@networkpro/web 1.15.0 → 1.15.1

package/.node-version

@@ -1 +1 @@
-24.3.0
+24.4.0

package/.nvmrc

@@ -1 +1 @@
-24.3.0
+24.4.0

package/CHANGELOG.md

@@ -22,6 +22,41 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 ---
 
+## [1.15.1] - 2025-07-12
+
+### Added
+
+- Added `Report-To` header in `src/hooks.server.js` to support modern CSP reporting
+
+### Changed
+
+- Bumped project version to `1.15.1`
+- Updated CSP report URL in `src/hooks.server.js` to use external endpoint
+- Updated `sitemap.xml` to reflect latest site structure
+- Updated `.node-version` and `.nvmrc` to `v24.4.0`
+- Cleaned up `netlify.toml`:
+  - Removed `[[edge_functions]]` block
+  - Confirmed `ENV_MODE` remains for internal tooling
+- Updated to latest versions:
+  - `@eslint/js` to `^9.31.0`
+  - `@playwright/test` to `^1.54.1`
+  - `@sveltejs/kit` to `2.22.5`
+  - `@sveltejs/vite-plugin-svelte` to `6.0.0`
+  - `eslint` to `^9.31.0`
+  - `eslint-plugin-jsdoc` to `^51.3.4`
+  - `playwright` to `^1.54.1`
+  - `posthog-js` to `^1.257.0`
+  - `stylelint` to `^16.21.1`
+  - `svelte` to `5.35.6`
+  - `vite` to `7.0.4`
+
+### Removed
+
+- Deleted `/netlify/edge-functions/` and `csp-report.js` (CSP report handling is now in its own project)
+- Removed `tests/unit/server/csp-report.test.js` from project, as CSP endpoint has been relocated
+
+---
+
 ## [1.15.0] - 2025-07-01
 
 ### Added
@@ -615,7 +650,8 @@ This project attempts to follow [Keep a Changelog](https://keepachangelog.com/en
 
 <!-- Link references -->
 
-[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.15.0...HEAD
+[Unreleased]: https://github.com/netwk-pro/netwk-pro.github.io/compare/v1.15.1...HEAD
+[1.15.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.1
 [1.15.0]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.15.0
 [1.14.2]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.14.2
 [1.14.1]: https://github.com/netwk-pro/netwk-pro.github.io/releases/tag/v1.14.1

package/netlify.toml

@@ -2,7 +2,6 @@
   command = "npm run build"
 
 [build.environment]
-  NODE_VERSION = "22"
   ENV_MODE = "prod"
 
