@checkstack/ui 1.8.1 → 1.8.3

package/CHANGELOG.md

@@ -1,5 +1,67 @@
 # @checkstack/ui
 
+## 1.8.3
+
+### Patch Changes
+
+- 1909a61: Address open CodeQL code-scanning findings:
+
+  - **`@checkstack/ui` (`LinksEditor`)**: validate URL scheme on render and on
+    add; only `http:` / `https:` URLs are accepted, defeating stored XSS via
+    `javascript:` / `data:` schemes in user-supplied hotlinks
+    (`js/xss-through-dom`).
+  - **`@checkstack/backend-api` (`markdownToPlainText`)**: decode HTML entities
+    before stripping tags, then strip tags in a loop until the output
+    stabilizes. Decoding `&` last avoids reintroducing tag delimiters
+    via `<` round-trips (`js/double-escaping`,
+    `js/incomplete-multi-character-sanitization`).
+  - **`@checkstack/backend` (`createScopedWsRegistry`)**: drop the
+    identity-replacement on the path suffix; the leading-slash invariant
+    is documented on `WebSocketRouteRegistry` (`js/identity-replacement`).
+
+## 1.8.2
+
+### Patch Changes
+
+- b627562: Bump direct and transitive dependencies to clear MEDIUM-severity advisories
+  that Trivy now surfaces alongside CRITICAL/HIGH.
+
+  Direct version bumps in package.json:
+
+  - `@checkstack/catalog-backend`, `@checkstack/gitops-backend`,
+    `@checkstack/healthcheck-frontend`: `uuid` `^13.0.0` → `^14.0.0`
+    (GHSA-w5hq-g745-h8pq, missing buffer bounds check in v3/v5/v6). Also
+    dropped the now-redundant `@types/uuid` devDependency — uuid 14 ships
+    its own types and the npm `@types/uuid` package is a stub.
+  - `@checkstack/gitops-backend`: `yaml` `^2.7.0` → `^2.8.3`
+    (GHSA-48c2-rrv3-qjmp, stack overflow on deeply nested collections).
+  - `@checkstack/dev-server`: `vite` `^5.4.0` → `^8.0.12`
+    (GHSA-4w7w-66w2-5vf9, path traversal in optimized-deps `.map` handling)
+    and `@vitejs/plugin-react` `^4.3.4` → `^6.0.1` to stay inside the new
+    vite peer range.
+
+  Root `overrides` / `resolutions` to bypass transitive pins that block the
+  walk:
+
+  - `dompurify` `^3.4.3` — `monaco-editor@0.55.1` pins `dompurify@3.2.7`
+    exactly, so the only way to pick up the eight DOMPurify XSS / prototype
+    pollution advisories (GHSA-v2wj-7wpq-c8vv et al.) is an override.
+    Affects `@checkstack/ui`, which is the only consumer of monaco.
+  - `uuid` `^14.0.0` — also forces `bullmq`'s nested `uuid@11.1.0`
+    (vulnerable per GHSA-w5hq-g745-h8pq) to the patched line. Affects
+    `@checkstack/queue-bullmq-backend`.
+  - `yaml` `^2.9.0` — covers transitive resolutions that would otherwise
+    pin pre-2.8.3 yaml.
+
+  The CI image scan (`.github/workflows/pr-checks.yml`) and the local
+  `bun run audit:*` helper now include `MEDIUM` alongside `CRITICAL,HIGH`,
+  so future MEDIUM regressions fail the pipeline. The production Dockerfile
+  also strips vendored `test/`, `tests/`, `__tests__/`, `benchmark/`,
+  `benchmarks/`, `example/` and `examples/` folders from `node_modules`
+  before the runtime stage — those tarball artefacts ship their own
+  nested `package.json` (`benchmark`, `tedious-benchmarks`, etc.) which
+  Trivy was scanning as if they were real packages.
+
 ## 1.8.1
 
