Skip to content

Marketing + docs site (Vite + React + TypeScript)#11

Merged
iamrraj merged 6 commits into
mainfrom
feature/web-vite-site
Jun 18, 2026
Merged

Marketing + docs site (Vite + React + TypeScript)#11
iamrraj merged 6 commits into
mainfrom
feature/web-vite-site

Conversation

@iamrraj

@iamrraj iamrraj commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

A modern, animated marketing + docs site for ShipIT Forge.

  • Stack: Vite + React 18 + TypeScript (.tsx), HashRouter (works on static hosts).
  • Pages: Landing (/) + Docs (/docs), clean reusable components (Logo, Header/Footer, CodeBlock with copy, Reveal scroll-in).
  • Design: animated mesh-gradient hero, bobbing anvil + spinning spark logo, feature grid, GitHub-styled live-example cards (review/fix/CI-fix/audit), full docs with sidebar TOC, copy-able code blocks, FAQ.
  • Deploy: .github/workflows/pages.yml builds web/ and publishes to GitHub Pages on push to main.

tsc -b + vite build both pass.

iamrraj added 2 commits June 18, 2026 17:00
… data)

- dependabot.ts: fetch open Dependabot alerts (GitHub Advisory Database) -> findings; best-effort, never throws
- merged into PR review and /audit so dependency CVEs are always up to date
- app.yml: vulnerability_alerts: read permission
- 115 tests passing
…ploy

- web/: Vite + React 18 + TypeScript SPA (HashRouter) — Landing + Docs pages
- clean components: Logo, Header/Footer, CodeBlock (copy), Reveal (scroll-in)
- animated hero (mesh gradient, bobbing anvil, spinning spark), live-example cards, full docs
- .github/workflows/pages.yml builds web/ and deploys to GitHub Pages
- tsc + vite build both pass
@shipit-forge

shipit-forge Bot commented Jun 18, 2026

Copy link
Copy Markdown

🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)

4 finding(s) (2 security). See the review above for inline details and suggested fixes.

@shipit-forge shipit-forge Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ShipIT Forge review

Found 4 issue(s) (2 security). 🔵 Low: 3 · ⚪ Info: 1

See inline comments for details and suggested fixes.

Comment thread web/package-lock.json
},
"engines": {
"node": ">=6.0.0"
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 Low · 🛡️ Security · vulnerable-dependency

Vulnerable Dependency: semver is susceptible to ReDoS

The package-lock.json file includes semver@6.3.1 as a transitive dependency (via @babel/helper-compilation-targets). This version is vulnerable to CVE-2022-25883, a regular expression denial-of-service (ReDoS) vulnerability. While this is a development dependency and the exploitability is very low within the build process, it's best practice to use patched versions of all dependencies. The vulnerability can be triggered by a maliciously crafted version string, potentially causing the build process to hang.

Suggested change
}
Run `npm audit fix` in the `web/` directory. If that doesn't resolve it, updating the top-level packages that rely on the vulnerable version (like `@babel/core` or `vite` and its plugins) to their latest versions should resolve the issue.

Comment on lines +28 to +30
</header>
);
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 Low · 🛡️ Security · CWE-1022

External links are missing rel="noopener noreferrer"

The <a> tag used for the external GitHub link does not have a rel="noopener noreferrer" attribute. Without noopener, the newly opened page can access the original page's window object via window.opener, which could be used to maliciously redirect the original page to a phishing site (tabnabbing). Without noreferrer, the new page receives the full URL of the source page in the Referer header, which can be a minor privacy leak. This issue is present on this line and on other external links throughout the new web components (e.g., in Footer.tsx, Docs.tsx).

Suggested change
</header>
);
}
<a className="btn btn-g cta" href={GITHUB} rel="noopener noreferrer">
GitHub
</a>

Comment thread src/github/dependabot.ts
Comment on lines +29 to +35
body:
`${adv.summary ?? 'Known vulnerability in a dependency.'}\n\n` +
`Package: \`${pkg.name ?? '?'}\` (${pkg.ecosystem ?? '?'}). ` +
`Affected: ${vuln?.vulnerable_version_range ?? '?'}. ` +
(patched ? `Fixed in **${patched}** — upgrade to it or later.` : 'No patched version yet.') +
(a?.html_url ? `\n\n${a.html_url}` : ''),
});

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 Low · 🔧 Quality · Improper Output Neutralization

Unsanitized Dependabot API data is used in Markdown report

The mapAlertsToFindings function constructs a Markdown string for the finding's body using raw data from the Dependabot API response (e.g., pkg.name, adv.summary). It does not sanitize or escape potential Markdown control characters (like backticks, newlines, etc.) in these fields. If a package name or vulnerability summary from the API contains these characters, it could break the formatting of the final GitHub comment, making it hard to read or even misleading. While the data comes from GitHub's API and is likely safe from XSS, this can lead to garbled output (a form of injection).

