fix: audit hardening pass — XSS, crash, drift alert, a11y, CI (v3.0.1)#24
Merged
Merged
Conversation
A correctness/security/tooling pass from a full code audit. No feature changes. - batch.js: HTML-escape provider errors + pasted URLs (stored-input XSS) - library.js: hoist FIT_ORDER to one module const — fixes a ReferenceError in the compare modal's Fit-delta cell; drop the duplicate per-function locals - background.js: read saved_at (not savedAt) so the daily drift alert fires; add the missing .catch on the RERUN path; make the combinator seed immutable; drop two production console.log - format.js: esc() now escapes single quotes (matches the safe-html escaper) - batch.html, stack-tab.html: honour prefers-reduced-motion (loaders pulsed on) - themes.css, website/app/global.css: darken faint text on light themes to AA - manifest.json: explicit content_security_policy; version -> 3.0.1 - eslint.config.js: lint .mjs so the dev driver stops flooding no-undef - ci.yml: npm ci (synced lockfile) + blocking lint + advisory npm audit - package.json / package-lock.json: version -> 3.0.1; regenerate the stale lockfile 733/733 tests pass; eslint 0 errors.
- CHANGELOG: add [3.0.1] — Audit hardening (Fixed / Changed / Notes) - README: v3.0.1 "What's new" block + version badge 3.0.0 -> 3.0.1 - docs/audits: add the 2026-06-15 deep-review report
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A correctness, security, and tooling pass from a full code audit of RepoLens — no feature changes. Ships as v3.0.1 and reconciles the long-standing version drift (manifest
3.0.0vs package.json1.7.0→ both 3.0.1).Fixed
batch.jsrendered provider error messages and pasted URLs straight intoinnerHTML; both are now HTML-escaped (the file imported no escaper at all).library.jsthrewReferenceError: FIT_ORDER is not definedon the Fit-delta cell because the constant was scoped to the wrong function. Hoisted to one module constant; the duplicate locals were removed.savedAt, but the store writessaved_at, so it always counted zero. Field names now match.prefers-reduced-motion.--text-fainton the five light themes (paper, cream, apple, latte, solarized) + the website.Changed / hardened
content_security_policyin the manifest (matches the MV3 default, now auditable).background.js:.catchon the RERUN path (no more stuck spinner); immutable combinator seed; removed two productionconsole.log.format.js:esc()now escapes single quotes (matches the canonicalsafe-htmlescaper).npm install→npm ci(lockfile regenerated + in sync), lint promoted to a blocking gate (was advisory), advisorynpm auditstep added; ESLint now lints.mjsso the dev driver stops floodingno-undef.Docs
[3.0.1] — Audit hardening+ README "What's new" block + version badge.docs/audits/audit-2026-06-15-deep-review.html.Test plan
npm test— 733/733 passingnpm run lint— 0 errors (was 15)prefers-reduced-motion: reduce, confirm the Batch/Stack loaders don't pulseDeferred (own PRs)
Splitting the three monoliths, extracting the provider engine/message router for testability, library-grid virtualization, Playwright E2E, the vitest major bump, and three proposed features — all detailed in the audit report.