Conversation
After enabling Dependabot, it immediately opened 8 PRs against main — including several cross-major bumps (vite 6→8, checkout 4→7, etc.) that need human review and would have skipped the normal dev → main flow. - target-branch: dev — PRs go through dev like any other change - ignore semver-major — automated PRs are patch/minor only; majors are reviewed by a human when needed - Security advisories still open PRs regardless of these ignore rules
The toggle-comment command stripped --> but not --!>, the rare-but-legal HTML comment-end-bang form. Browsers (and the HTML spec) treat both as valid comment terminators; toggling-off a buffer that used the bang form would leave a stray --!> on the line. Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line. The alert was technically a false positive — the regex output is fed into Monaco's text buffer, never rendered as HTML — but the underlying incompleteness was real, so it's worth fixing rather than dismissing.
fix(editor): handle --!> when stripping XML comment markers
- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check) - Add top-level 'permissions: contents: read' to codeql.yml and e2e-tests.yml (Token-Permissions check); scorecard.yml already had 'permissions: read-all' - Bump action versions while pinning: - actions/checkout v4 -> v4.2.2 - actions/setup-node v4 -> v4.4.0 - actions/upload-artifact v4 -> v4.4.3 - github/codeql-action v3 -> v3.36.2 - ossf/scorecard-action v2.4.0 -> v2.4.3 CodeQL's per-job 'permissions:' block is preserved — it widens the top-level default to grant security-events:write for SARIF upload.
# Conflicts: # .github/workflows/scorecard.yml
Contributor
Deploying xsltdebugx with
|
| Latest commit: |
ce1821a
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://e143897b.xsltdebugx.pages.dev |
| Branch Preview URL: | https://dev.xsltdebugx.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Promotes
devtomain. Four commits:6e36282—chore(ci): harden workflows for OpenSSF Scorecard (#67)— SHA-pins all GitHub Actions and adds top-level least-privilegepermissions:blocks. Needed onmainfor Scorecard to actually pick it up (Scorecard analyzesmainonly).08e6932+f211c81—fix(editor): handle --!> when stripping XML comment markers (#66)— corrects the XML comment-strip regex.f4b5bb6—chore(dependabot): target dev, ignore major bumps— routes Dependabot PRs todevand filters out major version bumps.Expected impact
main. Can be triggered manually after merge viagh workflow run scorecard.yml --ref main.maintriggers deploy).ossf/scorecard-action) already onmain:devindependently bumped that same action to v2.4.3 (a newer version, now SHA-pinned), so this PR supersedes it cleanly — no conflict expected.