Suggested change
body:
`${adv.summary ?? 'Known vulnerability in a dependency.'}\n\n` +
`Package: \`${pkg.name ?? '?'}\` (${pkg.ecosystem ?? '?'}). ` +
`Affected: ${vuln?.vulnerable_version_range ?? '?'}. ` +
(patched ? `Fixed in **${patched}** — upgrade to it or later.` : 'No patched version yet.') +
(a?.html_url ? `\n\n${a.html_url}` : ''),
});
`Package: \`${(pkg.name ?? '?').replace(/`/g, '\\`')}\` (${pkg.ecosystem ?? '?'}). `

Comment thread web/package.json
Comment on lines +18 to +22
"@types/react": "^18.3.11",
"@types/react-dom": "^18.3.0",
"@vitejs/plugin-react": "^4.3.2",
"typescript": "^5.6.2",
"vite": "^5.4.8"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Info · 🔧 Quality · Dependency Management

Dev dependency versions in package.json are out of sync with package-lock.json

The versions specified in package.json for several dev dependencies (like vite, typescript, @vitejs/plugin-react) are older than the versions resolved in package-lock.json. For example, vite is ^5.4.8 in package.json but 5.4.21 in the lockfile. This indicates that npm update or a similar command was run, but the package.json file was not updated to reflect the new minimal versions. This can cause confusion and lead to different developers getting different minor/patch versions on a fresh install if the lockfile is ignored or recreated.

Suggested change
"@types/react": "^18.3.11",
"@types/react-dom": "^18.3.0",
"@vitejs/plugin-react": "^4.3.2",
"typescript": "^5.6.2",
"vite": "^5.4.8"
To synchronize the files, either manually update the versions in `package.json` to match the lockfile (e.g., `"vite": "^5.4.21"`), or use `npm update --save-dev <package-name>` for each dependency to explicitly update the `package.json` file.

… finding)

The mapAlertsToFindings body was built from raw API fields (package name, summary).
Now neutralize Markdown control chars + newlines so untrusted text can't break/inject
into the rendered GitHub comment.
@shipit-forge

shipit-forge Bot commented Jun 18, 2026

Copy link
Copy Markdown

🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)

1 finding(s) (1 security). See the review above for inline details and suggested fixes.

@shipit-forge shipit-forge Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ShipIT Forge review

Found 1 issue(s) (1 security). 🔵 Low: 1

See inline comments for details and suggested fixes.

Comment thread src/github/dependabot.ts
Comment on lines +9 to +11
function md(s: unknown): string {
return String(s ?? '').replace(/[`*_~<>[\]|\\]/g, '\\$&').replace(/\r?\n/g, ' ');
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 Low · 🛡️ Security · CWE-79

Incomplete Markdown Neutralization

The md() function is used to sanitize text from the Dependabot API before it's included in a Markdown comment on GitHub. The function's aim is to prevent Markdown injection by escaping special characters. However, the character set it escapes is incomplete. It misses several characters with special meaning in Markdown, such as parentheses (), hash (#), and exclamation mark (!).

While current usage doesn't appear to create a vulnerability, if future code changes were to place sanitized text inside a different Markdown structure (e.g., inside a link [text](url)), this could lead to injection or broken output. A more comprehensive sanitization provides better defense-in-depth.

Suggested change
function md(s: unknown): string {
return String(s ?? '').replace(/[`*_~<>[\]|\\]/g, '\\$&').replace(/\r?\n/g, ' ');
}
function md(s: unknown): string {
return String(s ?? '').replace(/[\\`*_{}\[\]()#+-.!~<>|]/g, '\\$&').replace(/\r?\n/g, ' ');
}

…defense-in-depth)

Escape the full GFM special set incl. () # + ! . so sanitized text stays safe even
inside other Markdown structures (e.g. links).
@shipit-forge

shipit-forge Bot commented Jun 18, 2026

Copy link
Copy Markdown

🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)

0 finding(s) (0 security). See the review above for inline details and suggested fixes.

@shipit-forge shipit-forge Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ShipIT Forge review

No blocking issues found. I reviewed the changed files and ran:

  • 🛡️ Security checks — SSRF, injection (SQL/command/template), broken auth/authz, hardcoded secrets, unsafe deserialization, path traversal, weak crypto.
  • 🔧 Code review — correctness, error handling, missing tests, clarity.

Nothing to flag. This is a comment, not an approval — ShipIT Forge never approves PRs; a human reviewer should approve and merge.

…examples page

- monochrome autophocus-style theme + top scroll-progress bar
- HeroDemo: types the issue, streams steps live, reveals the opened PR (+ replay)
- /flow/:slug pages (fix/review/audit/ci) with auto-playing StepPlayer terminals
- /examples page linking to the real PRs/reviews/issues on GitHub
- nav routes Examples + Docs; tsc + vite build pass
@shipit-forge

shipit-forge Bot commented Jun 18, 2026

Copy link
Copy Markdown

🔍 ShipIT Forge reviewed this PR — 💬 commented (no blocking issues)

0 finding(s) (0 security). See the review above for inline details and suggested fixes.

@shipit-forge shipit-forge Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ShipIT Forge review

No blocking issues found. I reviewed the changed files and ran:

  • 🛡️ Security checks — SSRF, injection (SQL/command/template), broken auth/authz, hardcoded secrets, unsafe deserialization, path traversal, weak crypto.
  • 🔧 Code review — correctness, error handling, missing tests, clarity.

Nothing to flag. This is a comment, not an approval — ShipIT Forge never approves PRs; a human reviewer should approve and merge.

@iamrraj iamrraj merged commit 80af744 into main Jun 18, 2026
1 check passed
@iamrraj iamrraj deleted the feature/web-vite-site branch June 18, 2026 17:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant