@dytsou/github-readme-stats 1.0.1

package/src/common/cache.js

@@ -0,0 +1,153 @@
+// @ts-check
+
+import { clampValue } from "./ops.js";
+
+const MIN = 60;
+const HOUR = 60 * MIN;
+const DAY = 24 * HOUR;
+
+/**
+ * Common durations in seconds.
+ */
+const DURATIONS = {
+  ONE_MINUTE: MIN,
+  FIVE_MINUTES: 5 * MIN,
+  TEN_MINUTES: 10 * MIN,
+  FIFTEEN_MINUTES: 15 * MIN,
+  THIRTY_MINUTES: 30 * MIN,
+
+  TWO_HOURS: 2 * HOUR,
+  FOUR_HOURS: 4 * HOUR,
+  SIX_HOURS: 6 * HOUR,
+  EIGHT_HOURS: 8 * HOUR,
+  TWELVE_HOURS: 12 * HOUR,
+
+  ONE_DAY: DAY,
+  TWO_DAY: 2 * DAY,
+  SIX_DAY: 6 * DAY,
+  TEN_DAY: 10 * DAY,
+};
+
+/**
+ * Common cache TTL values in seconds.
+ */
+const CACHE_TTL = {
+  STATS_CARD: {
+    DEFAULT: DURATIONS.ONE_DAY,
+    MIN: DURATIONS.TWELVE_HOURS,
+    MAX: DURATIONS.TWO_DAY,
+  },
+  TOP_LANGS_CARD: {
+    DEFAULT: DURATIONS.SIX_DAY,
+    MIN: DURATIONS.TWO_DAY,
+    MAX: DURATIONS.TEN_DAY,
+  },
+  PIN_CARD: {
+    DEFAULT: DURATIONS.TEN_DAY,
+    MIN: DURATIONS.ONE_DAY,
+    MAX: DURATIONS.TEN_DAY,
+  },
+  GIST_CARD: {
+    DEFAULT: DURATIONS.TWO_DAY,
+    MIN: DURATIONS.ONE_DAY,
+    MAX: DURATIONS.TEN_DAY,
+  },
+  WAKATIME_CARD: {
+    DEFAULT: DURATIONS.ONE_DAY,
+    MIN: DURATIONS.TWELVE_HOURS,
+    MAX: DURATIONS.TWO_DAY,
+  },
+  ERROR: DURATIONS.TEN_MINUTES,
+};
+
+/**
+ * Resolves the cache seconds based on the requested, default, min, and max values.
+ *
+ * @param {Object} args The parameters object.
+ * @param {number} args.requested The requested cache seconds.
+ * @param {number} args.def The default cache seconds.
+ * @param {number} args.min The minimum cache seconds.
+ * @param {number} args.max The maximum cache seconds.
+ * @returns {number} The resolved cache seconds.
+ */
+const resolveCacheSeconds = ({ requested, def, min, max }) => {
+  let cacheSeconds = clampValue(isNaN(requested) ? def : requested, min, max);
+
+  if (process.env.CACHE_SECONDS) {
+    const envCacheSeconds = parseInt(process.env.CACHE_SECONDS, 10);
+    if (!isNaN(envCacheSeconds)) {
+      cacheSeconds = envCacheSeconds;
+    }
+  }
+
+  return cacheSeconds;
+};
+
+/**
+ * Disables caching by setting appropriate headers on the response object.
+ *
+ * @param {any} res The response object.
+ */
+const disableCaching = (res) => {
+  // Disable caching for browsers, shared caches/CDNs, and GitHub Camo.
+  res.setHeader(
+    "Cache-Control",
+    "no-cache, no-store, must-revalidate, max-age=0, s-maxage=0",
+  );
+  res.setHeader("Pragma", "no-cache");
+  res.setHeader("Expires", "0");
+};
+
+/**
+ * Sets the Cache-Control headers on the response object.
+ *
+ * @param {any} res The response object.
+ * @param {number} cacheSeconds The cache seconds to set in the headers.
+ */
+const setCacheHeaders = (res, cacheSeconds) => {
+  if (cacheSeconds < 1 || process.env.NODE_ENV === "development") {
+    disableCaching(res);
+    return;
+  }
+
+  res.setHeader(
+    "Cache-Control",
+    `max-age=${cacheSeconds}, ` +
+      `s-maxage=${cacheSeconds}, ` +
+      `stale-while-revalidate=${DURATIONS.ONE_DAY}`,
+  );
+};
+
+/**
+ * Sets the Cache-Control headers for error responses on the response object.
+ *
+ * @param {any} res The response object.
+ */
+const setErrorCacheHeaders = (res) => {
+  const envCacheSeconds = process.env.CACHE_SECONDS
+    ? parseInt(process.env.CACHE_SECONDS, 10)
+    : NaN;
+  if (
+    (!isNaN(envCacheSeconds) && envCacheSeconds < 1) ||
+    process.env.NODE_ENV === "development"
+  ) {
+    disableCaching(res);
+    return;
+  }
+
+  // Use lower cache period for errors.
+  res.setHeader(
+    "Cache-Control",
+    `max-age=${CACHE_TTL.ERROR}, ` +
+      `s-maxage=${CACHE_TTL.ERROR}, ` +
+      `stale-while-revalidate=${DURATIONS.ONE_DAY}`,
+  );
+};
+
+export {
+  resolveCacheSeconds,
+  setCacheHeaders,
+  setErrorCacheHeaders,
+  DURATIONS,
+  CACHE_TTL,
+};

package/src/common/color.js

@@ -0,0 +1,194 @@
+// @ts-check
+
+import { themes } from "../../themes/index.js";
+
+/**
+ * Checks if a string is a valid hex color.
+ *
+ * @param {string} hexColor String to check.
+ * @returns {boolean} True if the given string is a valid hex color.
+ */
+const isValidHexColor = (hexColor) => {
+  return new RegExp(
+    /^([A-Fa-f0-9]{8}|[A-Fa-f0-9]{6}|[A-Fa-f0-9]{3}|[A-Fa-f0-9]{4})$/,
+  ).test(hexColor);
+};
+
+/**
+ * Check if the given string is a valid gradient.
+ *
+ * @param {string[]} colors Array of colors.
+ * @returns {boolean} True if the given string is a valid gradient.
+ */
+const isValidGradient = (colors) => {
+  return (
+    colors.length > 2 &&
+    colors.slice(1).every((color) => isValidHexColor(color))
+  );
+};
+
+/**
+ * Retrieves a gradient if color has more than one valid hex codes else a single color.
+ *
+ * @param {string} color The color to parse.
+ * @param {string | string[]} fallbackColor The fallback color.
+ * @returns {string | string[]} The gradient or color.
+ */
+const fallbackColor = (color, fallbackColor) => {
+  let gradient = null;
+
+  let colors = color ? color.split(",") : [];
+  if (colors.length > 1 && isValidGradient(colors)) {
+    gradient = colors;
+  }
+
+  return (
+    (gradient ? gradient : isValidHexColor(color) && `#${color}`) ||
+    fallbackColor
+  );
+};
+
+/**
+ * Object containing card colors.
+ * @typedef {{
+ *  titleColor: string;
+ *  iconColor: string;
+ *  textColor: string;
+ *  bgColor: string | string[];
+ *  borderColor: string;
+ *  ringColor: string;
+ * }} CardColors
+ */
+
+/**
+ * Returns theme based colors with proper overrides and defaults.
+ *
+ * @param {Object} args Function arguments.
+ * @param {string=} args.title_color Card title color.
+ * @param {string=} args.text_color Card text color.
+ * @param {string=} args.icon_color Card icon color.
+ * @param {string=} args.bg_color Card background color.
+ * @param {string=} args.border_color Card border color.
+ * @param {string=} args.ring_color Card ring color.
+ * @param {string=} args.theme Card theme.
+ * @returns {CardColors} Card colors.
+ */
+const getCardColors = ({
+  title_color,
+  text_color,
+  icon_color,
+  bg_color,
+  border_color,
+  ring_color,
+  theme,
+}) => {
+  const defaultTheme = themes["default"];
+  const isThemeProvided = theme !== null && theme !== undefined;
+
+  // @ts-ignore
+  const selectedTheme = isThemeProvided ? themes[theme] : defaultTheme;
+
+  const defaultBorderColor =
+    "border_color" in selectedTheme
+      ? selectedTheme.border_color
+      : // @ts-ignore
+        defaultTheme.border_color;
+
+  // get the color provided by the user else the theme color
+  // finally if both colors are invalid fallback to default theme
+  const titleColor = fallbackColor(
+    title_color || selectedTheme.title_color,
+    "#" + defaultTheme.title_color,
+  );
+
+  // get the color provided by the user else the theme color
+  // finally if both colors are invalid we use the titleColor
+  const ringColor = fallbackColor(
+    // @ts-ignore
+    ring_color || selectedTheme.ring_color,
