From e181ea476df7cb6cc7091e922109823b633e9468 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Fri, 12 Dec 2025 17:26:46 -0500 Subject: [PATCH 01/64] Add workflow for Node.js package testing and publishing This workflow runs tests and publishes a Node.js package to GitHub Packages upon release creation. --- .github/workflows/npm-publish.yml | 33 +++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/npm-publish.yml diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml new file mode 100644 index 00000000000000..2a4766d38913ea --- /dev/null +++ b/.github/workflows/npm-publish.yml @@ -0,0 +1,33 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + - run: npm ci + - run: npm test + + publish-npm: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + registry-url: https://registry.npmjs.org/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.npm_token}} From 6e013a2c1bb7f87ced42f2ee97e624f2ec81aac7 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Fri, 12 Dec 2025 17:27:05 -0500 Subject: [PATCH 02/64] Add GitHub Actions workflow for NodeJS with Webpack --- .github/workflows/webpack.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/webpack.yml diff --git a/.github/workflows/webpack.yml b/.github/workflows/webpack.yml new file mode 100644 index 00000000000000..9626ff6d358970 --- /dev/null +++ b/.github/workflows/webpack.yml @@ -0,0 +1,28 @@ +name: NodeJS with Webpack + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] + + steps: + - uses: actions/checkout@v4 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + npx webpack From b0915ae2e01d7ab64d73427f076e10f56c746f8c Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Fri, 12 Dec 2025 17:27:18 -0500 Subject: [PATCH 03/64] Add Deno CI workflow for linting and testing This workflow installs Deno, runs linting, and executes tests on push and pull request events to the main branch. --- .github/workflows/deno.yml | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/deno.yml diff --git a/.github/workflows/deno.yml b/.github/workflows/deno.yml new file mode 100644 index 00000000000000..782af35b427d86 --- /dev/null +++ b/.github/workflows/deno.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will install Deno then run `deno lint` and `deno test`. +# For more information see: https://github.com/denoland/setup-deno + +name: Deno + +on: + push: + branches: ["main"] + pull_request: + branches: ["main"] + +permissions: + contents: read + +jobs: + test: + runs-on: ubuntu-latest + + steps: + - name: Setup repo + uses: actions/checkout@v4 + + - name: Setup Deno + # uses: denoland/setup-deno@v1 + uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2 + with: + deno-version: v1.x + + # Uncomment this step to verify the use of 'deno fmt' on each commit. + # - name: Verify formatting + # run: deno fmt --check + + - name: Run linter + run: deno lint + + - name: Run tests + run: deno test -A From 4a195d6cb22a17c362446fb801c2b6382c6eaf9e Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Fri, 12 Dec 2025 17:27:42 -0500 Subject: [PATCH 04/64] Add devcontainer configuration file --- .devcontainer/devcontainer.json | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .devcontainer/devcontainer.json diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 00000000000000..39bbd2681d703a --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,4 @@ +{ + "image": "mcr.microsoft.com/devcontainers/universal:2", + "features": {} +} From 2bb49c1c098efcdb7cb4b61fdd9c730503f54cde Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:40:45 -0500 Subject: [PATCH 05/64] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000000..034e848032092e --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 9d4809c34714efd6e74e99f32835f32b6c00ec95 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:43:21 -0500 Subject: [PATCH 06/64] Create codeql.yml --- .github/workflows/codeql.yml | 101 +++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000000000..6ce3f177e7be11 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,101 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '43 22 * * 6' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: javascript-typescript + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - name: Run manual build steps + if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{matrix.language}}" From cbbe0324a0b399d03dd0783e70a3366270540988 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:45:43 -0500 Subject: [PATCH 07/64] Create nextjs.yml --- .github/workflows/nextjs.yml | 93 ++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 .github/workflows/nextjs.yml