Merge branch 'main' into renovate/npm-happy-dom-vulnerability

Author: wgordon17

.github/workflows/ci.yml

@@ -7,11 +7,11 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: 22
+          node-version: 24
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - run: pnpm run typecheck

.github/workflows/deploy.yml

@@ -9,11 +9,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
-          node-version: 22
+          node-version: 24
           cache: pnpm
       - run: pnpm install --frozen-lockfile
       - run: pnpm run typecheck
@@ -25,7 +25,7 @@ jobs:
       - run: pnpm run build
         env:
           VITE_GITHUB_CLIENT_ID: ${{ vars.VITE_GITHUB_CLIENT_ID }}
-      - uses: cloudflare/wrangler-action@v3
+      - uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
         with:
           apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}

README.md

@@ -4,11 +4,12 @@ Dashboard SPA tracking GitHub issues, PRs, and GHA workflow runs across multiple
 
 ## Features
 
-- **Issues Tab** — Open issues where you're the creator, assignee, or mentioned. Sortable, filterable, paginated.
+- **Issues Tab** — Open issues where you're the creator, assignee, or mentioned. Sortable, filterable, paginated. Dependency Dashboard issues hidden by default (toggleable).
 - **Pull Requests Tab** — Open PRs with CI check status indicators (green/yellow/red dots). Draft badges, reviewer names.
 - **Actions Tab** — GHA workflow runs grouped by repo and workflow. Accordion collapse, PR run toggle.
 - **Onboarding Wizard** — Two-step org/repo selection with search filtering and bulk select.
-- **Settings Page** — Refresh interval, notification preferences, theme (light/dark/system), density, GitHub Actions limits.
+- **PAT Authentication** — Optional Personal Access Token login as alternative to OAuth. Client-side format validation, detailed token creation instructions for classic and fine-grained PATs.
+- **Settings Page** — Refresh interval, notification preferences, theme (light/dark/system), density, GitHub Actions limits. Shows current auth method and hides OAuth-specific options for PAT users.
 - **Desktop Notifications** — New item alerts with per-type toggles and batching.
 - **Ignore System** — Hide specific items with an "N ignored" badge and unignore popover.
 - **Dark Mode** — System-aware with flash prevention via inline script + CSP SHA-256 hash.
@@ -30,7 +31,7 @@ Dashboard SPA tracking GitHub issues, PRs, and GHA workflow runs across multiple
 ```sh
 pnpm install
 pnpm run dev        # Start Vite dev server
-pnpm test           # Run browser tests (130 tests)
+pnpm test           # Run unit/component tests
 pnpm run typecheck  # TypeScript check
 pnpm run build      # Production build (~241KB JS, ~31KB CSS)
 ```
@@ -57,6 +58,7 @@ src/
       config.ts     # Zod v4-validated config with localStorage persistence
       view.ts       # View state (tabs, sorting, ignored items, filters)
     lib/
+      pat.ts            # PAT format validation and token creation instruction constants
       notifications.ts  # Desktop notification permission, detection, and dispatch
   worker/
     index.ts        # OAuth token exchange endpoint, CORS, security headers
@@ -72,6 +74,7 @@ tests/
 ## Security
 
 - Strict CSP: `script-src 'self'` (SHA-256 exception for dark mode script only)
+- PAT tokens stored in `localStorage` (same key as OAuth tokens) — single-user personal dashboard threat model
 - OAuth CSRF protection via `crypto.getRandomValues` state parameter
 - CORS locked to exact origin (strict equality, no substring matching)
 - Access token stored in `localStorage` under app-specific key; CSP prevents XSS token theft

e2e/settings.spec.ts

@@ -25,7 +25,7 @@ async function setupAuth(page: Page) {
       json: {
         data: {
           search: { issueCount: 0, pageInfo: { hasNextPage: false, endCursor: null }, nodes: [] },
-          rateLimit: { remaining: 5000, resetAt: new Date(Date.now() + 3600000).toISOString() },
+          rateLimit: { limit: 5000, remaining: 5000, resetAt: new Date(Date.now() + 3600000).toISOString() },
         },
       },
     })

