Skip to content

chore(deps): bump vite-plus to v0.2.2#6

Draft
fengmk2 wants to merge 2 commits into
mainfrom
update-vite-plus-prerelease-test-0.2.2
Draft

chore(deps): bump vite-plus to v0.2.2#6
fengmk2 wants to merge 2 commits into
mainfrom
update-vite-plus-prerelease-test-0.2.2

Conversation

@fengmk2

@fengmk2 fengmk2 commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

Bump vite-plus and related packages to the pkg.pr.new prerelease build for v0.2.2 (registry-bridge commit build) to smoke-test the prerelease.

  • vite-plus + vite (alias to @voidzero-dev/vite-plus-core) and vitest pinned to the commit build across deps / overrides / catalogs
  • minimumReleaseAge enabled with the vite-plus / @voidzero-dev/* / oxc / oxlint stack excluded
  • .npmrc (or .yarnrc.yml) points the package manager at the registry bridge (prerelease scaffolding)

Test plan

  • CI passes

@fengmk2 fengmk2 self-assigned this Jul 2, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for pull request descriptions, merge controls, and general comments in the UI, alongside improving ref parsing for Git repositories. Feedback on the changes highlights a critical runtime ReferenceError in bin/arguments.js due to an undefined repositoryPath variable, and a high-severity XSS vulnerability in core/lib/markdown.tsx where image sanitization could allow malicious HTML attributes to bypass filters.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread bin/arguments.js
commitRef = source.commitRef;
} else if (requestedPath == null && existsSync(resolve(sourceCandidate))) {
requestedPath = sourceCandidate;
} else if (isGitRepository(repositoryPath)) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

The variable repositoryPath is not defined in the scope of parseArguments. This will cause a ReferenceError at runtime when this branch is executed. It should be replaced with resolve(requestedPath || process.cwd()) or similar, matching the pattern used in electron/main/command-line.cjs.

Suggested change
} else if (isGitRepository(repositoryPath)) {
} else if (isGitRepository(resolve(requestedPath || process.cwd()))) {

Comment thread core/lib/markdown.tsx
Comment on lines +104 to +117
export const sanitizeMarkdownImages = (text: string): string =>
text.replaceAll(
/!\[([^\]\n]*)\]\(([^)\s]+)(?:\s+(?:"[^"]*"|'[^']*'))?\)|<img\b[^>]*>/gi,
(match, markdownAlt: string | undefined, markdownSource: string | undefined) => {
const htmlImage = match.startsWith('<');
const source = htmlImage ? getHtmlAttribute(match, 'src') : (markdownSource ?? '');
if (getSafeImageSource(source)) {
return match;
}

const alt = htmlImage ? getHtmlAttribute(match, 'alt') : (markdownAlt ?? '');
return alt;
},
);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

When sanitizing HTML <img> tags, returning the raw match unchanged when the src is safe allows other potentially malicious attributes (such as onload, onerror, or onclick) to bypass sanitization. To prevent potential Cross-Site Scripting (XSS) attacks, reconstruct the <img> tag using only the allowed safe attributes (src, alt, width, height) instead of returning the original raw HTML string.

export const sanitizeMarkdownImages = (text: string): string =>
  text.replaceAll(
    /!\[([^\]\n]*)\]\(([^)\s]+)(?:\s+(?:"[^"]*"|'[^']*'))?\)|<img\b[^>]*>/gi,
    (match, markdownAlt: string | undefined, markdownSource: string | undefined) => {
      const htmlImage = match.startsWith('<');
      const source = htmlImage ? getHtmlAttribute(match, 'src') : (markdownSource ?? '');
      if (getSafeImageSource(source)) {
        if (htmlImage) {
          const alt = getHtmlAttribute(match, 'alt');
          const width = getHtmlAttribute(match, 'width');
          const height = getHtmlAttribute(match, 'height');
          return `<img src="${source}"${alt ? ` alt="${alt}"` : ''}${width ? ` width="${width}"` : ''}${height ? ` height="${height}"` : ''} />`;
        }
        return match;
      }

      const alt = htmlImage ? getHtmlAttribute(match, 'alt') : (markdownAlt ?? '');
      return alt;
    },
  );

@fengmk2 fengmk2 closed this Jul 2, 2026
@fengmk2 fengmk2 reopened this Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant