fix: 7 ESLint errors blocking CI on fresh install (closes #47) (#49)

thunpisit · claude · web-flow · commit 174267e84b35 · 2026-05-03T17:29:25.000+07:00
The CI gate (.github/workflows/deploy.yml) runs `pnpm run lint`,
which fails on every push because of legitimately-flagged code
patterns. None of these are real bugs — they're cases where the
linter rule is correct in general but doesn't fit our specific
intent. Fixed each at the smallest scope:

- CookieBanner.svelte: privacyHref is operator-supplied (built from
  layout's `localePath()` → /[locale]/privacy-policy), not a
  build-time route — eslint-disable for svelte/no-navigation-without-resolve.
- Seo.svelte: emit JSON-LD via concatenated string + escaped
  &lt;/script&gt; sequence so untrusted JSON values can't break out;
  eslint-disable svelte/no-at-html-tags + drop the unnecessary `\/`
  escape.
- webhooks/index.ts: drop the dead initializer on `responseExcerpt`
  (every code path reassigns before reading).
- dashboard/+page.server.ts: drop unused `and` from drizzle-orm
  import.
- media/+page.svelte: lookup map is local to a $derived block,
  rebuilt every invocation, never reactive — plain Map is correct;
  eslint-disable svelte/prefer-svelte-reactivity with rationale.
- (www)/[locale]/[...slug]/+page.svelte: trusted server-rendered
  markdown — same eslint-disable pattern blog/[slug] already uses.

After: `pnpm run lint` reports 0 errors (407 paraglide-generated
prettier warnings remain — those are auto-generated and gitignored
in spirit; separate cleanup).

Build still green; svelte-check unchanged.

Co-authored-by: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/src/lib/components/consent/CookieBanner.svelte b/src/lib/components/consent/CookieBanner.svelte
@@ -46,6 +46,7 @@
 				<p class="font-medium text-foreground mb-1">{m.cookie_banner_title()}</p>
 				<p>
 					{m.cookie_banner_body()}
+					<!-- eslint-disable-next-line svelte/no-navigation-without-resolve -- privacy href is operator-supplied (always /[locale]/privacy-policy from layout); not a build-time route -->
 					<a href={privacyHref} class="underline hover:text-foreground">{m.cookie_banner_learn_more()}</a>
 				</p>
 				{#if detailsOpen}
diff --git a/src/lib/components/seo/Seo.svelte b/src/lib/components/seo/Seo.svelte
@@ -88,9 +88,16 @@
 		<meta name="twitter:site" content={defaults.twitter} />
 	{/if}
 
-	<!-- JSON-LD: one <script> per entry for maximum tooling compatibility -->
+	<!-- JSON-LD: one <script> per entry for maximum tooling compatibility.
+		 Using {@html} is required to emit a literal <script> tag (Svelte
+		 strips them in normal markup). The payload is server-built JSON
+		 from our own typed builders ($lib/seo) — never user input — and
+		 we escape any "</script>" sequence before injection so a JSON
+		 value can't break out of the tag. -->
 	{#each jsonLd as ld, i (i)}
-		{@html `<script type="application/ld+json">${JSON.stringify(ld)}<\/script>`}
+		{@const safeJson = JSON.stringify(ld).replace(/<\/script>/gi, '<\\/script>')}
+		<!-- eslint-disable-next-line svelte/no-at-html-tags -- trusted: server-built JSON-LD with </script> escaped -->
+		{@html '<script type="application/ld+json">' + safeJson + '<' + '/script>'}
 	{/each}
 
 	<!-- RSS auto-discovery -->
diff --git a/src/lib/server/webhooks/index.ts b/src/lib/server/webhooks/index.ts
@@ -79,7 +79,9 @@ async function deliverOne(
   for (let attempt = 1; attempt <= MAX_INLINE_ATTEMPTS; attempt++) {
     const t0 = Date.now();
     let responseStatus: number | null = null;
-    let responseExcerpt: string | null = null;
+    // Assigned in every code path below; no initializer to satisfy
+    // no-useless-assignment.
+    let responseExcerpt: string | null;
     let ok = false;
     try {
       const ctrl = new AbortController();
diff --git a/src/routes/(cms)/cms/dashboard/+page.server.ts b/src/routes/(cms)/cms/dashboard/+page.server.ts
@@ -1,6 +1,6 @@
 import { redirect, error } from "@sveltejs/kit";
 import { drizzle } from "drizzle-orm/d1";
-import { desc, eq, and, gte } from "drizzle-orm";
+import { desc, eq, gte } from "drizzle-orm";
 import * as schema from "$lib/server/content/schema";
 import { canManageUsers } from "$lib/server/auth/permissions";
 import { AnalyticsService } from "$lib/server/analytics";
diff --git a/src/routes/(cms)/cms/media/+page.svelte b/src/routes/(cms)/cms/media/+page.svelte
@@ -34,8 +34,11 @@
 		Boolean(data.user && ['super_admin', 'admin', 'editor'].includes(data.user.role)),
 	);
 
-	// Build a parent → children map for the folder tree.
+	// Build a parent → children map for the folder tree. Local to the
+	// derived; never read reactively (rebuilt every invocation), so a
+	// plain Map is correct — no need for SvelteMap's reactivity overhead.
 	const childrenByParent = $derived.by(() => {
+		// eslint-disable-next-line svelte/prefer-svelte-reactivity -- local lookup, not reactive state
 		const map = new Map<string | null, MediaFolderRecord[]>();
 		for (const f of data.folders) {
 			const parent = f.parentId ?? null;
diff --git a/src/routes/(www)/[locale]/[...slug]/+page.svelte b/src/routes/(www)/[locale]/[...slug]/+page.svelte
@@ -22,6 +22,7 @@
 		<h1 class="text-4xl font-bold mb-2">{data.title}</h1>
 	</header>
 	<div class="prose prose-neutral dark:prose-invert max-w-none">
+		<!-- eslint-disable-next-line svelte/no-at-html-tags -- trusted: server-rendered markdown from CMS -->
 		{@html data.htmlContent}
 	</div>
 </article>
