@bugspotter/sdk 0.3.0 → 1.0.0

package/dist/index.js

@@ -62,7 +62,9 @@ async function fetchReplaySettings(endpoint, apiKey) {
         if (apiKey) {
             headers['x-api-key'] = apiKey;
         }
-        const response = await fetch(`${apiBaseUrl}/api/v1/settings/replay`, { headers });
+        const response = await fetch(`${apiBaseUrl}/api/v1/settings/replay`, {
+            headers,
+        });
         if (!response.ok) {
             logger.warn(`Failed to fetch replay settings: ${response.status}. Using defaults.`);
             return defaults;
@@ -311,3 +313,5 @@ function sanitize(text) {
     });
     return sanitizer.sanitize(text);
 }
+// Default export for convenience
+exports.default = BugSpotter;

package/dist/utils/config-validator.js

@@ -6,6 +6,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.validateAuthConfig = validateAuthConfig;
 exports.validateDeduplicationConfig = validateDeduplicationConfig;
+const url_helpers_1 = require("./url-helpers");
 /**
  * Validate authentication configuration
  * @throws Error if configuration is invalid
@@ -14,6 +15,11 @@ function validateAuthConfig(context) {
     if (!context.endpoint) {
         throw new Error('No endpoint configured for bug report submission');
     }
+    // SECURITY: Ensure endpoint uses HTTPS
+    // This prevents credentials and sensitive data from being sent over plain HTTP
+    if (!(0, url_helpers_1.isSecureEndpoint)(context.endpoint)) {
+        throw new url_helpers_1.InsecureEndpointError(context.endpoint);
+    }
     if (!context.auth) {
         throw new Error('API key authentication is required');
     }

package/dist/utils/sanitize-patterns.js

@@ -20,7 +20,11 @@ exports.DEFAULT_PATTERNS = {
         name: 'email',
         regex: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g,
         description: 'Email addresses',
-        examples: ['user@example.com', 'john.doe+tag@company.co.uk', 'test_user@sub.domain.com'],
+        examples: [
+            'user@example.com',
+            'john.doe+tag@company.co.uk',
+            'test_user@sub.domain.com',
+        ],
         priority: 1, // Highest priority - most specific
     },
     creditcard: {
@@ -53,7 +57,11 @@ exports.DEFAULT_PATTERNS = {
         name: 'ip',
         regex: /\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}\b/g,
         description: 'IPv4 and IPv6 addresses',
-        examples: ['192.168.1.100', '127.0.0.1', '2001:0db8:85a3:0000:0000:8a2e:0370:7334'],
+        examples: [
+            '192.168.1.100',
+            '127.0.0.1',
+            '2001:0db8:85a3:0000:0000:8a2e:0370:7334',
+        ],
         priority: 5,
     },
     phone: {
@@ -96,7 +104,11 @@ exports.DEFAULT_PATTERNS = {
         name: 'password',
         regex: /(?:password|passwd|pwd)[\s:=]+[^\s]{6,}|(?:password|passwd|pwd)["']?\s*[:=]\s*["']?[^\s"']{6,}/gi,
         description: 'Password fields in text (password=..., pwd:...)',
-        examples: ['password: MySecret123!', 'passwd=SecurePass456', 'pwd: "MyP@ssw0rd"'],
+        examples: [
+            'password: MySecret123!',
+            'passwd=SecurePass456',
+            'pwd: "MyP@ssw0rd"',
+        ],
         priority: 9,
     },
 };

package/dist/utils/url-helpers.d.ts

@@ -26,3 +26,18 @@ export declare function stripEndpointSuffix(path: string): string;
  * @throws InvalidEndpointError if endpoint is not a valid absolute URL
  */
 export declare function getApiBaseUrl(endpoint: string): string;
+/**
+ * specific error for insecure endpoints
+ */
+export declare class InsecureEndpointError extends Error {
+    readonly endpoint: string;
+    constructor(endpoint: string);
+}
+/**
+ * Checks if the endpoint uses the secure HTTPS protocol.
+ * Uses the URL API for robust parsing.
+ *
+ * @param endpoint The endpoint URL to check
+ * @returns True if the endpoint uses HTTPS
+ */
+export declare function isSecureEndpoint(endpoint: string): boolean;

package/dist/utils/url-helpers.js

@@ -4,9 +4,10 @@
  * Extract base API URL from endpoint configuration
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.InvalidEndpointError = void 0;
+exports.InsecureEndpointError = exports.InvalidEndpointError = void 0;
 exports.stripEndpointSuffix = stripEndpointSuffix;
 exports.getApiBaseUrl = getApiBaseUrl;
+exports.isSecureEndpoint = isSecureEndpoint;
 const logger_1 = require("./logger");
 const logger = (0, logger_1.getLogger)();
 /**
@@ -62,3 +63,38 @@ function getApiBaseUrl(endpoint) {
         throw new InvalidEndpointError(endpoint, 'Must be a valid absolute URL (e.g., https://api.example.com/api/v1/reports)');
     }
 }
+/**
+ * specific error for insecure endpoints
+ */
+class InsecureEndpointError extends Error {
+    constructor(endpoint) {
+        super(`Secure HTTPS connection required. Attempted to connect to insecure endpoint: "${endpoint}"`);
+        this.endpoint = endpoint;
+        this.name = 'InsecureEndpointError';
+    }
+}
+exports.InsecureEndpointError = InsecureEndpointError;
+/**
+ * Checks if the endpoint uses the secure HTTPS protocol.
+ * Uses the URL API for robust parsing.
+ *
+ * @param endpoint The endpoint URL to check
+ * @returns True if the endpoint uses HTTPS
+ */
+function isSecureEndpoint(endpoint) {
+    if (!endpoint)
+        return false;
+    try {
+        const url = new URL(endpoint.trim());
+        // STRICT SECURITY:
+        // 1. Production must use HTTPS
+        // 2. Development allowed on localhost/127.0.0.1 via HTTP
+        return (url.protocol === 'https:' ||
+            (url.protocol === 'http:' &&
+                (url.hostname === 'localhost' || url.hostname === '127.0.0.1')));
+    }
+    catch (_a) {
+        // If it's not a valid URL, it's definitely not a secure endpoint
+        return false;
+    }
+}

package/dist/version.d.ts

@@ -5,4 +5,4 @@
  * This file is automatically generated during the build process.
  * To update the version, modify package.json
  */
-export declare const VERSION = "0.3.0";
+export declare const VERSION = "1.0.0";

package/dist/version.js

@@ -8,4 +8,4 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.VERSION = void 0;
-exports.VERSION = '0.3.0';
+exports.VERSION = '1.0.0';

package/dist/widget/button.d.ts

@@ -21,6 +21,16 @@ export declare class FloatingButton {
     private eventHandlers;
     constructor(options?: FloatingButtonOptions);
     private createButton;
+    /**
+     * Safely inject HTML content by parsing and validating SVG elements
+     * Prevents XSS attacks by only allowing safe SVG elements and attributes
+     */
+    private setSafeHTMLContent;
+    /**
+     * Recursively sanitize SVG elements by removing dangerous tags and attributes
+     * Uses whitelists to ensure only safe SVG content is preserved
+     */
+    private sanitizeSVGElement;
     private getButtonStyles;
     private getPositionStyles;
     private handleMouseEnter;

package/dist/widget/button.js

@@ -37,6 +37,104 @@ const BUTTON_STYLES = {
         active: 'scale(0.95)',
     },
 };
+// SVG sanitization whitelists (module-level for performance)
+const SAFE_SVG_TAGS = new Set([
+    'svg',
+    'g',
+    'path',
+    'circle',
+    'rect',
+    'line',
+    'polyline',
+    'polygon',
+    'ellipse',
+    'text',
+    'tspan',
+    // SECURITY: 'use' deliberately excluded - requires href/xlink:href attributes which pose XSS risks
+    // and are not in the attribute whitelist, making <use> non-functional anyway
+    'symbol',
+    'defs',
+    'marker',
+    'lineargradient', // lowercase to match tagName.toLowerCase() in sanitizeSVGElement (parser preserves camelCase)
+    'radialgradient', // lowercase to match tagName.toLowerCase() in sanitizeSVGElement (parser preserves camelCase)
+    'stop',
+    'clippath', // lowercase to match tagName.toLowerCase() in sanitizeSVGElement (parser preserves camelCase)
+    'mask',
+    // SECURITY: 'image' deliberately excluded - requires href/xlink:href attributes which pose XSS risks
+    // and are not in the attribute whitelist, making <image> non-functional anyway
+    // SECURITY: foreignObject deliberately excluded - allows embedding arbitrary HTML/XML
+    // and can bypass SVG sanitization (e.g., <foreignObject><body><script>...</script></body></foreignObject>)
+]);
+const SAFE_SVG_ATTRIBUTES = new Set([
+    'id',
+    'class',
+    // SECURITY: 'style' deliberately excluded - can enable CSS-based attacks:
+    // - expression() in older browsers
+    // - url() with javascript:/data: URIs
+    // - @import with malicious stylesheets
+    // - CSS data exfiltration
+    // Use specific styling attributes (fill, stroke, opacity, etc.) instead
+    'd',
+    'cx',
+    'cy',
+    'r',
+    'rx',
+    'ry',
+    'x',
+    'y',
+    'x1',
+    'y1',
+    'x2',
+    'y2',
+    'width',
+    'height',
+    'viewbox', // lowercase to match attrName.toLowerCase() in sanitizeSVGElement (parser preserves camelCase)
+    'xmlns',
+    'fill',
+    'stroke',
+    'stroke-width',
+    'stroke-linecap',
+    'stroke-linejoin',
+    'opacity',
+    'fill-opacity',
+    'stroke-opacity',
+    'transform',
+    'points',
+    'text-anchor',
+    'font-size',
+    'font-family',
+    'font-weight',
+    'offset',
+    'stop-color',
+    'stop-opacity',
+    'clip-path',
+    'mask', // Used to reference mask definitions: mask="url(#maskId)"
+]);
+/**
+ * Check if an attribute value contains dangerous patterns
+ * Uses simple string matching instead of regex for better performance and clarity
+ */
+const isDangerousAttributeValue = (value) => {
+    const lowerValue = value.toLowerCase();
+    // Dangerous protocol checks
+    if (lowerValue.includes('javascript:'))
+        return true;
+    if (lowerValue.includes('vbscript:'))
+        return true;
+    // SECURITY: Block ALL data: URIs by default
+    // data:text/html, data:application/javascript, data:image/svg+xml can all execute scripts
+    // Even data:text/javascript or data URIs with embedded scripts are dangerous
+    if (lowerValue.includes('data:'))
+        return true;
+    // CSS-based attack patterns
+    if (lowerValue.includes('expression('))
+        return true; // IE CSS expressions
+    if (lowerValue.includes('@import'))
+        return true; // CSS imports
+    if (lowerValue.includes('-moz-binding'))
+        return true; // Firefox XBL binding
+    return false;
+};
 class FloatingButton {
     constructor(options = {}) {
         var _a, _b, _c, _d, _e, _f, _g, _h;
@@ -80,10 +178,12 @@ class FloatingButton {
         const btn = document.createElement('button');
         // Set button content (SVG or text)
         if (this.options.customSvg) {
-            btn.innerHTML = this.options.customSvg;
+            // Safely inject custom SVG by parsing and validating it
+            this.setSafeHTMLContent(btn, this.options.customSvg);
         }
         else if (this.options.icon === 'svg') {
-            btn.innerHTML = DEFAULT_SVG_ICON;
+            // Safely inject default SVG
+            this.setSafeHTMLContent(btn, DEFAULT_SVG_ICON);
         }
         else {
             btn.textContent = this.options.icon;
@@ -95,6 +195,103 @@ class FloatingButton {
         this.addHoverEffects(btn);
         return btn;
     }
+    /**
+     * Safely inject HTML content by parsing and validating SVG elements
+     * Prevents XSS attacks by only allowing safe SVG elements and attributes
+     */
+    setSafeHTMLContent(element, htmlContent) {
+        try {
+            if (typeof window === 'undefined' ||
+                typeof window.DOMParser === 'undefined') {
+                element.textContent = htmlContent;
+                return;
+            }
+            // SECURITY: Use DOMParser with image/svg+xml MIME type for strict SVG parsing
+            // This prevents HTML-specific parsing quirks from being exploited
+            const parser = new window.DOMParser();
+            const doc = parser.parseFromString(htmlContent, 'image/svg+xml');
+            // Check for parse errors
+            const parserError = doc.querySelector('parsererror');
+            if (parserError) {
+                element.textContent = htmlContent;
+                return;
+            }
+            if (doc.documentElement &&
+                doc.documentElement.nodeType === Node.ELEMENT_NODE) {
+                const rootElement = doc.documentElement;
+                // SECURITY: Root element MUST be SVG - prevents wrapper element injection
+                // Reject structures like <div><svg>...</svg></div>
+                if (rootElement.tagName.toLowerCase() === 'svg') {
+                    // SECURITY: Only proceed if there's exactly one root element
+                    // This prevents attacks like: <svg></svg><script>alert('XSS')</script>
+                    if (doc.children.length === 1) {
+                        // Remove potentially dangerous attributes and event handlers
+                        this.sanitizeSVGElement(rootElement);
+                        // Clear the target element and append only the validated SVG element
+                        element.innerHTML = '';
+                        element.appendChild(rootElement);
+                        return;
+                    }
+                }
+            }
+            // If not valid SVG, fall back to text content to prevent XSS
+            element.textContent = htmlContent;
+        }
+        catch (error) {
+            // On any error, use text content for safety
+            // eslint-disable-next-line no-console
+            console.warn('[BugSpotter] Failed to inject custom SVG content:', error);
+            element.textContent = htmlContent;
+        }
+    }
+    /**
+     * Recursively sanitize SVG elements by removing dangerous tags and attributes
+     * Uses whitelists to ensure only safe SVG content is preserved
+     */
+    sanitizeSVGElement(element) {
+        // Process all elements in the tree
+        const elementsToProcess = [element];
+        const processedElements = new WeakSet();
+        while (elementsToProcess.length > 0) {
+            const current = elementsToProcess.pop();
+            if (!current || processedElements.has(current))
+                continue;
+            processedElements.add(current);
+            // SECURITY: First, sanitize the current element's attributes (including root)
+            // This prevents attacks like <svg onload="alert('XSS')">
+            Array.from(current.attributes || []).forEach((attr) => {
+                const attrName = attr.name.toLowerCase();
+                // SECURITY: Explicitly reject all event handler attributes (on*)
+                // This provides defense-in-depth and prevents accidental whitelisting
+                if (attrName.startsWith('on')) {
+                    current.removeAttribute(attr.name);
+                    return;
+                }
+                // Only keep whitelisted attributes
+                if (!SAFE_SVG_ATTRIBUTES.has(attrName)) {
+                    current.removeAttribute(attr.name);
+                    return;
+                }
+                // Check attribute values for dangerous patterns
+                if (isDangerousAttributeValue(attr.value)) {
+                    current.removeAttribute(attr.name);
+                    return;
+                }
+            });
+            // Then, process children elements
+            const children = Array.from(current.children || []);
+            children.forEach((child) => {
+                const tagName = child.tagName.toLowerCase();
+                // SECURITY: Remove tags not in whitelist (blocks <script>, <style>, <iframe>, etc.)
+                if (!SAFE_SVG_TAGS.has(tagName)) {
+                    child.remove();
+                    return;
+                }
+                // Add to processing queue for recursive sanitization
+                elementsToProcess.push(child);
+            });
+        }
+    }
     getButtonStyles() {
         const { position, size, offset, backgroundColor, zIndex } = this.options;
         const positionStyles = this.getPositionStyles(position, offset);
@@ -159,7 +356,7 @@ class FloatingButton {
     setIcon(icon) {
         this.options.icon = icon;
         if (icon === 'svg') {
-            this.button.innerHTML = DEFAULT_SVG_ICON;
+            this.setSafeHTMLContent(this.button, DEFAULT_SVG_ICON);
         }
         else {
             this.button.textContent = icon;

package/dist/widget/components/form-validator.js

@@ -31,7 +31,8 @@ class FormValidator {
         }
         // Validate PII confirmation if PII detected
         if (data.piiDetected && !data.piiConfirmed) {
-            errors.piiConfirmation = 'Please confirm you have reviewed sensitive information';
+            errors.piiConfirmation =
+                'Please confirm you have reviewed sensitive information';
         }
         return {
             isValid: Object.keys(errors).length === 0,

package/dist/widget/components/style-manager.js

@@ -51,7 +51,8 @@ class StyleManager {
             primaryColor: config.primaryColor || '#007bff',
             dangerColor: config.dangerColor || '#dc3545',
             borderRadius: config.borderRadius || '4px',
-            fontFamily: config.fontFamily || '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif',
+            fontFamily: config.fontFamily ||
+                '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif',
             zIndex: config.zIndex || 999999,
         };
     }

package/dist/widget/components/template-manager.js

@@ -12,7 +12,8 @@ class TemplateManager {
         this.config = {
             title: config.title || 'Report a Bug',
             titlePlaceholder: config.titlePlaceholder || 'Brief description of the issue',
-            descriptionPlaceholder: config.descriptionPlaceholder || 'Detailed description of what happened...',
+            descriptionPlaceholder: config.descriptionPlaceholder ||
+                'Detailed description of what happened...',
             submitButtonText: config.submitButtonText || 'Submit Bug Report',
             cancelButtonText: config.cancelButtonText || 'Cancel',
             showScreenshot: config.showScreenshot !== false,

package/dist/widget/modal.js

@@ -126,7 +126,10 @@ class BugReportModal {
         });
         // Submit button click (manually trigger form submit for test compatibility)
         elements.submitButton.addEventListener('click', () => {
-            const submitEvent = new Event('submit', { bubbles: true, cancelable: true });
+            const submitEvent = new Event('submit', {
+                bubbles: true,
+                cancelable: true,
+            });
             elements.form.dispatchEvent(submitEvent);
         });
         // Cancel button
@@ -159,7 +162,9 @@ class BugReportModal {
     }
     validateField(fieldName) {
         const elements = this.domCache.get();
-        const value = fieldName === 'title' ? elements.titleInput.value : elements.descriptionTextarea.value;
+        const value = fieldName === 'title'
+            ? elements.titleInput.value
+            : elements.descriptionTextarea.value;
         const error = this.validator.validateField(fieldName, value);
         const errorElement = fieldName === 'title' ? elements.titleError : elements.descriptionError;
         if (error) {
@@ -278,7 +283,8 @@ class BugReportModal {
         updateProgress('Preparing screenshot...');
         // Prepare screenshot with redactions
         let finalScreenshot = this.originalScreenshot;
-        if (this.redactionCanvas && this.redactionCanvas.getRedactions().length > 0) {
+        if (this.redactionCanvas &&
+            this.redactionCanvas.getRedactions().length > 0) {
             try {
                 finalScreenshot = await this.screenshotProcessor.mergeRedactions(this.originalScreenshot, this.redactionCanvas.getCanvas());
             }
@@ -302,7 +308,8 @@ class BugReportModal {
         catch (error) {
             (0, logger_1.getLogger)().error('Error submitting bug report:', error);
             // Show error message in modal instead of blocking alert
-            elements.submitError.textContent = 'Failed to submit bug report. Please try again.';
+            elements.submitError.textContent =
+                'Failed to submit bug report. Please try again.';
             elements.submitError.style.display = 'block';
             // Clear stale progress status for screen readers
             elements.progressStatus.textContent = '';

package/docs/CDN.md

@@ -30,7 +30,7 @@ Add the SDK to your HTML file:
 **Example:**
 
 ```html
-<script src="https://cdn.bugspotter.io/sdk/bugspotter-0.1.0.min.js"></script>
+<script src="https://cdn.bugspotter.io/sdk/bugspotter-1.0.0.min.js"></script>
 ```
 
 ### Development (Latest)
@@ -49,8 +49,8 @@ For enhanced security, use SRI hashes to verify file integrity:
 
 ```html
 <script
-  src="https://cdn.bugspotter.io/sdk/bugspotter-0.1.0.min.js"
-  integrity="sha384-..."
+  src="https://cdn.bugspotter.io/sdk/bugspotter-1.0.0.min.js"
+  integrity="sha384-WmzRwRsJDYQTHnPU0mTuz+VqnCFn70GlSiGh6lsogKahPBEB48pTzfEEB71+uA7I"
   crossorigin="anonymous"
 ></script>
 ```
@@ -58,7 +58,7 @@ For enhanced security, use SRI hashes to verify file integrity:
 To generate SRI hash for a specific version:
 
 ```bash
-curl https://cdn.bugspotter.io/sdk/bugspotter-0.1.0.min.js | openssl dgst -sha384 -binary | openssl base64 -A
+curl https://cdn.bugspotter.io/sdk/bugspotter-1.0.0.min.js | openssl dgst -sha384 -binary | openssl base64 -A
 ```
 
