@codyswann/lisa 1.43.2 → 1.43.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
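--- a/PATH_NOT_SHOWN_ON_PAGE-js
+++ b/PATH_NOT_SHOWN_ON_PAGE-js
@@ -110,6 +110,74 @@ function loadConfig() {
 const config = loadConfig();
 const { collect, assertions: a } = config;
 
+/**
+* Config keys that have explicit assertion mappings in the assertions object
+* below. Any config key NOT in this set will be auto-converted to a
+* kebab-case Lighthouse assertion name and applied as a dynamic override.
+*/
+const handledKeys = new Set([
+"buttonName",
+"validSourceMaps",
+"errorsInConsole",
+"performance",
+"firstContentfulPaint",
+"largestContentfulPaint",
+"interactive",
+"cumulativeLayoutShift",
+"totalByteWeight",
+"scriptSize",
+"fontDisplay",
+"imageAspectRatio",
+"metaDescription",
+"unusedJavascript",
+"bootupTime",
+"mainthreadWorkBreakdown",
+"maxPotentialFid",
+"legacyJavascript",
+"legacyJavascriptInsight",
+"speedIndex",
+"unusedCssRules",
+"usesRelPreconnect",
+"fontDisplayInsight",
+"networkDependencyTreeInsight",
+"duplicatedJavascriptInsight",
+]);
+
+/**
+* Converts camelCase config keys to kebab-case Lighthouse assertion names.
+*
+* @param {string} str - camelCase string
+* @returns {string} kebab-case string
+*/
+function toKebabCase(str) {
+return str.replace(/([a-z0-9])([A-Z])/g, "$1-$2").toLowerCase();
+}
+
+/**
+* Builds assertion overrides for config keys not handled by the explicit
+* assertions below. Allows projects to tune or disable any Lighthouse
+* preset assertion via lighthouserc-config.json without modifying this file.
+*
+* A minScore of 0 turns the assertion "off" entirely.
+*
+* @param {object} assertions - Merged assertion config
+* @param {Set<string>} handled - Keys already handled by explicit assertions
+* @returns {object} Extra assertion overrides keyed by kebab-case name
+*/
+function buildExtraAssertions(assertions, handled) {
+const extra = {};
+for (const [key, value] of Object.entries(assertions)) {
+if (handled.has(key)) continue;
+const assertionName = toKebabCase(key);
+if (value.minScore === 0) {
+extra[assertionName] = "off";
+} else {
+extra[assertionName] = ["warn", value];
+}
+}
+return extra;
+}
+
 module.exports = {
 ci: {
 collect: {
@@ -214,6 +282,11 @@ module.exports = {
 "warn",
 { minScore: a.duplicatedJavascriptInsight.minScore },
 ],
+
+// Dynamic overrides for any extra config keys not handled above.
+// Projects can tune or disable any preset assertion by adding it
+// to lighthouserc-config.json (e.g., "doctype": { "minScore": 0 }).
+...buildExtraAssertions(a, handledKeys),
 },
 },
 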
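Review bot: `buildExtraAssertions` (new lines 167-179) dereferences `value.minScore` without checking that `value` is an object, so a lighthouserc-config.json entry such as `"doctype": null` throws at load time and `"doctype": "off"` is emitted as the invalid pair `["warn", "off"]`; a guard like `if (value === "off" || value?.minScore === 0) {` accepts both spellings, and non-object values are better rejected with a clear error than passed through as assertion options. Separately, the `...buildExtraAssertions(a, handledKeys)` spread at new line 289 comes after the explicit assertions, so any key later added to the explicit block but forgotten in the hand-maintained `handledKeys` set is silently replaced by a generic `["warn", value]` entry; deriving the set from the explicit assertion keys, or asserting the two do not overlap at load time, removes that drift. The `module.exports` object that receives the spread opens in the first hunk and continues past the second.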
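--- a/package/package.json
+++ b/package/package.json
@@ -95,7 +95,7 @@
 "axios": ">=1.13.5"
 },
 "name": "@codyswann/lisa",
-"version": "1.43.
+"version": "1.43.4",
 "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
 "main": "dist/index.js",
 "bin": {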
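--- a/PATH_NOT_SHOWN_ON_PAGE-sh
+++ b/PATH_NOT_SHOWN_ON_PAGE-sh
@@ -63,13 +63,24 @@ if [ "$PACKAGE_MANAGER" = "yarn" ]; then
 fi
 
 elif [ "$PACKAGE_MANAGER" = "npm" ]; then
-# Run npm audit and
-npm audit --
-
+# Run npm audit in JSON mode and filter out known false positives before failing.
+# npm audit lacks a native --ignore flag, so we parse JSON and exclude by GHSA ID.
+
+# Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
+# Nested dep in aws-cdk-lib; fix requires minimatch v10 (incompatible with ^3.1.2)
+# Risk: None - dev-time CDK tooling, no production runtime exposure
+
+# Excluding GHSA-2g4f-4pwh-qvx6: ajv ReDoS with $data option
+# Nested dep in aws-cdk-lib and eslint; no fix available via npm
+# Risk: Low - $data option not used in this application
+
+AUDIT_JSON=$(npm audit --production --json 2>/dev/null || true)
+UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | map(select(. == "GHSA-3ppc-4f35-3m26" or . == "GHSA-2g4f-4pwh-qvx6" | not)) | length')
+if [ "$UNFIXED_HIGH" -gt 0 ]; then
 echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
 exit 1
 fi
-echo "✅ No high or critical vulnerabilities found in production dependencies"
+echo "✅ No high or critical vulnerabilities found in production dependencies (excluding known false positives)"
 
 elif [ "$PACKAGE_MANAGER" = "bun" ]; then
 # Excluding GHSA-5j98-mcp5-4vw2 (CVE-2025-64756): glob CLI command injection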
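--- a/PATH_NOT_SHOWN_ON_PAGE-yaml
+++ b/PATH_NOT_SHOWN_ON_PAGE-yaml
@@ -967,12 +967,25 @@ jobs:
 - name: 🔒 Run security audit
 run: |
 if [ "${{ inputs.package_manager }}" = "npm" ]; then
-# Run audit and
-npm audit
-
-
-
+# Run npm audit in JSON mode and filter out known false positives before failing.
+# npm audit lacks a native --ignore flag, so we parse JSON and exclude by GHSA ID.
+
+# Excluding GHSA-3ppc-4f35-3m26: minimatch ReDoS via repeated wildcards
+# Nested dep in aws-cdk-lib; fix requires minimatch v10 (incompatible with ^3.1.2)
+# Risk: None - dev-time CDK tooling, no production runtime exposure
+
+# Excluding GHSA-2g4f-4pwh-qvx6: ajv ReDoS with $data option
+# Nested dep in aws-cdk-lib and eslint; no fix available via npm
+# Risk: Low - $data option not used in this application
+
+AUDIT_JSON=$(npm audit --production --json 2>/dev/null || true)
+UNFIXED_HIGH=$(echo "$AUDIT_JSON" | jq '[.vulnerabilities | to_entries[] | select(.value.severity == "high" or .value.severity == "critical") | .value.via[] | select(type == "object") | .url | ltrimstr("https://github.com/advisories/")] | unique | map(select(. == "GHSA-3ppc-4f35-3m26" or . == "GHSA-2g4f-4pwh-qvx6" | not)) | length')
+if [ "$UNFIXED_HIGH" -gt 0 ]; then
+echo "::warning::Found high or critical vulnerabilities (after excluding known false positives)"
+npm audit --production --audit-level=high || true
+exit 1
 fi
+echo "::notice::No high or critical vulnerabilities found (excluding known false positives)"
 elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
 # Yarn audit outputs newline-delimited JSON, so we need to parse each line
 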
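Review bot: The failure path at new lines 984-986 annotates with `::warning::` and then runs `exit 1`, so the job goes red while the annotation stays yellow; `echo "::error::Found high or critical vulnerabilities (after excluding known false positives)"` matches the exit status and surfaces in the checks summary. The GHSA allowlist is now hard-coded inside the jq expression here and again in the shell hook hunk above, with no re-check date, so the two copies will drift and an exclusion justified by "no fix available" will outlive the fix; a single allowlist file read by both, with a `# re-check by <date>` comment per entry, keeps the exceptions auditable. The justification for GHSA-3ppc-4f35-3m26 describes dev-time CDK tooling, yet it is being excluded from a `--production` audit — if aws-cdk-lib is truly only a devDependency it would not be reported here, so either the dependency placement or the exclusion is worth confirming. The `run:` script continues into the yarn branch after the hunk.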