e2e/smoke.spec.ts

@@ -34,7 +34,7 @@ async function setupAuth(page: Page) {
       json: {
         data: {
           search: { issueCount: 0, pageInfo: { hasNextPage: false, endCursor: null }, nodes: [] },
-          rateLimit: { remaining: 5000, resetAt: new Date(Date.now() + 3600000).toISOString() },
+          rateLimit: { limit: 5000, remaining: 5000, resetAt: new Date(Date.now() + 3600000).toISOString() },
         },
       },
     })
@@ -112,7 +112,7 @@ test("OAuth callback flow completes and redirects", async ({ page }) => {
       json: {
         data: {
           search: { issueCount: 0, pageInfo: { hasNextPage: false, endCursor: null }, nodes: [] },
-          rateLimit: { remaining: 5000, resetAt: new Date(Date.now() + 3600000).toISOString() },
+          rateLimit: { limit: 5000, remaining: 5000, resetAt: new Date(Date.now() + 3600000).toISOString() },
         },
       },
     })

package.json

@@ -16,33 +16,33 @@
     "test:waf": "bash scripts/waf-smoke-test.sh"
   },
   "dependencies": {
-    "@kobalte/core": "^0.13.11",
-    "@octokit/core": "^7.0.6",
-    "@octokit/plugin-paginate-rest": "^14.0.0",
-    "@octokit/plugin-retry": "^8.1.0",
-    "@octokit/plugin-throttling": "^11.0.3",
-    "@sentry/solid": "^10.46.0",
-    "@solidjs/router": "^0.16.1",
-    "corvu": "^0.7.2",
-    "idb": "^8.0.3",
-    "solid-js": "^1.9.11",
-    "zod": "^4.3.6"
+    "@kobalte/core": "0.13.11",
+    "@octokit/core": "7.0.6",
+    "@octokit/plugin-paginate-rest": "14.0.0",
+    "@octokit/plugin-retry": "8.1.0",
+    "@octokit/plugin-throttling": "11.0.3",
+    "@sentry/solid": "10.46.0",
+    "@solidjs/router": "0.16.1",
+    "corvu": "0.7.2",
+    "idb": "8.0.3",
+    "solid-js": "1.9.11",
+    "zod": "4.3.6"
   },
   "devDependencies": {
-    "@cloudflare/vite-plugin": "^1.30.0",
-    "@cloudflare/vitest-pool-workers": "^0.13.3",
-    "@playwright/test": "^1.58.2",
-    "@solidjs/testing-library": "^0.8.10",
-    "@tailwindcss/vite": "^4.2.2",
-    "@testing-library/user-event": "^14.6.1",
-    "daisyui": "^5.5.19",
-    "fake-indexeddb": "^6.2.5",
+    "@cloudflare/vite-plugin": "1.30.0",
+    "@cloudflare/vitest-pool-workers": "0.13.3",
+    "@playwright/test": "1.58.2",
+    "@solidjs/testing-library": "0.8.10",
+    "@tailwindcss/vite": "4.2.2",
+    "@testing-library/user-event": "14.6.1",
+    "daisyui": "5.5.19",
+    "fake-indexeddb": "6.2.5",
     "happy-dom": "^20.8.4",
-    "tailwindcss": "^4.2.2",
-    "typescript": "^5.9.3",
-    "vite": "^8.0.1",
-    "vite-plugin-solid": "^2.11.11",
-    "vitest": "^4.1.0",
-    "wrangler": "^4.76.0"
+    "tailwindcss": "4.2.2",
+    "typescript": "5.9.3",
+    "vite": "8.0.1",
+    "vite-plugin-solid": "2.11.11",
+    "vitest": "4.1.0",
+    "wrangler": "4.76.0"
   }
 }

pnpm-lock.yaml

@@ -1,5 +1,6 @@
 /*
-  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests
+  Content-Security-Policy: default-src 'none'; script-src 'self' 'sha256-uEFqyYCMaNy1Su5VmWLZ1hOCRBjkhm4+ieHHxQW6d3Y='; style-src-elem 'self'; style-src-attr 'unsafe-inline'; img-src 'self' data: https://avatars.githubusercontent.com; connect-src 'self' https://api.github.com; font-src 'self'; worker-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'none'; upgrade-insecure-requests; report-uri /api/csp-report; report-to csp-endpoint
+  Reporting-Endpoints: csp-endpoint="/api/csp-report"
   X-Content-Type-Options: nosniff
   Referrer-Policy: strict-origin-when-cross-origin
   Permissions-Policy: geolocation=(), microphone=(), camera=()

