
release: promote dev → main (v0.5.1 → v0.5.2) #13

Merged
scttbnsn merged 2 commits into main from dev on Jun 30, 2026
Conversation

@scttbnsn (Contributor)

Promotes the slug-trim polynomial-ReDoS class-fix (15 sites, js/polynomial-redos) + v0.5.2. With the logo-src xss-through-dom dismissed as a false positive, this brings main's CodeQL baseline to 0 open alerts. Merge-commit only. 939 tests green.

CodesWhat added 2 commits June 30, 2026 19:31
…codebase

The slugify idiom `.replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "")` carries a
polynomial-ReDoS in the trailing `-+$` (O(n²) backtracking on a long run of dashes
not at end). CodeQL flagged the two sites reachable from uncontrolled input in
capture-search-sources.mjs (js/polynomial-redos), but it's the same latent idiom in
15 sites across providers, tracker, profile, comms, research, interview, and a
backfill script — fix the whole class. The preceding `[^a-z0-9]+→"-"` collapse
already makes any boundary dash single, so `/^-|-$/g` is behavior-equivalent
(verified on edge cases) and has no quantifier to backtrack (0.04ms on 50k dashes).

Also dismissed the logo-src xss-through-dom (#8) as a false positive: the value is
an https-validated, first-party logo.dev URL written into an img `src`, never
reinterpreted as HTML.
Eliminates the slug-trim polynomial-ReDoS class (js/polynomial-redos) across 15 sites; dismisses the logo-src xss-through-dom false positive. main + dev now CodeQL-clean.
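The regex change the commit message describes, as an added example that is not the project's own code: the slugify idiom in its flagged form beside the fixed form, an edge-case corpus that checks the two agree once the `[^a-z0-9]+` collapse precedes the trim, and a caveat showing that the single-dash trim is not a drop-in replacement when that collapse is absent. Function names, the corpus and the sample inputs are constructed here; the project's actual call sites are not reproduced.

```javascript
// Added example (not the project's code): slug-trim idiom, flagged vs. fixed.

// Flagged form: the trailing `-+$` alternative backtracks polynomially on a
// long run of dashes that does not end the string (js/polynomial-redos).
// Kept here only to compare outputs on short inputs; do not feed it long runs.
function slugifyFlagged(input) {
  return String(input)
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
}

// Fixed form: the preceding collapse turns every run of non-alphanumerics into
// exactly one dash, so a boundary dash can only ever be a single character and
// `/^-|-$/g` removes it with no quantifier left to backtrack.
function slugifyFixed(input) {
  return String(input)
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-|-$/g, "");
}

// Constructed edge-case corpus: empty and separator-only strings, leading and
// trailing separator runs, mixed punctuation, non-ASCII letters, digits.
const EDGE_CASES = [
  "", "-", "---", "   ", "Hello World", "--hello--", "  hello  world  ",
  "a", "!!!a!!!", "a-b_c d", "ÜberCool Co.", "1999-12-31", "--a--b--", "_",
];

// Returns every input on which the flagged and fixed slugifiers disagree.
// Behavior-equivalence on the corpus means this list is empty.
function findDivergences(inputs) {
  return inputs.filter((s) => slugifyFlagged(s) !== slugifyFixed(s));
}

// Caveat: without the collapse step the two trims are NOT equivalent. On a raw
// string with multi-dash boundaries the single-dash trim leaves dashes behind.
function trimWithoutCollapse(raw) {
  return {
    flagged: raw.replace(/^-+|-+$/g, ""),
    fixed: raw.replace(/^-|-$/g, ""),
  };
}

// Property the equivalence argument rests on: after the collapse, no two
// dashes are ever adjacent, so boundary runs have length at most one.
function hasAdjacentDashesAfterCollapse(input) {
  const collapsed = String(input).toLowerCase().replace(/[^a-z0-9]+/g, "-");
  return /--/.test(collapsed);
}

// Stand-alone run: report divergences (expected: none) and the caveat case.
console.log("divergences:", findDivergences(EDGE_CASES));
console.log("without collapse, '--a--' ->", trimWithoutCollapse("--a--"));
```

When porting this fix to other call sites, the check that matters is the one `findDivergences` encodes: the single-dash trim is safe only where the collapse step immediately precedes it, so a site that trims a string which was not collapsed first needs a different treatment.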
@vercel (Bot) commented Jun 30, 2026

The latest updates on your projects.

Project Deployment Actions Updated (UTC)
rolester-website Ready Ready Preview, Comment Jun 30, 2026 11:32pm

@biggest-littlest (Member) left a comment

Code-owner approval. Slug-trim ReDoS class-fix (15 sites) + v0.5.2; xss-through-dom #8 dismissed as a verified false positive. structure-guards + CodeQL green, 0 open alerts on the merge ref, 939 tests.

@ALARGECOMPANY (Member) left a comment

Second approval. Verified CodeQL clean on the merge ref and main baseline going to zero open alerts. Good to promote.

@scttbnsn scttbnsn merged commit fd88390 into main Jun 30, 2026
8 checks passed