chore: add ESLint, CodeQL, and npm audit to CI #180
Open
jakebromberg wants to merge 5 commits into main from
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
1e45da0 to 2cbeef1
0496c8d to efb51dd
efb51dd to 26ebc21
added 5 commits
March 19, 2026 10:32
Set up ESLint with eslint-config-next (core-web-vitals + typescript), CodeQL for security scanning, and npm audit for dependency vulnerabilities. Fix all lint violations across the codebase.
- Add eslint.config.mjs with flat config format
- Add CI workflow with lint, typecheck, and audit steps
- Add CodeQL workflow with weekly scheduled scans
- Fix ~200 lint violations (unused vars/imports, console.log, unescaped entities, missing alt text, exhaustive-deps, etc.)
- Add eslint-disable comments for SDK-related any casts
- Disable React Compiler rules pending adoption

Run npm audit fix to update transitive dependencies:
- minimatch 3.1.2 -> 3.1.5, 8.0.4 -> 8.0.7, 9.0.5 -> 9.0.8 (ReDoS)
- rollup 4.57.1 -> 4.59.0 (path traversal)
- fast-xml-parser 5.3.4 -> 5.3.6 via @aws-sdk/xml-builder (DoS, entity bypass)
- ajv 6.12.6 -> 6.14.0 (ReDoS)
Remaining 9 vulnerabilities are low/moderate with no non-breaking fix.
The @wxyc/shared package is hosted on GitHub Packages, which requires authentication. Add registry-url and NPM_TOKEN env vars to the CI workflow, matching the pattern used in PR #224.
- Replace `Function` type with explicit parameter types in rightbar test
- Replace `any` with typed parameters in organization-utils.ts
- Replace `any` cast with typed object in conversions.ts default case
- Fix `play_freq` -> `rotation_bin` rename in BinContent test
- Fix `SearchIn` value "Both" -> "All" in catalogSearchQuery test
- Fix mock return types to match async signatures in test files
- Add required fields to mock objects for type compatibility
…sting lint errors to warnings
26ebc21 to ef201a9
Closes #238
Summary
- eslint-config-next (core-web-vitals + typescript presets) via flat config (eslint.config.mjs)
- CI workflow (.github/workflows/ci.yml) with lint, typecheck, and `npm audit --audit-level=high` steps
- CodeQL workflow (.github/workflows/codeql.yml) with `security-extended` queries and weekly scheduled scans
- Fix ~200 lint violations (console.log, unescaped entities, missing alt text, exhaustive-deps, `no-explicit-any` suppressions for SDK types, etc.)
- `npm run lint` / `npm run lint:fix` scripts
- npm audit finding (@isaacs/brace-expansion)

Notable decisions
- react-hooks v7 (shipped with eslint-config-next 16) includes new rules (set-state-in-effect, refs, purity, preserve-manual-memoization) that are too strict for the current codebase. Disabled until React Compiler is adopted.
- `no-explicit-any` suppressed for SDK types: ~49 instances where `any` is required due to better-auth SDK missing types, RTK Query untyped backend responses, and vendor-prefixed browser APIs. Each has a justification comment.
- `@next/next/no-img-element` suppressed for external image URLs (album art from Discogs/iTunes/Last.fm) where `next/image` remote patterns aren't practical.

Test plan
- `npx eslint .` -- 0 errors, 0 warnings
- `npm run build` -- passes
- `npm audit --audit-level=high` -- exit code 0
- `npm run test:run` -- pre-existing failures only (unchanged)
- `npx tsc --noEmit` -- pre-existing failures only (unchanged)
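The two workflow files the description refers to are not shown on this page. What follows is an added example, not the PR's own `ci.yml` or `codeql.yml`: one way to write both workflows so they do what the summary and commit messages state (lint, typecheck, `npm audit --audit-level=high`, CodeQL with `security-extended` queries on a weekly schedule, and GitHub Packages authentication for `@wxyc/shared` via an `NPM_TOKEN` secret). The job names, the Node version, the cron time, the `javascript-typescript` language selector, the `@wxyc` scope and the use of setup-node's `registry-url` with `NODE_AUTH_TOKEN` are assumptions; the PR only says that `registry-url` and `NPM_TOKEN` were added.

```yaml
# .github/workflows/ci.yml  (added example; not the PR's actual file)
name: CI
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read            # least privilege: lint/typecheck/audit only read the repo
jobs:
  checks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20                              # assumed version
          cache: npm
          registry-url: https://npm.pkg.github.com      # @wxyc/shared lives on GitHub Packages
          scope: '@wxyc'                                # assumed scope for the private package
      - run: npm ci
        env:
          # setup-node writes an .npmrc that reads the token from NODE_AUTH_TOKEN;
          # the secret name NPM_TOKEN is the one the commit message mentions.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: npx eslint .
      - run: npx tsc --noEmit
      # Fails the job only on high/critical advisories, so the nine remaining
      # low/moderate findings described in the PR do not block merges.
      - run: npm audit --audit-level=high
---
# .github/workflows/codeql.yml  (added example; not the PR's actual file)
name: CodeQL
on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'     # weekly, Monday 06:00 UTC (assumed time)
permissions:
  contents: read
  security-events: write    # needed to upload SARIF results to the Security tab
jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript-typescript
          queries: security-extended   # the broader query suite named in the summary
      - uses: github/codeql-action/analyze@v3
```

Two points a reviewer would check on the real files: the `permissions` block should be present at the top level so the default `GITHUB_TOKEN` is not granted write access the jobs do not need, and the `uses:` references should be pinned to full commit SHAs rather than mutable tags before this is relied on as a supply-chain control, since the workflow itself runs third-party code from those actions.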