 ## 📝 Complete Example
@@ -75,7 +75,7 @@ curl https://cdn.bugspotter.io/sdk/bugspotter-0.1.0.min.js | openssl dgst -sha38
     <button id="trigger-error">Trigger Test Error</button>
 
     <!-- Load BugSpotter SDK -->
-    <script src="https://cdn.bugspotter.io/sdk/bugspotter-0.1.0.min.js"></script>
+    <script src="https://cdn.bugspotter.io/sdk/bugspotter-1.0.0.min.js"></script>
 
     <script>
       // Initialize BugSpotter

package/eslint.config.js

@@ -0,0 +1,99 @@
+import js from '@eslint/js';
+import tsParser from '@typescript-eslint/parser';
+import tsPlugin from '@typescript-eslint/eslint-plugin';
+import prettierConfig from 'eslint-config-prettier';
+
+export default [
+  js.configs.recommended,
+  {
+    files: ['**/*.{ts,js}'],
+    languageOptions: {
+      parser: tsParser,
+      parserOptions: {
+        ecmaVersion: 2020,
+        sourceType: 'module',
+      },
+      globals: {
+        // Browser globals
+        window: 'readonly',
+        document: 'readonly',
+        console: 'readonly',
+        navigator: 'readonly',
+        localStorage: 'readonly',
+        fetch: 'readonly',
+        XMLHttpRequest: 'readonly',
+        Request: 'readonly',
+        Response: 'readonly',
+        URL: 'readonly',
+        Blob: 'readonly',
+        File: 'readonly',
+        FileReader: 'readonly',
+        Image: 'readonly',
+        setTimeout: 'readonly',
+        clearTimeout: 'readonly',
+        setInterval: 'readonly',
+        clearInterval: 'readonly',
+        crypto: 'readonly',
+        alert: 'readonly',
+        // DOM types
+        HTMLElement: 'readonly',
+        HTMLDivElement: 'readonly',
+        HTMLButtonElement: 'readonly',
+        HTMLFormElement: 'readonly',
+        HTMLInputElement: 'readonly',
+        HTMLTextAreaElement: 'readonly',
+        HTMLImageElement: 'readonly',
+        HTMLCanvasElement: 'readonly',
+        HTMLStyleElement: 'readonly',
+        Element: 'readonly',
+        Node: 'readonly',
+        Document: 'readonly',
+        ShadowRoot: 'readonly',
+        Event: 'readonly',
+        MouseEvent: 'readonly',
+        KeyboardEvent: 'readonly',
+        EventListener: 'readonly',
+        CanvasRenderingContext2D: 'readonly',
+        // Web APIs
+        TextEncoder: 'readonly',
+        TextDecoder: 'readonly',
+        AbortController: 'readonly',
+        CompressionStream: 'readonly',
+        Console: 'readonly',
+        BlobPart: 'readonly',
+        BodyInit: 'readonly',
+      },
+    },
+    plugins: {
+      '@typescript-eslint': tsPlugin,
+    },
+    rules: {
+      ...tsPlugin.configs.recommended.rules,
+      '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+      '@typescript-eslint/no-explicit-any': 'warn',
+      '@typescript-eslint/explicit-function-return-type': 'off',
+      '@typescript-eslint/explicit-module-boundary-types': 'off',
+      '@typescript-eslint/no-non-null-assertion': 'warn',
+      'no-console': 'warn',
+      'prefer-const': 'error',
+    },
+  },
+  {
+    files: ['**/*.test.{ts,js}', '**/*.spec.{ts,js}'],
+    languageOptions: {
+      globals: {
+        global: 'readonly',
+        Headers: 'readonly',
+        process: 'readonly',
+        ReadableStream: 'readonly',
+        WritableStream: 'readonly',
+        TransformStream: 'readonly',
+      },
+    },
+    rules: {
+      'no-console': 'off',
+      '@typescript-eslint/no-explicit-any': 'off',
+    },
+  },
+  prettierConfig,
+];