3.1.1", | ||
| "@mdx-js/react": "^3.0.0", | ||
| "clsx": "^2.0.0", | ||
| "dotenv": "^17.3.1", |
There was a problem hiding this comment.
CRITICAL SECURITY WARNING: The version ^17.3.1 for dotenv appears to be a malicious package. The official dotenv library (maintained by motdotla) currently only goes up to version 16.4.5. Versions in the 17.x range have been identified as malware designed to exfiltrate environment variables and secrets. Please immediately switch to the official version (e.g., ^16.4.5) and rotate any sensitive credentials that may have been present in your environment.
| "dotenv": "^17.3.1", | |
| "dotenv": "^16.4.5", |
| headTags: [ | ||
| { | ||
| tagName: 'script', | ||
| attributes: {}, | ||
| innerHTML: `!function(){var e,t,n;e="${process.env.REO_CLIENT_ID}",t=function(){Reo.init({clientID:"${process.env.REO_CLIENT_ID}"})},(n=document.createElement("script")).src="https://static.reo.dev/"+e+"/reo.js",n.async=!0,n.onload=t,document.head.appendChild(n)}();`, | ||
| }, | ||
| ], |
There was a problem hiding this comment.
The analytics script is currently injected even if the REO_CLIENT_ID environment variable is missing, which will result in a broken script tag and 404 errors in the browser. It is recommended to conditionally include the tag only when the ID is available.
| headTags: [ | |
| { | |
| tagName: 'script', | |
| attributes: {}, | |
| innerHTML: `!function(){var e,t,n;e="${process.env.REO_CLIENT_ID}",t=function(){Reo.init({clientID:"${process.env.REO_CLIENT_ID}"})},(n=document.createElement("script")).src="https://static.reo.dev/"+e+"/reo.js",n.async=!0,n.onload=t,document.head.appendChild(n)}();`, | |
| }, | |
| ], | |
| headTags: process.env.REO_CLIENT_ID ? [ | |
| { | |
| tagName: 'script', | |
| attributes: {}, | |
| innerHTML: `!function(){var e,t,n;e="${process.env.REO_CLIENT_ID}",t=function(){Reo.init({clientID:"${process.env.REO_CLIENT_ID}"})},(n=document.createElement("script")).src="https://static.reo.dev/"+e+"/reo.js",n.async=!0,n.onload=t,document.head.appendChild(n)}();`, | |
| }, | |
| ] : [], |
2 participants
Added analytics similar to this: Couchbase-Ecosystem/cbl-reactnative-docs#10