+    titleColor,
+  );
+  const iconColor = fallbackColor(
+    icon_color || selectedTheme.icon_color,
+    "#" + defaultTheme.icon_color,
+  );
+  const textColor = fallbackColor(
+    text_color || selectedTheme.text_color,
+    "#" + defaultTheme.text_color,
+  );
+  const bgColor = fallbackColor(
+    bg_color || selectedTheme.bg_color,
+    "#" + defaultTheme.bg_color,
+  );
+
+  const borderColor = fallbackColor(
+    border_color || defaultBorderColor,
+    "#" + defaultBorderColor,
+  );
+
+  if (
+    typeof titleColor !== "string" ||
+    typeof textColor !== "string" ||
+    typeof ringColor !== "string" ||
+    typeof iconColor !== "string" ||
+    typeof borderColor !== "string"
+  ) {
+    throw new Error(
+      "Unexpected behavior, all colors except background should be string.",
+    );
+  }
+
+  return { titleColor, iconColor, textColor, bgColor, borderColor, ringColor };
+};
+
+/**
+ * Validates and canonicalizes color parameters to prevent XSS.
+ * Returns a canonicalized color string (hex digits without #) for valid colors,
+ * or undefined for invalid colors, allowing renderError to use safe defaults.
+ * This ensures we never output user-controlled strings directly.
+ * Note: Returns without # prefix to match getCardColors expectations.
+ *
+ * @param {string|undefined} color The color value to validate and canonicalize.
+ * @returns {string|undefined} Canonicalized color (hex without #) or undefined.
+ */
+const validateColor = (color) => {
+  if (!color || typeof color !== "string") {
+    return undefined;
+  }
+  // Remove leading # if present and trim whitespace
+  const hexColor = color.replace(/^#/, "").trim();
+  // Only allow 3, 4, 6, or 8 digit hex codes - strict validation
+  if (
+    /^(?:[0-9A-Fa-f]{3}|[0-9A-Fa-f]{4}|[0-9A-Fa-f]{6}|[0-9A-Fa-f]{8})$/.test(
+      hexColor,
+    )
+  ) {
+    // Return canonicalized format: validated hex lowercase (never the original user string)
+    // Note: No # prefix as getCardColors expects colors without #
+    return hexColor.toLowerCase();
+  }
+  return undefined;
+};
+
+/**
+ * Validates theme parameter to prevent XSS.
+ * Returns undefined for invalid themes, allowing renderError to use safe defaults.
+ *
+ * @param {string|undefined} theme The theme name to validate.
+ * @returns {string|undefined} Validated theme name or undefined.
+ */
+const validateTheme = (theme) => {
+  if (!theme || typeof theme !== "string") {
+    return undefined;
+  }
+  // Check if theme exists in themes object (whitelist validation)
+  return themes[theme] ? theme : undefined;
+};
+
+export {
+  isValidHexColor,
+  isValidGradient,
+  getCardColors,
+  validateColor,
+  validateTheme,
+};

package/src/common/envs.js

@@ -0,0 +1,15 @@
+// @ts-check
+
+const whitelist = process.env.WHITELIST
+  ? process.env.WHITELIST.split(",")
+  : undefined;
+
+const gistWhitelist = process.env.GIST_WHITELIST
+  ? process.env.GIST_WHITELIST.split(",")
+  : undefined;
+
+const excludeRepositories = process.env.EXCLUDE_REPO
+  ? process.env.EXCLUDE_REPO.split(",")
+  : [];
+
+export { whitelist, gistWhitelist, excludeRepositories };

