fix(security): fix 7 code scanning (CodeQL) alerts #32
Merged
- ci.yml: set minimal permissions (contents: read) for the GITHUB_TOKEN at the workflow level (alerts #1-3)
- remove scripts/download-openapi.ts and the download:spec script: dead code (all endpoints return 404; specs are maintained manually in openapi/spec/) (alert #6)
- remove lib/ (legacy v2 code): not imported, not published in the package (excluded by files) and not runnable (depends on 'when', which is not installed); v2 lives in git history and in nfe-io@2.x on npm (alerts #5, #7, #8)
- update CLAUDE.md and README.md

Refs #31
📋 OpenAPI Spec Validation
✅ All specs validated and types generated successfully
Specs processed:
Generated types available as artifact in
Summary

Closes 7 Code Scanning (CodeQL) alerts — part 1 of 2 of the security plan from #31.

- `permissions: contents: read` at the workflow level in `ci.yml` (least privilege for the `GITHUB_TOKEN`)
- `scripts/download-openapi.ts` — dead code: all 5 endpoints return 404 and the specs are maintained manually in `openapi/spec/`
- `lib/` (legacy v2 code)

Why deleting `lib/` is safe

- Nothing imports from it (src/tests/scripts/examples/configs verified)
- Not published in the package (`files` includes only `dist/`, docs and `skills/`)
- Depends on `when`, which is neither declared in `package.json` nor installed
- v2 lives in `nfe-io@2.x` on npm; the code remains in git history

Details

- `openapi-validation` keeps its own `permissions` block (`pull-requests: write` to comment on PRs) — job-level overrides workflow-level
- `publish.yml` already had explicit permissions — not touched
- `CLAUDE.md` and `README.md` updated (references to the dual codebase and to `download:spec`)

Verification

- `npm run validate:spec` + `npm run generate` — spec pipeline intact
- `npm run typecheck` — no errors
- `npm test -- --run` — 650 tests passing (31 files, 4 skipped)

Refs #31
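The permissions layout the description refers to, as an added illustration rather than the project's actual `ci.yml`: a workflow-level `contents: read` default for the `GITHUB_TOKEN`, and a job-level block on the `openapi-validation` job that adds `pull-requests: write` for the PR comment. The triggers, the `test` job, the Node version and the action versions are assumptions; the npm scripts are the ones named in the verification list above.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

# Workflow-level default (assumed layout): every job receives a GITHUB_TOKEN
# limited to reading repository contents unless it declares its own
# permissions block. No write scope is granted by default.
permissions:
  contents: read

jobs:
  test:
    # Inherits contents: read from the workflow level; this job never needs
    # to write anything through the token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed version
      - run: npm ci
      - run: npm run typecheck
      - run: npm test -- --run

  openapi-validation:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level set for this
    # job: every scope not listed here becomes "none". contents: read is
    # therefore restated rather than relying on the workflow default.
    permissions:
      contents: read
      pull-requests: write   # only needed to post the validation comment on the PR
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed version
      - run: npm ci
      - run: npm run validate:spec
      - run: npm run generate
```

Two points to check when reviewing such a change: first, GitHub Actions treats a job-level `permissions` block as a full replacement, so any scope the job still needs (here `contents: read` for checkout) has to be listed again; second, the write scope stays confined to the one job that comments on PRs, so a compromised step in `test` holds only a read-only token.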