npm - @shopify/shop-minis-react - Versions diffs - 0.4.5 → 0.4.7 - Mend

@shopify/shop-minis-react 0.4.5 → 0.4.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/eslint/config.cjs +6 -1
package/eslint/rules/no-secrets.cjs +46 -4
package/eslint/rules/validate-manifest.cjs +73 -21
package/package.json +1 -1

package/eslint/config.cjs CHANGED Viewed

@@ -39,7 +39,12 @@ module.exports = {
     // Shop Minis custom rules
     'shop-minis/no-env-without-fallback': 'error',
     'shop-minis/no-internal-imports': 'error',
-    'shop-minis/no-secrets': 'error',
+    'shop-minis/no-secrets': [
+      'error',
+      {
+        ignoreContent: ['^data:', '^gid://'],
+      },
+    ],
     'shop-minis/prefer-sdk-components': 'warn',
     'shop-minis/prefer-sdk-hooks': 'warn',
     'shop-minis/validate-manifest': 'error',

package/eslint/rules/no-secrets.cjs CHANGED Viewed

@@ -1,7 +1,7 @@
 /* eslint-disable import/extensions */
 /**
  * ESLint rule wrapper for eslint-plugin-no-secrets with custom messages
- * @fileoverview Customized messages for detecting hardcoded secrets in Shop Minis
+ * and URL-aware delimiter handling
  */
 const noSecretsPlugin = require('eslint-plugin-no-secrets')
@@ -9,6 +9,21 @@ const noSecretsPlugin = require('eslint-plugin-no-secrets')
 // Get the original rule
 const originalRule = noSecretsPlugin.rules['no-secrets']
+/**
+ * Create a context-like object that overrides options while delegating
+ * all other property access to the original context
+ */
+function createContextWithOptions(context, newOptions) {
+  const wrapper = Object.create(context)
+  Object.defineProperty(wrapper, 'options', {
+    value: newOptions,
+    writable: false,
+    enumerable: true,
+    configurable: true,
+  })
+  return wrapper
+}
 module.exports = {
   meta: {
     ...originalRule.meta,
@@ -19,9 +34,36 @@ module.exports = {
         'Potential {{ name }} detected. Hardcoded credentials should never be committed. Please check the Shop Minis documentation learn how to handle these cases. You can disable this rule if it is not a credential.',
     },
   },
   create(context) {
-    // Create the original rule's visitor
-    const originalVisitor = originalRule.create(context)
-    return originalVisitor
+    const baseOptions = context.options[0] || {}
+    // Visitor for NON-URLs: no extra delimiters, skip URLs
+    const nonUrlContext = createContextWithOptions(context, [
+      {
+        ...baseOptions,
+        ignoreContent: [...(baseOptions.ignoreContent || []), '^https?://'],
+      },
+    ])
+    const nonUrlVisitor = originalRule.create(nonUrlContext)
+    // Visitor for URLs ONLY: with URL delimiters to reduce false positives
+    const urlContext = createContextWithOptions(context, [
+      {
+        ...baseOptions,
+        ignoreContent: [...(baseOptions.ignoreContent || []), '^(?!https?://)'],
+        additionalDelimiters: ['/', '\\?', '=', '&', '\\+'],
+      },
+    ])
+    const urlVisitor = originalRule.create(urlContext)
+    // Only process Literal nodes - skip TemplateElement to avoid false positives
+    // on template expressions like `${variable}` which get split incorrectly
+    return {
+      Literal(node) {
+        nonUrlVisitor.Literal?.(node)
+        urlVisitor.Literal?.(node)
+      },
+    }
   },
 }

package/eslint/rules/validate-manifest.cjs CHANGED Viewed

@@ -221,32 +221,84 @@ module.exports = {
       },
       // Detect browser API usage for permissions
-      MemberExpression(node) {
-        const sourceCode = context.getSourceCode()
-        const code = sourceCode.getText(node)
+      MemberExpression() {
+        // This visitor is kept for potential future permission detection
+        // getUserMedia detection has been moved to CallExpression for better constraint analysis
+      },
-        // Check for camera/microphone API
+      // Detect network requests and event listeners
+      CallExpression(node) {
+        // Check for getUserMedia calls
         if (
-          code.includes('navigator.mediaDevices.getUserMedia') ||
-          code.includes('navigator.getUserMedia')
+          node.callee.type === 'MemberExpression' &&
+          node.callee.property.name === 'getUserMedia'
         ) {
-          // Need to check the constraints to determine if it's camera or microphone
-          // For now, we'll flag both as potentially needed
-          requiredPermissions.add({
-            permission: 'CAMERA',
-            reason: 'getUserMedia API usage',
-            node,
-          })
-          requiredPermissions.add({
-            permission: 'MICROPHONE',
-            reason: 'getUserMedia API usage',
-            node,
-          })
+          // Validate it's actually navigator.getUserMedia or navigator.mediaDevices.getUserMedia
+          const sourceCode = context.getSourceCode()
+          const calleeText = sourceCode.getText(node.callee)
+          if (
+            calleeText.includes('navigator.mediaDevices.getUserMedia') ||
+            calleeText.includes('navigator.getUserMedia')
+          ) {
+            // Get the constraints argument (first argument)
+            const constraints = node.arguments[0]
+            let needsCamera = true
+            let needsMicrophone = true
+            if (constraints && constraints.type === 'ObjectExpression') {
+              // Check if video is explicitly set to false
+              const videoProp = constraints.properties.find(
+                prop =>
+                  prop.type === 'Property' &&
+                  prop.key &&
+                  (prop.key.name === 'video' ||
+                    (prop.key.type === 'Literal' && prop.key.value === 'video'))
+              )
+              if (
+                videoProp &&
+                videoProp.value.type === 'Literal' &&
+                videoProp.value.value === false
+              ) {
+                needsCamera = false
+              }
+              // Check if audio is explicitly set to false
+              const audioProp = constraints.properties.find(
+                prop =>
+                  prop.type === 'Property' &&
+                  prop.key &&
+                  (prop.key.name === 'audio' ||
+                    (prop.key.type === 'Literal' && prop.key.value === 'audio'))
+              )
+              if (
+                audioProp &&
+                audioProp.value.type === 'Literal' &&
+                audioProp.value.value === false
+              ) {
+                needsMicrophone = false
+              }
+            }
+            if (needsCamera) {
+              requiredPermissions.add({
+                permission: 'CAMERA',
+                reason: 'getUserMedia API usage with video',
+                node,
+              })
+            }
+            if (needsMicrophone) {
+              requiredPermissions.add({
+                permission: 'MICROPHONE',
+                reason: 'getUserMedia API usage with audio',
+                node,
+              })
+            }
+          }
         }
-      },
-      // Detect network requests and event listeners
-      CallExpression(node) {
         if (!node.arguments[0]) {
           return
         }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@shopify/shop-minis-react",
   "license": "SEE LICENSE IN LICENSE.txt",
-  "version": "0.4.5",
+  "version": "0.4.7",
   "sideEffects": false,
   "type": "module",
   "engines": {