@mastra/github-signals 0.1.4-alpha.0 → 0.2.0-alpha.0

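--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,36 @@
 # @mastra/github-signals
 
+## 0.2.0-alpha.0
+
+### Minor Changes
+
+- Random bump ([#18178](https://github.com/mastra-ai/mastra/pull/18178))
+
+### Patch Changes
+
+- Updated dependencies [[`7c0d868`](https://github.com/mastra-ai/mastra/commit/7c0d868d97d0fdbc04c14d0166dbf44d4c5a4a62), [`d9d2273`](https://github.com/mastra-ai/mastra/commit/d9d2273c702690c9a26eab2aebea879701d4355a), [`b04369d`](https://github.com/mastra-ai/mastra/commit/b04369d6b167c698ef103981171a8bf92808e756), [`8f3c262`](https://github.com/mastra-ai/mastra/commit/8f3c262587b335588a02d96b17fd6aca34c885b3)]:
+- @mastra/core@1.45.0-alpha.0
+
+## 0.1.4
+
+### Patch Changes
+
+- Security remediation for the 2026-06-17 "easy-day-js" supply-chain incident. Patch bump to publish clean versions and move the `latest` dist-tag forward, superseding the compromised versions that declared the malicious `easy-day-js` dependency. ([#18056](https://github.com/mastra-ai/mastra/pull/18056))
+
+- Sanitize PR comment bodies at ingestion by stripping all XML/HTML-like markup — HTML comments (including the large base64 machine-state blobs review bots like CodeRabbit hide inside them), `<details>` sections (delimiters and their collapsed inner content), and any leftover partial markup — and stop persisting the full comment body in notification metadata (the truncated excerpt is retained). Markdown code spans and fenced code blocks are preserved, so human-authored code examples such as `` `<Component>` `` or fenced JSX survive sanitization. This prevents oversized bot payloads from bloating notifications and overflowing agent context windows. The sanitizer uses `indexOf`-based block scanning with no backtracking regex to avoid catastrophic backtracking (ReDoS) on adversarial input. ([#18094](https://github.com/mastra-ai/mastra/pull/18094))
+
+- Updated dependencies [[`339c57c`](https://github.com/mastra-ai/mastra/commit/339c57c5b2c6dbe75a125e138228e0556528976f), [`1dd4117`](https://github.com/mastra-ai/mastra/commit/1dd4117dcbd8e031ede9f0489436bfbc6f0315b8), [`2b11d1f`](https://github.com/mastra-ai/mastra/commit/2b11d1f6ac7024c5dd2b2dd12a48a956ac9d63bd), [`77a2351`](https://github.com/mastra-ai/mastra/commit/77a2351ee79296e360bce822cb3391f7cfd6489d), [`b7dff0a`](https://github.com/mastra-ai/mastra/commit/b7dff0a3d1022eb6868f48dc40a2b1febd5c277f), [`02087e1`](https://github.com/mastra-ai/mastra/commit/02087e1fbc54aa07f3071f7a200df1bf5be601a8), [`49af8df`](https://github.com/mastra-ai/mastra/commit/49af8df589c4ff71a5015a4553b377b32704b691), [`30ce559`](https://github.com/mastra-ai/mastra/commit/30ce55902ecf819b8ab8697398dd68b108228063), [`c241b92`](https://github.com/mastra-ai/mastra/commit/c241b929dc8c8d6a7b7219c99ed13ac1f3124a77), [`7d6ff70`](https://github.com/mastra-ai/mastra/commit/7d6ff708727297a0526ca0e26e93eeb5bbaaa187), [`ab975d4`](https://github.com/mastra-ai/mastra/commit/ab975d4dd9488752f05bda7afa03166d207e3e2a), [`9d6aa1b`](https://github.com/mastra-ai/mastra/commit/9d6aa1bae407e2afa6a089abc2a6accbbcb287b8)]:
+- @mastra/core@1.44.0
+
+## 0.1.4-alpha.1
+
+### Patch Changes
+
+- Sanitize PR comment bodies at ingestion by stripping all XML/HTML-like markup — HTML comments (including the large base64 machine-state blobs review bots like CodeRabbit hide inside them), `<details>` sections (delimiters and their collapsed inner content), and any leftover partial markup — and stop persisting the full comment body in notification metadata (the truncated excerpt is retained). Markdown code spans and fenced code blocks are preserved, so human-authored code examples such as `` `<Component>` `` or fenced JSX survive sanitization. This prevents oversized bot payloads from bloating notifications and overflowing agent context windows. The sanitizer uses `indexOf`-based block scanning with no backtracking regex to avoid catastrophic backtracking (ReDoS) on adversarial input. ([#18094](https://github.com/mastra-ai/mastra/pull/18094))
+
+- Updated dependencies [[`b7dff0a`](https://github.com/mastra-ai/mastra/commit/b7dff0a3d1022eb6868f48dc40a2b1febd5c277f), [`02087e1`](https://github.com/mastra-ai/mastra/commit/02087e1fbc54aa07f3071f7a200df1bf5be601a8), [`ab975d4`](https://github.com/mastra-ai/mastra/commit/ab975d4dd9488752f05bda7afa03166d207e3e2a)]:
+- @mastra/core@1.44.0-alpha.1
+
 ## 0.1.4-alpha.0
 
 ### Patch Changes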
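--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -150,8 +150,53 @@ function getPrLabel(subscription, snapshot) {
 function getMergedNotificationSummary(label) {
 return `${label} was merged. This thread has been automatically unsubscribed from this PR. Resubscribe if you still need updates.`;
 }
+function stripBlocks(text, open, close) {
+const haystack = text.toLowerCase();
+const openLower = open.toLowerCase();
+const closeLower = close.toLowerCase();
+let result = "";
+let cursor = 0;
+for (; ; ) {
+const start = haystack.indexOf(openLower, cursor);
+if (start === -1) {
+result += text.slice(cursor);
+return result;
+}
+result += text.slice(cursor, start);
+const end = haystack.indexOf(closeLower, start + openLower.length);
+if (end === -1) return result;
+cursor = end + closeLower.length;
+}
+}
+var CODE_TOKEN_PREFIX = "\0CODE";
+var CODE_TOKEN_SUFFIX = "\0";
+function preserveMarkdownCode(text) {
+const preserved = [];
+const stash = (match) => {
+const token = `${CODE_TOKEN_PREFIX}${preserved.length}${CODE_TOKEN_SUFFIX}`;
+preserved.push(match);
+return token;
+};
+const protectedText = text.replace(/```[\s\S]*?```/g, stash).replace(/(`{2,})(?!`)[\s\S]*?[^`]\1(?!`)/g, stash).replace(/`[^`\n]*`/g, stash);
+return {
+text: protectedText,
+restore: (sanitized) => sanitized.replace(/\u0000CODE(\d+)\u0000/g, (_, index) => preserved[Number(index)] ?? "")
+};
+}
+function sanitizeCommentText(body) {
+const { text: protectedBody, restore } = preserveMarkdownCode(body);
+let text = stripBlocks(protectedBody, "<!--", "-->");
+text = stripBlocks(text, "<details", "</details>");
+const stripped = text.replace(/<\/?[a-zA-Z][^<>]*>/g, "").replace(/<[!/a-zA-Z][\s\S]*$/g, "").replace(/</g, "").replace(/\n{3,}/g, "\n\n").trim();
+return restore(stripped);
+}
+function sanitizeCommentBody(body) {
+if (body === void 0) return void 0;
+const sanitized = sanitizeCommentText(body);
+return sanitized.length > 0 ? sanitized : void 0;
+}
 function getCommentExcerpt(body) {
-const excerpt = body.replace(/\s+/g, " ").trim();
+const excerpt = sanitizeCommentText(body).replace(/\s+/g, " ").trim();
 return excerpt.length > 240 ? `${excerpt.slice(0, 237)}...` : excerpt;
 }
 function getCommentNotificationSummary(pr, snapshot) {
@@ -503,14 +548,14 @@ var GitcrawlSyncClient = class {
 latestCommentAuthor: readString(latestComment?.author_login),
 latestCommentAuthorType: readString(latestComment?.author_type),
 latestCommentIsBot: latestComment?.is_bot === 1,
-latestCommentBody: readString(latestComment?.body),
+latestCommentBody: sanitizeCommentBody(readString(latestComment?.body)),
 latestCommentUrl: readString(latestComment?.html_url),
 latestCommentUpdatedAt: readString(latestComment?.updated_at),
 latestComments: latestComments.map((comment) => ({
 author: readString(comment.author_login),
 authorType: readString(comment.author_type),
 isBot: comment.is_bot === 1,
-body: readString(comment.body),
+body: sanitizeCommentBody(readString(comment.body)),
 url: readString(comment.html_url),
 updatedAt: readString(comment.updated_at)
 }))
@@ -1012,7 +1057,9 @@ var GithubSignals = class extends signals.SignalProvider {
 latestCommentAuthor: input.snapshot.latestCommentAuthor,
 latestCommentAuthorType: input.snapshot.latestCommentAuthorType,
 latestCommentIsBot: input.snapshot.latestCommentIsBot,
-latestCommentBody: input.snapshot.latestCommentBody,
+// Intentionally omit the full latestCommentBody here: persisting it verbatim bloats
+// notification payloads (a single CodeRabbit comment can exceed 100KB) and can overflow
+// agent context windows when listed. The 240-char latestCommentExcerpt is stored instead.
 latestCommentExcerpt,
 latestCommentUrl: input.snapshot.latestCommentUrl,
 latestCommentUpdatedAt: input.snapshot.latestCommentUpdatedAt,
@@ -1334,5 +1381,6 @@ exports.GitRemoteRepositoryResolver = GitRemoteRepositoryResolver;
 exports.GitcrawlSyncClient = GitcrawlSyncClient;
 exports.GithubSignals = GithubSignals;
 exports.normalizeGithubChecksForSnapshot = normalizeGithubChecksForSnapshot;
+exports.sanitizeCommentText = sanitizeCommentText;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map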
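Review bot: In the first hunk, `stripBlocks` searches a `toLowerCase()` copy of `text` but slices the original `text` with the indices it finds, and the two drift apart whenever lowercasing changes string length (in JS `"İ".toLowerCase()` is two UTF-16 units), so a comment body containing such characters before a `<!--` or `<details` marker is sliced at shifted offsets and a fragment of the block can survive or adjacent text be dropped. Since the callers only pass ASCII delimiters, a length-preserving fold keeps the indices aligned: `const haystack = text.replace(/[A-Z]/g, (c) => c.toLowerCase());`. Separately, the double-backtick pattern in `preserveMarkdownCode`, `/(`{2,})(?!`)[\s\S]*?[^`]\1(?!`)/g`, restarts a lazy scan to end-of-input at every unmatched `` `` `` run, which looks quadratic on a body full of unclosed double backticks and is worth a timed test given the changelog's ReDoS claim. Both functions are complete within the hunk; the enclosing module continues outside it.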