Skip to content

🧹 Refactor fetchUserProfile to use spread operator#456

Open
is0692vs wants to merge 1 commit into
mainfrom
refactor-fetch-user-profile-16208466654816058611
Open

🧹 Refactor fetchUserProfile to use spread operator#456
is0692vs wants to merge 1 commit into
mainfrom
refactor-fetch-user-profile-16208466654816058611

Conversation

@is0692vs

@is0692vs is0692vs commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🎯 What: Simplified fetchUserProfile to use the spread operator for profile properties.
💡 Why: Reduces duplication and improves readability.
Verification: Ran npm run test locally and verified all tests pass.
Result: Improved maintainability of fetchUserProfile function.


PR created automatically by Jules for task 16208466654816058611 started by @is0692vs

Greptile Summary

fetchUserProfile 関数の戻り値オブジェクト生成を、明示的なプロパティ列挙から ...profile スプレッドに変更しています。コードの簡潔さは向上しますが、ランタイム挙動が変わります。

  • restGet<GitHubUser>()res.json() as Promise<T> を使っており、返るオブジェクトは型の保証なしに GitHub API レスポンス全体(idnode_idemailpublic_gistshtml_url など 30 以上のフィールド)を含みます。変更前の明示的列挙は allowlist として機能していましたが、スプレッドでその保護がなくなります。
  • GitHubUser 型と UserProfile 型のフィールドセットは一致しているため TypeScript エラーは発生しませんが、ランタイムオブジェクトには型定義外のフィールドが混入します。

Confidence Score: 3/5

スプレッド演算子によってランタイムで GitHub API の余剰フィールドが返り値に混入するため、そのままマージするのは避けるべきです。

restGet が型アサーションで GitHub API レスポンス全体を返すため、...profileemailid などの意図しないフィールドをすべて呼び出し元に露出させます。変更前の明示的プロパティ列挙は allowlist として機能しており、その安全性の保証が失われています。

src/lib/github.tsfetchUserProfile 関数(242〜245行目)

Important Files Changed

Filename Overview
src/lib/github.ts fetchUserProfile の明示的プロパティ列挙をスプレッド演算子に置換。コンパイルは通るが、ランタイムでは GitHub API レスポンスの余剰フィールドが返り値に混入するリスクがある。

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Caller
    participant fetchUserProfile
    participant fetchBasicProfile
    participant GitHub_API as GitHub REST API

    Caller->>fetchUserProfile: fetchUserProfile(username, token)
    fetchUserProfile->>fetchBasicProfile: fetchBasicProfile(username, token)
    fetchBasicProfile->>GitHub_API: GET /users/:username
    GitHub_API-->>fetchBasicProfile: 30+ fields (id, node_id, email, login, ...)
    fetchBasicProfile-->>fetchUserProfile: profile (typed as GitHubUser, but contains all API fields at runtime)
    Note over fetchUserProfile: Before: explicit 12-field allowlist After: ...profile spreads ALL runtime fields
    fetchUserProfile-->>Caller: UserProfile (+ unintended extra fields at runtime)
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Caller
    participant fetchUserProfile
    participant fetchBasicProfile
    participant GitHub_API as GitHub REST API

    Caller->>fetchUserProfile: fetchUserProfile(username, token)
    fetchUserProfile->>fetchBasicProfile: fetchBasicProfile(username, token)
    fetchBasicProfile->>GitHub_API: GET /users/:username
    GitHub_API-->>fetchBasicProfile: 30+ fields (id, node_id, email, login, ...)
    fetchBasicProfile-->>fetchUserProfile: profile (typed as GitHubUser, but contains all API fields at runtime)
    Note over fetchUserProfile: Before: explicit 12-field allowlist After: ...profile spreads ALL runtime fields
    fetchUserProfile-->>Caller: UserProfile (+ unintended extra fields at runtime)
Loading
Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
src/lib/github.ts:242-245
**スプレッド演算子によるランタイム余剰フィールドの流出**

