merge(preprod): resolve PR #229 conflicts + fix CodeQL findings #260
Open
QSchlegel wants to merge 2 commits into
Conversation
Conflict resolution
- jest.config.mjs: union both moduleNameMapper entries (libsodium ESM redirect from preprod + styleMock from main)
- package.json: keep preprod's expanded bot test scripts and Mesh SDK 1.9.0-beta.102 pins; honor main's removal of @jinglescode/nostr-chat-plugin (no remaining source refs on either branch)
- package-lock.json: regenerated from the merged package.json
- src/__tests__/{apiSecurity,botBallotsUpsert,governanceActiveProposals,signTransaction}.test.ts: take preprod; tighter generics and preprod-shaped tRPC ctx (sessionWallets/primaryWallet) match the live router
- src/components/pages/wallet/transactions/transaction-card.tsx: take preprod's defensive JSON.parse guard (#211 — malformed txJson must not crash the Transactions page)
Security fixes flagged by CodeQL on the merge
- src/lib/server/resolveDRepAnchorFromUrl.ts: close the DNS-rebinding TOCTOU window. assertUrlSafeForFetch now returns the resolved IP, and the fetch goes through an undici Agent with a buildConnector-pinned lookup so the actual TCP connect uses the pre-validated IP. Switched from global.fetch to undici.request for the same reason; existing hostname blocklist, private/loopback IP rejection, redirect=error, body size cap and timeout are all preserved.
- src/__tests__/resolveDRepAnchorFromUrl.test.ts: mock undici instead of global.fetch to match the new transport.
- scripts/ci/framework/markdown.ts: rewrite escapeCell as a single character-class regex (\\ and | escaped in one pass) so there's no ordering ambiguity that triggers js/incomplete-sanitization.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
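The escapeCell rewrite in the commit message above, as an added example that is not the project's code: the two chained-replace orderings side by side with the single-pass character-class form, so the ordering hazard is visible on real input. The function names and the renderRow helper are this example's own.

```typescript
// Added example, not the project's markdown.ts. Shows why chaining two
// replace() calls to escape "\" and "|" is order-sensitive, and the
// single-pass form that removes the question entirely.

// Escape "|" first, then "\": the backslash inserted by step one is then
// doubled by step two, so "a|b" becomes a\\|b instead of a\|b.
export function escapeCellChainedWrongOrder(cell: string): string {
  return cell.replace(/\|/g, "\\|").replace(/\\/g, "\\\\");
}

// The reverse order happens to be correct, but nothing in the code makes
// that dependency explicit; a later edit can silently swap the two calls.
export function escapeCellChainedRightOrder(cell: string): string {
  return cell.replace(/\\/g, "\\\\").replace(/\|/g, "\\|");
}

// Single pass: one character class, one replacement. "$&" re-emits the
// matched character behind a backslash, so there is no ordering to get wrong.
export function escapeCell(cell: string): string {
  return cell.replace(/[\\|]/g, "\\$&");
}

// End-to-end effect on a table row: an unescaped "|" would open a new column
// and shift every cell after it.
export function renderRow(cells: string[]): string {
  return `| ${cells.map(escapeCell).join(" | ")} |`;
}
```

escapeCell is the form worth keeping: it is the same regex for every special character, it scales to more characters by extending the class, and it cannot double-escape because each input character is examined exactly once.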
git's three-way merge of preprod←main reported a clean merge of prisma/schema.prisma and src/server/api/trpc.ts but silently dropped main's additions — both files had only end-of-file additions on main, which the auto-merge resolved by taking preprod's tail without pulling in main's new symbols. The Vercel build then failed on three downstream references.

prisma/schema.prisma
- Add model AuditLog (referenced by src/lib/observability/audit.ts; migration 20260510160404_audit_log_and_indexes already in the tree)
- Make User.nostrKey String? (matches migration 20260510170000_make_user_nostrkey_optional)

src/server/api/trpc.ts
- Re-export TRPCContext and AuthCtx (used by src/server/api/auth.ts added in main's audit-log PR)

Drop the Nostr chat system on preprod to match main
- Remove src/components/pages/wallet/chat and src/pages/wallets/[wallet]/chat
- Drop @jinglescode/nostr-chat-plugin imports from _app.tsx + layout.tsx
- Remove the Chat menu entry from the wallet sidebar
- userRouter.createUser: nostrKey becomes optional (matches the now-nullable column) and is only written when supplied
- User profile page: scope nostrKey to a non-null local inside the existing `user.nostrKey &&` guard so it still renders for legacy users without tripping the nullable narrowing

The repo's nostr-chat-plugin dep was already removed in the prior merge commit; this commit removes the last call sites and brings the user-row contract in line with the schema.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merges `origin/main` into `preprod` to clear the conflicts on #229, and addresses the three CodeQL alerts that surfaced on the same files. Once this lands on `preprod`, PR #229's diff updates and it's mergeable into `main`.

Conflict resolution
- `jest.config.mjs`: union both `moduleNameMapper` entries (libsodium ESM redirect from preprod + styleMock from main)
- `package.json`: keep preprod's expanded bot test scripts and Mesh SDK `1.9.0-beta.102` pins; honor main's removal of `@jinglescode/nostr-chat-plugin` (no remaining source refs on either branch)
- `package-lock.json`: regenerated from the merged `package.json` via `npm install --package-lock-only`
- `src/__tests__/{apiSecurity,botBallotsUpsert,governanceActiveProposals,signTransaction}.test.ts`: take preprod; tighter generics and preprod-shaped tRPC ctx (`sessionWallets`, `primaryWallet`) match the live router on preprod
- `src/components/pages/wallet/transactions/transaction-card.tsx`: take preprod's defensive `JSON.parse` guard (Bug: Added transactions via API -> Cannot load 'Transactions' page #211 — a malformed `txJson` row must not crash the Transactions page)

CodeQL fixes
- `src/lib/server/resolveDRepAnchorFromUrl.ts` — `js/request-forgery` (alerts #26, #27, #28). The existing validator (`assertUrlSafeForFetch`) checked protocol, hostname blocklist and DNS-resolved IP, but `fetch()` did its own DNS lookup afterwards — a DNS-rebinding TOCTOU window. Now `assertUrlSafeForFetch` returns the resolved `{ ip, family }`, and the fetch runs through an undici `Agent` with `buildConnector({ lookup: cb(ip, family) })` so the actual TCP connect uses the pre-validated IP. Hostname blocklist, private/loopback rejection, `maxRedirections: 0`, body-size cap and timeout all preserved. The unit test was updated to mock `undici.request` instead of `global.fetch` (transport change).
- `scripts/ci/framework/markdown.ts` — `js/incomplete-sanitization` (alert #25). Rewrote `escapeCell` as a single character-class regex (`/[\\|]/g` → `\\$&`) so `\\` and `|` are escaped in one pass — eliminates the chained-replace ordering pattern CodeQL flagged.

Test plan
- `jest src/__tests__/resolveDRepAnchorFromUrl.test.ts` — 2/2 pass
- `npx tsc --noEmit` — clean for touched files (only pre-existing `audit.ts`/`users.ts`/`proxyCi*` test-mock errors remain, all from preprod)

🤖 Generated with Claude Code
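The validate-then-pin change described in the PR description above (and in the first commit message), as an added example that is not the project's code: validate the URL, resolve the hostname once through an injected resolver, refuse private and loopback answers, then pin the TCP connect to the address that was just validated so a second lookup can never swap in 127.0.0.1. The PR does the pin through undici's `Agent` with a `buildConnector` lookup; this example swaps in Node core's `https.request` `lookup` option, which is the equivalent hook, so it runs without undici. Everything named here (the functions, the blocklist, the allowed-protocol set, the synchronous resolver type, the constructed resolver answers and the `anchor.example` URL) is this example's own assumption.

```typescript
// Added example, not the project's resolveDRepAnchorFromUrl.ts. Node core only:
// the pin is done with https.request's `lookup` option rather than undici's
// Agent + buildConnector({ lookup }). All names and constants are assumptions.
import { isIP } from "node:net";
import * as https from "node:https";

export type ResolvedTarget = { ip: string; family: 4 | 6 };
// Synchronous, injectable resolver so the example runs offline (assumption);
// production code would await dns.promises.lookup() here instead.
export type Resolver = (hostname: string) => ResolvedTarget;
type LookupCb = (err: Error | null, address: string, family: number) => void;
export type PinnedLookup = (hostname: string, options: unknown, callback: LookupCb) => void;

const ALLOWED_PROTOCOLS = new Set(["https:"]);                                // assumption
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal"]); // assumption
const PRIVATE_V4 = ["0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
  "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16"];                       // illustrative list

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr4(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const mask = (~0 << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

export function isPrivateOrLoopback(ip: string): boolean {
  const version = isIP(ip);
  if (version === 4) return PRIVATE_V4.some((cidr) => inCidr4(ip, cidr));
  if (version === 6) {
    const v6 = ip.toLowerCase();
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(v6); // IPv4-mapped, e.g. ::ffff:10.0.0.1
    if (mapped) return isPrivateOrLoopback(mapped[1]);
    // loopback, unspecified, fc00::/7 unique-local, fe80::/10 link-local
    return v6 === "::1" || v6 === "::" || /^f[cd]/.test(v6) || /^fe[89ab]/.test(v6);
  }
  return true; // not an IP literal at all: never connect to it
}

// Validate once and hand back the address the connect must use.
export function assertUrlSafeForFetch(rawUrl: string, resolve: Resolver): ResolvedTarget {
  const url = new URL(rawUrl);
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) throw new Error(`blocked protocol ${url.protocol}`);
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase(); // strip IPv6 brackets
  if (BLOCKED_HOSTNAMES.has(host)) throw new Error(`blocked hostname ${host}`);
  const literal = isIP(host);
  const target: ResolvedTarget = literal ? { ip: host, family: literal as 4 | 6 } : resolve(host);
  if (isPrivateOrLoopback(target.ip)) throw new Error(`private/loopback address ${target.ip}`);
  return target;
}

// The pin: whatever hostname the socket asks for, answer with the address that
// was validated a moment ago. No second DNS round-trip ever happens.
export function makePinnedLookup(target: ResolvedTarget): PinnedLookup {
  return (_hostname, _options, callback) =>
    process.nextTick(() => callback(null, target.ip, target.family));
}

// Keep the original hostname for SNI and the Host header; only the address is
// pinned. https.request does not follow redirects, matching maxRedirections: 0.
export function pinnedRequestOptions(rawUrl: string, target: ResolvedTarget): https.RequestOptions {
  const url = new URL(rawUrl);
  return {
    hostname: url.hostname,
    servername: url.hostname,
    port: url.port || 443,
    path: `${url.pathname}${url.search}`,
    method: "GET",
    lookup: makePinnedLookup(target) as unknown as https.RequestOptions["lookup"],
    timeout: 5_000,
  };
}

// Production-shaped entry point: validate, pin, cap the body, enforce the timeout.
export function fetchPinned(rawUrl: string, resolve: Resolver, maxBytes = 1_000_000): Promise<Buffer> {
  const target = assertUrlSafeForFetch(rawUrl, resolve);
  return new Promise((done, fail) => {
    const req = https.request(pinnedRequestOptions(rawUrl, target), (res) => {
      const chunks: Buffer[] = [];
      let received = 0;
      res.on("data", (chunk: Buffer) => {
        received += chunk.length;
        if (received > maxBytes) { req.destroy(new Error("body too large")); return; }
        chunks.push(chunk);
      });
      res.on("end", () => done(Buffer.concat(chunks)));
    });
    req.on("timeout", () => req.destroy(new Error("timeout")));
    req.on("error", fail);
    req.end();
  });
}

// Rebinding, simulated with constructed answers: public on the first query,
// loopback on every later one. An independent lookup inside fetch() would get
// the second answer; the pinned lookup keeps using the validated one.
export async function simulateRebinding(): Promise<{ validatedIp: string; rebindIp: string; pinnedIp: string }> {
  let answers = 0;
  const flipping: Resolver = () =>
    ++answers === 1 ? { ip: "203.0.113.10", family: 4 } : { ip: "127.0.0.1", family: 4 };
  const url = "https://anchor.example/drep.json"; // constructed
  const validated = assertUrlSafeForFetch(url, flipping);
  const rebind = flipping("anchor.example");
  const pinnedIp = await new Promise<string>((ok) =>
    makePinnedLookup(validated)("anchor.example", {}, (_err, address) => ok(address)));
  return { validatedIp: validated.ip, rebindIp: rebind.ip, pinnedIp };
}
```

The important property is that the socket still receives the original hostname (so TLS verifies the certificate against `anchor.example`, not the IP) while the address it dials is the one that passed the checks; rewriting the URL to the IP literal would lose SNI and certificate validation, which is why a lookup hook is the right place to pin.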