Claude/audit dependabot setup xfl71#8
Conversation
- Expanded article summaries from 300 to 600 characters for better content - Configured Dependabot for 2x daily npm and GitHub Actions version checks - Moved git author email from hardcoded value to GitHub secret - Created automated workflow to merge dependency updates to persistent branch - Added auto-issue creation for dependency interdependency conflicts - Implemented secure commit and PR pipeline without exposing sensitive data
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
src/aggregator.js
Outdated
| tags: tags, | ||
| category: article.categories?.[0] || 'General', | ||
| summary: article.contentSnippet?.replace(/<[^>]*>/g, '').slice(0, 300) || '' | ||
| summary: article.contentSnippet?.replace(/<[^>]*>/g, '').slice(0, 600) || '' |
Check failure
Code scanning / CodeQL
Incomplete multi-character sanitization High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 2 months ago
In general, the safest fix is to replace ad-hoc regex-based HTML stripping with a well-tested sanitization library that correctly handles malformed HTML, nested tags, and script/style removal. For Node.js, sanitize-html is widely used for this purpose and is explicitly recommended in the background.
For this specific code, we should stop manually stripping tags with replace(/<[^>]*>/g, '') and instead call sanitizeHtml on article.contentSnippet. To preserve existing behavior (plain-text summary, limited length), we can configure sanitize-html to disallow all tags and then truncate the result to 600 characters. We need to:
- Add a
sanitize-htmlimport at the top ofsrc/aggregator.js. - Replace the
summaryfield construction on line 39 so it usessanitizeHtmlinstead of the regex. - Keep the rest of
sanitizeArticleunchanged (including the existing length limit and default values) to avoid functional changes.
Concretely:
- At the top of
src/aggregator.js, after the existingrequirelines, addconst sanitizeHtml = require('sanitize-html');. - Change line 39 from:
to something like:
summary: article.contentSnippet?.replace(/<[^>]*>/g, '').slice(0, 600) || ''
summary: article.contentSnippet ? sanitizeHtml(article.contentSnippet, { allowedTags: [], allowedAttributes: {} }).slice(0, 600) : ''
This ensures that even complex or malformed HTML, including <script fragments, is fully sanitized to plain text before being used.
| @@ -2,6 +2,7 @@ | ||
| const Parser = require('rss-parser'); | ||
| const axios = require('axios'); | ||
| const { Octokit } = require('@octokit/rest'); | ||
| const sanitizeHtml = require('sanitize-html'); | ||
|
|
||
| const parser = new Parser({ | ||
| timeout: 10000, | ||
| @@ -36,7 +37,9 @@ | ||
| source: sourceName, | ||
| tags: tags, | ||
| category: article.categories?.[0] || 'General', | ||
| summary: article.contentSnippet?.replace(/<[^>]*>/g, '').slice(0, 600) || '' | ||
| summary: article.contentSnippet | ||
| ? sanitizeHtml(article.contentSnippet, { allowedTags: [], allowedAttributes: {} }).slice(0, 600) | ||
| : '' | ||
| }; | ||
| } | ||
|
|
| @@ -3,6 +3,7 @@ | ||
| "@octokit/rest": "^22.0.1", | ||
| "axios": "^1.13.2", | ||
| "cheerio": "^1.1.2", | ||
| "rss-parser": "^3.13.0" | ||
| "rss-parser": "^3.13.0", | ||
| "sanitize-html": "^2.17.0" | ||
| } | ||
| } |
| Package | Version | Security advisories |
| sanitize-html (npm) | 2.17.0 | None |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 85315be214
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| git fetch origin ${{ github.head_ref }}:${{ github.head_ref }} || true | ||
|
|
||
| # Switch to securite and merge | ||
| git switch securite | ||
| git merge origin/${{ github.head_ref }} --no-edit || true |
There was a problem hiding this comment.
The fetch step creates/updates a local branch with git fetch origin ${{ github.head_ref }}:${{ github.head_ref }}, but the merge uses origin/${{ github.head_ref }}. On pull_request runs, actions/checkout does not fetch that remote-tracking ref, so origin/<head_ref> is typically missing or stale. Because the merge error is silenced with || true, the job proceeds to push securite without the PR changes. This means Dependabot updates won’t actually land in securite in the common case. Merge the local branch (${{ github.head_ref }}) or fetch into refs/remotes/origin/<head_ref> before merging.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Pull request overview
This PR sets up an automated dependency management workflow using Dependabot with a custom security review process. The changes configure Dependabot to scan for npm and GitHub Actions updates daily, and introduce a new workflow that automatically merges dependency updates to a "securite" branch for testing before creating PRs to main.