`restGet``res.json() as Promise<T>` でキャストしているだけで、ランタイムでは GitHub API の `/users/:username` レスポンス全体(`id``node_id``email``html_url``public_gists``updated_at` など 30 以上のフィールド)が `profile` オブジェクトに含まれます。TypeScript の型はコンパイル時しか保証せず、`...profile` を展開すると意図しないフィールドがすべて返り値に含まれてしまいます。変更前のコードは明示的に 12 フィールドを列挙することで許可リスト(allowlist)として機能していましたが、スプレッドによりその保護が失われています。`email` フィールドが公開設定のユーザーであれば、クライアントに意図せず露出する可能性があります。

Reviews (1): Last reviewed commit: "🧹 Refactor fetchUserProfile to use spre..." | Re-trigger Greptile

Greptile also left 1 inline comment on this PR.

Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
github-user-summary Ignored Ignored Jul 10, 2026 7:01am

@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@is0692vs, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 39 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 79d99415-b4ae-4a84-b18b-fb68d27ec0c1

📥 Commits

Reviewing files that changed from the base of the PR and between 05bc250 and 349967c.

📒 Files selected for processing (1)
  • src/lib/github.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch refactor-fetch-user-profile-16208466654816058611

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request simplifies the fetchUserProfile function in src/lib/github.ts by replacing explicit property mapping with the spread operator (...profile). The reviewer correctly points out that using the spread operator leaks extra fields from the GitHub API response to the client, increasing the network payload size, and recommends reverting to explicit property selection.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread src/lib/github.ts
followers: profile.followers,
following: profile.following,
public_repos: profile.public_repos,
...profile,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Using the spread operator ...profile will copy all properties from the actual runtime profile object returned by the GitHub API (such as id, node_id, html_url, repos_url, etc.) into the returned object. Since this object is serialized and sent to the client in the /api/dashboard/summary endpoint, this leaks unused fields and unnecessarily increases the network payload size. It is safer and more efficient to explicitly select only the required properties.

    login: profile.login,
    avatar_url: profile.avatar_url,
    name: profile.name,
    bio: profile.bio,
    company: profile.company,
    location: profile.location,
    blog: profile.blog,
    twitter_username: profile.twitter_username,
    created_at: profile.created_at,
    followers: profile.followers,
    following: profile.following,
    public_repos: profile.public_repos,

@codecov

codecov Bot commented Jul 10, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Comment thread src/lib/github.ts
Comment on lines +242 to 245
...profile,
orgs,
pinnedRepos,
};

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 スプレッド演算子によるランタイム余剰フィールドの流出

restGetres.json() as Promise<T> でキャストしているだけで、ランタイムでは GitHub API の /users/:username レスポンス全体(idnode_idemailhtml_urlpublic_gistsupdated_at など 30 以上のフィールド)が profile オブジェクトに含まれます。TypeScript の型はコンパイル時しか保証せず、...profile を展開すると意図しないフィールドがすべて返り値に含まれてしまいます。変更前のコードは明示的に 12 フィールドを列挙することで許可リスト(allowlist)として機能していましたが、スプレッドによりその保護が失われています。email フィールドが公開設定のユーザーであれば、クライアントに意図せず露出する可能性があります。

Prompt To Fix With AI
This is a comment left during a code review.
Path: src/lib/github.ts
Line: 242-245

Comment:
**スプレッド演算子によるランタイム余剰フィールドの流出**

`restGet``res.json() as Promise<T>` でキャストしているだけで、ランタイムでは GitHub API の `/users/:username` レスポンス全体(`id``node_id``email``html_url``public_gists``updated_at` など 30 以上のフィールド)が `profile` オブジェクトに含まれます。TypeScript の型はコンパイル時しか保証せず、`...profile` を展開すると意図しないフィールドがすべて返り値に含まれてしまいます。変更前のコードは明示的に 12 フィールドを列挙することで許可リスト(allowlist)として機能していましたが、スプレッドによりその保護が失われています。`email` フィールドが公開設定のユーザーであれば、クライアントに意図せず露出する可能性があります。

How can I resolve this? If you propose a fix, please make it concise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant