Merge pull request #1 from StudioLambda/fix/audit-high-severity-issues

ConsoleTVs · web-flow · commit 92089bf62d8a · 2026-04-12T14:05:55.000+02:00
Fix high-severity audit findings across matcher, router, CI, and build
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,8 +11,7 @@ concurrency:
   cancel-in-progress: true
 
 permissions:
-  contents: write
-  id-token: write
+  contents: read
 
 jobs:
   check:
@@ -74,6 +73,10 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build]
 
+    permissions:
+      contents: write
+      id-token: write
+
     # Only release on push to main, not on PRs
     if: ${{ github.event_name == 'push' }}
 
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -100,7 +100,7 @@
     "react": "^19.2.0",
     "react-dom": "^19.2.0",
     "typescript": "^6.0.2",
-    "vite": "^8.0.3",
+    "vite": "^8.0.8",
     "vite-plugin-dts": "^4.5.4",
     "vitest": "^4.0.7"
   }
diff --git a/src/react/components/Router.tsx b/src/react/components/Router.tsx
@@ -145,7 +145,18 @@ export interface RouterProps {
  */
 export function Router(options: RouterProps) {
   const contextNavigation = use(NavigationContext)
-  const navigation: Navigation = options.navigation ?? contextNavigation ?? window.navigation
+  const navigation: Navigation =
+    options.navigation ??
+    contextNavigation ??
+    (typeof window !== 'undefined' ? window.navigation : undefined)!
+
+  if (navigation === undefined || navigation === null) {
+    throw new Error(
+      'Router requires a navigation prop, NavigationContext provider, ' +
+        'or browser Navigation API support. ' +
+        'Use createMemoryNavigation() for SSR or non-browser environments.'
+    )
+  }
   const matcher: Matcher<Handler> = options.matcher ?? use(MatcherContext)
   const internalTransition = useTransition()
   const transition = options.transition ?? internalTransition
diff --git a/src/react/createRouter.test.ts b/src/react/createRouter.test.ts
@@ -394,6 +394,33 @@ describe('createRouter', { concurrent: true }, function () {
       expect(receivedUrl?.search).toBe('?q=test')
       expect(context.controller.redirect).toHaveBeenCalledWith('/new-search?q=test')
     })
+
+    it('does not inherit middleware from parent groups', function ({ expect }) {
+      const Auth = createMiddleware()
+
+      const router = createRouter(function (route) {
+        const authed = route().middleware([Auth]).group()
+
+        authed('/old').redirect('/new')
+      })
+
+      const match = router.match('/old')
+
+      expect(match).not.toBeNull()
+      expect(match?.handler.middlewares).toBeUndefined()
+    })
+
+    it('does not inherit scroll or focusReset configuration', function ({ expect }) {
+      const router = createRouter(function (route) {
+        route('/old').scroll('manual').focusReset('manual').redirect('/new')
+      })
+
+      const match = router.match('/old')
+
+      expect(match).not.toBeNull()
+      expect(match?.handler.scroll).toBeUndefined()
+      expect(match?.handler.focusReset).toBeUndefined()
+    })
   })
 
   describe('groups', { concurrent: true }, function () {
diff --git a/src/react/createRouter.ts b/src/react/createRouter.ts
@@ -412,14 +412,11 @@ function createRouteFactory(matcher: Matcher<Handler>, inherited: InheritedConfi
 
         const handler: Handler = {
           component: RedirectFallback,
-          middlewares: resolveMiddlewares(),
           prefetch: function (context) {
             const resolved = typeof target === 'function' ? target(context) : target
 
             context.controller.redirect(resolved)
           },
-          scroll: state.scroll,
-          focusReset: state.focusReset,
         }
 
         matcher.register(fullPath, handler)
diff --git a/src/react/hooks/useNextMatch.ts b/src/react/hooks/useNextMatch.ts
@@ -49,6 +49,6 @@ export function useNextMatch(options?: NextMatchOptions) {
       return fallbackResolved
     }
 