 [dev]
@@ -10,10 +9,6 @@
   targetPort = 5173
   port = 8888
 
-[[edge_functions]]
-  path = "/api/csp-report"
-  function = "csp-report"
-
 [[plugins]]
   package = "netlify-plugin-submit-sitemap"
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@networkpro/web",
   "private": false,
-  "version": "1.15.0",
+  "version": "1.15.1",
   "description": "Locking Down Networks, Unlocking Confidence™ | Security, Networking, Privacy — Network Pro Strategies",
   "keywords": [
     "advisory",
@@ -79,26 +79,26 @@
   },
   "dependencies": {
     "dompurify": "^3.2.6",
-    "posthog-js": "^1.256.0",
+    "posthog-js": "^1.257.0",
     "semver": "^7.7.2",
-    "svelte": "5.34.9"
+    "svelte": "5.35.6"
   },
   "devDependencies": {
     "@eslint/compat": "^1.3.1",
-    "@eslint/js": "^9.30.0",
+    "@eslint/js": "^9.31.0",
     "@lhci/cli": "^0.15.1",
-    "@playwright/test": "^1.53.2",
+    "@playwright/test": "^1.54.1",
     "@sveltejs/adapter-netlify": "^5.0.2",
-    "@sveltejs/kit": "2.22.2",
-    "@sveltejs/vite-plugin-svelte": "5.1.0",
+    "@sveltejs/kit": "2.22.5",
+    "@sveltejs/vite-plugin-svelte": "^6.0.0",
     "@testing-library/jest-dom": "^6.6.3",
     "@testing-library/svelte": "^5.2.8",
     "@vitest/coverage-v8": "^3.2.4",
     "autoprefixer": "^10.4.21",
     "browserslist": "^4.25.1",
-    "eslint": "^9.30.0",
+    "eslint": "^9.31.0",
     "eslint-config-prettier": "^10.1.5",
-    "eslint-plugin-jsdoc": "^51.3.1",
+    "eslint-plugin-jsdoc": "^51.3.4",
     "eslint-plugin-svelte": "^3.10.1",
     "globals": "^16.3.0",
     "jsdom": "^26.1.0",
@@ -106,11 +106,11 @@
     "markdownlint": "^0.38.0",
     "markdownlint-cli2": "^0.18.1",
     "mdsvex": "^0.12.6",
-    "playwright": "^1.53.2",
+    "playwright": "^1.54.1",
     "postcss": "^8.5.6",
     "prettier": "^3.6.2",
     "prettier-plugin-svelte": "^3.4.0",
-    "stylelint": "^16.21.0",
+    "stylelint": "^16.21.1",
     "stylelint-config-html": "^1.1.0",
     "stylelint-config-recommended": "^16.0.0",
     "stylelint-order": "^7.0.0",
@@ -118,7 +118,7 @@
     "svelte-eslint-parser": "^1.2.0",
     "svelte-preprocess": "^6.0.3",
     "typescript": "^5.8.3",
-    "vite": "6.3.5",
+    "vite": "^7.0.4",
     "vite-plugin-lightningcss": "^0.0.5",
     "vite-tsconfig-paths": "^5.1.4",
     "vitest": "^3.2.4"

package/src/app.html

@@ -63,7 +63,7 @@
       content="bx4ham0zkpvzztzu213bhpt76m9siq" />
     <!-- cspell:enable -->
 
-    <meta name="generator" content="SvelteKit 2.22.2" />
+    <meta name="generator" content="SvelteKit 2.22.5" />
 
     <script src="/disableSw.js"></script>
 

package/src/hooks.server.js

@@ -25,7 +25,10 @@ export async function handle({ event, resolve }) {
   console.log('[CSP Debug] ENV_MODE:', process.env.ENV_MODE);
 
   // Determine report URI
-  const reportUri = isProdEnvironment ? '/api/csp-report' : '/api/mock-csp';
+  const reportUri =
+    isProdEnvironment && !isTestEnvironment
+      ? 'https://csp.netwk.pro/.netlify/functions/csp-report'
+      : '/api/mock-csp';
 
   // Construct base policy
   const cspDirectives = [
@@ -40,7 +43,9 @@ export async function handle({ event, resolve }) {
     "object-src 'none';",
     "frame-ancestors 'none';",
     'upgrade-insecure-requests;',
+    // Report CSP violations to external endpoint hosted at csp.netwk.pro
     `report-uri ${reportUri};`,
+    'report-to csp-endpoint;',
   ];
 
   // Loosen up CSP for test environments
@@ -54,6 +59,20 @@ export async function handle({ event, resolve }) {
     cspDirectives[5] = "connect-src 'self';";
   }
 
+  response.headers.set(
+    'Report-To',
+    JSON.stringify({
+      group: 'csp-endpoint',
+      max_age: 10886400, // 18 weeks
+      endpoints: [
+        {
+          url: 'https://csp.netwk.pro/.netlify/functions/csp-report',
+        },
+      ],
+      include_subdomains: true,
+    }),
+  );
+
   response.headers.set('Content-Security-Policy', cspDirectives.join(' '));
 
   // Set other security headers

package/static/sitemap.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- Sitemap last updated on 2025-06-11 -->
+<!-- Sitemap last updated on July 12, 2025 -->
 
