Release: SRI hashes + Playwright 1.61 + action bumps#71

Merged
linusdevx merged 9 commits into main from dev on Jun 23, 2026

Conversation

@linusdevx

Owner

Promotes dev to main. Three new commits since the last release (PR #68):

  • 418bab4 chore(security): add SRI integrity to CDN-loaded scripts (#70) — adds sha384 integrity hashes + crossorigin="anonymous" to pako, lucide, and monaco-editor CDN scripts. Mitigates the supply-chain risk of a tampered CDN response. Resolves the last real open CodeQL alert.
  • 1dbf9b9 chore(deps-dev): bump @playwright/test (#64) — Playwright 1.60.0 → 1.61.0. Adds WebAuthn passkey support to the testing API; no breaking changes. Verified by the E2E suite running against itself.
  • e36a162 chore(deps): bump the actions-minor-and-patch group (#69) — actions/checkout v4.2.2 → v4.3.1 (the 'port v6 cleanup' reliability fix); actions/upload-artifact v4.4.3 → v4.6.2 (patch fixes). Both still SHA-pinned by Dependabot.

Expected impact

  • Production deploy to Cloudflare Pages on merge.
  • CodeQL on main drops from 1 real open alert to 0 — no more js/functionality-from-untrusted-source.
  • Scorecard score stays at 7.5 (no check gets new credit from this PR, but it preserves the gains).

linusdevx and others added 9 commits June 23, 2026 00:06
After enabling Dependabot, it immediately opened 8 PRs against main —
including several cross-major bumps (vite 6→8, checkout 4→7, etc.) that
need human review and would have skipped the normal dev → main flow.

- target-branch: dev — PRs go through dev like any other change
- ignore semver-major — automated PRs are patch/minor only; majors are
  reviewed by a human when needed
- Security advisories still open PRs regardless of these ignore rules

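As an added illustration (not the repository's actual `.github/dependabot.yml`), here is a configuration that expresses the three points in the commit message above: `target-branch: dev`, an `ignore` rule that filters semver-major version updates, and the two update groups the later Dependabot commits on this page name (`actions-minor-and-patch`, `dev-minor-and-patch`). The `weekly` schedule is an assumption; the real file may differ.

```yaml
# .github/dependabot.yml -- added example, not the project's own file
version: 2
updates:
  # GitHub Actions used by the workflows (checkout, upload-artifact, ...)
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"          # assumed cadence
    target-branch: "dev"          # PRs go through dev like any other change
    ignore:
      # Automated PRs are patch/minor only; majors get a human review
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    groups:
      actions-minor-and-patch:    # group name seen in the bump commit below
        update-types: ["minor", "patch"]

  # npm dev dependencies such as @playwright/test
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"          # assumed cadence
    target-branch: "dev"
    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-major"]
    groups:
      dev-minor-and-patch:        # group name seen in the Playwright bump below
        dependency-type: "development"
        update-types: ["minor", "patch"]
```

Grouping minor and patch bumps keeps the PR count down without loosening the review gate: every automated change still lands on `dev`, so the human promotion step from `dev` to `main` (this PR) is where a regression in a bumped action or package is caught.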
The toggle-comment command stripped --> but not --!>, the rare-but-legal
HTML comment-end-bang form. Browsers (and the HTML spec) treat both as
valid comment terminators; toggling-off a buffer that used the bang form
would leave a stray --!> on the line.

Side benefit: closes CodeQL alert #1 (js/bad-tag-filter) on this line.
The alert was technically a false positive — the regex output is fed
into Monaco's text buffer, never rendered as HTML — but the underlying
incompleteness was real, so it's worth fixing rather than dismissing.
fix(editor): handle --!> when stripping XML comment markers

- Pin all GitHub Actions to commit SHAs (Pinned-Dependencies check)
- Add top-level 'permissions: contents: read' to codeql.yml and
  e2e-tests.yml (Token-Permissions check); scorecard.yml already had
  'permissions: read-all'
- Bump action versions while pinning:
  - actions/checkout v4 -> v4.2.2
  - actions/setup-node v4 -> v4.4.0
  - actions/upload-artifact v4 -> v4.4.3
  - github/codeql-action v3 -> v3.36.2
  - ossf/scorecard-action v2.4.0 -> v2.4.3

CodeQL's per-job 'permissions:' block is preserved — it widens the
top-level default to grant security-events:write for SARIF upload.
# Conflicts:
#	.github/workflows/scorecard.yml

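An added workflow fragment (not the project's own `e2e-tests.yml` or `codeql.yml`) showing the two patterns the commit above describes: a top-level `permissions: contents: read` default, `uses:` lines pinned to full commit SHAs with the tag kept in a trailing comment, and a job-level block that widens the default to `security-events: write` only where SARIF upload needs it. The `actions/checkout` SHA is the full form of the `11bd719` commit that the page's compare link abbreviates for v4.2.2; the other SHAs are placeholders to resolve from the tags named in the commit.

```yaml
# Added example, not the repository's own workflow file.
name: ci-fragment
on: [push, pull_request]

# Top-level default: the workflow's GITHUB_TOKEN can only read repository
# contents. Jobs that need more must say so explicitly.
permissions:
  contents: read

jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      # Pin to the commit, not the mutable tag; the comment records the version
      # so Dependabot can keep bumping both together.
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # v4.4.0 (placeholder SHA)
        with:
          node-version: 20           # assumed
      - run: npm ci && npx playwright test

  codeql:
    runs-on: ubuntu-latest
    # Per-job block widens the top-level default: uploading SARIF results
    # requires security-events: write.
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: github/codeql-action/init@0000000000000000000000000000000000000000 # v3.36.2 (placeholder SHA)
        with:
          languages: javascript
      - uses: github/codeql-action/analyze@0000000000000000000000000000000000000000 # v3.36.2 (placeholder SHA)
```

Pinning by SHA is what the Scorecard `Pinned-Dependencies` check looks for, and the explicit read-only default is what `Token-Permissions` looks for; keeping `security-events: write` at the job level rather than at the top level is what lets the CodeQL upload work without granting that scope to every job.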
Bumps the actions-minor-and-patch group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [actions/upload-artifact](https://github.com/actions/upload-artifact).


Updates `actions/checkout` from 4.2.2 to 4.3.1
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...34e1148)

Updates `actions/upload-artifact` from 4.4.3 to 4.6.2
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@b4b15b8...ea165f8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 4.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
- dependency-name: actions/upload-artifact
  dependency-version: 4.6.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps the dev-minor-and-patch group with 1 update in the / directory: [@playwright/test](https://github.com/microsoft/playwright).


Updates `@playwright/test` from 1.60.0 to 1.61.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.60.0...v1.61.0)

---
updated-dependencies:
- dependency-name: "@playwright/test"
  dependency-version: 1.61.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dev-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Adds sha384 integrity hashes and crossorigin=anonymous to the three
CDN-hosted dependencies in index.html:

- pako@2.1.0 (compression for share URLs)
- lucide@1.14.0 (icon library)
- monaco-editor@0.44.0 loader

Mitigates the supply-chain risk of a tampered CDN response — the browser
refuses to execute any script whose content doesn't match the hash.

Resolves the only real CodeQL alert
(js/functionality-from-untrusted-source) on index.html:51-53.

Maintenance note: each version bump now requires regenerating the hash:
  curl -sL <url> | openssl dgst -sha384 -binary | openssl base64 -A
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 23, 2026

Contributor

Deploying xsltdebugx with Cloudflare Pages

Latest commit: cab2263
Status: ✅  Deploy successful!
Preview URL: https://72fe28a6.xsltdebugx.pages.dev
Branch Preview URL: https://dev.xsltdebugx.pages.dev


@linusdevx linusdevx merged commit 8461225 into main Jun 23, 2026
6 checks passed