Dependabot/npm and yarn/frontend/types/node 25.9.1 #878
Merged
hman38705 merged 23 commits intoJun 17, 2026
Conversation
…-src unsafe-eval allows execution of strings as JavaScript (eval, Function constructor, setTimeout with string argument) which is the primary vector for XSS escalation. Removing it closes that attack surface without requiring any application code changes. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…t-dynamic unsafe-inline bypasses XSS protections entirely because any injected <script> tag executes. Replacing it with 'strict-dynamic' propagates trust from explicitly nonce-tagged scripts to their dynamically loaded children, which is required for Next.js chunk loading to work without unsafe-inline. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
upgrade-insecure-requests instructs browsers to automatically upgrade any http:// sub-resource requests to https://, preventing mixed-content attacks without requiring every URL in the codebase to be audited. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Generates a cryptographically random nonce for every request and injects it into the Content-Security-Policy script-src directive. The nonce is also forwarded as the x-nonce request header so server components can attach it to inline <script> tags (e.g. the dark-mode init script in layout.tsx). Per-request nonces make 'strict-dynamic' effective: only scripts whose <script> tag carries the matching nonce are trusted, blocking injected scripts even if they appear before the CSP header is applied. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Makes RootLayout async so it can read the x-nonce header set by middleware, then attaches it to the dark-mode initialisation <script> tag via the nonce attribute. Browsers only execute the inline script when the nonce matches the value in the CSP header, satisfying the strict-dynamic policy without requiring the script to be moved to a separate file. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
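The five commits above describe one procedure: drop 'unsafe-eval' and 'unsafe-inline', mint a per-request nonce, emit it in script-src alongside 'strict-dynamic', hand it to server components via x-nonce, and add upgrade-insecure-requests. The block below is an added example written for this page, not the project's middleware or layout code. It assumes a directive set (default-src, object-src, base-uri) that the PR does not show, and WEAK_POLICY is an assumed reconstruction of the pre-PR header; the audit encodes the CSP3 rule that a browser ignores 'unsafe-inline' once a nonce, hash or 'strict-dynamic' is present.

```typescript
import { randomBytes } from "crypto";

// Per-request nonce: 128 bits from the CSPRNG, base64-encoded as CSP requires.
export function generateNonce(): string {
  return randomBytes(16).toString("base64");
}

// Assumed reconstruction of the pre-PR policy: inline and eval'd script both permitted.
export const WEAK_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";

// Hardened policy for one request (the extra directives are an assumption, not the PR's header).
export function buildCsp(nonce: string): string {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'self'",
    "upgrade-insecure-requests",
  ].join("; ");
}

// Parse a policy string into directive name -> source expressions.
export function parseCsp(policy: string): Map<string, string[]> {
  const out = new Map<string, string[]>();
  for (const chunk of policy.split(";")) {
    const parts = chunk.trim().split(/\s+/).filter(Boolean);
    if (parts.length > 0) out.set(parts[0].toLowerCase(), parts.slice(1));
  }
  return out;
}

// Report the weaknesses the commits remove. 'unsafe-inline' is only flagged when a
// CSP3 browser would actually honour it, i.e. no nonce, hash or 'strict-dynamic' present.
export function auditCsp(policy: string): string[] {
  const d = parseCsp(policy);
  const script = d.get("script-src") ?? d.get("default-src") ?? [];
  const hasNonceOrHash = script.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  const strictDynamic = script.includes("'strict-dynamic'");
  const findings: string[] = [];
  if (script.includes("'unsafe-eval'")) findings.push("unsafe-eval");
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic) findings.push("unsafe-inline");
  if (strictDynamic && !hasNonceOrHash) findings.push("strict-dynamic-without-nonce");
  if (!d.has("upgrade-insecure-requests")) findings.push("no-upgrade-insecure-requests");
  return findings;
}

// Would an inline <script nonce="..."> execute under this policy?
export function inlineScriptAllowed(policy: string, scriptNonce?: string): boolean {
  const script = parseCsp(policy).get("script-src") ?? [];
  if (scriptNonce !== undefined && script.includes(`'nonce-${scriptNonce}'`)) return true;
  const hasNonceOrHash = script.some((s) => s.startsWith("'nonce-") || s.startsWith("'sha"));
  return script.includes("'unsafe-inline'") && !hasNonceOrHash && !script.includes("'strict-dynamic'");
}

// The middleware/layout handoff: the policy goes out on the response, the nonce
// reaches server components on the x-nonce request header so they can set nonce="...".
export function applyCspMiddleware(): {
  responseHeaders: Record<string, string>;
  requestHeaders: Record<string, string>;
} {
  const nonce = generateNonce();
  return {
    responseHeaders: { "Content-Security-Policy": buildCsp(nonce) },
    requestHeaders: { "x-nonce": nonce },
  };
}
```

Because the nonce is regenerated per request, a script injected into cached or attacker-controlled markup cannot know it in advance; the only inline script that runs is the one the layout tagged with the value it read from x-nonce, and 'strict-dynamic' extends that trust to whatever that script loads.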
Turns on the full strict flag set: noImplicitAny, strictNullChecks, strictFunctionTypes, strictBindCallApply, strictPropertyInitialization, noImplicitThis, useUnknownInCatchVariables, and alwaysStrict. These catch a broad class of runtime errors — null dereferences, wrong callback signatures, uninitialised class fields — at build time rather than in production. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…h options noImplicitReturns errors when a code path in a function with a non-void return type can exit without returning a value — a silent bug source. noFallthroughCasesInSwitch errors when a non-empty switch case falls through to the next case without a break or return, which is almost always a bug rather than intentional. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
With strict mode enabled, catch variables and explicitly-typed unknown values must be narrowed before accessing their properties. Replacing let err: any with let err: unknown and adding an object-type guard makes the error path type-safe: the compiler will catch any future attempt to access err properties without narrowing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…c hook With useUnknownInCatchVariables (part of strict mode), catch variables have type unknown. Casting directly with as Error is an assertion the compiler accepts but does not verify — a non-Error rejection would store a malformed object in state. The instanceof guard with String() fallback is safe for any thrown value. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
e.target.value is string, but setLocale expects a Locale union type. The previous as any silently allowed any string through. Using as Locale keeps the same runtime behaviour while documenting the intent and letting the compiler catch accidental non-Locale values at call sites. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
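The three commits above are all about narrowing values that arrive as `unknown` or as an arbitrary string before trusting them. The block below is an added example, not the project's hook or component code: `toError` is the instanceof-with-String()-fallback pattern the hook commit describes, `errorMessageViaCast` shows why the `as Error` cast it replaced is unsafe, and `isLocale` goes one step further than the `as Locale` cast by checking the value at runtime. The locale list and the `setLocale` signature are assumptions.

```typescript
// Assumed locale set; the project's real Locale union is not shown in the PR.
export const LOCALES = ["en", "de", "fr"] as const;
export type Locale = (typeof LOCALES)[number];

// Runtime guard: unlike `as Locale`, a bad value is rejected instead of cast through.
export function isLocale(value: unknown): value is Locale {
  return typeof value === "string" && (LOCALES as readonly string[]).includes(value);
}

// Handler for a <select> change: only a validated Locale reaches setLocale.
export function handleLocaleChange(raw: string, setLocale: (l: Locale) => void): boolean {
  if (!isLocale(raw)) return false;
  setLocale(raw); // raw is narrowed to Locale here
  return true;
}

// Safe conversion of any thrown value (Error, string, {message}, null, ...) to an Error.
export function toError(value: unknown): Error {
  if (value instanceof Error) return value;
  if (
    typeof value === "object" &&
    value !== null &&
    "message" in value &&
    typeof (value as { message: unknown }).message === "string"
  ) {
    return new Error((value as { message: string }).message);
  }
  return new Error(String(value));
}

// The hazard the hook commit removed: the cast compiles, but a non-Error rejection
// yields undefined (thrown string) or a TypeError (thrown null) at the property access.
export function errorMessageViaCast(value: unknown): string | undefined {
  const e = value as Error;
  return e.message;
}

// What a fetch hook should store in state after `catch (err: unknown)`.
export function errorStateFrom(value: unknown): { message: string; isError: true } {
  return { message: toError(value).message, isError: true };
}
```

`isLocale` is the stronger fix because `e.target.value` is attacker-influenced DOM input; a type guard turns the compile-time promise into a runtime check at the trust boundary.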
The silent Err(_) => true branch hid Redis connectivity problems from operators. Adding a tracing::warn with the error and key makes the fail-open event observable in logs and metrics, so on-call can distinguish intentional fail-open from a Redis outage causing rate limiting to be silently bypassed. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
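The point of the commit above is that failing open is an acceptable availability choice only if every fail-open event is visible. The project's limiter is Rust on Redis; the block below is an added TypeScript sketch of the same design, not the project's code, using an in-memory counter (a constructed stand-in for Redis) that can be flipped into an outage. The decision carries an explicit reason and the limiter keeps a fail-open counter so a dashboard can distinguish "allowed because under limit" from "allowed because the backend was down".

```typescript
export interface Counter {
  // Increment key in the current window and return the new count; throws if the backend is down.
  incr(key: string, windowSec: number): number;
}

export type Reason = "under_limit" | "over_limit" | "fail_open";
export type Decision = { allowed: boolean; reason: Reason };
export type WarnFn = (msg: string, fields: Record<string, unknown>) => void;

export class RateLimiter {
  // Exported as a metric: any non-zero rate of fail-open means limits are not being enforced.
  failOpenTotal = 0;

  constructor(
    private readonly store: Counter,
    private readonly limit: number,
    private readonly windowSec: number,
    private readonly warn: WarnFn,
  ) {}

  check(key: string): Decision {
    let count: number;
    try {
      count = this.store.incr(key, this.windowSec);
    } catch (err: unknown) {
      // Fail open on purpose (availability over strictness), but never silently.
      this.failOpenTotal += 1;
      this.warn("rate limiter backend unavailable, failing open", {
        key,
        error: err instanceof Error ? err.message : String(err),
      });
      return { allowed: true, reason: "fail_open" };
    }
    return count <= this.limit
      ? { allowed: true, reason: "under_limit" }
      : { allowed: false, reason: "over_limit" };
  }
}

// Constructed in-memory counter standing in for Redis; set `down` to simulate an outage.
export class FakeCounter implements Counter {
  down = false;
  private readonly counts = new Map<string, number>();

  incr(key: string, _windowSec: number): number {
    if (this.down) throw new Error("connection refused");
    const n = (this.counts.get(key) ?? 0) + 1;
    this.counts.set(key, n);
    return n;
  }
}

// Drive the limiter through a normal window and then an outage; returns what an
// operator would see: the decisions, the warn-log lines, and the fail-open metric.
export function demo(): { decisions: Reason[]; warnings: string[]; failOpenTotal: number } {
  const store = new FakeCounter();
  const warnings: string[] = [];
  const limiter = new RateLimiter(store, 2, 60, (msg, fields) =>
    warnings.push(`${msg} key=${fields.key} error=${fields.error}`),
  );
  const key = "ip:203.0.113.7"; // constructed sample client key
  const decisions: Reason[] = [];
  for (let i = 0; i < 3; i++) decisions.push(limiter.check(key).reason);
  store.down = true;
  decisions.push(limiter.check(key).reason);
  return { decisions, warnings, failOpenTotal: limiter.failOpenTotal };
}
```

Alert on `failOpenTotal` rather than on the warn lines alone: a short Redis blip produces a handful of log entries that are easy to miss, while a sustained outage shows up as a steadily climbing counter that pages on-call before an abuser notices the limits are gone.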
The unwrap() panicked with no context. expect() with a description makes the invariant explicit: remove() can only return None if the email key was deleted between the find() and remove() calls, which cannot happen in single-threaded test code. Callers now get a diagnostic message instead of a bare 'called Option::unwrap() on a None value'. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…iscarding unwrap_or_default() swallowed body-read failures with no trace, making SendGrid errors appear as empty responses. Adding a tracing::warn before falling back to an empty string ensures the read failure is visible in observability tooling while still propagating the HTTP status code in the bail! message. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The previous unwrap_or_else silently fell back to logging the original unredacted body with no indication that redaction failed. Adding a tracing::warn makes the fallback visible so operators know when sensitive fields may have been logged in plain text. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…table lock The previous DELETE had no LIMIT so on a table with many expired pending rows it would lock all matching rows at once, potentially blocking active subscriber inserts for seconds. The subquery-with-LIMIT approach caps each call to batch_size rows; callers loop until 0 rows are returned to drain the full backlog without holding the lock continuously. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Exposes the per-run delete limit added to newsletter_delete_expired_pending as a tunable config value. Defaults to 500 rows per run which is safe for most deployments; operators on high-traffic instances can lower it further or operators on small instances can raise it to drain backlogs faster. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Threads the NEWSLETTER_CLEANUP_BATCH_SIZE config value through to the database call so the hourly cleanup task honours the per-run row cap added in the previous commit instead of defaulting to an unbounded delete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The four Config struct literals in config.rs tests were missing the new newsletter_cleanup_batch_size field added in the previous commit. Using the default value of 500 keeps test intent unchanged while satisfying the exhaustive struct initialisation required by Rust. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ed_at) The queue worker's primary scan — pending jobs ordered by priority then scheduled_at — required the planner to use one of the two single-column indexes and filter/sort on the remaining columns. The composite index covers the WHERE clause and the ORDER BY in a single index scan, reducing I/O on high-throughput instances where the pending set is large. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… DESC) Ordered event fetching for a single job — used in analytics and webhook processing — required sorting after an index scan on email_job_id alone. The composite index satisfies both the equality predicate and the ORDER BY timestamp DESC in a single B-tree scan, eliminating the sort step for the common per-job timeline query. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… cleanup query The cleanup DELETE scans WHERE confirmed = FALSE AND created_at <= threshold. A partial index limited to unconfirmed rows keeps the index small (only pending entries, not the full subscriber table) while allowing the planner to evaluate the created_at range filter directly from the index, avoiding a heap scan of confirmed subscribers. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ueries Background jobs that close markets past their deadline query WHERE status = 'active' AND ends_at < NOW(). The existing composite index on (status, total_volume, ends_at) leads with volume and is not selective for deadline scans. A partial index scoped to active markets only — which shrinks as markets resolve — provides an O(log n) path for deadline-based lookups without scanning the full markets table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Adds the four indexes introduced in migrations 013–016 to the canonical reference file so operators running manual schema inspections or applying the sql/ files directly (e.g. in dev) have a complete picture without reading individual migration files. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>