Marketing + docs site (Vite + React + TypeScript)#11
Conversation
… data) - dependabot.ts: fetch open Dependabot alerts (GitHub Advisory Database) -> findings; best-effort, never throws - merged into PR review and /audit so dependency CVEs are always up to date - app.yml: vulnerability_alerts: read permission - 115 tests passing
…ploy - web/: Vite + React 18 + TypeScript SPA (HashRouter) — Landing + Docs pages - clean components: Logo, Header/Footer, CodeBlock (copy), Reveal (scroll-in) - animated hero (mesh gradient, bobbing anvil, spinning spark), live-example cards, full docs - .github/workflows/pages.yml builds web/ and deploys to GitHub Pages - tsc + vite build both pass
🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)4 finding(s) (2 security). See the review above for inline details and suggested fixes. |
| }, | ||
| "engines": { | ||
| "node": ">=6.0.0" | ||
| } |
There was a problem hiding this comment.
🔵 Low · 🛡️ Security · vulnerable-dependency
Vulnerable Dependency: semver is susceptible to ReDoS
The package-lock.json file includes semver@6.3.1 as a transitive dependency (via @babel/helper-compilation-targets). This version is vulnerable to CVE-2022-25883, a regular expression denial-of-service (ReDoS) vulnerability. While this is a development dependency and the exploitability is very low within the build process, it's best practice to use patched versions of all dependencies. The vulnerability can be triggered by a maliciously crafted version string, potentially causing the build process to hang.
| } | |
| Run `npm audit fix` in the `web/` directory. If that doesn't resolve it, updating the top-level packages that rely on the vulnerable version (like `@babel/core` or `vite` and its plugins) to their latest versions should resolve the issue. |
| </header> | ||
| ); | ||
| } |
There was a problem hiding this comment.
🔵 Low · 🛡️ Security · CWE-1022
External links are missing rel="noopener noreferrer"
The <a> tag used for the external GitHub link does not have a rel="noopener noreferrer" attribute. Without noopener, the newly opened page can access the original page's window object via window.opener, which could be used to maliciously redirect the original page to a phishing site (tabnabbing). Without noreferrer, the new page receives the full URL of the source page in the Referer header, which can be a minor privacy leak. This issue is present on this line and on other external links throughout the new web components (e.g., in Footer.tsx, Docs.tsx).
| </header> | |
| ); | |
| } | |
| <a className="btn btn-g cta" href={GITHUB} rel="noopener noreferrer"> | |
| GitHub ↗ | |
| </a> |
| body: | ||
| `${adv.summary ?? 'Known vulnerability in a dependency.'}\n\n` + | ||
| `Package: \`${pkg.name ?? '?'}\` (${pkg.ecosystem ?? '?'}). ` + | ||
| `Affected: ${vuln?.vulnerable_version_range ?? '?'}. ` + | ||
| (patched ? `Fixed in **${patched}** — upgrade to it or later.` : 'No patched version yet.') + | ||
| (a?.html_url ? `\n\n${a.html_url}` : ''), | ||
| }); |
There was a problem hiding this comment.
🔵 Low · 🔧 Quality · Improper Output Neutralization
Unsanitized Dependabot API data is used in Markdown report
The mapAlertsToFindings function constructs a Markdown string for the finding's body using raw data from the Dependabot API response (e.g., pkg.name, adv.summary). It does not sanitize or escape potential Markdown control characters (like backticks, newlines, etc.) in these fields. If a package name or vulnerability summary from the API contains these characters, it could break the formatting of the final GitHub comment, making it hard to read or even misleading. While the data comes from GitHub's API and is likely safe from XSS, this can lead to garbled output (a form of injection).
| body: | |
| `${adv.summary ?? 'Known vulnerability in a dependency.'}\n\n` + | |
| `Package: \`${pkg.name ?? '?'}\` (${pkg.ecosystem ?? '?'}). ` + | |
| `Affected: ${vuln?.vulnerable_version_range ?? '?'}. ` + | |
| (patched ? `Fixed in **${patched}** — upgrade to it or later.` : 'No patched version yet.') + | |
| (a?.html_url ? `\n\n${a.html_url}` : ''), | |
| }); | |
| `Package: \`${(pkg.name ?? '?').replace(/`/g, '\\`')}\` (${pkg.ecosystem ?? '?'}). ` |
| "@types/react": "^18.3.11", | ||
| "@types/react-dom": "^18.3.0", | ||
| "@vitejs/plugin-react": "^4.3.2", | ||
| "typescript": "^5.6.2", | ||
| "vite": "^5.4.8" |
There was a problem hiding this comment.
