fix: maintenance pass pt2 — 0 audit CVEs, a11y fixes, rate-limiter regression, markdown defense-in-depth #65

Merged
llbbl merged 2 commits into main from chore/maintenance-2026-06-pt2 on Jun 3, 2026

Conversation

llbbl (Owner) commented Jun 3, 2026

Summary

  • Dependency upgrades close all remaining audit CVEs (astro server-island replay low, smol-toml DoS moderate) — pnpm audit now reports 0 vulnerabilities
  • Rate-limiter regression fixed: missing/invalid X-Forwarded-For previously generated a unique key per request, silently disabling the limiter; unattributed requests now share a fallback bucket
  • Defense-in-depth scheme allowlist added to markdown link/image renderers before sanitize-html (blocks whitespace-prefix bypass e.g. " javascript:...")
  • Accessibility improvements across mobile menu, theme switcher, and search results; TOC active-heading tracking fixed for duplicate headings

Changes

Security / Dependencies

  • package.json: astro 6.1.9 → 6.4.4; react 19.2.7, marked, @biomejs/biome 2.4.16, @astrojs/node 10.1.3, tailwindcss 4.3.0, lucide-react 1.17.0, tailwind-merge 3.6.0, @types/* and tsx patch bumps
  • pnpm-workspace.yaml: add smol-toml ^1.6.1 override (astro still pins 1.6.0 which has a moderate DoS CVE)
  • pnpm-lock.yaml: updated lockfile

Rate Limiter

  • src/middleware/rateLimit.ts: fixed fallback key from unique-per-request UUID to shared "unknown" bucket so the limiter is never bypassed when X-Forwarded-For is absent or invalid
  • src/middleware/rateLimit.test.ts: added regression test covering the fallback bucket behaviour

Markdown Defense-in-Depth

  • src/lib/markdown.ts: explicit scheme allowlist (http:, https:, mailto:, #) in link and image renderers; input trimmed before scheme check to close whitespace bypass

Accessibility & Navigation

  • src/components/DocsHeader.astro: aria-expanded/aria-controls on mobile menu button; sidebar inert/aria-hidden synced to menu state; menu auto-closes on resize into desktop viewport
  • src/components/DocsToc.tsx: IntersectionObserver entries sorted by DOM position; active heading read from heading.id directly (fixes duplicate-slug collision)
  • src/components/ThemeSwitcher.tsx: backdrop changed from focusable button to non-focusable div + aria-hidden; focus moves to current theme on open
  • src/components/Search.tsx: result items wrapped in <a href> (tabIndex=-1, stopPropagation) for native middle/Cmd-click; removed unconditional window.location.href that caused double-navigation
  • src/pages/content/[...slug].astro: Astro.redirect branches replaced with throw — missing slug/article is a build-time invariant violation on a prerendered route

Test plan

  • pnpm test — all 153 tests pass
  • pnpm exec tsc --noEmit — no type errors
  • pnpm build — clean production build
  • pnpm audit — 0 vulnerabilities
  • Manual: mobile menu button announces aria-expanded state correctly in a screen reader
  • Manual: TOC highlights correct heading when multiple headings share similar text
  • Manual: search result middle-click / Cmd-click opens in new tab without double-navigation
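The rate-limiter regression summarised above (and in the first commit message below), as an added example that is not the project's own rateLimit.ts: the key derivation in its old unique-per-request form beside the fixed shared-bucket form, run through a small fixed-window counter. Assumed here: a counter with no time expiry, an IPv4-only validity check for the first X-Forwarded-For hop, and a counter standing in for the UUID the old code minted.

```typescript
// Added example, not the project's rateLimit.ts: the fallback-key regression
// the PR describes, with the old and fixed behaviour side by side.
// Assumptions: a fixed-window counter with no time expiry, and a simple
// IPv4-only validity check for the first X-Forwarded-For hop.
type KeyMode = "unique-fallback" | "shared-fallback";

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// The first hop of X-Forwarded-For is the client; anything that is not a
// plausible address counts as "invalid" so junk cannot choose the bucket.
export function clientIpFromXff(header: string | null): string | null {
  if (!header) return null;
  const first = (header.split(",")[0] ?? "").trim();
  return IPV4.test(first) ? first : null;
}

let uniqueCounter = 0; // stands in for the per-request UUID the old code minted

export function bucketKey(header: string | null, mode: KeyMode): string {
  const ip = clientIpFromXff(header);
  if (ip !== null) return ip;
  // Regression: a fresh key per unattributed request, so no bucket ever fills.
  if (mode === "unique-fallback") return `unknown-${++uniqueCounter}`;
  // Fix: every unattributed request lands in one shared bucket.
  return "unknown";
}

export class FixedWindowLimiter {
  private readonly counts = new Map<string, number>();
  private readonly limit: number;
  constructor(limit: number) {
    this.limit = limit;
  }
  // true = allowed, false = rate-limited
  hit(key: string): boolean {
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n <= this.limit;
  }
}

// Sends n requests carrying the same header and returns how many got through.
export function simulate(header: string | null, n: number, mode: KeyMode, limit = 5): number {
  const limiter = new FixedWindowLimiter(limit);
  let allowed = 0;
  for (let i = 0; i < n; i++) {
    if (limiter.hit(bucketKey(header, mode))) allowed++;
  }
  return allowed;
}
```

With the old derivation all 20 unattributed requests pass a limit of 5; with the shared bucket only the first 5 do, and a garbage header is limited the same way as a missing one.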

llbbl added 2 commits June 3, 2026 15:15
### Fixes
- Bump astro 6.1.9 → 6.4.4 (fixes server-island replay low CVE)
- Add smol-toml ^1.6.1 override in pnpm-workspace.yaml (fixes moderate
  DoS CVE; astro still pins 1.6.0 internally)
- Patch/minor bumps: react 19.2.7, react-dom, marked, @biomejs/biome
  2.4.16, @types/react, @types/node, tsx, @astrojs/node 10.1.3,
  tailwindcss/@tailwindcss/vite 4.3.0, lucide-react 1.17.0,
  tailwind-merge 3.6.0 — audit now reports 0 vulnerabilities
- rateLimit.ts: fixed unique-per-request fallback that silently disabled
  the limiter when X-Forwarded-For was missing/invalid; unattributed
  requests now share a single fallback bucket
- rateLimit.test.ts: added regression test for the fallback bucket fix
- markdown.ts: added explicit scheme allowlist in link/image renderers
  before sanitize-html; trims input to block whitespace bypass attacks
  (e.g. "  javascript:...")
### Fixes
- DocsToc.tsx: sort IntersectionObserver entries by DOM position so the
  active heading reflects what is actually on screen; read heading.id
  directly instead of recomputing a slug that diverged on
  duplicate-heading collisions
- DocsHeader.astro: add aria-expanded + aria-controls to mobile menu
  button; sync sidebar inert/aria-hidden with menu state via resize
  listener; auto-close menu when crossing into desktop viewport
- ThemeSwitcher.tsx: replace focusable backdrop button (announced as a
  full-viewport "Close theme menu" control) with non-focusable div +
  aria-hidden; move focus to current theme button on open
- Search.tsx: wrap result content in <a href> with tabIndex=-1 and
  stopPropagation so middle/Cmd-click open in a new tab natively; drop
  unconditional window.location.href to prevent double-navigation
- [...slug].astro: replace Astro.redirect branches with throw — route is
  prerendered and getStaticPaths enumerates all valid slugs so a missing
  slug or article is a build-time invariant violation
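The markdown scheme allowlist described in the PR summary and in the first commit message, as an added example that is not the project's markdown.ts: trim first, then match an explicit allowlist in the link and image renderers, with sanitize-html still assumed to run on the output afterwards. Assumed here: the PR's allowlist (http:, https:, mailto:, #); because the page does not say how relative paths are treated, this version also admits root-relative and dot-relative paths but rejects protocol-relative "//" destinations.

```typescript
// Added example, not the project's markdown.ts: a scheme allowlist applied
// in the link/image renderers before the HTML reaches sanitize-html.
// Assumptions: the PR's allowlist (http:, https:, mailto:, #); relative-path
// handling is not on the page, so root- and dot-relative paths are admitted
// here, while protocol-relative "//host" is refused.
const ALLOWED_PREFIXES = ["http:", "https:", "mailto:", "#", "/", "./", "../"];

export function isAllowedHref(raw: string): boolean {
  // Trim before checking: untrimmed, " javascript:x" does not start with
  // "javascript:", which is the whitespace-prefix bypass the PR closes.
  const href = raw.trim().toLowerCase();
  if (href === "" || href.startsWith("//")) return false;
  return ALLOWED_PREFIXES.some((p) => href.startsWith(p));
}

const ESC: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
export function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESC[c] ?? c);
}

// Marked-style link renderer: emits the anchor, or only the escaped link text
// when the destination fails the allowlist (the link is dropped, not the text).
export function renderLink(href: string, text: string): string {
  if (!isAllowedHref(href)) return escapeHtml(text);
  return `<a href="${escapeHtml(href.trim())}">${escapeHtml(text)}</a>`;
}

// Image renderer: a disallowed src produces no element at all.
export function renderImage(src: string, alt: string): string {
  if (!isAllowedHref(src)) return "";
  return `<img src="${escapeHtml(src.trim())}" alt="${escapeHtml(alt)}">`;
}
```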
codecov Bot commented Jun 3, 2026

Codecov Report

❌ Patch coverage is 65.00000% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.90%. Comparing base (2502f90) to head (c33412c).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/components/Search.tsx | 50.00% | 4 Missing ⚠️ |
| src/lib/markdown.ts | 72.72% | 0 Missing and 3 partials ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main      #65      +/-   ##
==========================================
- Coverage   83.33%   82.90%   -0.43%     
==========================================
  Files          11       11              
  Lines         264      275      +11     
  Branches       68       70       +2     
==========================================
+ Hits          220      228       +8     
- Misses         26       28       +2     
- Partials       18       19       +1     

@llbbl llbbl merged commit b3450f6 into main Jun 3, 2026
5 of 6 checks passed
@llbbl llbbl deleted the chore/maintenance-2026-06-pt2 branch June 3, 2026 20:20