Code Review
This pull request updates dependencies and migrates build tools to use ts-builder across the model and ui packages. Feedback highlights a security regression in the ui/index.html file where the addition of 'unsafe-eval' to the Content Security Policy increases vulnerability to XSS attacks. Furthermore, the removal of vite and its associated plugins from devDependencies in both the model and ui packages may lead to build failures or IDE resolution issues if the existing configuration files still depend on them.
| <head> | ||
| <meta charset="UTF-8" /> | ||
| <meta http-equiv="Content-Security-Policy" content="script-src 'self' blob: data:"> | ||
| <meta http-equiv="Content-Security-Policy" content="script-src 'self' blob: data: 'unsafe-eval'"> |
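Review bot: besides the added 'unsafe-eval', the script-src directive in both the old and the new meta tag already permits `blob:` and `data:` sources, and `data:` in script-src lets any injected markup load script from a data: URL, so the policy was weak before this change and gets weaker with it; while this line is being edited, tighten it to `'self'` plus only the blob: usage the app genuinely needs. Minor: the charset meta is written self-closing (`<meta charset="UTF-8" />`) while the CSP meta is not; use one form.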
Adding 'unsafe-eval' to the Content-Security-Policy is a significant security regression. It allows the execution of arbitrary strings as code, which is a primary vector for Cross-Site Scripting (XSS) attacks. If this was added to resolve a build or runtime issue (e.g., with a Vue compiler or a specific dependency), please investigate if there is a more secure alternative, such as using a runtime-only build or adjusting the build tool configuration to avoid generating code that requires eval().
| "@milaboratories/ts-builder": "catalog:", | ||
| "@milaboratories/ts-configs": "catalog:", | ||
| "@platforma-sdk/block-tools": "catalog:", | ||
| "@milaboratories/graph-maker": "catalog:", | ||
| "typescript": "catalog:", | ||
| "vite": "catalog:", | ||
| "tsup": "catalog:" | ||
| }, | ||
| "tsup": { | ||
| "entry": [ | ||
| "src/index.ts" | ||
| ], | ||
| "splitting": false, | ||
| "treeshake": true, | ||
| "clean": true, | ||
| "format": [ | ||
| "cjs", | ||
| "esm" | ||
| ], | ||
| "dts": true, | ||
| "minify": false, | ||
| "sourcemap": true | ||
| "typescript": "catalog:" | ||
| } |
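Review bot: removing the inline `"tsup"` section drops the explicit `"dts": true`, `"sourcemap": true` and the dual `"cjs"`/`"esm"` output for `src/index.ts`; confirm that ts-builder reproduces declaration files, sourcemaps and both formats for this entry, otherwise consumers that import the CommonJS build or depend on the published types will break without a compile-time error. Note that `"tsup": "catalog:"` leaves devDependencies in the same hunk, so there is no fallback build left if ts-builder's output differs.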
The vite package was removed from devDependencies, but model/vite.config.mts still exists and imports from it. This can lead to broken IDE integration and potential build failures if the environment expects vite to be a direct dependency of the package. If the configuration file is still in use, vite should remain in devDependencies.
| "@milaboratories/ts-builder": "catalog:", | ||
| "@milaboratories/ts-configs": "catalog:", | ||
| "@vitejs/plugin-vue": "catalog:", | ||
| "sass": "catalog:", | ||
| "typescript": "catalog:", | ||
| "vite": "catalog:", | ||
| "vitest": "catalog:", | ||
| "vue-tsc": "catalog:" | ||
| "typescript": "catalog:" | ||
| } |
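Review bot: the devDependencies list in this hunk also carries `vitest`, `vue-tsc` and `sass`, and the new list ends at `"typescript": "catalog:"`; if those three are leaving along with `vite`, confirm that ts-builder now runs the test suite and type-checks the .vue files, and that no stylesheet still uses SCSS, otherwise the vitest suite and `vue-tsc` type checking silently stop running rather than failing the build.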
Several devDependencies such as vite, @milaboratories/build-configs, and @vitejs/plugin-vue were removed, yet ui/vite.config.ts still imports from them. This will likely cause issues with TypeScript resolution and IDE features (like autocompletion and error checking). It is recommended to keep these as explicit devDependencies if the configuration file depends on them.