A newly published moderate XSS advisory landed against `ip-address`'s `Address6` HTML-emitting methods (the helpers that produce HTML representations of IPv6 addresses). Affected versions are `<=10.1.0`; fixed upstream in `10.2.0`. In our tree it is reached as `sqlite3 > node-gyp > make-fetch-happen > socks-proxy-agent > socks > ip-address`, so it's a build-time chain (sqlite3 native compilation) rather than runtime; the practical risk surface is limited. The override is still worth taking because the fix is a same-major patch and the override is mechanical.
`assertNoOTCInEmailContent` in `send-magic-link.test.js` uses `/\d{6}/`
to verify no one-time code appears in the email, but `mail.text` and the
rendered HTML text both contain the magic-link URL — and the URL's
random token can incidentally contain six consecutive digits,
false-positiving the assertion.
The fix strips `http(s)://...` URLs from the scanned text before
applying the regex. Subject is left alone since URLs don't appear there.
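An added example of the assertion described in this commit, not the project's own test code: a naive `/\d{6}/` scan over the raw email text beside one that strips `http(s)://` URLs first. The sample mail objects, the `stripTags` helper and the function names are constructed for illustration.

```javascript
// Added example (not Ghost's test code): why a bare /\d{6}/ scan over magic-link
// email text can false-positive, and the fix of dropping http(s):// URLs first.

const URL_RE = /https?:\/\/\S+/g; // any http(s) URL up to the next whitespace
const OTC_RE = /\d{6}/;           // six consecutive digits, the OTC shape

// Naive check: scans the raw text. A random link token can incidentally
// contain six consecutive digits and trip this even when no OTC was sent.
function containsOTCNaive(text) {
  return OTC_RE.test(text);
}

// Fixed check: remove URLs before looking for a six-digit run, so the
// token inside the magic link cannot masquerade as a one-time code.
function containsOTCStrippingUrls(text) {
  return OTC_RE.test(text.replace(URL_RE, ''));
}

// Crude tag stripper standing in for "the rendered HTML text" (constructed helper).
function stripTags(html) {
  return html.replace(/<[^>]*>/g, ' ');
}

// Scan subject, plain text and rendered HTML text with the given check.
function emailLeaksOTC(mail, check) {
  return [mail.subject, mail.text, stripTags(mail.html)].some(check);
}

// Constructed sample: the link token contains "734251" but the mail carries no OTC.
const mailWithoutOTC = {
  subject: 'Sign in to Example',
  text: 'Click to sign in: https://example.com/members/?token=a9b734251c0f&action=signin',
  html: '<p>Click to <a href="https://example.com/members/?token=a9b734251c0f&action=signin">sign in</a></p>',
};

// Constructed sample where a one-time code really is present and must be caught.
const mailWithOTC = {
  subject: 'Your sign-in code',
  text: 'Your one-time code is 482913. Or click https://example.com/members/?token=abc',
  html: '<p>Your one-time code is 482913.</p>',
};
```

With the first sample, `emailLeaksOTC(mailWithoutOTC, containsOTCNaive)` reports a leak purely because of the token, while the URL-stripping check does not; both checks still flag the second sample, so the assertion keeps its teeth.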
The `{{#get}}` and `{{#recommendations}}` "timeout threshold" tests
asserted that the helper's `setTimeout(threshold=1ms)` fires before the
API stub's `setTimeout(5ms)`. That's a Node scheduler race, not a
behavior assertion.
Switch each test to `sinon.useFakeTimers({toFake: ['setTimeout',
'clearTimeout']})`, kick off the helper, then `clock.tickAsync(2)` —
fires the 1ms threshold timer but not the 5ms stub timer, so the timeout
branch wins deterministically.
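An added example of the technique this commit describes, not the project's test code and not sinon itself: a minimal fake clock standing in for `sinon.useFakeTimers({toFake: ['setTimeout', 'clearTimeout']})`, with constructed stand-ins for the 5ms API stub and a `{{#get}}`-style helper that races the API call against a threshold timer. `FakeClock`, `makeSlowApi`, `fetchWithThreshold` and `runTimeoutScenario` are all assumed names for illustration.

```javascript
// Added example (not Ghost's code, not sinon): a tiny fake clock showing why
// tickAsync(2) fires the 1ms threshold timer but not the 5ms stub timer,
// so the timeout branch is chosen by the clock rather than by a scheduler race.

class FakeClock {
  constructor() {
    this.now = 0;
    this.timers = new Map();
    this.nextId = 1;
  }

  setTimeout(fn, delayMs) {
    const id = this.nextId++;
    this.timers.set(id, { id, fn, at: this.now + delayMs });
    return id;
  }

  clearTimeout(id) {
    this.timers.delete(id);
  }

  // Advance the clock by `ms`, firing due timers in order and draining the
  // microtask queue after each so promise chains settle (what tickAsync does).
  async tickAsync(ms) {
    const end = this.now + ms;
    for (;;) {
      const due = [...this.timers.values()]
        .filter((t) => t.at <= end)
        .sort((a, b) => a.at - b.at || a.id - b.id)[0];
      if (!due) break;
      this.timers.delete(due.id);
      this.now = due.at;
      due.fn();
      await flushMicrotasks();
    }
    this.now = end;
    await flushMicrotasks();
  }
}

async function flushMicrotasks() {
  for (let i = 0; i < 5; i++) await Promise.resolve();
}

// Stand-in for the API stub: resolves after 5ms on the fake clock (constructed).
function makeSlowApi(clock, delayMs = 5) {
  return () =>
    new Promise((resolve) => clock.setTimeout(() => resolve({ posts: ['real'] }), delayMs));
}

// Stand-in for the helper: whichever of the threshold timer or the API
// call settles first decides the outcome (constructed).
function fetchWithThreshold(api, clock, thresholdMs) {
  return new Promise((resolve) => {
    const timer = clock.setTimeout(() => resolve({ timedOut: true }), thresholdMs);
    api().then((result) => {
      clock.clearTimeout(timer);
      resolve({ timedOut: false, result });
    });
  });
}

// Returns the settled outcome after advancing the fake clock by tickMs,
// or null if neither branch has fired yet. No real time elapses.
async function runTimeoutScenario(thresholdMs, tickMs) {
  const clock = new FakeClock();
  let outcome = null;
  fetchWithThreshold(makeSlowApi(clock), clock, thresholdMs).then((r) => { outcome = r; });
  await clock.tickAsync(tickMs);
  return outcome;
}
```

`runTimeoutScenario(1, 2)` always yields the timeout branch, `runTimeoutScenario(10, 6)` always yields the API result, and `runTimeoutScenario(1, 0)` yields nothing settled, regardless of how busy the host is; with real timers the 1ms versus 5ms ordering is only probably right.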
This is a small adjustment for (what is currently) the posts, stats, and admin-x-settings. We've observed some occasional flakiness that seems to be from crossing boundaries, and moving to forks is going to be a slight perf hit, but given these are otherwise speedy unit tests with a limited app scope, it seems fine for now. Switch the shared `createVitestConfig` from Vitest's default `threads` pool to `forks`. Forks runs each worker as a separate child process, giving stronger isolation than threads (which run in separate V8 isolates but still share the Node process, and therefore process-scoped state).