-    return matcher.match(new URL(destination).pathname) ?? fallbackResolved
+    return matcher.match(new URL(destination, 'http://localhost').pathname) ?? fallbackResolved
   }
 }
diff --git a/src/router/matcher.test.ts b/src/router/matcher.test.ts
@@ -175,5 +175,103 @@ describe('router', function () {
       expect(route).not.toBeNull()
       expect(route?.params).toStrictEqual({ id: '42', path: 'docs/readme.md' })
     })
+
+    it('matches a route with handler value 0', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/zero', 0)
+
+      const route = router.match('/zero')
+
+      expect(route).not.toBeNull()
+      expect(route?.handler).toBe(0)
+    })
+
+    it('matches a route with handler value empty string', function ({ expect }) {
+      const router = createMatcher<string>()
+
+      router.register('/empty', '')
+
+      const route = router.match('/empty')
+
+      expect(route).not.toBeNull()
+      expect(route?.handler).toBe('')
+    })
+
+    it('matches a route with handler value false', function ({ expect }) {
+      const router = createMatcher<boolean>()
+
+      router.register('/false', false)
+
+      const route = router.match('/false')
+
+      expect(route).not.toBeNull()
+      expect(route?.handler).toBe(false)
+    })
+
+    it('matches a wildcard route with handler value 0', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/files/*path', 0)
+
+      const route = router.match('/files/readme.md')
+
+      expect(route).not.toBeNull()
+      expect(route?.handler).toBe(0)
+      expect(route?.params).toStrictEqual({ path: 'readme.md' })
+    })
+
+    it('matches root handler', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/', 1)
+
+      const route = router.match('/')
+
+      expect(route).not.toBeNull()
+      expect(route?.handler).toBe(1)
+    })
+  })
+
+  describe('param name conflicts', function () {
+    it('throws on conflicting dynamic param names at the same level', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/user/:id/profile', 1)
+
+      expect(function () {
+        router.register('/user/:name/settings', 2)
+      }).toThrow('conflicting dynamic param name')
+    })
+
+    it('throws on conflicting wildcard param names at the same level', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/files/*path', 1)
+
+      expect(function () {
+        router.register('/files/*filepath', 2)
+      }).toThrow('conflicting wildcard param name')
+    })
+
+    it('allows the same dynamic param name at the same level', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/user/:id/profile', 1)
+
+      expect(function () {
+        router.register('/user/:id/settings', 2)
+      }).not.toThrow()
+    })
+
+    it('allows the same wildcard param name at the same level', function ({ expect }) {
+      const router = createMatcher<number>()
+
+      router.register('/files/*path', 1)
+
+      expect(function () {
+        router.register('/other/*path', 2)
+      }).not.toThrow()
+    })
   })
 })
diff --git a/src/router/matcher.ts b/src/router/matcher.ts
@@ -156,6 +156,11 @@ export function createMatcher<T>(options?: Options<T>): Matcher<T> {
 
         if (!node.wildcard) {
           node.wildcard = { children: new Map(), name }
+        } else if (node.wildcard.name !== name) {
+          throw new Error(
+            `conflicting wildcard param name at "${pattern}": ` +
+              `existing "*${node.wildcard.name}" vs new "*${name}"`
+          )
         }
 
         node = node.wildcard
@@ -167,6 +172,11 @@ export function createMatcher<T>(options?: Options<T>): Matcher<T> {
 
         if (!node.child) {
           node.child = { children: new Map(), name }
+        } else if (node.child.name !== name) {
+          throw new Error(
+            `conflicting dynamic param name at "${pattern}": ` +
+              `existing ":${node.child.name}" vs new ":${name}"`
+          )
         }
 
         node = node.child
@@ -216,7 +226,7 @@ export function createMatcher<T>(options?: Options<T>): Matcher<T> {
       params: Record<string, string>
     ): Resolved<T> | null {
       if (index === segments.length) {
-        return node.handler ? { handler: node.handler, params } : null
+        return node.handler !== undefined ? { handler: node.handler, params } : null
       }
 
       const segment = segments[index]
@@ -242,7 +252,7 @@ export function createMatcher<T>(options?: Options<T>): Matcher<T> {
         }
       }
 
-      if (node.wildcard && node.wildcard.name && node.wildcard.handler) {
+      if (node.wildcard && node.wildcard.name && node.wildcard.handler !== undefined) {
         const rest = segments.slice(index).join('/')
 
         return {
diff --git a/vite.config.ts b/vite.config.ts
@@ -46,7 +46,13 @@ export default defineConfig({
     }),
     dts({
       include: ['**/*.ts*'],
-      exclude: ['**/*.test.ts*'],
+      exclude: [
+        '**/*.test.ts*',
+        '**/example.tsx',
+        '**/ExampleMain.tsx',
+        '**/examples/**',
+        '**/test-helpers.ts',
+      ],
       outDir: '../../dist',
       root: './src/react',
     }),

Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@`
`100`	`100`	`"react": "^19.2.0",`
`101`	`101`	`"react-dom": "^19.2.0",`
`102`	`102`	`"typescript": "^6.0.2",`
`103`		`- "vite": "^8.0.3",`
	`103`	`+ "vite": "^8.0.8",`
`104`	`104`	`"vite-plugin-dts": "^4.5.4",`
`105`	`105`	`"vitest": "^4.0.7"`
`106`	`106`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,6 @@ export function useNextMatch(options?: NextMatchOptions) {`
`49`	`49`	`return fallbackResolved`
`50`	`50`	`}`
`51`	`51`
`52`		`- return matcher.match(new URL(destination).pathname) ?? fallbackResolved`
	`52`	`+ return matcher.match(new URL(destination, 'http://localhost').pathname) ?? fallbackResolved`
`53`	`53`	`}`
`54`	`54`	`}`