package/src/common/error.js

@@ -0,0 +1,84 @@
+// @ts-check
+
+/**
+ * @type {string} A general message to ask user to try again later.
+ */
+const TRY_AGAIN_LATER = "Please try again later";
+
+/**
+ * @type {Object<string, string>} A map of error types to secondary error messages.
+ */
+const SECONDARY_ERROR_MESSAGES = {
+  MAX_RETRY:
+    "You can deploy own instance or wait until public will be no longer limited",
+  NO_TOKENS:
+    "Please add an env variable called PAT_1 with your GitHub API token in vercel",
+  USER_NOT_FOUND: "Make sure the provided username is not an organization",
+  GRAPHQL_ERROR: TRY_AGAIN_LATER,
+  GITHUB_REST_API_ERROR: TRY_AGAIN_LATER,
+  WAKATIME_USER_NOT_FOUND: "Make sure you have a public WakaTime profile",
+};
+
+/**
+ * Custom error class to handle custom GRS errors.
+ */
+class CustomError extends Error {
+  /**
+   * Custom error constructor.
+   *
+   * @param {string} message Error message.
+   * @param {string} type Error type.
+   */
+  constructor(message, type) {
+    super(message);
+    this.type = type;
+    this.secondaryMessage = SECONDARY_ERROR_MESSAGES[type] || type;
+  }
+
+  static MAX_RETRY = "MAX_RETRY";
+  static NO_TOKENS = "NO_TOKENS";
+  static USER_NOT_FOUND = "USER_NOT_FOUND";
+  static GRAPHQL_ERROR = "GRAPHQL_ERROR";
+  static GITHUB_REST_API_ERROR = "GITHUB_REST_API_ERROR";
+  static WAKATIME_ERROR = "WAKATIME_ERROR";
+}
+
+/**
+ * Missing query parameter class.
+ */
+class MissingParamError extends Error {
+  /**
+   * Missing query parameter error constructor.
+   *
+   * @param {string[]} missedParams An array of missing parameters names.
+   * @param {string=} secondaryMessage Optional secondary message to display.
+   */
+  constructor(missedParams, secondaryMessage) {
+    const msg = `Missing params ${missedParams
+      .map((p) => `"${p}"`)
+      .join(", ")} make sure you pass the parameters in URL`;
+    super(msg);
+    this.missedParams = missedParams;
+    this.secondaryMessage = secondaryMessage;
+  }
+}
+
+/**
+ * Retrieve secondary message from an error object.
+ *
+ * @param {Error} err The error object.
+ * @returns {string|undefined} The secondary message if available, otherwise undefined.
+ */
+const retrieveSecondaryMessage = (err) => {
+  return "secondaryMessage" in err && typeof err.secondaryMessage === "string"
+    ? err.secondaryMessage
+    : undefined;
+};
+
+export {
+  CustomError,
+  MissingParamError,
+  SECONDARY_ERROR_MESSAGES,
+  TRY_AGAIN_LATER,
+  retrieveSecondaryMessage,
+};

package/src/common/fmt.js

@@ -0,0 +1,90 @@
+// @ts-check
+
+import wrap from "word-wrap";
+import { encodeHTML } from "./html.js";
+
+/**
+ * Retrieves num with suffix k(thousands) precise to given decimal places.
+ *
+ * @param {number} num The number to format.
+ * @param {number=} precision The number of decimal places to include.
+ * @returns {string|number} The formatted number.
+ */
+const kFormatter = (num, precision) => {
+  const abs = Math.abs(num);
+  const sign = Math.sign(num);
+
+  if (typeof precision === "number" && !isNaN(precision)) {
+    return (sign * (abs / 1000)).toFixed(precision) + "k";
+  }
+
+  if (abs < 1000) {
+    return sign * abs;
+  }
+
+  return sign * parseFloat((abs / 1000).toFixed(1)) + "k";
+};
+
+/**
+ * Convert bytes to a human-readable string representation.
+ *
+ * @param {number} bytes The number of bytes to convert.
+ * @returns {string} The human-readable representation of bytes.
+ * @throws {Error} If bytes is negative or too large.
+ */
+const formatBytes = (bytes) => {
+  if (bytes < 0) {
+    throw new Error("Bytes must be a non-negative number");
+  }
+
+  if (bytes === 0) {
+    return "0 B";
+  }
+
+  const sizes = ["B", "KB", "MB", "GB", "TB", "PB", "EB"];
+  const base = 1024;
+  const i = Math.floor(Math.log(bytes) / Math.log(base));
+
+  if (i >= sizes.length) {
+    throw new Error("Bytes is too large to convert to a human-readable string");
+  }
+
+  return `${(bytes / Math.pow(base, i)).toFixed(1)} ${sizes[i]}`;
+};
+
+/**
+ * Split text over multiple lines based on the card width.
+ *
+ * @param {string} text Text to split.
+ * @param {number} width Line width in number of characters.
+ * @param {number} maxLines Maximum number of lines.
+ * @returns {string[]} Array of lines.
+ */
+const wrapTextMultiline = (text, width = 59, maxLines = 3) => {
+  const fullWidthComma = "，";
+  const encoded = encodeHTML(text);
+  const isChinese = encoded.includes(fullWidthComma);
+
+  let wrapped = [];
+
+  if (isChinese) {
+    wrapped = encoded.split(fullWidthComma); // Chinese full punctuation
+  } else {
+    wrapped = wrap(encoded, {
+      width,
+    }).split("\n"); // Split wrapped lines to get an array of lines
+  }
+
+  const lines = wrapped.map((line) => line.trim()).slice(0, maxLines); // Only consider maxLines lines
+
+  // Add "..." to the last line if the text exceeds maxLines
+  if (wrapped.length > maxLines) {
+    lines[maxLines - 1] += "...";
+  }
+
+  // Remove empty lines if text fits in less than maxLines lines
+  const multiLineText = lines.filter(Boolean);
+  return multiLineText;
+};
+
+export { kFormatter, formatBytes, wrapTextMultiline };

package/src/common/html.js

@@ -0,0 +1,43 @@
+// @ts-check
+
+import escapeHtml from "escape-html";
+
+/**
+ * Encode string as HTML to prevent XSS.
+ * Uses the well-known escape-html library which encodes &, <, >, ", '.
+ * This is recognized by security scanners like CodeQL.
+ *
+ * @param {string} str String to encode.
+ * @returns {string} Encoded string.
+ */
+const encodeHTML = (str) => {
+  // escape-html handles XSS-critical characters: & < > " '
+  // Also remove backspace character which could cause display issues
+  return escapeHtml(str).replace(/\u0008/gim, "");
+};
+
+/**
+ * Escape CSS/attribute value to prevent XSS in SVG attributes.
+ * This function ensures that color values and other CSS values
+ * are safe to use in SVG attribute contexts.
+ *
+ * @param {string|string[]} value The CSS/attribute value to escape.
+ * @returns {string} Escaped value safe for use in SVG attributes.
+ */
+const escapeCSSValue = (value) => {
+  // Convert non-string values (e.g., arrays for gradients) to string first
+  const strValue = typeof value === "string" ? value : String(value);
+
+  // Escape quotes and special characters that could break out of attribute context
+  return strValue
+    .replace(/\\/g, "\\\\") // Escape backslashes first
+    .replace(/"/g, '\\"') // Escape double quotes
+    .replace(/'/g, "\\'") // Escape single quotes
+    .replace(/\n/g, "\\A ") // Escape newlines
+    .replace(/\r/g, "") // Remove carriage returns
+    .replace(/\f/g, "") // Remove form feeds
+    .replace(/</g, "\\3C ") // Escape less-than
+    .replace(/>/g, "\\3E "); // Escape greater-than
+};
+
+export { encodeHTML, escapeCSSValue };

package/src/common/http.js

@@ -0,0 +1,24 @@
+// @ts-check
+
+import axios from "axios";
+
+/**
+ * Send GraphQL request to GitHub API.
+ *
+ * @param {import('axios').AxiosRequestConfig['data']} data Request data.
+ * @param {import('axios').AxiosRequestConfig['headers']} headers Request headers.
+ * @returns {Promise<any>} Request response.
+ */
+const request = (data, headers) => {
+  return axios({
+    url: "https://api.github.com/graphql",
+    method: "post",
+    headers: {
+      "User-Agent": "github-readme-stats",
+      ...headers,
+    },
+    data,
+  });
+};
+
+export { request };