Key changes:
- Configured Dependabot for daily npm and GitHub Actions dependency scans with appropriate labels and commit message prefixes
- Added a new workflow that automatically processes dependency PRs by merging them to a securite branch, checking for conflicts, and creating PRs to main
- Increased article summary length from 300 to 600 characters and temporarily disabled LinkedIn auto-posting
- Updated git configuration to use email from secrets instead of hardcoded values
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | Configured Dependabot with npm and GitHub Actions ecosystems, daily scanning schedules, and appropriate labels |
| .github/workflows/dependencies-auto-securite.yml | New workflow that automates dependency PR processing through a securite branch with conflict detection |
| .github/workflows/update-ai-pulse.yml | Updated git email configuration to use secrets instead of hardcoded value |
| src/aggregator.js | Increased summary character limit and temporarily disabled LinkedIn posting feature |
Comments suppressed due to low confidence (2)
.github/dependabot.yml:11
- The comment states "First scan at 6 AM UTC" but scheduling dependency scans at specific times doesn't guarantee they run exactly at that time. GitHub Actions may delay scheduled workflows during periods of high load. Consider adding a note about potential delays or removing the specific time claim if precision isn't critical.
schedule:
src/aggregator.js:158
- The comment states "articles not working yet" which suggests there's a known issue with article fetching. However, the TODO indicates this should be re-enabled later. Consider adding more specific information about what's broken and how to verify when it's fixed, such as linking to a related issue or providing acceptance criteria.
### 🛠️ Tech Stack
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| git fetch origin securite 2>/dev/null || git switch --create securite | ||
| git push origin securite || true | ||
|
|
There was a problem hiding this comment.
The command git fetch origin securite 2>/dev/null || git switch --create securite has a logic issue. If the fetch fails (branch doesn't exist on remote), it creates a local branch, but then the git push origin securite || true on line 30 might push an unintended branch. This could create a securite branch based on the wrong base branch. Consider fetching from origin first, checking if the branch exists, and if not, creating it from a specific base branch like main.
| git fetch origin securite 2>/dev/null || git switch --create securite | |
| git push origin securite || true | |
| # Fetch main and securite refs from origin | |
| git fetch origin main securite || true | |
| # Check if the securite branch exists on the remote | |
| if git ls-remote --exit-code --heads origin securite >/dev/null 2>&1; then | |
| # Ensure we have a local securite branch tracking origin/securite | |
| if git show-ref --verify --quiet refs/heads/securite; then | |
| git switch securite | |
| else | |
| git switch --track -c securite origin/securite | |
| fi | |
| else | |
| # Create securite from main explicitly if it does not exist yet | |
| git switch main || git switch origin/main | |
| git switch --create securite | |
| git push -u origin securite | |
| fi |
|
|
||
| # Switch to securite and merge | ||
| git switch securite | ||
| git merge origin/${{ github.head_ref }} --no-edit || true |
There was a problem hiding this comment.
The command uses || true which suppresses all errors, including legitimate ones like authentication failures or network issues. This makes debugging difficult and could hide real problems. Consider removing the || true or at least logging the error before suppressing it.
| git merge origin/${{ github.head_ref }} --no-edit || true | |
| git merge origin/${{ github.head_ref }} --no-edit |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Create PR from securite to main | ||
| if: steps.check-pr.outputs.pr_count == '0' |
There was a problem hiding this comment.
The check for PR count compares a string '0' instead of an integer. While this may work in shell, it's more reliable to compare as an integer. Consider changing the condition to use integer comparison or ensure the comparison is correct for your shell environment.
| if: steps.check-pr.outputs.pr_count == '0' | |
| if: ${{ fromJSON(steps.check-pr.outputs.pr_count) == 0 }} |
|
|
||
| ## Details | ||
| \`\`\` | ||
| ${{ steps.check-conflicts.outputs.conflict_details }} |
There was a problem hiding this comment.
The reference to steps.check-conflicts.outputs.conflict_details will not work correctly because the output was set using command substitution with potentially multi-line content. This will cause the issue body to be malformed or incomplete. Store the conflict details in a file instead and read from it when creating the issue.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
| if: steps.check-pr.outputs.pr_count == '0' | ||
| run: | | ||
| git config --global user.name 'ThePhoenixAgency' | ||
| git config --global user.email '${{ secrets.GIT_AUTHOR_EMAIL }}' |
There was a problem hiding this comment.
If the GIT_AUTHOR_EMAIL secret is not set or is empty, the git config command will set an empty email, which will cause git operations to fail. Consider adding validation to ensure the secret exists and has a valid value, or provide a fallback default email.
There was a problem hiding this comment.
@copilot open a new pull request to apply changes based on this feedback
|
faut corriger les soucis avec les check CodeQL et dependabot |
No description provided.