npm - dh-remixer-sdk - Versions diffs - 0.0.32-bcfeba4 → 0.0.32 - Mend

dh-remixer-sdk 0.0.32-bcfeba4 → 0.0.32

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/package.json +1 -1
package/scripts/sdk-update/index.mjs +0 -3
package/templates/base/filemap.json +1 -2
package/templates/base/package.json +0 -1
package/templates/base/vite.config.ts +22 -3
package/scripts/sdk-update/manual-unlocked-file-update.mjs +0 -21
package/templates/base/security/semgrep-build-guard.yml +0 -118

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dh-remixer-sdk",
-  "version": "0.0.32-bcfeba4",
+  "version": "0.0.32",
   "type": "module",
   "files": [
     "templates",

package/scripts/sdk-update/index.mjs CHANGED Viewed

@@ -10,7 +10,6 @@ import {
 } from "./fs-utils.mjs";
 import { getDeletionList, getExtractionList } from "./sdk-utils.mjs";
 import { PROJECT_ROOT } from "./vars.mjs";
-import { manualUnlockedFileUpdate } from "./manual-unlocked-file-update.mjs";
 async function main() {
   const targetPackageJson = await getTargetPackageJson();
@@ -35,8 +34,6 @@ async function main() {
   const deletionList = await getDeletionList(templateType);
   const extractionList = await getExtractionList(templateType);
-  await manualUnlockedFileUpdate();
   // Delete old files
   await Promise.all(
     deletionList.map((relativePath) =>

package/templates/base/filemap.json CHANGED Viewed

@@ -20,6 +20,5 @@
   "remixer/forms.ts": "lib/remixer/forms.ts",
   "remixer/runtime.ts": "lib/remixer/runtime.ts",
   "remixer/storage.ts": "lib/remixer/storage.ts",
-  "remixer/supabase.ts": "lib/remixer/supabase.ts",
-  "security/semgrep-build-guard.yml": "security/semgrep-build-guard.yml"
+  "remixer/supabase.ts": "lib/remixer/supabase.ts"
 }

package/templates/base/package.json CHANGED Viewed

@@ -8,7 +8,6 @@
     "start": "vite preview --host 0.0.0.0 --mode production --port ${PORT:-4173}",
     "dev": "vite --host 0.0.0.0 --port ${PORT:-4173} --mode development",
     "lint": "echo 'Linting not implemented!'",
-    "security-check": "semgrep --config security/semgrep-build-guard.yml --error .",
     "remixer-sdk:update": "bun install dh-remixer-sdk@${REMIXER_SDK_TAG:-latest} && sdk-update"
   },
   "dependencies": {

package/templates/base/vite.config.ts CHANGED Viewed

@@ -2,14 +2,33 @@ import { defineConfig, Plugin } from "vite";
 import react from "@vitejs/plugin-react";
 import tailwindcss from "tailwindcss";
 import autoprefixer from "autoprefixer";
-import tailwindConfig from "./tailwind.config.json";
+import tailwindConfig from "./tailwind.config.ts";
 import path from "path";
+import { execSync } from "node:child_process";
 const PREVIEW_DOMAINS = [
   '.remixer.ai',
   '.dreamhosters.ai',
 ];
+function ssgPostbuild(): Plugin {
+  let config;
+  return {
+    name: "ssg-postbuild",
+    configResolved(resolvedConfig) {
+      config = resolvedConfig;
+    },
+    writeBundle() {
+      execSync(`BUILD_DIR=${config.build.outDir} npx ssg-helmet`, {
+        stdio: "inherit",
+      });
+    },
+  };
+}
 function injectRemixerMetaTagPlugin(): Plugin {
   return {
     name: "vite-plugin-inject-remixer-meta-tag",
@@ -28,13 +47,12 @@ function injectRemixerBadgePlugin(): Plugin {
     transformIndexHtml(html) {
       try {
-        const IS_SHOW_REMIXER_BADGE = process.env.IS_SHOW_REMIXER_BADGE === 'true';
         const REMIXER_BADGE_TYPE: string = process.env.REMIXER_BADGE_TYPE || 'DEFAULT';
         const domain = process.env.NEXT_PUBLIC_DOMAIN || '';
         const isPreviewService = PREVIEW_DOMAINS.some(pd => domain.endsWith(pd));
-        if (!IS_SHOW_REMIXER_BADGE && !isPreviewService) return html
+        if (!isPreviewService) return html
         const DICTIONARY: Record<string, string> = {
           UPGRADE_PLAN: 'https://unpkg.com/dh-remixer-badge@latest/dist/upgradeBadge.js',
@@ -184,6 +202,7 @@ export default defineConfig({
     tailwindProdPlugin(),
     react(),
     injectRemixerMetaTagPlugin(),
+    // ssgPostbuild()
   ],
   resolve: {
     alias: {

package/scripts/sdk-update/manual-unlocked-file-update.mjs DELETED Viewed

@@ -1,21 +0,0 @@
-import path from "node:path";
-import fs from "node:fs/promises";
-export async function manualUnlockedFileUpdate() {
-  const projectRoot = path.resolve(process.env.INIT_CWD ?? process.cwd());
-  const tailwindTsPath = path.join(projectRoot, "tailwind.config.ts");
-  const tailwindJsonPath = path.join(projectRoot, "tailwind.config.json");
-  const tailwindTs = await fs.readFile(tailwindTsPath, "utf8");
-  if (!tailwindTs) return;
-  const match = tailwindTs.match(/\{[\s\S]*\}/);
-  const extracted = match ? match[0] : null;
-  if (!extracted) return;
-  const obj = new Function(`return (${extracted})`)();
-  await fs.writeFile(tailwindJsonPath, JSON.stringify(obj, null, 2), "utf8");
-  await fs.unlink(tailwindTsPath);
-}

package/templates/base/security/semgrep-build-guard.yml DELETED Viewed

@@ -1,118 +0,0 @@
-# Semgrep ruleset — build-time credential-exfiltration tripwires.
-#
-# Run from the project root, before `bun install` / `vite build`:
-#   semgrep --config security/semgrep-build-guard.yml --error .
-#
-# These rules are a pre-build GATE, not a guarantee — static analysis is
-# evadable by obfuscation. Pair with the runtime controls in security/README.md
-# (no ambient AWS creds, IMDS disabled, blocked link-local egress).
-rules:
-  - id: shell-exec-in-build-config
-    languages: [typescript, javascript]
-    severity: ERROR
-    message: >
-      Shell / child_process execution found in a build config file. Config files
-      are executed by Node at build time and must never spawn processes.
-    paths:
-      include:
-        - "*.config.*"
-        - "*.config"
-        - ".*rc"
-        - ".*rc.*"
-        - "vite.config.*"
-        - "tailwind.config.*"
-        - "postcss.config.*"
-      exclude: &trusted_paths
-        # Locked, operator-authored files (enforced by the platform's
-        # filemap.json lock model) and this ruleset itself. Scanning them yields
-        # only false positives. Semgrep targets the USER-WRITABLE surface only.
-        - "vite.config.ts"
-        - "security/"
-    patterns:
-      - pattern-either:
-          - pattern: require('child_process')
-          - pattern: require("child_process")
-          - pattern: import 'child_process'
-          - pattern: import "child_process"
-          - pattern: import 'node:child_process'
-          - pattern: import "node:child_process"
-          - pattern: $X.execSync(...)
-          - pattern: $X.exec(...)
-          - pattern: $X.execFileSync(...)
-          - pattern: $X.spawnSync(...)
-          - pattern: $X.spawn(...)
-  - id: network-call-in-build-config
-    languages: [typescript, javascript]
-    severity: ERROR
-    message: >
-      Outbound network call (fetch/http/https/net) found in a build config file.
-      A build config has no legitimate reason to make network requests.
-    paths:
-      include:
-        - "*.config.*"
-        - "vite.config.*"
-        - "tailwind.config.*"
-        - "postcss.config.*"
-      exclude: *trusted_paths
-    patterns:
-      - pattern-either:
-          - pattern: fetch(...)
-          - pattern: require('http')
-          - pattern: require('https')
-          - pattern: require('net')
-          - pattern: require('dgram')
-          - pattern: import 'node:http'
-          - pattern: import 'node:https'
-          - pattern: import 'node:net'
-  - id: credential-path-or-imds-access
-    languages: [typescript, javascript]
-    severity: ERROR
-    message: >
-      Reference to AWS credential material (IMDS, container-credential endpoint,
-      ~/.aws, or AWS_* container creds env). This is a credential-exfiltration
-      signature.
-    paths:
-      exclude: *trusted_paths
-    patterns:
-      - pattern-either:
-          - pattern-regex: "169\\.254\\.169\\.254"
-          - pattern-regex: "169\\.254\\.170\\.2"
-          - pattern-regex: "AWS_CONTAINER_CREDENTIALS"
-          - pattern-regex: "\\.aws/credentials"
-          - pattern-regex: "security-credentials"
-  - id: filesystem-read-in-build-config
-    languages: [typescript, javascript]
-    severity: WARNING
-    message: >
-      Filesystem read in a build config file. Verify it only reads project
-      assets and never credential/secret paths.
-    paths:
-      include:
-        - "*.config.*"
-        - "vite.config.*"
-        - "tailwind.config.*"
-        - "postcss.config.*"
-      exclude: *trusted_paths
-    patterns:
-      - pattern-either:
-          - pattern: $FS.readFileSync(...)
-          - pattern: $FS.readFile(...)
-          - pattern: require('fs')
-          - pattern: import 'node:fs'
-  - id: dynamic-code-eval
-    languages: [typescript, javascript]
-    severity: ERROR
-    message: >
-      Dynamic code evaluation (eval / Function constructor / dynamic require of a
-      computed name). Common obfuscation for build-time RCE.
-    paths:
-      exclude: *trusted_paths
-    patterns:
-      - pattern-either:
-          - pattern: eval(...)
-          - pattern: new Function(...)