fix(security): clear vibecoder semgrep blockers#4
Walkthrough: The changes convert error and warning logging across multiple files from formatted strings to a structured logging format with message and payload objects, and update an example environment variable placeholder.
Pull request overview
This PR addresses Semgrep security-scan blockers by removing dynamic console format strings and sanitizing the example Supabase anon key in the environment template, aiming to keep runtime behavior unchanged while clearing CI security gates.
Changes:
- Replaced template-string console logs with constant messages plus structured metadata objects.
- Updated env.example to use a neutral placeholder for EXPO_PUBLIC_SUPABASE_ANON_KEY.
- Adjusted error logging in storage/error-boundary/store init paths to match the new logging pattern.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| utils/storage.ts | Converts storage error log to constant message + metadata object. |
| components/ui/SectionErrorBoundary.tsx | Converts section error boundary log to constant message + metadata object. |
| app/_layout.tsx | Converts store initialization warning to constant message + metadata object (dev-only). |
| env.example | Replaces JWT-shaped example anon key with a placeholder value. |
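The logging change the overview describes, written out as an added example that is not code from the PR or from the project: the log message is a constant string (the shape a Semgrep dynamic-format-string check accepts) and everything variable rides in a metadata object. It goes one step beyond the PR by normalizing the thrown value first, because `Error` fields are non-enumerable and vanish under `JSON.stringify`, and because storage APIs can throw non-`Error` values. `handleStorageError` echoes the function name used in the review, but its body here, `logEvent`, `serializeError`, the `LogRecord` shape and the injectable sink are all assumptions for this example, not the project's identifiers.

```typescript
// Added example, not the project's own code. Names below are assumptions.

interface SerializedError {
  name: string;
  message: string;
  stack?: string;
}

// Error objects JSON.stringify to "{}" because name/message/stack are
// non-enumerable, so a structured logger must copy them into plain fields.
function serializeError(err: unknown): SerializedError {
  if (err instanceof Error) {
    return { name: err.name, message: err.message, stack: err.stack };
  }
  // Storage and third-party code can throw strings or plain objects; keep them.
  return { name: "NonError", message: String(err) };
}

interface LogRecord {
  level: "error" | "warn";
  message: string; // always a string literal at the call site, never interpolated
  meta: Record<string, unknown>;
}

// The sink is injectable so a test can capture records instead of reading stdout.
type LogSink = (record: LogRecord) => void;

const consoleSink: LogSink = (r) =>
  (r.level === "error" ? console.error : console.warn)(r.message, r.meta);

function logEvent(
  level: LogRecord["level"],
  message: string,
  meta: Record<string, unknown>,
  sink: LogSink = consoleSink,
): LogRecord {
  const record: LogRecord = { level, message, meta };
  sink(record);
  return record;
}

// Constant message + structured payload, as in the PR, plus the reviewer's
// request to keep the stack. `operation` is data in the payload, not part of
// the message, so the scanner sees a literal first argument.
function handleStorageError(
  operation: string,
  err: unknown,
  sink: LogSink = consoleSink,
): LogRecord {
  return logEvent(
    "error",
    "[Storage] operation failed",
    { operation, error: serializeError(err) },
    sink,
  );
}
```

The first argument to `console.error` is the only thing the format-string check inspects; moving `operation` into the object satisfies it without losing the information. Serializing the error explicitly is what keeps the stack intact if these payloads are ever forwarded to a remote sink as JSON.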
| console.error(`[Storage] ${operation} failed:`, err.message); | ||
| console.error("[Storage] operation failed", { | ||
| operation, | ||
| message: err.message, |
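Review bot: with `operation` moved out of the message and into the payload object, anything that consumes only the first `console.error` argument (a crash-reporter breadcrumb or a log forwarder that records the message string) will now see the same "[Storage] operation failed" for every failure; confirm those consumers capture the second argument, or the change trades a Semgrep finding for logs that no longer say which operation failed.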
handleStorageError now logs only err.message inside an object. To make these errors actionable (and consistent with other error logs in the app), include the actual Error object (or at least stack) in the metadata so stack traces aren’t lost during debugging, while keeping the log message constant for semgrep.
| message: err.message, | |
| message: err.message, | |
| error: err, | |
| stack: err.stack, |
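Review bot: the suggested payload carries the stack twice, since `error: err` already holds `name`, `message` and `stack`, and `message: err.message` duplicates it a third time; one of `error: err` or the explicit `stack: err.stack` is enough. If the payload is ever JSON-serialized for a remote sink, prefer the explicit fields: an `Error` object serializes to `{}` because its properties are non-enumerable.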
| @@ -5,4 +5,4 @@ | |||
|
|
|||
| # Supabase Configuration (Frankfurt - eu-central-1) | |||
| EXPO_PUBLIC_SUPABASE_URL=https://shchfellocvnhrhhtiui.supabase.co | |||
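Review bot: replacing the anon key in env.example does not remove it from git history, so if the previous value was a real key for the project whose ref appears in EXPO_PUBLIC_SUPABASE_URL, rotate it in the Supabase dashboard rather than relying on the placeholder alone; the retained project URL in this hunk is what makes the old key directly usable to anyone who reads the history.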
env.example now uses a placeholder anon key, but the Supabase URL is still a specific project URL. Since anon keys are project-specific, leaving a real URL here is misleading (copy/paste will fail unless the user also changes the URL) and may unintentionally point people at a real project. Consider replacing the URL with a neutral placeholder to match the key.
| EXPO_PUBLIC_SUPABASE_URL=https://shchfellocvnhrhhtiui.supabase.co | |
| EXPO_PUBLIC_SUPABASE_URL=https://your-project-ref.supabase.co |