package/src/common/icons.js

@@ -0,0 +1,63 @@
+// @ts-check
+
+import escapeHtml from "escape-html";
+
+const icons = {
+  star: `<path fill-rule="evenodd" d="M8 .25a.75.75 0 01.673.418l1.882 3.815 4.21.612a.75.75 0 01.416 1.279l-3.046 2.97.719 4.192a.75.75 0 01-1.088.791L8 12.347l-3.766 1.98a.75.75 0 01-1.088-.79l.72-4.194L.818 6.374a.75.75 0 01.416-1.28l4.21-.611L7.327.668A.75.75 0 018 .25zm0 2.445L6.615 5.5a.75.75 0 01-.564.41l-3.097.45 2.24 2.184a.75.75 0 01.216.664l-.528 3.084 2.769-1.456a.75.75 0 01.698 0l2.77 1.456-.53-3.084a.75.75 0 01.216-.664l2.24-2.183-3.096-.45a.75.75 0 01-.564-.41L8 2.694v.001z"/>`,
+  commits: `<path fill-rule="evenodd" d="M1.643 3.143L.427 1.927A.25.25 0 000 2.104V5.75c0 .138.112.25.25.25h3.646a.25.25 0 00.177-.427L2.715 4.215a6.5 6.5 0 11-1.18 4.458.75.75 0 10-1.493.154 8.001 8.001 0 101.6-5.684zM7.75 4a.75.75 0 01.75.75v2.992l2.028.812a.75.75 0 01-.557 1.392l-2.5-1A.75.75 0 017 8.25v-3.5A.75.75 0 017.75 4z"/>`,
+  prs: `<path fill-rule="evenodd" d="M7.177 3.073L9.573.677A.25.25 0 0110 .854v4.792a.25.25 0 01-.427.177L7.177 3.427a.25.25 0 010-.354zM3.75 2.5a.75.75 0 100 1.5.75.75 0 000-1.5zm-2.25.75a2.25 2.25 0 113 2.122v5.256a2.251 2.251 0 11-1.5 0V5.372A2.25 2.25 0 011.5 3.25zM11 2.5h-1V4h1a1 1 0 011 1v5.628a2.251 2.251 0 101.5 0V5A2.5 2.5 0 0011 2.5zm1 10.25a.75.75 0 111.5 0 .75.75 0 01-1.5 0zM3.75 12a.75.75 0 100 1.5.75.75 0 000-1.5z"/>`,
+  prs_merged: `<path fill-rule="evenodd" d="M5.45 5.154A4.25 4.25 0 0 0 9.25 7.5h1.378a2.251 2.251 0 1 1 0 1.5H9.25A5.734 5.734 0 0 1 5 7.123v3.505a2.25 2.25 0 1 1-1.5 0V5.372a2.25 2.25 0 1 1 1.95-.218ZM4.25 13.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5Zm8.5-4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5ZM5 3.25a.75.75 0 1 0 0 .005V3.25Z" />`,
+  prs_merged_percentage: `<path fill-rule="evenodd" d="M13.442 2.558a.625.625 0 0 1 0 .884l-10 10a.625.625 0 1 1-.884-.884l10-10a.625.625 0 0 1 .884 0zM4.5 6a1.5 1.5 0 1 1 0-3 1.5 1.5 0 0 1 0 3zm0 1a2.5 2.5 0 1 0 0-5 2.5 2.5 0 0 0 0 5zm7 6a1.5 1.5 0 1 1 0-3 1.5 1.5 0 0 1 0 3zm0 1a2.5 2.5 0 1 0 0-5 2.5 2.5 0 0 0 0 5z" />`,
+  issues: `<path fill-rule="evenodd" d="M8 1.5a6.5 6.5 0 100 13 6.5 6.5 0 000-13zM0 8a8 8 0 1116 0A8 8 0 010 8zm9 3a1 1 0 11-2 0 1 1 0 012 0zm-.25-6.25a.75.75 0 00-1.5 0v3.5a.75.75 0 001.5 0v-3.5z"/>`,
+  icon: `<path fill-rule="evenodd" d="M2 2.5A2.5 2.5 0 014.5 0h8.75a.75.75 0 01.75.75v12.5a.75.75 0 01-.75.75h-2.5a.75.75 0 110-1.5h1.75v-2h-8a1 1 0 00-.714 1.7.75.75 0 01-1.072 1.05A2.495 2.495 0 012 11.5v-9zm10.5-1V9h-8c-.356 0-.694.074-1 .208V2.5a1 1 0 011-1h8zM5 12.25v3.25a.25.25 0 00.4.2l1.45-1.087a.25.25 0 01.3 0L8.6 15.7a.25.25 0 00.4-.2v-3.25a.25.25 0 00-.25-.25h-3.5a.25.25 0 00-.25.25z"/>`,