 <urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
 
@@ -7,7 +7,7 @@
 
     <loc>https://netwk.pro</loc>
 
-    <lastmod>2025-06-10</lastmod>
+    <lastmod>2025-07-12</lastmod>
 
     <changefreq>weekly</changefreq>
 
@@ -43,7 +43,7 @@
 
     <loc>https://netwk.pro/privacy-dashboard</loc>
 
-    <lastmod>2025-05-28</lastmod>
+    <lastmod>2025-06-30</lastmod>
 
     <changefreq>monthly</changefreq>
 
@@ -55,7 +55,7 @@
 
     <loc>https://netwk.pro/privacy</loc>
 
-    <lastmod>2025-06-02</lastmod>
+    <lastmod>2025-06-30</lastmod>
 
     <changefreq>monthly</changefreq>
 

package/netlify/edge-functions/csp-report.js

@@ -1,160 +0,0 @@
-/* ==========================================================================
-edge-functions/csp-report.js
-
-Copyright © 2025 Network Pro Strategies (Network Pro™)
-SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-This file is part of Network Pro.
-========================================================================== */
-
-/**
- * @file csp-report.js
- * @description Netlify Edge Function to handle CSP violation reports.
- *
- * Accepts POST requests to /api/csp-report and logs relevant CSP reports.
- * Filters out common low-value reports (e.g., img-src) to reduce invocation
- * cost. Alerts on high-risk violations via ntfy topic.
- *
- * @module netlify/edge-functions
- * @author SunDevil311
- * @updated 2025-05-31
- */
-
-/**
- * Netlify Edge Function entry point for CSP reporting.
- *
- * @param {Request} request - The incoming HTTP request object
- * @param {import('@netlify/edge-functions').Context} _context - The Netlify Edge Function context (unused)
- * @returns {Promise<Response>} HTTP Response with status 204 or 405
- */
-export default async (request, _context) => {
-  if (request.method !== 'POST') {
-    return new Response('Method Not Allowed', { status: 405 });
-  }
-
-  try {
-    const body = await request.json();
-    const report = body['csp-report'];
-
-    // Ignore if report is missing or malformed
-    if (!report || typeof report !== 'object') {
-      return new Response(null, { status: 204 });
-    }
-
-    const violated = report['violated-directive'] ?? '';
-    const blockedUri = report['blocked-uri'] ?? '';
-
-    // Filter: Skip noisy or unactionable reports
-    const ignored = [
-      violated.startsWith('img-src'),
-      blockedUri === '',
-      blockedUri === 'eval',
-      blockedUri === 'about',
-      blockedUri.startsWith('chrome-extension://'),
-      blockedUri.startsWith('moz-extension://'),
-      !report['source-file'],
-      !report['document-uri'],
-    ].some(Boolean);
-
-    if (ignored) {
-      console.log('[CSP-Edge] Ignored low-value violation:', {
-        directive: violated,
-        uri: blockedUri,
-      });
-      return new Response(null, { status: 204 });
-    }
-
-    // Send alert for high-risk directives
-    await sendToNtfy(violated, blockedUri, report);
-
-    // Log useful violations
-    console.log('[CSP-Edge] Violation:', {
-      directive: violated,
-      uri: blockedUri,
-      referrer: report['referrer'],
-      source: report['source-file'],
-      line: report['line-number'],
-    });
-  } catch (err) {
-    console.warn('[CSP-Edge] Failed to parse CSP report:', err.message);
-  }
-
-  return new Response(null, { status: 204 });
-};
-
-const recentViolations = new Map();
-const VIOLATION_TTL_MS = 60_000;
-
-/**
- * Sends a high-priority alert to your ntfy topic for high-risk CSP violations.
- * Applies rate-limiting to avoid sending duplicate alerts within 60 seconds.
- *
- * @param {string} violated - The violated CSP directive
- * @param {string} blockedUri - The URI that was blocked
- * @param {Record<string, any>} report - The full CSP report object
- */
-async function sendToNtfy(violated, blockedUri, report) {
-  const highRiskDirectives = [
-    'script-src',
-    'form-action',
-    'frame-ancestors',
-    'base-uri',
-  ];
-
-  const directiveKey = violated.split(' ')[0]; // strip fallback values or sources
-  const isHighRisk = highRiskDirectives.includes(directiveKey);
-  console.log(
-    `[CSP-Edge] Directive ${directiveKey} is ${isHighRisk ? '' : 'not '}high-risk`,
-  );
-  if (!isHighRisk) return;
-
-  const key = `${violated}|${blockedUri}`;
-  const now = Date.now();
-
-  // Skip and log if violation was reported recently
-  if (
-    recentViolations.has(key) &&
-    now - recentViolations.get(key) < VIOLATION_TTL_MS
-  ) {
-    console.log(`[CSP-Edge] Skipped duplicate alert for ${key}`);
-    return;
-  }
-
-  // Record the current timestamp
-  recentViolations.set(key, now);
-
-  // Cleanup old entries (memory-safe for low volume)
-  for (const [k, t] of recentViolations.entries()) {
-    if (now - t > VIOLATION_TTL_MS) {
-      recentViolations.delete(k);
-    }
-  }
-
-  const topicUrl = 'https://ntfy.neteng.pro/csp-alerts';
-
-  const message = [
-    `🚨 CSP Violation Detected`,
-    `Directive: ${violated}`,
-    `Blocked URI: ${blockedUri}`,
-    `Referrer: ${report.referrer || 'N/A'}`,
-    `Source: ${report['source-file'] || 'N/A'}`,
-    `Line: ${report['line-number'] || 'N/A'}`,
-  ].join('\n');
-
-  await fetch(topicUrl, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'text/plain',
-      'X-Title': 'High-Risk CSP Violation',
-      'X-Priority': '5',
-    },
-    body: message,
-  });
-}
-
-/**
- * Configuration block for the Edge Function.
- * This sets the endpoint route to /api/csp-report
- */
-export const config = {
-  path: '/api/csp-report',
-};