 ### Patch Changes

package/package.json

@@ -1,12 +1,12 @@
 {
   "name": "@checkstack/ui",
-  "version": "1.8.1",
+  "version": "1.8.3",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "src/index.ts",
   "dependencies": {
-    "@checkstack/common": "0.9.0",
-    "@checkstack/frontend-api": "0.5.0",
+    "@checkstack/common": "0.10.0",
+    "@checkstack/frontend-api": "0.5.1",
     "@monaco-editor/react": "^4.7.0",
     "@radix-ui/react-accordion": "^1.2.12",
     "@radix-ui/react-dialog": "^1.1.15",
@@ -30,7 +30,7 @@
     "tailwind-merge": "^2.2.0"
   },
   "devDependencies": {
-    "@checkstack/scripts": "0.3.1",
+    "@checkstack/scripts": "0.3.2",
     "@checkstack/test-utils-frontend": "0.0.5",
     "@checkstack/tsconfig": "0.0.7",
     "@storybook/addon-a11y": "^10.3.6",

package/src/components/LinksEditor.tsx

@@ -10,6 +10,24 @@ export interface HotLink {
   url: string;
 }
 
+// Parse a user-supplied URL and return its canonicalized form ONLY when the
+// scheme is `http:` / `https:`. Returns `undefined` for any other scheme
+// (`javascript:`, `data:`, `vbscript:`, etc.) so callers can refuse to
+// render an anchor at all. The returned string is `URL.toString()` — i.e.
+// a re-serialized URL — so taint analysis sees a fresh, sanitized value
+// rather than the raw input flowing through. CodeQL js/xss-through-dom.
+function safeHref(raw: string): string | undefined {
+  try {
+    const parsed = new URL(raw);
+    if (parsed.protocol === "http:" || parsed.protocol === "https:") {
+      return parsed.toString();
+    }
+    return undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 export interface LinksEditorProps<T extends HotLink> {
   /** Currently attached links. */
   links: T[];
@@ -60,6 +78,11 @@ export function LinksEditor<T extends HotLink>({
       setError("Must be a valid URL (include http:// or https://)");
       return;
     }
+    const parsed = new URL(trimmedUrl);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      setError("Only http:// and https:// URLs are allowed");
+      return;
+    }
     setError(undefined);
     await onAdd({ label: label.trim() || undefined, url: trimmedUrl });
     setLabel("");
@@ -77,42 +100,54 @@ export function LinksEditor<T extends HotLink>({
 
       {links.length > 0 ? (
         <div className="border rounded-lg divide-y">
-          {links.map((link) => (
-            <div
-              key={link.id}
-              className="flex items-center justify-between p-3 gap-2"
-            >
-              <div className="flex items-center gap-2 min-w-0 flex-1">
-                <ExternalLink className="h-4 w-4 text-muted-foreground shrink-0" />
-                <div className="min-w-0">
-                  <a
-                    href={link.url}
-                    target="_blank"
-                    rel="noopener noreferrer"
-                    className="text-sm text-primary hover:underline truncate block"
-                  >
-                    {link.label ?? link.url}
-                  </a>
-                  {link.label && (
-                    <span className="text-xs text-muted-foreground truncate block">
-                      {link.url}
-                    </span>
-                  )}
+          {links.map((link) => {
+            const href = safeHref(link.url);
+            return (
+              <div
+                key={link.id}
+                className="flex items-center justify-between p-3 gap-2"
+              >
+                <div className="flex items-center gap-2 min-w-0 flex-1">
+                  <ExternalLink className="h-4 w-4 text-muted-foreground shrink-0" />
+                  <div className="min-w-0">
+                    {href ? (
+                      <a
+                        href={href}
+                        target="_blank"
+                        rel="noopener noreferrer"
+                        className="text-sm text-primary hover:underline truncate block"
+                      >
+                        {link.label ?? link.url}
+                      </a>
+                    ) : (
+                      <span
+                        className="text-sm text-muted-foreground truncate block"
+                        title="Unsafe URL scheme — link disabled"
+                      >
+                        {link.label ?? link.url}
+                      </span>
+                    )}
+                    {link.label && (
+                      <span className="text-xs text-muted-foreground truncate block">
+                        {link.url}
+                      </span>
+                    )}
+                  </div>
                 </div>
+                {canManage && (
+                  <Button
+                    variant="ghost"
+                    size="sm"
+                    onClick={() => void onRemove(link)}
+                    disabled={busy}
+                    aria-label="Remove link"
+                  >
+                    <Trash2 className="h-4 w-4" />
+                  </Button>
+                )}
               </div>
-              {canManage && (
-                <Button
-                  variant="ghost"
-                  size="sm"
-                  onClick={() => void onRemove(link)}
-                  disabled={busy}
-                  aria-label="Remove link"
-                >
-                  <Trash2 className="h-4 w-4" />
-                </Button>
-              )}
-            </div>
-          ))}
+            );
+          })}
         </div>
       ) : (
         <p className="text-sm text-muted-foreground">No links attached</p>