⚪ Info · 🔧 Quality · Dependency Management
Dev dependency versions in package.json are out of sync with package-lock.json
The versions specified in package.json for several dev dependencies (like vite, typescript, @vitejs/plugin-react) are older than the versions resolved in package-lock.json. For example, vite is ^5.4.8 in package.json but 5.4.21 in the lockfile. This indicates that npm update or a similar command was run, but the package.json file was not updated to reflect the new minimal versions. This can cause confusion and lead to different developers getting different minor/patch versions on a fresh install if the lockfile is ignored or recreated.
| "@types/react": "^18.3.11", | |
| "@types/react-dom": "^18.3.0", | |
| "@vitejs/plugin-react": "^4.3.2", | |
| "typescript": "^5.6.2", | |
| "vite": "^5.4.8" | |
| To synchronize the files, either manually update the versions in `package.json` to match the lockfile (e.g., `"vite": "^5.4.21"`), or use `npm update --save-dev <package-name>` for each dependency to explicitly update the `package.json` file. |
… finding) The mapAlertsToFindings body was built from raw API fields (package name, summary). Now neutralize Markdown control chars + newlines so untrusted text can't break/inject into the rendered GitHub comment.
🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)1 finding(s) (1 security). See the review above for inline details and suggested fixes. |
| function md(s: unknown): string { | ||
| return String(s ?? '').replace(/[`*_~<>[\]|\\]/g, '\\$&').replace(/\r?\n/g, ' '); | ||
| } |
There was a problem hiding this comment.
🔵 Low · 🛡️ Security · CWE-79
Incomplete Markdown Neutralization
The md() function is used to sanitize text from the Dependabot API before it's included in a Markdown comment on GitHub. The function's aim is to prevent Markdown injection by escaping special characters. However, the character set it escapes is incomplete. It misses several characters with special meaning in Markdown, such as parentheses (), hash (#), and exclamation mark (!).
While current usage doesn't appear to create a vulnerability, if future code changes were to place sanitized text inside a different Markdown structure (e.g., inside a link [text](url)), this could lead to injection or broken output. A more comprehensive sanitization provides better defense-in-depth.
| function md(s: unknown): string { | |
| return String(s ?? '').replace(/[`*_~<>[\]|\\]/g, '\\$&').replace(/\r?\n/g, ' '); | |
| } | |
| function md(s: unknown): string { | |
| return String(s ?? '').replace(/[\\`*_{}\[\]()#+-.!~<>|]/g, '\\$&').replace(/\r?\n/g, ' '); | |
| } |
…defense-in-depth) Escape the full GFM special set incl. () # + ! . so sanitized text stays safe even inside other Markdown structures (e.g. links).
🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)0 finding(s) (0 security). See the review above for inline details and suggested fixes. |
There was a problem hiding this comment.
ShipIT Forge review
✅ No blocking issues found. I reviewed the changed files and ran:
- 🛡️ Security checks — SSRF, injection (SQL/command/template), broken auth/authz, hardcoded secrets, unsafe deserialization, path traversal, weak crypto.
- 🔧 Code review — correctness, error handling, missing tests, clarity.
Nothing to flag. This is a comment, not an approval — ShipIT Forge never approves PRs; a human reviewer should approve and merge.
…examples page - monochrome autophocus-style theme + top scroll-progress bar - HeroDemo: types the issue, streams steps live, reveals the opened PR (+ replay) - /flow/:slug pages (fix/review/audit/ci) with auto-playing StepPlayer terminals - /examples page linking to the real PRs/reviews/issues on GitHub - nav routes Examples + Docs; tsc + vite build pass
🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)0 finding(s) (0 security). See the review above for inline details and suggested fixes. |
There was a problem hiding this comment.
ShipIT Forge review
✅ No blocking issues found. I reviewed the changed files and ran:
- 🛡️ Security checks — SSRF, injection (SQL/command/template), broken auth/authz, hardcoded secrets, unsafe deserialization, path traversal, weak crypto.
- 🔧 Code review — correctness, error handling, missing tests, clarity.
Nothing to flag. This is a comment, not an approval — ShipIT Forge never approves PRs; a human reviewer should approve and merge.
A modern, animated marketing + docs site for ShipIT Forge.
.tsx), HashRouter (works on static hosts)./) + Docs (/docs), clean reusable components (Logo, Header/Footer, CodeBlock with copy, Reveal scroll-in)..github/workflows/pages.ymlbuildsweb/and publishes to GitHub Pages on push to main.tsc -b+vite buildboth pass.