package/tests/unit/server/csp-report.test.js

@@ -1,81 +0,0 @@
-/* ==========================================================================
-tests/unit/server/csp-report.test.js
-
-Copyright © 2025 Network Pro Strategies (Network Pro™)
-SPDX-License-Identifier: CC-BY-4.0 OR GPL-3.0-or-later
-This file is part of Network Pro.
-========================================================================== */
-
-/**
- * Tests the edge-functions/csp-report.js CSP reporting endpoint
- *
- * @module tests/unit
- * @author SunDevil311
- * @updated 2025-05-31
- */
-
-/** @file Unit tests for edge-functions/csp-report.js using Vitest */
-/** @typedef {import('vitest').TestContext} TestContext */
-
-import { beforeEach, describe, expect, it, vi } from 'vitest';
-import handler from '../../../netlify/edge-functions/csp-report.js';
-
-// 🧪 Mock fetch used by sendToNtfy inside the Edge Function
-global.fetch = vi.fn(() =>
-  Promise.resolve({ ok: true, status: 200, text: () => 'OK' }),
-);
-
-describe('csp-report.js', () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it('should handle a valid CSP report', async () => {
-    const req = new Request('http://localhost/api/csp-report', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({
-        'csp-report': {
-          'document-uri': 'https://example.com',
-          'violated-directive': 'script-src',
-          'blocked-uri': 'https://malicious.site',
-        },
-      }),
-    });
-
-    const res = await handler(req, {});
-    expect(res.status).toBe(204);
-  });
-
-  it('should reject non-POST requests', async () => {
-    const req = new Request('http://localhost/api/csp-report', {
-      method: 'GET',
-    });
-
-    const res = await handler(req, {});
-    const text = await res.text();
-    expect(res.status).toBe(405);
-    expect(text).toContain('Method Not Allowed');
-  });
-
-  it('should handle malformed JSON', async () => {
-    const badJson = '{ invalid json }';
-    const req = new Request('http://localhost/api/csp-report', {
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
-      body: badJson,
-    });
-
-    const res = await handler(req, {});
-    expect(res.status).toBe(204); // The current handler swallows errors silently
-  });
-
-  it('should handle missing body', async () => {
-    const req = new Request('http://localhost/api/csp-report', {
-      method: 'POST',
-    });
-
-    const res = await handler(req, {});
-    expect(res.status).toBe(204); // No body is also treated silently
-  });
-});