chore(deps): bump vite-plus to v0.2.2#6
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces support for pull request descriptions, merge controls, and general comments in the UI, alongside improving ref parsing for Git repositories. Feedback on the changes highlights a critical runtime ReferenceError in bin/arguments.js due to an undefined repositoryPath variable, and a high-severity XSS vulnerability in core/lib/markdown.tsx where image sanitization could allow malicious HTML attributes to bypass filters.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| commitRef = source.commitRef; | ||
| } else if (requestedPath == null && existsSync(resolve(sourceCandidate))) { | ||
| requestedPath = sourceCandidate; | ||
| } else if (isGitRepository(repositoryPath)) { |
There was a problem hiding this comment.
The variable repositoryPath is not defined in the scope of parseArguments. This will cause a ReferenceError at runtime when this branch is executed. It should be replaced with resolve(requestedPath || process.cwd()) or similar, matching the pattern used in electron/main/command-line.cjs.
| } else if (isGitRepository(repositoryPath)) { | |
| } else if (isGitRepository(resolve(requestedPath || process.cwd()))) { |
| export const sanitizeMarkdownImages = (text: string): string => | ||
| text.replaceAll( | ||
| /!\[([^\]\n]*)\]\(([^)\s]+)(?:\s+(?:"[^"]*"|'[^']*'))?\)|<img\b[^>]*>/gi, | ||
| (match, markdownAlt: string | undefined, markdownSource: string | undefined) => { | ||
| const htmlImage = match.startsWith('<'); | ||
| const source = htmlImage ? getHtmlAttribute(match, 'src') : (markdownSource ?? ''); | ||
| if (getSafeImageSource(source)) { | ||
| return match; | ||
| } | ||
|
|
||
| const alt = htmlImage ? getHtmlAttribute(match, 'alt') : (markdownAlt ?? ''); | ||
| return alt; | ||
| }, | ||
| ); |
There was a problem hiding this comment.
When sanitizing HTML <img> tags, returning the raw match unchanged when the src is safe allows other potentially malicious attributes (such as onload, onerror, or onclick) to bypass sanitization. To prevent potential Cross-Site Scripting (XSS) attacks, reconstruct the <img> tag using only the allowed safe attributes (src, alt, width, height) instead of returning the original raw HTML string.
export const sanitizeMarkdownImages = (text: string): string =>
text.replaceAll(
/!\[([^\]\n]*)\]\(([^)\s]+)(?:\s+(?:"[^"]*"|'[^']*'))?\)|<img\b[^>]*>/gi,
(match, markdownAlt: string | undefined, markdownSource: string | undefined) => {
const htmlImage = match.startsWith('<');
const source = htmlImage ? getHtmlAttribute(match, 'src') : (markdownSource ?? '');
if (getSafeImageSource(source)) {
if (htmlImage) {
const alt = getHtmlAttribute(match, 'alt');
const width = getHtmlAttribute(match, 'width');
const height = getHtmlAttribute(match, 'height');
return `<img src="${source}"${alt ? ` alt="${alt}"` : ''}${width ? ` width="${width}"` : ''}${height ? ` height="${height}"` : ''} />`;
}
return match;
}
const alt = htmlImage ? getHtmlAttribute(match, 'alt') : (markdownAlt ?? '');
return alt;
},
);
Summary
Bump
vite-plusand related packages to the pkg.pr.new prerelease build for v0.2.2 (registry-bridge commit build) to smoke-test the prerelease.vite-plus+vite(alias to@voidzero-dev/vite-plus-core) andvitestpinned to the commit build across deps / overrides / catalogsminimumReleaseAgeenabled with thevite-plus/@voidzero-dev/*/ oxc / oxlint stack excluded.npmrc(or.yarnrc.yml) points the package manager at the registry bridge (prerelease scaffolding)Test plan