Conversation
- add security audit to CI
- bump vulnerable dependencies and align package versions
- document sanitizing untrusted markdown and HTML
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Audit silently passes when counts show undetailed vulnerabilities
- The dependency audit now explicitly fails when pnpm reports non-zero vulnerability counts but no advisory details are parsed.
Or push these changes by commenting:
@cursor push be31c82e5e
Preview (be31c82e5e)
diff --git a/scripts/security-audit.sh b/scripts/security-audit.sh
--- a/scripts/security-audit.sh
+++ b/scripts/security-audit.sh
@@ -260,8 +260,12 @@
if ! $COUNTS_FOUND && ! $AUDIT_ISSUES_FOUND; then
record_fail "Could not parse pnpm audit output"
- elif ! $AUDIT_ISSUES_FOUND && ! $ADVISORY_LINES_FOUND && [[ "${TOTAL_VULNS:-0}" -eq 0 ]]; then
- record_pass "pnpm audit: no known vulnerabilities"
+ elif ! $AUDIT_ISSUES_FOUND && ! $ADVISORY_LINES_FOUND; then
+ if [[ "${TOTAL_VULNS:-0}" -eq 0 ]]; then
+ record_pass "pnpm audit: no known vulnerabilities"
+ else
+ record_fail "pnpm audit reported ${TOTAL_VULNS} known vulnerabilities, but no advisory details were parsed"
+ fi
fi
else
record_warn "pnpm not found — skipping dependency audit"
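Review bot: In the new inner `if` under `elif ! $AUDIT_ISSUES_FOUND && ! $ADVISORY_LINES_FOUND`, `TOTAL_VULNS` is compared with `-eq` without first checking that it was parsed as an integer; inside `[[ ]]` bash treats a non-numeric value as an arithmetic expression (an unset name evaluates to 0), so a parsing slip could still reach `record_pass`. Consider guarding the comparison with `[[ "${TOTAL_VULNS:-0}" =~ ^[0-9]+$ ]]` and treating anything else as a parse failure, and append a hint to the new `record_fail` message to rerun with `--verbose` so the raw `pnpm audit` output can be inspected.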
- Treat nonzero pnpm audit totals without advisory lines as a failure
- Keep the no-vulnerabilities case passing when total count is zero
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Strict mode exit enforcement silently removed
- Reinstated the `--strict` warning-exit path so warning-only audits fail again and updated the help text to match.
Or push these changes by commenting:
@cursor push 3f7596862f
Preview (3f7596862f)
diff --git a/scripts/security-audit.sh b/scripts/security-audit.sh
--- a/scripts/security-audit.sh
+++ b/scripts/security-audit.sh
@@ -44,7 +44,7 @@
--verbose) VERBOSE=true; shift ;;
-h|--help)
printf "Usage: %s [--strict] [--verbose]\n" "$(basename "$0")"
- printf " --strict Exit non-zero on any remaining dependency advisory\n"
+ printf " --strict Exit non-zero on any warning or failure\n"
printf " --verbose Show detailed output for each check\n"
exit 0
;;
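Review bot: The updated help line `--strict Exit non-zero on any warning or failure` overstates the flag, since failures already exit non-zero without it (the fail branch ends in an unconditional `exit 1`); wording it as `--strict Also exit non-zero on warnings (failures always exit non-zero)` describes what the flag actually changes.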
@@ -538,13 +538,23 @@
printf " ${DIM}Run with --verbose for details.${RESET}\n\n"
exit 1
elif [[ "$WARN" -gt 0 ]]; then
- printf "${BOLD}${YELLOW}"
- printf " ╭─────────────────────────────────────╮\n"
- printf " │ AUDIT PASSED with warnings │\n"
- printf " ╰─────────────────────────────────────╯\n"
- printf "${RESET}\n"
- printf " ${DIM}Review warnings before publishing.${RESET}\n\n"
- exit 0
+ if $STRICT; then
+ printf "${BOLD}${YELLOW}"
+ printf " ╭─────────────────────────────────────╮\n"
+ printf " │ AUDIT BLOCKED (--strict mode) │\n"
+ printf " ╰─────────────────────────────────────╯\n"
+ printf "${RESET}\n"
+ printf " ${DIM}Resolve warnings or remove --strict.${RESET}\n\n"
+ exit 1
+ else
+ printf "${BOLD}${YELLOW}"
+ printf " ╭─────────────────────────────────────╮\n"
+ printf " │ AUDIT PASSED with warnings │\n"
+ printf " ╰─────────────────────────────────────╯\n"
+ printf "${RESET}\n"
+ printf " ${DIM}Review warnings before publishing.${RESET}\n\n"
+ exit 0
+ fi
else
printf "${BOLD}${GREEN}"
printf " ╭─────────────────────────────────────╮\n"
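Review bot: The strict and non-strict branches duplicate the five banner `printf` lines and differ only in title and footer text; a small helper such as `print_banner "$YELLOW" "AUDIT BLOCKED (--strict mode)"` would keep the box drawing in one place and stop the two copies drifting. Since CI invokes this script with `--strict`, the footer `Resolve warnings or remove --strict.` also points users at weakening the gate; `Resolve the warnings above (CI runs in --strict mode).` keeps remediation on the intended path. The new lines keep passing `${BOLD}${YELLOW}` as the printf format string; `printf '%s' "${BOLD}${YELLOW}"` is the safer idiom.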
- Replace shell arithmetic increments with POSIX-safe assignments
- Prevent counter updates from failing under `set -e`

- Mark dangerous patterns and publishable-package risks as strict warnings
- Add strict warning counts to the audit summary
- Fail the audit in `--strict` mode when strict warnings are present
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Strict audit always fails on legitimate innerHTML usage
- The strict audit now skips the intentional `innerHTML` assignments in `packages/preview/src/web-component.ts`, so CI no longer blocks on that known-safe renderer.
Or push these changes by commenting:
@cursor push bd8d88a792
Preview (bd8d88a792)
diff --git a/scripts/security-audit.sh b/scripts/security-audit.sh
--- a/scripts/security-audit.sh
+++ b/scripts/security-audit.sh
@@ -397,6 +397,11 @@
label="${DANGEROUS_LABELS[$idx]}"
hits="$(grep -rPn "$pat" packages/*/src/ --include='*.ts' --include='*.tsx' --include='*.js' 2>/dev/null | grep -v 'node_modules' || true)"
+ if [[ "$pat" == '\.innerHTML\s*=' ]]; then
+ # The preview web component intentionally renders generated HTML into its host.
+ hits="$(printf '%s\n' "$hits" | grep -v '^packages/preview/src/web-component.ts:' || true)"
+ fi
+
if [[ -n "$hits" ]]; then
DANGEROUS_FOUND=true
count="$(echo "$hits" | wc -l | tr -d ' ')"
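Review bot: The exclusion is keyed on the whole file (`grep -v '^packages/preview/src/web-component.ts:'`), so any future `innerHTML` assignment added anywhere in `web-component.ts` is silently exempted too, not only the intentional renderer; a line-level opt-out (for example a marker comment on the one intended assignment that the filter looks for) keeps the rest of the file audited. The exclusion is also coupled to the literal pattern string `'\.innerHTML\s*='`, so editing that entry in the patterns array would make it stop applying and CI would start failing on the known-safe usage without an obvious cause; matching on the `$label` this hunk already computes would be more robust.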
Reviewed by Cursor Bugbot for commit 7f435fa.
- Exclude the intentional `innerHTML` assignment in `packages/preview/src/web-component.ts`
- Keep the security audit focused on unexpected dangerous patterns

- Publish patched versions across the workspace
- Update core peer dependency ranges and package version constants

- Lower `@create-markdown/core` peer requirement to `>=2.0.0`
- Keep mdx, preview, and react packages compatible with the older patch release
Could not push Autofix changes. The PR branch has conflicting changes.


Summary
- `pnpm run security-audit --strict`.
- `vite`, `vitest`, and `next-mdx-remote`, plus a `lodash-es` override.
- `SECURITY.md` to emphasize sanitizing untrusted content and using stricter Mermaid settings.

Testing

Note: Medium Risk
Moderate risk due to broad dependency/toolchain upgrades (notably `vite`/`vitest` and `next-mdx-remote`) and a new CI-gating security audit that could introduce new build/test failures.

Overview
Adds security enforcement to CI and hardens audit tooling. CI now runs `pnpm run security-audit --strict` before build/test, and `scripts/security-audit.sh` is revamped to use `pnpm audit` with structured parsing, per-advisory reporting, and stricter warning classification/exit behavior.

Refreshes dependency resolutions and publishes patch versions. Workspace dev tooling is upgraded (including `vite`/`vitest`), a `pnpm.overrides` pin for `lodash-es` is added, `next-mdx-remote` is bumped in docs, and all packages are released as patch bumps (2.0.1/1.0.1) with updated `VERSION` constants and changelogs.

Clarifies trusted-content assumptions in docs. README and preview/docs content now emphasize sanitizing untrusted HTML, recommend Mermaid `securityLevel: 'strict'` for user-provided diagrams, and update the documented `PreviewOptions.sanitize` type to allow a sanitizer function.

Reviewed by Cursor Bugbot for commit 84f97d4. Bugbot is set up for automated code reviews on this repo.