ci(security): fix codeql alerts and lockfile drift (#107)

Author: anand-testcompare

.github/workflows/ci.yml

@@ -18,6 +18,9 @@ on:
       - ".codex/**"
       - ".opencode/**"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true

.github/workflows/org-required-checks.yml

@@ -10,18 +10,19 @@ on:
       - ready_for_review
   deployment_status:
 
+permissions:
+  checks: read
+  contents: read
+  pull-requests: read
+  statuses: read
+
 jobs:
   verify:
     name: Check
     if: |
       github.event_name == 'pull_request' ||
       (github.event_name == 'deployment_status' && github.event.deployment_status.state == 'success')
     runs-on: ubuntu-latest
-    permissions:
-      checks: read
-      contents: read
-      pull-requests: read
-      statuses: read
     steps:
       - name: Wait for merge gates
         uses: actions/github-script@v8

bun.lock

@@ -1,3 +1,4 @@
+import { cleanText, normalizeWhitespace } from "./text";
 import type {
   ShopifyCableSourceTemplate,
   ShopifyEvidencePointer,
@@ -189,21 +190,6 @@ const UNKNOWN_BRAND_TOKENS = new Set([
   "null",
 ]);
 
-const stripTags = (value: string): string => {
-  return value.replace(/<[^>]+>/g, " ");
-};
-
-const normalizeWhitespace = (value: string): string => {
-  return value.replace(/\s+/g, " ").trim();
-};
-
-const cleanText = (value: string | undefined | null): string => {
-  if (typeof value !== "string") {
-    return "";
-  }
-  return normalizeWhitespace(stripTags(value));
-};
-
 const combineUniqueText = (...segments: Array<string | undefined>): string => {
   const seen = new Set<string>();
   const unique: string[] = [];

packages/shopify-cable-source/src/source.ts

@@ -0,0 +1,21 @@
+import { describe, expect, it } from "bun:test";
+import { cleanText } from "./text";
+
+describe("cleanText", () => {
+  it("strips balanced HTML tags and normalizes whitespace", () => {
+    expect(cleanText("  <p>Hello <strong>world</strong></p>  ")).toBe(
+      "Hello world"
+    );
+  });
+
+  it("preserves unmatched angle brackets instead of truncating the remainder", () => {
+    expect(cleanText("prefix <<<<<<<<<< trailing")).toBe(
+      "prefix <<<<<<<<<< trailing"
+    );
+  });
+
+  it("returns an empty string for non-string input", () => {
+    expect(cleanText(undefined)).toBe("");
+    expect(cleanText(null)).toBe("");
+  });
+});

packages/shopify-cable-source/src/text.test.ts

@@ -0,0 +1,36 @@
+const stripBalancedTags = (value: string): string => {
+  let cursor = 0;
+  let output = "";
+
+  while (cursor < value.length) {
+    const tagStart = value.indexOf("<", cursor);
+    if (tagStart === -1) {
+      output += value.slice(cursor);
+      break;
+    }
+
+    const tagEnd = value.indexOf(">", tagStart + 1);
+    if (tagEnd === -1) {
+      output += value.slice(cursor);
+      break;
+    }
+
+    output += value.slice(cursor, tagStart);
+    output += " ";
+    cursor = tagEnd + 1;
+  }
+
+  return output;
+};
+
+export const normalizeWhitespace = (value: string): string => {
+  return value.replace(/\s+/g, " ").trim();
+};
+
+export const cleanText = (value: string | undefined | null): string => {
+  if (typeof value !== "string") {
+    return "";
+  }
+
+  return normalizeWhitespace(stripBalancedTags(value));
+};