@mastra/github-signals 0.1.4-alpha.0 → 0.2.0-alpha.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +31 -0
- package/dist/index.cjs +52 -4
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.ts +21 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +52 -5
- package/dist/index.js.map +1 -1
- package/package.json +4 -4
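--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,36 @@
 # @mastra/github-signals
 
+## 0.2.0-alpha.0
+
+### Minor Changes
+
+- Random bump ([#18178](https://github.com/mastra-ai/mastra/pull/18178))
+
+### Patch Changes
+
+- Updated dependencies [[`7c0d868`](https://github.com/mastra-ai/mastra/commit/7c0d868d97d0fdbc04c14d0166dbf44d4c5a4a62), [`d9d2273`](https://github.com/mastra-ai/mastra/commit/d9d2273c702690c9a26eab2aebea879701d4355a), [`b04369d`](https://github.com/mastra-ai/mastra/commit/b04369d6b167c698ef103981171a8bf92808e756), [`8f3c262`](https://github.com/mastra-ai/mastra/commit/8f3c262587b335588a02d96b17fd6aca34c885b3)]:
+- @mastra/core@1.45.0-alpha.0
+
+## 0.1.4
+
+### Patch Changes
+
+- Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the `latest` dist-tag forward, superseding the compromised versions that declared the malicious `easy-day-js` dependency. ([#18056](https://github.com/mastra-ai/mastra/pull/18056))
+
+- Sanitize PR comment bodies at ingestion by stripping all XML/HTML-like markup — HTML comments (including the large base64 machine-state blobs review bots like CodeRabbit hide inside them), `<details>` sections (delimiters and their collapsed inner content), and any leftover partial markup — and stop persisting the full comment body in notification metadata (the truncated excerpt is retained). Markdown code spans and fenced code blocks are preserved, so human-authored code examples such as `` `<Component>` `` or fenced JSX survive sanitization. This prevents oversized bot payloads from bloating notifications and overflowing agent context windows. The sanitizer uses `indexOf`-based block scanning with no backtracking regex to avoid catastrophic backtracking (ReDoS) on adversarial input. ([#18094](https://github.com/mastra-ai/mastra/pull/18094))
+
+- Updated dependencies [[`339c57c`](https://github.com/mastra-ai/mastra/commit/339c57c5b2c6dbe75a125e138228e0556528976f), [`1dd4117`](https://github.com/mastra-ai/mastra/commit/1dd4117dcbd8e031ede9f0489436bfbc6f0315b8), [`2b11d1f`](https://github.com/mastra-ai/mastra/commit/2b11d1f6ac7024c5dd2b2dd12a48a956ac9d63bd), [`77a2351`](https://github.com/mastra-ai/mastra/commit/77a2351ee79296e360bce822cb3391f7cfd6489d), [`b7dff0a`](https://github.com/mastra-ai/mastra/commit/b7dff0a3d1022eb6868f48dc40a2b1febd5c277f), [`02087e1`](https://github.com/mastra-ai/mastra/commit/02087e1fbc54aa07f3071f7a200df1bf5be601a8), [`49af8df`](https://github.com/mastra-ai/mastra/commit/49af8df589c4ff71a5015a4553b377b32704b691), [`30ce559`](https://github.com/mastra-ai/mastra/commit/30ce55902ecf819b8ab8697398dd68b108228063), [`c241b92`](https://github.com/mastra-ai/mastra/commit/c241b929dc8c8d6a7b7219c99ed13ac1f3124a77), [`7d6ff70`](https://github.com/mastra-ai/mastra/commit/7d6ff708727297a0526ca0e26e93eeb5bbaaa187), [`ab975d4`](https://github.com/mastra-ai/mastra/commit/ab975d4dd9488752f05bda7afa03166d207e3e2a), [`9d6aa1b`](https://github.com/mastra-ai/mastra/commit/9d6aa1bae407e2afa6a089abc2a6accbbcb287b8)]:
+- @mastra/core@1.44.0
+
+## 0.1.4-alpha.1
+
+### Patch Changes
+
+- Sanitize PR comment bodies at ingestion by stripping all XML/HTML-like markup — HTML comments (including the large base64 machine-state blobs review bots like CodeRabbit hide inside them), `<details>` sections (delimiters and their collapsed inner content), and any leftover partial markup — and stop persisting the full comment body in notification metadata (the truncated excerpt is retained). Markdown code spans and fenced code blocks are preserved, so human-authored code examples such as `` `<Component>` `` or fenced JSX survive sanitization. This prevents oversized bot payloads from bloating notifications and overflowing agent context windows. The sanitizer uses `indexOf`-based block scanning with no backtracking regex to avoid catastrophic backtracking (ReDoS) on adversarial input. ([#18094](https://github.com/mastra-ai/mastra/pull/18094))
+
+- Updated dependencies [[`b7dff0a`](https://github.com/mastra-ai/mastra/commit/b7dff0a3d1022eb6868f48dc40a2b1febd5c277f), [`02087e1`](https://github.com/mastra-ai/mastra/commit/02087e1fbc54aa07f3071f7a200df1bf5be601a8), [`ab975d4`](https://github.com/mastra-ai/mastra/commit/ab975d4dd9488752f05bda7afa03166d207e3e2a)]:
+- @mastra/core@1.44.0-alpha.1
+
 ## 0.1.4-alpha.0
 
 ### Patch Changes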
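--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -150,8 +150,53 @@ function getPrLabel(subscription, snapshot) {
 function getMergedNotificationSummary(label) {
 return `${label} was merged. This thread has been automatically unsubscribed from this PR. Resubscribe if you still need updates.`;
 }
+function stripBlocks(text, open, close) {
+const haystack = text.toLowerCase();
+const openLower = open.toLowerCase();
+const closeLower = close.toLowerCase();
+let result = "";
+let cursor = 0;
+for (; ; ) {
+const start = haystack.indexOf(openLower, cursor);
+if (start === -1) {
+result += text.slice(cursor);
+return result;
+}
+result += text.slice(cursor, start);
+const end = haystack.indexOf(closeLower, start + openLower.length);
+if (end === -1) return result;
+cursor = end + closeLower.length;
+}
+}
+var CODE_TOKEN_PREFIX = "\0CODE";
+var CODE_TOKEN_SUFFIX = "\0";
+function preserveMarkdownCode(text) {
+const preserved = [];
+const stash = (match) => {
+const token = `${CODE_TOKEN_PREFIX}${preserved.length}${CODE_TOKEN_SUFFIX}`;
+preserved.push(match);
+return token;
+};
+const protectedText = text.replace(/```[\s\S]*?```/g, stash).replace(/(`{2,})(?!`)[\s\S]*?[^`]\1(?!`)/g, stash).replace(/`[^`\n]*`/g, stash);
+return {
+text: protectedText,
+restore: (sanitized) => sanitized.replace(/\u0000CODE(\d+)\u0000/g, (_, index) => preserved[Number(index)] ?? "")
+};
+}
+function sanitizeCommentText(body) {
+const { text: protectedBody, restore } = preserveMarkdownCode(body);
+let text = stripBlocks(protectedBody, "<!--", "-->");
+text = stripBlocks(text, "<details", "</details>");
+const stripped = text.replace(/<\/?[a-zA-Z][^<>]*>/g, "").replace(/<[!/a-zA-Z][\s\S]*$/g, "").replace(/</g, "").replace(/\n{3,}/g, "\n\n").trim();
+return restore(stripped);
+}
+function sanitizeCommentBody(body) {
+if (body === void 0) return void 0;
+const sanitized = sanitizeCommentText(body);
+return sanitized.length > 0 ? sanitized : void 0;
+}
 function getCommentExcerpt(body) {
-const excerpt = body.replace(/\s+/g, " ").trim();
+const excerpt = sanitizeCommentText(body).replace(/\s+/g, " ").trim();
 return excerpt.length > 240 ? `${excerpt.slice(0, 237)}...` : excerpt;
 }
 function getCommentNotificationSummary(pr, snapshot) {
@@ -503,14 +548,14 @@ var GitcrawlSyncClient = class {
 latestCommentAuthor: readString(latestComment?.author_login),
 latestCommentAuthorType: readString(latestComment?.author_type),
 latestCommentIsBot: latestComment?.is_bot === 1,
-latestCommentBody: readString(latestComment?.body),
+latestCommentBody: sanitizeCommentBody(readString(latestComment?.body)),
 latestCommentUrl: readString(latestComment?.html_url),
 latestCommentUpdatedAt: readString(latestComment?.updated_at),
 latestComments: latestComments.map((comment) => ({
 author: readString(comment.author_login),
 authorType: readString(comment.author_type),
 isBot: comment.is_bot === 1,
-body: readString(comment.body),
+body: sanitizeCommentBody(readString(comment.body)),
 url: readString(comment.html_url),
 updatedAt: readString(comment.updated_at)
 }))
@@ -1012,7 +1057,9 @@ var GithubSignals = class extends signals.SignalProvider {
 latestCommentAuthor: input.snapshot.latestCommentAuthor,
 latestCommentAuthorType: input.snapshot.latestCommentAuthorType,
 latestCommentIsBot: input.snapshot.latestCommentIsBot,
-latestCommentBody:
+// Intentionally omit the full latestCommentBody here: persisting it verbatim bloats
+// notification payloads (a single CodeRabbit comment can exceed 100KB) and can overflow
+// agent context windows when listed. The 240-char latestCommentExcerpt is stored instead.
 latestCommentExcerpt,
 latestCommentUrl: input.snapshot.latestCommentUrl,
 latestCommentUpdatedAt: input.snapshot.latestCommentUpdatedAt,
@@ -1334,5 +1381,6 @@ exports.GitRemoteRepositoryResolver = GitRemoteRepositoryResolver;
 exports.GitcrawlSyncClient = GitcrawlSyncClient;
 exports.GithubSignals = GithubSignals;
 exports.normalizeGithubChecksForSnapshot = normalizeGithubChecksForSnapshot;
+exports.sanitizeCommentText = sanitizeCommentText;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map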
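Review bot: `sanitizeCommentText` truncates rather than strips when markup is unterminated, and nothing on the newly exported function says so: `if (end === -1) return result;` in `stripBlocks` discards everything after an unclosed `<!--` or `<details`, and `.replace(/<[!/a-zA-Z][\s\S]*$/g, "")` discards everything after a stray `<` followed by a letter, so human prose like `a <b and c` comes out as `a` before it reaches the excerpt or `latestCommentBody`. That may be the intended fail-closed handling for bot payloads, but callers of the export cannot tell; I would add a JSDoc above `function sanitizeCommentText(body)` stating that it removes HTML comments, `<details>` blocks and tags while preserving Markdown code spans and fences, and that any content after an unterminated comment, details block or tag start is dropped rather than kept. Two smaller points: the double-backtick regex in `preserveMarkdownCode` (`[\s\S]*?` followed by a backreference) appears to rescan to end-of-input once per unclosed run, so the changelog's "no backtracking regex" claim seems to cover only `stripBlocks` and that step deserves a size-capped or fuzz test on long bodies. Placeholders are built from `\0CODE<n>\0`, so a body that already contains NUL bytes could collide with a token and have a preserved span substituted in its place on `restore`; stripping `\0` from the input before stashing would close that gap.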