public/_headers

@@ -1,17 +1,43 @@
-import { createSignal, createEffect, onMount, Show, type JSX } from "solid-js";
+import { createSignal, createEffect, onMount, Show, ErrorBoundary, Suspense, lazy, type JSX } from "solid-js";
 import { Router, Route, Navigate, useNavigate } from "@solidjs/router";
-import { isAuthenticated, validateToken } from "./stores/auth";
+import { isAuthenticated, validateToken, AUTH_STORAGE_KEY } from "./stores/auth";
 import { config, initConfigPersistence, resolveTheme } from "./stores/config";
 import { initViewPersistence } from "./stores/view";
 import { evictStaleEntries } from "./stores/cache";
 import { initClientWatcher } from "./services/github";
 import LoginPage from "./pages/LoginPage";
 import OAuthCallback from "./pages/OAuthCallback";
-import DashboardPage from "./components/dashboard/DashboardPage";
-import OnboardingWizard from "./components/onboarding/OnboardingWizard";
-import SettingsPage from "./components/settings/SettingsPage";
 import PrivacyPage from "./pages/PrivacyPage";
 
+const DashboardPage = lazy(() => import("./components/dashboard/DashboardPage"));
+const OnboardingWizard = lazy(() => import("./components/onboarding/OnboardingWizard"));
+const SettingsPage = lazy(() => import("./components/settings/SettingsPage"));
+
+function handleRouteError(err: unknown) {
+  console.error("[app] Route render failed:", err);
+  return <ChunkErrorFallback />;
+}
+
+function ChunkErrorFallback() {
+  return (
+    <div class="min-h-screen flex items-center justify-center bg-base-200">
+      <div class="card bg-base-100 shadow-md p-8 flex flex-col items-center gap-4 max-w-sm">
+        <p class="text-error font-medium">Failed to load page</p>
+        <p class="text-sm text-base-content/60 text-center">
+          A new version may have been deployed. Reloading should fix this.
+        </p>
+        <button
+          type="button"
+          class="btn btn-neutral"
+          onClick={() => window.location.reload()}
+        >
+          Reload page
+        </button>
+      </div>
+    </div>
+  );
+}
+
 // Auth guard: redirects unauthenticated users to /login.
 // On page load, validates the localStorage token with GitHub API.
 function AuthGuard(props: { children: JSX.Element }) {
@@ -138,17 +164,33 @@ export default function App() {
     evictStaleEntries(24 * 60 * 60 * 1000).catch(() => {
       // Non-fatal — stale eviction failure is acceptable
     });
+
+    // Preload dashboard chunk in parallel with token validation to avoid
+    // a sequential waterfall (validateToken → chunk fetch)
+    if (localStorage.getItem?.(AUTH_STORAGE_KEY)) {
+      import("./components/dashboard/DashboardPage").catch(() => {
+        console.warn("[app] Dashboard chunk preload failed");
+      });
+    }
   });
 
   return (
-    <Router>
-      <Route path="/" component={RootRedirect} />
-      <Route path="/login" component={LoginPage} />
-      <Route path="/oauth/callback" component={OAuthCallback} />
-      <Route path="/onboarding" component={() => <AuthGuard><OnboardingWizard /></AuthGuard>} />
-      <Route path="/dashboard" component={() => <AuthGuard><DashboardPage /></AuthGuard>} />
-      <Route path="/settings" component={() => <AuthGuard><SettingsPage /></AuthGuard>} />
-      <Route path="/privacy" component={PrivacyPage} />
-    </Router>
+    <ErrorBoundary fallback={handleRouteError}>
+      <Suspense fallback={
+        <div class="min-h-screen flex items-center justify-center bg-base-200">
+          <span class="loading loading-spinner loading-lg" aria-label="Loading" />
+        </div>
+      }>
+        <Router>
+          <Route path="/" component={RootRedirect} />
+          <Route path="/login" component={LoginPage} />
+          <Route path="/oauth/callback" component={OAuthCallback} />
+          <Route path="/onboarding" component={() => <AuthGuard><OnboardingWizard /></AuthGuard>} />
+          <Route path="/dashboard" component={() => <AuthGuard><DashboardPage /></AuthGuard>} />
+          <Route path="/settings" component={() => <AuthGuard><SettingsPage /></AuthGuard>} />
+          <Route path="/privacy" component={PrivacyPage} />
+        </Router>
+      </Suspense>
+    </ErrorBoundary>
   );
 }