Skip to content

fix warnings#342

Merged
martin-mfg merged 16 commits into
masterfrom
fix-warnings
Jul 12, 2026
Merged

fix warnings#342
martin-mfg merged 16 commits into
masterfrom
fix-warnings

Conversation

@martin-mfg

Copy link
Copy Markdown
Member

No description provided.

@vercel

vercel Bot commented Jul 7, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
github-stats-extended-backend Ready Ready Preview, Comment Jul 12, 2026 11:46am
1 Skipped Deployment
Project Deployment Actions Updated (UTC)
github-stats-extended-frontend Ignored Ignored Jul 12, 2026 11:46am

async (_label, payload) => {
const result = await wakatimeApi({ username: payload });

document.body.innerHTML = result.content;
[param]: payload,
});

document.body.innerHTML = result.content;
async (_label, payload) => {
const result = await gistApi({ id: payload });

document.body.innerHTML = result.content;
[param]: payload,
});

document.body.innerHTML = result.content;
async (_label, payload) => {
const result = await pinApi({ repo: payload });

document.body.innerHTML = result.content;
async (_label, payload) => {
const result = await topLangsApi({ username: payload });

document.body.innerHTML = result.content;
[param]: payload,
});

document.body.innerHTML = result.content;
async (_label, payload) => {
const result = await statsApi({ username: payload });

document.body.innerHTML = result.content;
[param]: payload,
});

document.body.innerHTML = result.content;
Comment thread packages/core/src/common/render.ts Outdated
@martin-mfg

martin-mfg commented Jul 8, 2026

Copy link
Copy Markdown
Member Author

The errors currently reported by the "Backend E2E test" pipeline are expected and not a problem. Mainly we encode ' now, whereas https://github-stats-extended-preview.vercel.app/ doesn't, so the pipeline detects a change.

As far as I can tell, all the CodeQL problems reported here are false positives. They complain about color inputs, but we verify them via isValidHexColor. They complain about about strings which go through encodeHTML. And they complain about the code in xss.test.js, but these are tests.

@martin-mfg martin-mfg requested a review from marcalexiei July 11, 2026 09:33

@marcalexiei marcalexiei left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've opened #355 with a few follow-up refinements to the color validation

- Related to #342

## fix(top-languages): default color when a language has no color

GitHub's `Language.color` is nullable, so a language can reach the card
with `color: null`.

The `compact`, `pie`, `donut`, and `donut-vertical` layouts validated
the raw color and threw on `null`,
turning a normal request into a "Something went wrong" error card
(previously such languages rendered gray).

## refactor(core): restructure color validation

Cleans up `common/color.ts` (no behavior change for valid inputs):

- Split the `isValidHexColor(x, numberSignPrefix)` into `isBareHexColor`
/ `isPrefixedHexColor`.
- Moved the hex regex to a module constant (was rebuilt on every call in
render loops).
- Gradient angle now validated with `Number.isFinite` (rejects
`Infinity`)
- Reworked `color.test.ts` for the two predicates + non-finite-angle
cases.
martin-mfg pushed a commit that referenced this pull request Jul 12, 2026
…tern (#356)

- Related to #342 

`stats` and `pin` already reject `username`/`repo`/`owner` that don't
match `safePattern` (`/^[-\w/.,]+$/`), but `top-langs`, `wakatime`, and
`gist` didn't.

This applies the same guard:

- `top-langs` + `wakatime`: reject a `username` containing unsafe
characters.
Matters most for `wakatime`, where `username` is interpolated into the
outbound request URL path.
- `gist`: same guard on its `id` param.

All three return the existing `error - permanent` card before any fetch.

## Additional change

Simplified the `layout` / `stats_format` checks in `top-langs`: 
dropped the redundant `typeof x !== "string" ||` (a non-string already
fails `.includes(...)`),
keeping the `x !== undefined` guard so the params stay optional.
@martin-mfg martin-mfg merged commit 4ccec46 into master Jul 12, 2026
10 of 12 checks passed
@martin-mfg martin-mfg deleted the fix-warnings branch July 12, 2026 17:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants