chore: add ESLint, CodeQL, and npm audit to CI#180
Open
jakebromberg wants to merge 4 commits into main from
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
Deploying wxyc-dj:

| Latest commit: | 1e45da0 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://22327451.dj-site.pages.dev |
| Branch Preview URL: | https://chore-static-analysis.dj-site.pages.dev |
added 4 commits (February 27, 2026 14:20):
Set up ESLint with eslint-config-next (core-web-vitals + typescript), CodeQL for security scanning, and npm audit for dependency vulnerabilities. Fix all lint violations across the codebase.

- Add eslint.config.mjs with flat config format
- Add CI workflow with lint, typecheck, and audit steps
- Add CodeQL workflow with weekly scheduled scans
- Fix ~200 lint violations (unused vars/imports, console.log, unescaped entities, missing alt text, exhaustive-deps, etc.)
- Add eslint-disable comments for SDK-related any casts
- Disable React Compiler rules pending adoption
Run npm audit fix to update transitive dependencies:

- minimatch 3.1.2 -> 3.1.5, 8.0.4 -> 8.0.7, 9.0.5 -> 9.0.8 (ReDoS)
- rollup 4.57.1 -> 4.59.0 (path traversal)
- fast-xml-parser 5.3.4 -> 5.3.6 via @aws-sdk/xml-builder (DoS, entity bypass)
- ajv 6.12.6 -> 6.14.0 (ReDoS)

Remaining 9 vulnerabilities are low/moderate with no non-breaking fix.
The @wxyc/shared package is hosted on GitHub Packages, which requires authentication. Add registry-url and NPM_TOKEN env vars to the CI workflow, matching the pattern used in PR #224.
- Replace `Function` type with explicit parameter types in rightbar test
- Replace `any` with typed parameters in organization-utils.ts
- Replace `any` cast with typed object in conversions.ts default case
- Fix `play_freq` -> `rotation_bin` rename in BinContent test
- Fix `SearchIn` value "Both" -> "All" in catalogSearchQuery test
- Fix mock return types to match async signatures in test files
- Add required fields to mock objects for type compatibility
Closes #238
Summary
- `eslint-config-next` (core-web-vitals + typescript presets) via flat config (`eslint.config.mjs`)
- CI workflow (`.github/workflows/ci.yml`) with lint, typecheck, and `npm audit --audit-level=high` steps
- CodeQL workflow (`.github/workflows/codeql.yml`) with `security-extended` queries and weekly scheduled scans
- Lint violations fixed (`console.log`, unescaped entities, missing alt text, exhaustive-deps, `no-explicit-any` suppressions for SDK types, etc.)
- `npm run lint` / `npm run lint:fix` scripts
- `npm audit` finding (`@isaacs/brace-expansion`)

Notable decisions

- `react-hooks` v7 (shipped with `eslint-config-next` 16) includes new rules (`set-state-in-effect`, `refs`, `purity`, `preserve-manual-memoization`) that are too strict for the current codebase. Disabled until React Compiler is adopted.
- `no-explicit-any` suppressed for SDK types: ~49 instances where `any` is required due to better-auth SDK missing types, RTK Query untyped backend responses, and vendor-prefixed browser APIs. Each has a justification comment.
- `@next/next/no-img-element` suppressed for external image URLs (album art from Discogs/iTunes/Last.fm) where `next/image` remote patterns aren't practical.

Test plan

- `npx eslint .` -- 0 errors, 0 warnings
- `npm run build` -- passes
- `npm audit --audit-level=high` -- exit code 0
- `npm run test:run` -- pre-existing failures only (unchanged)
- `npx tsc --noEmit` -- pre-existing failures only (unchanged)