github · design-extractHEAD

Evidence

FROM node:20-slim

# Playwright chromium deps

RUN apt-get update && apt-get install -y --no-install-recommends \

      ca-certificates fonts-liberation libasound2 libatk-bridge2.0-0 libatk1.0-0 \

      libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgbm1 \

      libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libnss3 libpango-1.0-0 \

      libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 \

      libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 lib

Remediation

Create and switch to a non-root user before the CMD / ENTRYPOINT: RUN adduser --system --uid 1000 app USER 1000 Or reuse the base image's shipped non-root account (e.g. `USER nobody`, `USER nonroot` on distroless). Multi-stage builds only need the USER directive in the final stage.

Evidence

uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis

        uses: github/codeql-action/analyze@v3

        with:

          category: /language:javascript-typescript

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

if: |

      (github.event_name == 'pull_request' && github.event.pull_request.draft == false)

      || (github.event_name == 'issue_comment' && github.event.issue.pull_request != null && startsWith(github.event.comment.body, '/bot'))

    uses: bot-manavarya/reviewer/.github/workflows/review.yml@main

    with:

      provider: 'gemini'

      model: 'gemini-2.5-flash'

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

queries: security-and-quality

      - name: Autobuild

        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis

        uses: github/codeql-action/analyze@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: read

    steps:

      - name: Checkout

        uses: actions/checkout@v4

      - name: Initialize CodeQL

        uses: github/codeql-action/init@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v4

      - name: Initialize CodeQL

        uses: github/codeql-action/init@v3

        with:

          languages: javascript-typescript

          queries: security-and-quality

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

// GitHub Actions niceties: if running in GHA, write the report to the step summary.

  if (process.env.GITHUB_STEP_SUMMARY) {

    try { writeFileSync(process.env.GITHUB_STEP_SUMMARY, md, { flag: 'a' }); } catch {}

  }

  const threshold = opts.failOn || 'notable-drift';

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

// history.replaceState avoids a Next router navigation (we want to keep

        // the live extraction state, just change the URL).

        if (typeof window !== 'undefined' && event.hash) {

          try { window.history.replaceState({}, '', `/x/${event.hash}`); } catch {}

        }

        break;

      }

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

if ((e.duration || 0) > window.__dlVitals.inp) window.__dlVitals.inp = e.duration;

          }

        }).observe({ type: 'event', buffered: true, durationThreshold: 16 });

      } catch {}

    });

    const start = Date.now();

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

function parseJsonLoose(text) {

  try { return JSON.parse(text); } catch { /* try to find a JSON object */ }

  const m = text.match(/\{[\s\S]*\}/);

  if (m) { try { return JSON.parse(m[0]); } catch {} }

  return null;

}

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

if (opts.open !== false) {

        const { spawn } = await import('child_process');

        const cmd = process.platform === 'darwin' ? 'open' : process.platform === 'win32' ? 'start' : 'xdg-open';

        try { spawn(cmd, [`http://localhost:${port}`], { stdio: 'ignore', detached: true }).unref(); } catch {}

      }

    } catch (err) {

      console.error(chalk.red(`\n  ${err.message}\n`));

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

    await page.goto(url, { waitUntil: 'networkidle', timeout: 25000 });

  } catch {

    try { await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 15000 }); } catch {}

  }

  // Scripted motion pass: slow scroll → hover first CTA → scroll back.

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

var cur = document.documentElement.getAttribute('data-theme') === 'dark' ? '' : 'dark';

        if (cur) document.documentElement.setAttribute('data-theme', cur);

        else document.documentElement.removeAttribute('data-theme');

        try { localStorage.setItem('dl-theme', cur); } catch (e) {}

      });

    })();

  </script>

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

new PerformanceObserver((list) => {

          for (const e of list.getEntries()) window.__dlVitals.lcp = e.startTime;

        }).observe({ type: 'largest-contentful-paint', buffered: true });

      } catch {}

      try {

        let cls = 0;

        new PerformanceObserver((list) => {

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

for (const inr of rule.cssRules) {

                if (inr.selectorText) inner.push(inr.selectorText);

              }

            } catch {}

            results.containerQueries.push({

              condition: rule.conditionText || rule.containerQuery || '',

              selectorText: inner.join(', '),

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

(function () {

      var btn = document.getElementById('themeBtn');

      var saved = null;

      try { saved = localStorage.getItem('dl-theme'); } catch (e) {}

      if (saved) document.documentElement.setAttribute('data-theme', saved);

      btn && btn.addEventListener('click', function () {

        var cur = document.documentElement.getAttribute('data-theme') === 'dark' ? '' : 'dark';

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

    for (const f of readdirSync(videoDir)) unlinkSync(join(videoDir, f));

    rmdirSync(videoDir);

  } catch {}

  const result = {

    url,

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try {

        const btn = await page.$('button, [role="button"], a.btn, .button, [class*="btn"]');

        if (btn) await btn.hover({ timeout: 1000 }).catch(() => {});

      } catch {}

    }

    await page.waitForTimeout(frameMs);

  }

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

}

      }

      if (buffer.trim()) {

        try { handleEvent(JSON.parse(buffer.trim())); } catch {}

      }

    } catch (err) {

      setErrorMsg('Stream interrupted. Try another URL.');

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

if (!res.ok) {

      let body = null;

      try { body = await res.json(); } catch {}

      if (res.status === 429) {

        setRateLimitMsg(body?.error || 'Rate limit reached. Try again in 24h.');

      } else if (res.status === 400) {

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

var cur = document.documentElement.getAttribute('data-theme') === 'dark' ? '' : 'dark';

        if (cur) document.documentElement.setAttribute('data-theme', cur);

        else document.documentElement.removeAttribute('data-theme');

        try { localStorage.setItem('dl-theme', cur); } catch (e) {}

      });

    })();

  </script>

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

}

        } catch { /* cross-origin — already tracked */ }

      }

    } catch {}

    for (const link of document.querySelectorAll('link[href*="fonts.googleapis.com"]')) {

      results.fontData.googleFontsLinks.push(link.href);

    }

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

await navigator.clipboard.writeText(content);

      setCopied(true);

      setTimeout(() => setCopied(false), 1500);

    } catch {}

  }, [content]);

  const downloadFile = useCallback(() => {

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

(function () {

      var btn = document.getElementById('themeBtn');

      var saved = null;

      try { saved = localStorage.getItem('dl-theme'); } catch (e) {}

      if (saved) document.documentElement.setAttribute('data-theme', saved);

      btn && btn.addEventListener('click', function () {

        var cur = document.documentElement.getAttribute('data-theme') === 'dark' ? '' : 'dark';

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

}

          window.__dlVitals.cls = cls;

        }).observe({ type: 'layout-shift', buffered: true });

      } catch {}

      try {

        new PerformanceObserver((list) => {

          for (const e of list.getEntries()) {

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.