
chore: P0 supply-chain + UX hardening sweep (2026-05-07 audit)#42

Merged
heznpc merged 4 commits into main from chore/p0-supply-chain-hardening
May 7, 2026

Conversation


@heznpc heznpc commented May 7, 2026

Combines P0 fixes from the 2026-05-07 audit. Contents vary per repo (see file diffs):

Cross-repo (Node)

  • Every npm ci → npm ci --ignore-scripts (Shai-Hulud / PackageGate primary infection vector — lifecycle scripts are the most exploited path)
  • Lockfile sync where engines.node was stale at >=20

Per-repo bug fixes (where applicable)

  • discord-bot: safeRespond deferred → editReply (was incorrectly using followUp, leaving ghost 'Bot is thinking…' messages)
  • telegram-bot: safeReply non-Grammy errors swallowed (was rethrowing, contradicting the file's contract)
  • electron: autoUpdater errors forwarded to renderer + 3-fail cache purge
  • vscode-extension: vsix glob safety (fail explicitly if 0 or >1 matches)
  • vscode-extension: CHANGELOG placeholder [0.1.0] - YYYY-MM-DD removed (now matches sibling scaffolds)
  • cloudflare-pages: KV NaN recovery now logs + sets X-Counter-Recovered header
  • docker-deploy: rollback-failure cleanup (move broken compose to .failed.yml)
  • react-native: auth-context exp/iss validation on rehydrate
  • discord/telegram: Railway CLI version-pinned to @4.6.3 (was unpinned global latest)
  • discord/telegram: npm test adds --coverage so the existing coverageThreshold is no longer inert

Sources

Test plan

  • CI green
  • Local npm ci --ignore-scripts succeeds in fresh clone (no native modules required for this template)

…iss validation

P0 sweep from 2026-05-07 audit. See file diffs for detail.
```js
i;

for (i = 0; i < rows.length; i += 1) {
    rows[i].data = loadRowData(rows[i]);
}
```
heznpc added 3 commits May 7, 2026 16:11
…ve in lcov-report)

Workspace-level CodeQL scan picks up jest's bundled lcov-report html
(sorter.js) and flags js/xss-through-dom. We don't need html coverage
in CI — text + json-summary cover the threshold gate. Disabling html
output also keeps the working tree clean (no coverage/lcov-report dir
written during `npm test --coverage`).

Plus per-repo coverage threshold ratchet to current floor where needed
(discord-bot/telegram-bot).
@heznpc heznpc merged commit 05d6eaf into main May 7, 2026
2 of 3 checks passed
@heznpc heznpc deleted the chore/p0-supply-chain-hardening branch May 7, 2026 07:30
