From f4b5bb6f4995b69f03500abb88a46756996046ca Mon Sep 17 00:00:00 2001
From: linusdevx <sunilpharswan4198@gmail.com>
Date: Tue, 23 Jun 2026 00:06:58 +0530
Subject: [PATCH 1/3] chore(dependabot): target dev, ignore major bumps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After enabling Dependabot, it immediately opened 8 PRs against main —
including several cross-major bumps (vite 6→8, checkout 4→7, etc.) that
need human review and would have skipped the normal dev → main flow.

- target-branch: dev — PRs go through dev like any other change
- ignore semver-major — automated PRs are patch/minor only; majors are
  reviewed by a human when needed
- Security advisories still open PRs regardless of these ignore rules
---
 .github/dependabot.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a5a5203..2d50b87 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,8 +2,10 @@ version: 2
 updates:
   # Dev dependencies — Playwright, Vite, http-server, esbuild.
   # No runtime npm deps ship to users, so these are dev-tool hygiene only.
+  # PRs target `dev` so they flow through the normal dev → main review cycle.
   - package-ecosystem: npm
     directory: /
+    target-branch: dev
     schedule:
       interval: weekly
       day: monday
@@ -17,10 +19,17 @@ updates:
         update-types:
           - minor
           - patch
+    # Major bumps are reviewed by a human as needed (vite, playwright, etc.).
+    # Security advisories still open PRs regardless of these ignore rules.
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-major
 
   # GitHub Actions used by our workflows (checkout, setup-node, codeql, scorecard, ...).
   - package-ecosystem: github-actions
     directory: /
+    target-branch: dev
     schedule:
       interval: weekly
       day: monday
@@ -33,3 +42,7 @@ updates:
         update-types:
           - minor
           - patch
+    ignore:
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-major

From f211c81a8ac084f4900f416a6285fcd17606bb97 Mon Sep 17 00:00:00 2001
From: linusdevx <sunilpharswan4198@gmail.com>
Date: Tue, 23 Jun 2026 07:59:01 +0530
Subject: [PATCH 2/3] fix(editor): handle --!> when stripping XML comment
 markers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The toggle-comment command stripped --> but not --!>, the rare-but-legal
HTML comment-end-bang form. Browsers (and the HTML spec) treat both as
valid comment terminators; toggling-off a buffer that used the bang form
would leave a stray --!> on the line.

Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line.
The alert was technically a false positive — the regex output is fed
into Monaco's text buffer, never rendered as HTML — but the underlying
incompleteness was real, so it's worth fixing rather than dismissing.
---
 js/editor.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/js/editor.js b/js/editor.js
index 9262cdc..8218d0a 100644
--- a/js/editor.js
+++ b/js/editor.js
@@ -270,7 +270,8 @@ require(['vs/editor/editor.main'], () => {
     if (allCommented) {
       for (let i = startLine; i <= endLine; i++) {
         const line = model.getLineContent(i);
-        const stripped = line.replace(/^(\s*)<!--\s?/, '$1').replace(/\s?-->(\s*)$/, '$1');
+        // --!?> matches both --> and --!>; the latter is rare but legal per the HTML spec.
+        const stripped = line.replace(/^(\s*)<!--\s?/, '$1').replace(/\s?--!?>(\s*)$/, '$1');
         edits.push({ range: new monaco.Range(i, 1, i, line.length + 1), text: stripped });
       }
     } else {

From 6e3628272cf84bc50b65eb01ea52cb117adb93d0 Mon Sep 17 00:00:00 2001
From: Sunil Pharswan <sunilpharswan4198@gmail.com>
Date: Tue, 23 Jun 2026 08:10:42 +0530
Subject: [PATCH 3/3] chore(ci): harden workflows for OpenSSF Scorecard (#67)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check)
- Add top-level 'permissions: contents: read' to codeql.yml and
  e2e-tests.yml (Token-Permissions check); scorecard.yml already had
  'permissions: read-all'
- Bump action versions while pinning:
  - actions/checkout v4 -> v4.2.2
  - actions/setup-node v4 -> v4.4.0
  - actions/upload-artifact v4 -> v4.4.3
  - github/codeql-action v3 -> v3.36.2
  - ossf/scorecard-action v2.4.0 -> v2.4.3

CodeQL's per-job 'permissions:' block is preserved — it widens the
top-level default to grant security-events:write for SARIF upload.
---
 .github/workflows/codeql.yml    | 10 +++++++---
 .github/workflows/e2e-tests.yml | 12 ++++++++----
 .github/workflows/scorecard.yml |  8 ++++----
 3 files changed, 19 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0d213ea..76bef08 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,6 +10,10 @@ on:
     # badge stays current even when the repo is quiet.
     - cron: '0 6 * * 1'
 
+# Least-privilege default; the analyze job widens this for SARIF upload.
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (javascript-typescript)
@@ -27,10 +31,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
@@ -43,6 +47,6 @@ jobs:
               - dist/**
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
         with:
           category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 23885c4..786a195 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [main, dev]
 
+# Least-privilege default; jobs opt in to more if needed.
+permissions:
+  contents: read
+
 jobs:
   e2e-tests:
     name: E2E Tests (Playwright)
@@ -14,10 +18,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '24'
           cache: 'npm'
@@ -55,7 +59,7 @@ jobs:
 
       - name: Upload test report
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: playwright-report
           path: playwright-report/
@@ -63,7 +67,7 @@ jobs:
 
       - name: Upload test results (XML)
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: test-results
           path: test-results/
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index aeab6b1..59e7d30 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,12 +25,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@v2.4.0
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
@@ -38,13 +38,13 @@ jobs:
           publish_results: true
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2
         with:
           sarif_file: results.sarif