diff --git a/.github/workflows/nextjs.yml b/.github/workflows/nextjs.yml new file mode 100644 index 00000000000000..ed74736705521e --- /dev/null +++ b/.github/workflows/nextjs.yml @@ -0,0 +1,93 @@ +# Sample workflow for building and deploying a Next.js site to GitHub Pages +# +# To get started with Next.js see: https://nextjs.org/docs/getting-started +# +name: Deploy Next.js site to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: ["main"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Detect package manager + id: detect-package-manager + run: | + if [ -f "${{ github.workspace }}/yarn.lock" ]; then + echo "manager=yarn" >> $GITHUB_OUTPUT + echo "command=install" >> $GITHUB_OUTPUT + echo "runner=yarn" >> $GITHUB_OUTPUT + exit 0 + elif [ -f "${{ github.workspace }}/package.json" ]; then + echo "manager=npm" >> $GITHUB_OUTPUT + echo "command=ci" >> $GITHUB_OUTPUT + echo "runner=npx --no-install" >> $GITHUB_OUTPUT + exit 0 + else + echo "Unable to determine package manager" + exit 1 + fi + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version: "20" + cache: ${{ steps.detect-package-manager.outputs.manager }} + - name: Setup Pages + uses: actions/configure-pages@v5 + with: + # Automatically inject basePath in your Next.js configuration file and disable + # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). + # + # You may remove this line if you want to manage the configuration yourself. + static_site_generator: next + - name: Restore cache + uses: actions/cache@v4 + with: + path: | + .next/cache + # Generate a new cache whenever packages or source files change. + key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }} + # If source files changed but packages didn't, rebuild from a prior cache. + restore-keys: | + ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- + - name: Install dependencies + run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} + - name: Build with Next.js + run: ${{ steps.detect-package-manager.outputs.runner }} next build + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + with: + path: ./out + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 From 8b60736232c5c78194d60fbaa5451d5437dc723f Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:50:21 -0500 Subject: [PATCH 08/64] Potential fix for code scanning alert no. 6: Missing rate limiting Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- playground/optimize-missing-deps/package.json | 3 ++- playground/optimize-missing-deps/server.js | 7 ++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/playground/optimize-missing-deps/package.json b/playground/optimize-missing-deps/package.json index 31fcb844305ec8..7062d596a1f6dc 100644 --- a/playground/optimize-missing-deps/package.json +++ b/playground/optimize-missing-deps/package.json @@ -7,7 +7,8 @@ "dev": "node server" }, "dependencies": { - "@vitejs/test-missing-dep": "file:./missing-dep" + "@vitejs/test-missing-dep": "file:./missing-dep", + "express-rate-limit": "^8.2.1" }, "devDependencies": { "express": "^5.2.1" diff --git a/playground/optimize-missing-deps/server.js b/playground/optimize-missing-deps/server.js index 165e3786ef182b..ea8e81fab31a25 100644 --- a/playground/optimize-missing-deps/server.js +++ b/playground/optimize-missing-deps/server.js @@ -3,6 +3,7 @@ import fs from 'node:fs' import path from 'node:path' import { fileURLToPath } from 'node:url' import express from 'express' +import rateLimit from 'express-rate-limit' const __dirname = path.dirname(fileURLToPath(import.meta.url)) const isTest = process.env.VITEST @@ -11,6 +12,10 @@ export async function createServer(root = process.cwd(), hmrPort) { const resolve = (p) => path.resolve(__dirname, p) const app = express() + const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, + max: 100, + }) /** * @type {import('vite').ViteDevServer} @@ -30,7 +35,7 @@ export async function createServer(root = process.cwd(), hmrPort) { }) app.use(vite.middlewares) - app.use('*all', async (req, res) => { + app.use('*all', limiter, async (req, res) => { try { let template = fs.readFileSync(resolve('index.html'), 'utf-8') template = await vite.transformIndexHtml(req.originalUrl, template) From 80e75957fa4cad6c12884a06cc0dbfdd3bc72384 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:51:52 -0500 Subject: [PATCH 09/64] Potential fix for code scanning alert no. 1: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .github/workflows/npm-publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 2a4766d38913ea..42a464f27d52c3 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -7,6 +7,9 @@ on: release: types: [created] +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest From 80954f9c548f77118666fc5bbcfbe017f6f4e7c4 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:52:57 -0500 Subject: [PATCH 10/64] Potential fix for code scanning alert no. 12: Shell command built from environment values Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- playground/cli/__tests__/serve.ts | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/playground/cli/__tests__/serve.ts b/playground/cli/__tests__/serve.ts index 352fd5f887cd2b..19481ed429cbc6 100644 --- a/playground/cli/__tests__/serve.ts +++ b/playground/cli/__tests__/serve.ts @@ -2,7 +2,7 @@ // the default e2e test serve behavior import { stripVTControlCharacters } from 'node:util' -import { execaCommand } from 'execa' +import { execa } from 'execa' import kill from 'kill-port' import { isBuild, @@ -47,16 +47,16 @@ export async function serve() { // only run `vite build` when needed if (isBuild) { - const buildCommand = `${viteBinPath} build` + const buildCommandDisplay = `"${viteBinPath}" build` try { - const buildProcess = execaCommand(buildCommand, { + const buildProcess = execa(viteBinPath, ['build'], { cwd: rootDir, stdio: 'pipe', }) collectStreams('build', buildProcess) await buildProcess } catch (e) { - console.error(`error while executing cli command "${buildCommand}":`, e) + console.error(`error while executing cli command "${buildCommandDisplay}":`, e) collectErrorStreams('build', e) await printStreamsToConsole('build') throw e From df178d13883384dc1c63138f9e9068e1c49ec6c7 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:55:48 -0500 Subject: [PATCH 11/64] Potential fix for code scanning alert no. 52: Inefficient regular expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/vite/src/node/plugins/css.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/vite/src/node/plugins/css.ts b/packages/vite/src/node/plugins/css.ts index cd62232d832403..f7bbb552210fb5 100644 --- a/packages/vite/src/node/plugins/css.ts +++ b/packages/vite/src/node/plugins/css.ts @@ -1958,7 +1958,7 @@ export const importCssRE: RegExp = /@import\s+(?:url\()?('[^']+\.css'|"[^"]+\.css"|[^'"\s)]+\.css)/ // Assuming a function name won't be longer than 256 chars // eslint-disable-next-line regexp/no-unused-capturing-group -- doesn't detect asyncReplace usage -const cssImageSetRE = /(?<=image-set\()((?:[\w-]{1,256}\([^)]*\)|[^)])*)(?=\))/ +const cssImageSetRE = /(?<=image-set\()([^)]*)(?=\))/ const UrlRewritePostcssPlugin: PostCSS.PluginCreator<{ resolver: CssUrlResolver From fd4ebf174744be9bcbe77b10b652898badad9b19 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Tue, 10 Feb 2026 23:59:56 -0500 Subject: [PATCH 12/64] Create npm-publish-github-packages.yml --- .../workflows/npm-publish-github-packages.yml | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 .github/workflows/npm-publish-github-packages.yml diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml new file mode 100644 index 00000000000000..ea2d329fa02ad5 --- /dev/null +++ b/.github/workflows/npm-publish-github-packages.yml @@ -0,0 +1,36 @@ +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + registry-url: https://npm.pkg.github.com/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} From b2b5cb54be90486f06243f40160dd43bb2556c6a Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:01:52 -0500 Subject: [PATCH 13/64] Create google-cloudrun-source.yml --- .github/workflows/google-cloudrun-source.yml | 75 ++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/google-cloudrun-source.yml diff --git a/.github/workflows/google-cloudrun-source.yml b/.github/workflows/google-cloudrun-source.yml new file mode 100644 index 00000000000000..f0191b905c21c7 --- /dev/null +++ b/.github/workflows/google-cloudrun-source.yml @@ -0,0 +1,75 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to +# the "main" branch. +# +# To configure this workflow: +# +# 1. Enable the following Google Cloud APIs: +# +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Build (cloudbuild.