
update deps #61

Open
kakkokari-gtyih wants to merge 5 commits into misskey-dev:master from kakkokari-gtyih:update-deps-5

Conversation

@kakkokari-gtyih

  • Update dependencies
  • Replace private-ip, which has a vulnerability, with ipaddr.js
  • Fix tests


Copilot AI left a comment


Pull request overview

This PR updates dependencies, replaces the private-ip-based check (which has a reported vulnerability) with one based on ipaddr.js, and adjusts the tests to match the new behaviour.

Changes:

  • Update the main and development dependencies (got, cheerio, vitest, etc.) and pin their versions
  • Remove private-ip and switch to IP range checks using ipaddr.js
  • Reorganise the handling of SUMMALY_ALLOW_PRIVATE_IP and restructure the tests (adding verification of the default behaviour that blocks localhost)

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

File: Description
src/utils/got.ts: Replace private-ip with ipaddr.js and update the block check applied to the response IP
src/utils/encoding.ts: Change the import form with CommonJS/ESM interoperability in mind
test/index.test.ts: Narrow the scope in which the environment variable is set to match the default localhost-blocking behaviour; reorganise the tests into describe blocks
package.json: Update and pin dependencies, update packageManager to pnpm v10, remove private-ip and add ipaddr.js
pnpm-lock.yaml: Lockfile update accompanying the dependency updates
pnpm-workspace.yaml: Add pnpm setting (onlyBuiltDependencies)
.npmrc: Add save-exact=true
CHANGELOG.md: Add a dependency-update entry under unreleased


ip = (ip as IPv6).toIPv4Address();
}
if (ip.range() !== 'unicast') {
throw new StatusError(`Private IP rejected ${res.ip}`, 400, 'Private IP Rejected');
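Review bot: the allow-list shape `if (ip.range() !== 'unicast')` fails closed, which is the right choice for a guard on the address the client actually connected to (`res.ip`): every classification other than public unicast is rejected, including ranges a hand-written deny-list of RFC 1918 blocks would miss (loopback, link-local, carrier-grade NAT, the reserved and documentation blocks). Worth a one-line comment above the check stating that the intent is "reject anything not globally routable", so a later reader does not narrow it back to private ranges; the same comment should note that the `ip = (ip as IPv6).toIPv4Address();` conversion just above is what makes this single test also cover IPv4-mapped (`::ffff:a.b.c.d`) responses.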

Copilot AI Feb 17, 2026


ip.range() !== 'unicast' rejects more than just private IPs (e.g. loopback, link-local, documentation, transition ranges, etc.), but the thrown error message/statusMessage say “Private IP rejected”. This can be misleading for callers and tests; consider either tightening the check to only private ranges, or updating the message to reflect “non-public/non-global IP rejected” (optionally include ip.range() in the message for clarity).

Suggested change
throw new StatusError(`Private IP rejected ${res.ip}`, 400, 'Private IP Rejected');
throw new StatusError(`Non-public IP rejected ${res.ip} (range: ${ip.range()})`, 400, 'Non-public IP Rejected');

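As an added illustration of the point made in the comment above (this is not summaly's code, and it does not use ipaddr.js, so it runs stand-alone): an allow-list classifier for the address a client connected to, mirroring the `range() !== 'unicast'` shape of the PR's guard. The range labels copy ipaddr.js's vocabulary; the CIDR table and the IPv6 parser are this example's own and cover fewer special ranges than the library does, and `StatusError` is a stand-in with the `(message, statusCode, statusMessage)` constructor shape visible on the page. `slipsPastPrivateOnlyCheck` shows what a check limited to the RFC 1918 ranges would have let through.

```javascript
// Added example (not summaly's code, not ipaddr.js): allow-list classification of a
// response address. Labels follow ipaddr.js's vocabulary; the table below is this
// example's own and is deliberately shorter than the library's.

// First match wins, so the single broadcast address precedes 240.0.0.0/4.
const IPV4_SPECIAL = [
  ['unspecified',     '0.0.0.0',          8],
  ['broadcast',       '255.255.255.255', 32],
  ['loopback',        '127.0.0.0',        8],
  ['private',         '10.0.0.0',         8],
  ['private',         '172.16.0.0',      12],
  ['private',         '192.168.0.0',     16],
  ['carrierGradeNat', '100.64.0.0',      10],
  ['linkLocal',       '169.254.0.0',     16],
  ['multicast',       '224.0.0.0',        4],
  ['reserved',        '240.0.0.0',        4],
  ['reserved',        '192.0.2.0',       24], // TEST-NET-1 (documentation)
  ['reserved',        '198.51.100.0',    24], // TEST-NET-2
  ['reserved',        '203.0.113.0',     24], // TEST-NET-3
  ['reserved',        '198.18.0.0',      15], // benchmarking
];

// Strict dotted-quad parser: no leading zeros, no hex/octal/integer spellings. Returns a uint32.
function parseIPv4(s) {
  const m = /^(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(addr, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
}

function rangeV4(addr) {
  for (const [label, base, bits] of IPV4_SPECIAL) {
    if (inCidr(addr, parseIPv4(base), bits)) return label;
  }
  return 'unicast';
}

// Expands an IPv6 literal to eight hextets; the dotted IPv4-mapped form is handed back as IPv4.
function parseIPv6(s) {
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(s);
  if (mapped) {
    const v4 = parseIPv4(mapped[1]);
    return v4 === null ? null : { mappedV4: v4 };
  }
  if (!/^[0-9a-f:]+$/i.test(s)) return null;
  const halves = s.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0) return null;
  const parts = [...head, ...Array(fill).fill('0'), ...tail];
  if (parts.length !== 8 || parts.some((p) => !/^[0-9a-f]{1,4}$/i.test(p))) return null;
  return { hextets: parts.map((p) => parseInt(p, 16)) };
}

function rangeV6(h) {
  if (h.every((x) => x === 0)) return 'unspecified';
  if (h.slice(0, 7).every((x) => x === 0) && h[7] === 1) return 'loopback';
  if ((h[0] & 0xffc0) === 0xfe80) return 'linkLocal';
  if ((h[0] & 0xfe00) === 0xfc00) return 'uniqueLocal';
  if ((h[0] & 0xff00) === 0xff00) return 'multicast';
  if (h[0] === 0x2001 && h[1] === 0x0db8) return 'reserved'; // documentation prefix
  return 'unicast';
}

// IPv4-mapped IPv6 in either spelling is judged as the embedded IPv4 address.
function classify(ip) {
  const v4 = parseIPv4(ip);
  if (v4 !== null) return rangeV4(v4);
  const v6 = parseIPv6(ip);
  if (v6 === null) throw new Error(`unparseable address: ${ip}`);
  if ('mappedV4' in v6) return rangeV4(v6.mappedV4);
  const h = v6.hextets;
  if (h.slice(0, 5).every((x) => x === 0) && h[5] === 0xffff) {
    return rangeV4(((h[6] << 16) | h[7]) >>> 0);
  }
  return rangeV6(h);
}

// Stand-in for summaly's StatusError, matching the constructor shape shown on the page.
class StatusError extends Error {
  constructor(message, statusCode, statusMessage) {
    super(message);
    this.name = 'StatusError';
    this.statusCode = statusCode;
    this.statusMessage = statusMessage;
  }
}

// The guard: anything that is not public unicast is rejected, and the message names the range.
function assertPublicResponseAddress(ip) {
  const range = classify(ip);
  if (range !== 'unicast') {
    throw new StatusError(`Non-public IP rejected ${ip} (range: ${range})`, 400, 'Non-public IP Rejected');
  }
  return ip;
}

// Addresses a deny-list of only the RFC 1918 ranges would have accepted but the allow-list rejects.
function slipsPastPrivateOnlyCheck(ip) {
  const range = classify(ip);
  return range !== 'private' && range !== 'unicast';
}
```

`assertPublicResponseAddress('169.254.1.1')` throws with `range: linkLocal`, while a private-only check would have accepted that address; that gap is why the allow-list form in the PR is the safer shape, and why naming the range in the error text helps whoever reads the 400.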
Comment on lines +1 to +2
onlyBuiltDependencies:
- esbuild
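Review bot: with `onlyBuiltDependencies` naming only esbuild, every other dependency's install-time lifecycle script is skipped, which is a useful supply-chain control now that `packageManager` moves to pnpm v10 (where dependency build scripts do not run unless allow-listed); the CHANGELOG entry for this PR should say so, because a contributor whose environment previously ran some dependency's postinstall will now see pnpm report that script as ignored rather than executed. The absent `packages:` entry is a separate point already raised below.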

Copilot AI Feb 17, 2026


pnpm-workspace.yaml is being introduced but doesn’t define any packages: entries. In many pnpm setups, having a workspace file without packages can cause pnpm to treat the repo as a (misconfigured) workspace and fail or behave unexpectedly. If the goal is only to configure onlyBuiltDependencies, consider adding packages: ['.'] (or the appropriate globs), or moving this setting to a pnpm config location that doesn’t implicitly enable workspace mode.