+  contribs: `<path fill-rule="evenodd" d="M2 2.5A2.5 2.5 0 014.5 0h8.75a.75.75 0 01.75.75v12.5a.75.75 0 01-.75.75h-2.5a.75.75 0 110-1.5h1.75v-2h-8a1 1 0 00-.714 1.7.75.75 0 01-1.072 1.05A2.495 2.495 0 012 11.5v-9zm10.5-1V9h-8c-.356 0-.694.074-1 .208V2.5a1 1 0 011-1h8zM5 12.25v3.25a.25.25 0 00.4.2l1.45-1.087a.25.25 0 01.3 0L8.6 15.7a.25.25 0 00.4-.2v-3.25a.25.25 0 00-.25-.25h-3.5a.25.25 0 00-.25.25z"/>`,
+  fork: `<path fill-rule="evenodd" d="M5 3.25a.75.75 0 11-1.5 0 .75.75 0 011.5 0zm0 2.122a2.25 2.25 0 10-1.5 0v.878A2.25 2.25 0 005.75 8.5h1.5v2.128a2.251 2.251 0 101.5 0V8.5h1.5a2.25 2.25 0 002.25-2.25v-.878a2.25 2.25 0 10-1.5 0v.878a.75.75 0 01-.75.75h-4.5A.75.75 0 015 6.25v-.878zm3.75 7.378a.75.75 0 11-1.5 0 .75.75 0 011.5 0zm3-8.75a.75.75 0 100-1.5.75.75 0 000 1.5z"></path>`,
+  reviews: `<path fill-rule="evenodd" d="M8 2c1.981 0 3.671.992 4.933 2.078 1.27 1.091 2.187 2.345 2.637 3.023a1.62 1.62 0 0 1 0 1.798c-.45.678-1.367 1.932-2.637 3.023C11.67 13.008 9.981 14 8 14c-1.981 0-3.671-.992-4.933-2.078C1.797 10.83.88 9.576.43 8.898a1.62 1.62 0 0 1 0-1.798c.45-.677 1.367-1.931 2.637-3.022C4.33 2.992 6.019 2 8 2ZM1.679 7.932a.12.12 0 0 0 0 .136c.411.622 1.241 1.75 2.366 2.717C5.176 11.758 6.527 12.5 8 12.5c1.473 0 2.825-.742 3.955-1.715 1.124-.967 1.954-2.096 2.366-2.717a.12.12 0 0 0 0-.136c-.412-.621-1.242-1.75-2.366-2.717C10.824 4.242 9.473 3.5 8 3.5c-1.473 0-2.825.742-3.955 1.715-1.124.967-1.954 2.096-2.366 2.717ZM8 10a2 2 0 1 1-.001-3.999A2 2 0 0 1 8 10Z"/>`,
+  discussions_started: `<path fill-rule="evenodd" d="M1.75 1h8.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 10.25 10H7.061l-2.574 2.573A1.458 1.458 0 0 1 2 11.543V10h-.25A1.75 1.75 0 0 1 0 8.25v-5.5C0 1.784.784 1 1.75 1ZM1.5 2.75v5.5c0 .138.112.25.25.25h1a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h3.5a.25.25 0 0 0 .25-.25v-5.5a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13 2a.25.25 0 0 0-.25-.25h-.5a.75.75 0 0 1 0-1.5h.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 14.25 12H14v1.543a1.458 1.458 0 0 1-2.487 1.03L9.22 12.28a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l2.22 2.22v-2.19a.75.75 0 0 1 .75-.75h1a.25.25 0 0 0 .25-.25Z" />`,
+  discussions_answered: `<path fill-rule="evenodd" d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z" />`,
+  gist: `<path fill-rule="evenodd" d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25Zm7.47 3.97a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L10.69 8 9.22 6.53a.75.75 0 0 1 0-1.06ZM6.78 6.53 5.31 8l1.47 1.47a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215l-2-2a.75.75 0 0 1 0-1.06l2-2a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z" />`,
+};
+
+/**