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) +# +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. +# +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. +# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Source Developer (roles/run.sourceDeveloper) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources. +# +# 3. Change the values in the "env" block to match your values. + +name: 'Deploy to Cloud Run from Source' + +on: + push: + branches: + - '"main"' + +env: + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name + +jobs: + deploy: + runs-on: 'ubuntu-latest' + + permissions: + contents: 'read' + id-token: 'write' + + steps: + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 + + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider + + - name: 'Deploy to Cloud Run' + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 + with: + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a different source folder, update the image name below: + source: './' + + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |- + echo ${{ steps.deploy.outputs.url }} From 93a3ed22fc124229fc8e93b8c1643a9d1e4d8f47 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:03:30 -0500 Subject: [PATCH 14/64] Create google-cloudrun-docker.yml --- .github/workflows/google-cloudrun-docker.yml | 95 ++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 .github/workflows/google-cloudrun-docker.yml diff --git a/.github/workflows/google-cloudrun-docker.yml b/.github/workflows/google-cloudrun-docker.yml new file mode 100644 index 00000000000000..4ebba004bb2781 --- /dev/null +++ b/.github/workflows/google-cloudrun-docker.yml @@ -0,0 +1,95 @@ +# This workflow build and push a Docker container to Google Artifact Registry +# and deploy it on Cloud Run when a commit is pushed to the "main" +# branch. +# +# To configure this workflow: +# +# 1. Enable the following Google Cloud APIs: +# +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) +# +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. +# +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. +# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Developer (roles/run.developer) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources +# +# 3. Change the values in the "env" block to match your values. + +name: 'Build and Deploy to Cloud Run' + +on: + push: + branches: + - '"main"' + +env: + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider + +jobs: + deploy: + runs-on: 'ubuntu-latest' + + permissions: + contents: 'read' + id-token: 'write' + + steps: + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 + + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' + + # BEGIN - Docker auth and build + # + # If you already have a container image, you can omit these steps. + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.REGION }}-docker.pkg.dev' + + - name: 'Build and Push Container' + run: |- + DOCKER_TAG="$${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + docker build --tag "${DOCKER_TAG}" . + docker push "${DOCKER_TAG}" + - name: 'Deploy to Cloud Run' + + # END - Docker auth and build + + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 + with: + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a pre-built image, update the image name below: + + image: '${{ env.REGION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}' + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |2- + + echo ${{ steps.deploy.outputs.url }} From 6d248becd8373f5859539e5cc2a9222e00be4d01 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:05:21 -0500 Subject: [PATCH 15/64] Create node.js.yml --- .github/workflows/node.js.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/node.js.yml diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml new file mode 100644 index 00000000000000..2284b93570365d --- /dev/null +++ b/.github/workflows/node.js.yml @@ -0,0 +1,31 @@ +# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs + +name: Node.js CI + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [18.x, 20.x, 22.x] + # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ + + steps: + - uses: actions/checkout@v4 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + cache: 'npm' + - run: npm ci + - run: npm run build --if-present + - run: npm test From cadc6408f4d3c8c2744485f81d0f20d77451ff57 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:06:17 -0500 Subject: [PATCH 16/64] Create datadog-synthetics.yml --- .github/workflows/datadog-synthetics.yml | 38 ++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/datadog-synthetics.yml diff --git a/.github/workflows/datadog-synthetics.yml b/.github/workflows/datadog-synthetics.yml new file mode 100644 index 00000000000000..66c70f8eae9d2c --- /dev/null +++ b/.github/workflows/datadog-synthetics.yml @@ -0,0 +1,38 @@ +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0 + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + From e22ba1977375d2a84debc0723f7dc9382ca3a37d Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:10:03 -0500 Subject: [PATCH 17/64] Create google.yml --- .github/workflows/google.yml | 116 +++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 .github/workflows/google.yml diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml new file mode 100644 index 00000000000000..0b5c7d12f258a2 --- /dev/null +++ b/.github/workflows/google.yml @@ -0,0 +1,116 @@ +# This workflow will build a docker container, publish it to Google Container +# Registry, and deploy it to GKE when there is a push to the "main" +# branch. +# +# To configure this workflow: +# +# 1. Enable the following Google Cloud APIs: +# +# - Artifact Registry (artifactregistry.googleapis.com) +# - Google Kubernetes Engine (container.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) +# +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. +# +# 2. Ensure that your repository contains the necessary configuration for your +# Google Kubernetes Engine cluster, including deployment.yml, +# kustomization.yml, service.yml, etc. +# +# 3. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. +# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Kubernetes Engine Developer (roles/container.developer) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources +# +# 5. Change the values in the "env" block to match your values. + +name: 'Build and Deploy to GKE' + +on: + push: + branches: + - '"main"' + +env: + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + GAR_LOCATION: 'us-central1' # TODO: update to your region + GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name + GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone + DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name + REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name + IMAGE: 'static-site' + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider + +jobs: + setup-build-publish-deploy: + name: 'Setup, Build, Publish, and Deploy' + runs-on: 'ubuntu-latest' + environment: 'production' + + permissions: + contents: 'read' + id-token: 'write' + + steps: + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 + + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. + - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' + + # Authenticate Docker to Google Cloud Artifact Registry + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + # Get the GKE credentials so we can deploy to the cluster + - name: 'Set up GKE credentials' + uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # google-github-actions/get-gke-credentials@v2 + with: + cluster_name: '${{ env.GKE_CLUSTER }}' + location: '${{ env.GKE_ZONE }}' + + # Build the Docker image + - name: 'Build and push Docker container' + run: |- + DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}" + + docker build \ + --tag "${DOCKER_TAG}" \ + --build-arg GITHUB_SHA="${GITHUB_SHA}" \ + --build-arg GITHUB_REF="${GITHUB_REF}" \ + . + + docker push "${DOCKER_TAG}" + + # Set up kustomize + - name: 'Set up Kustomize' + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: 'Deploy to GKE' + run: |- + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide From fab406ea3aa27c737d4551ca21056f94336c2a0a Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:14:48 -0500 Subject: [PATCH 18/64] Potential fix for code scanning alert no. 32: Bad HTML filtering regexp Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/vite/src/node/optimizer/scan.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/vite/src/node/optimizer/scan.ts b/packages/vite/src/node/optimizer/scan.ts index 76da8a6991dbd1..23ae9365ce1b81 100644 --- a/packages/vite/src/node/optimizer/scan.ts +++ b/packages/vite/src/node/optimizer/scan.ts @@ -328,7 +328,7 @@ async function globEntries( type Loader = 'js' | 'ts' | 'jsx' | 'tsx' export const scriptRE: RegExp = - /(=\s]+))?)*\s*>)(.*?)<\/script>/gis + /(=\s]+))?)*\s*>)(.*?)<\/script\s*>/gis export const commentRE: RegExp = //gs const srcRE = /\bsrc\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s'">]+))/i const typeRE = /\btype\s*=\s*(?:"([^"]+)"|'([^']+)'|([^\s'">]+))/i From 776b058e590d56b324c4bc344c1a5069e8db70b6 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:17:34 -0500 Subject: [PATCH 19/64] Potential fix for code scanning alert no. 28: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- .../vite/src/node/server/middlewares/indexHtml.ts | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/packages/vite/src/node/server/middlewares/indexHtml.ts b/packages/vite/src/node/server/middlewares/indexHtml.ts index 0e9c48518cac45..40dd177eed07f7 100644 --- a/packages/vite/src/node/server/middlewares/indexHtml.ts +++ b/packages/vite/src/node/server/middlewares/indexHtml.ts @@ -502,6 +502,17 @@ export function indexHtmlMiddleware( filePath = normalizePath( path.resolve(path.join(root, decodeURIComponent(url))), ) + try { + const realFilePath = fs.realpathSync.native(filePath) + filePath = normalizePath(realFilePath) + } catch { + // If the path does not exist or cannot be resolved, fall through to the normal + // existence checks below, which will treat it as not found. + } + // Ensure the resolved path stays within the configured root directory. + if (!isParentDirectory(root, filePath)) { + return next() + } } if (isDev) { From 4ec3a59d83415f56efaf238a2e0e0199512dab84 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:19:26 -0500 Subject: [PATCH 20/64] Potential fix for code scanning alert no. 30: Uncontrolled data used in path expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- playground/css-lightningcss-proxy/server.js | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/playground/css-lightningcss-proxy/server.js b/playground/css-lightningcss-proxy/server.js index c50a423b72b43b..e15e3ef09bbf86 100644 --- a/playground/css-lightningcss-proxy/server.js +++ b/playground/css-lightningcss-proxy/server.js @@ -15,6 +15,7 @@ const DYNAMIC_STYLES = ` export async function createServer(root = process.cwd(), hmrPort) { const resolve = (p) => path.resolve(import.meta.dirname, p) + const htmlRoot = root const app = express() @@ -55,7 +56,17 @@ export async function createServer(root = process.cwd(), hmrPort) { return res.status(404).end('404') } - const htmlLoc = resolve(`.${url}`) + const requestedPath = '.' + url + let htmlLoc = path.resolve(htmlRoot, requestedPath) + try { + htmlLoc = fs.realpathSync(htmlLoc) + } catch { + return res.status(404).end('404') + } + if (!htmlLoc.startsWith(htmlRoot)) { + return res.status(403).end('Forbidden') + } + let template = fs.readFileSync(htmlLoc, 'utf-8') template = template.replace('', DYNAMIC_STYLES) From 9878ce573bf5918d2ab2f8118af493bd3dc75f07 Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:21:51 -0500 Subject: [PATCH 21/64] Potential fix for code scanning alert no. 5: Missing rate limiting Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- playground/css-lightningcss-proxy/package.json | 5 ++++- playground/css-lightningcss-proxy/server.js | 8 ++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/playground/css-lightningcss-proxy/package.json b/playground/css-lightningcss-proxy/package.json index c31519e711fcc4..13f31404728b0f 100644 --- a/playground/css-lightningcss-proxy/package.json +++ b/playground/css-lightningcss-proxy/package.json @@ -11,5 +11,8 @@ "devDependencies": { "lightningcss": "^1.31.1", "express": "^5.2.1" - } + }, + "dependencies": { + "express-rate-limit": "^8.2.1" +} } diff --git a/playground/css-lightningcss-proxy/server.js b/playground/css-lightningcss-proxy/server.js index c50a423b72b43b..a7b96269703073 100644 --- a/playground/css-lightningcss-proxy/server.js +++ b/playground/css-lightningcss-proxy/server.js @@ -2,6 +2,7 @@ import fs from 'node:fs' import path from 'node:path' import { fileURLToPath } from 'node:url' import express from 'express' +import RateLimit from 'express-rate-limit' const isTest = process.env.VITEST @@ -18,6 +19,11 @@ export async function createServer(root = process.cwd(), hmrPort) { const app = express() + const limiter = RateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // limit each IP to 100 requests per windowMs + }) + /** * @type {import('vite').ViteDevServer} */ @@ -46,6 +52,8 @@ export async function createServer(root = process.cwd(), hmrPort) { // use vite's connect instance as middleware app.use(vite.middlewares) + app.use(limiter) + app.use('*all', async (req, res, next) => { try { let [url] = req.originalUrl.split('?') From bc6df41c49d81ec942a8f16b6a4184a3efe0e36d Mon Sep 17 00:00:00 2001 From: Tanker187 Date: Wed, 11 Feb 2026 00:23:32 -0500 Subject: [PATCH 22/64] Potential fix for code scanning alert no. 51: Inefficient regular expression Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> --- packages/vite/src/node/plugins/html.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/vite/src/node/plugins/html.ts b/packages/vite/src/node/plugins/html.ts index 02305b45387c38..1790a31c2bfd72 100644 --- a/packages/vite/src/node/plugins/html.ts +++ b/packages/vite/src/node/plugins/html.ts @@ -1421,7 +1421,7 @@ export async function applyHtmlTransforms( } const entirelyImportRE = - /^(?:import\s*(?:"[^"\n]*[^\\\n]"|'[^'\n]*[^\\\n]');*|\/\*[\s\S]*?\*\/|\/\/.*[$\n])*$/ + /^(?:import\s*(?:"[^"\n]*[^\\\n]"|'[^'\n]*[^\\\n]');*|\/\*[\s\S]*?\*\/|\/\/[^\n]*[$\n])*$/ function isEntirelyImport(code: string) { // only consider "side-effect" imports, which match