+ * Get rank icon
+ *
+ * **Security Note:** This function safely handles untrusted input by HTML-encoding
+ * the `rankLevel` parameter. Data from external APIs (like GitHub) is sanitized
+ * before being inserted into the SVG.
+ *
+ * @param {string} rankIcon - The rank icon type.
+ * @param {string} rankLevel - The rank level (will be HTML-encoded).
+ * @param {number} percentile - The rank percentile.
+ * @returns {string} - The SVG code of the rank icon
+ */
+const rankIcon = (rankIcon, rankLevel, percentile) => {
+  switch (rankIcon) {
+    case "github":
+      return `
+        <svg x="-38" y="-30" height="66" width="66" aria-hidden="true" viewBox="0 0 16 16" version="1.1" data-view-component="true" data-testid="github-rank-icon">
+          <path d="M8 0c4.42 0 8 3.58 8 8a8.013 8.013 0 0 1-5.45 7.59c-.4.08-.55-.17-.55-.38 0-.27.01-1.13.01-2.2 0-.75-.25-1.23-.54-1.48 1.78-.2 3.65-.88 3.65-3.95 0-.88-.31-1.59-.82-2.15.08-.2.36-1.02-.08-2.12 0 0-.67-.22-2.2.82-.64-.18-1.32-.27-2-.27-.68 0-1.36.09-2 .27-1.53-1.03-2.2-.82-2.2-.82-.44 1.1-.16 1.92-.08 2.12-.51.56-.82 1.28-.82 2.15 0 3.06 1.86 3.75 3.64 3.95-.23.2-.44.55-.51 1.07-.46.21-1.61.55-2.33-.66-.15-.24-.6-.83-1.23-.82-.67.01-.27.38.01.53.34.19.73.9.82 1.13.16.45.68 1.31 2.69.94 0 .67.01 1.3.01 1.49 0 .21-.15.45-.55.38A7.995 7.995 0 0 1 0 8c0-4.42 3.58-8 8-8Z"></path>
+        </svg>
+      `;
+    case "percentile":
+      // percentile.toFixed(1) produces numeric strings (e.g., "99.5"), safe to use directly
+      return `
+        <text x="-5" y="-12" alignment-baseline="central" dominant-baseline="central" text-anchor="middle" data-testid="percentile-top-header" class="rank-percentile-header">
+          Top
+        </text>
+        <text x="-5" y="12" alignment-baseline="central" dominant-baseline="central" text-anchor="middle" data-testid="percentile-rank-value" class="rank-percentile-text">
+          ${percentile.toFixed(1)}%
+        </text>
+      `;
+    case "default":
+    default:
+      // Sanitize rankLevel from external API to prevent XSS
+      return `
+        <text x="-5" y="3" alignment-baseline="central" dominant-baseline="central" text-anchor="middle" data-testid="level-rank-icon">
+          ${escapeHtml(rankLevel || "")}
+        </text>
+      `;
+  }
+};
+
+export { icons, rankIcon };
+export default icons;

package/src/common/index.js

@@ -0,0 +1,13 @@
+// @ts-check
+
+export { blacklist } from "./blacklist.js";
+export { Card } from "./Card.js";
+export { I18n } from "./I18n.js";
+export { icons } from "./icons.js";
+export { retryer } from "./retryer.js";
+export {
+  ERROR_CARD_LENGTH,
+  renderError,
+  flexLayout,
+  measureText,
+} from "./render.js";