fix: sanitize threshold values in complexity SQL queries

Coerce threshold warn values through Number() and guard with isNaN
before interpolating into SQL HAVING clauses, preventing malformed
queries when non-numeric values are provided in config.

Impact: 1 functions changed, 4 affected

Author: github-actions[bot]

src/complexity.js

@@ -389,13 +389,16 @@ export function complexityData(customDbPath, opts = {}) {
   if (aboveThreshold) {
     const conditions = [];
     if (thresholds.cognitive?.warn != null) {
-      conditions.push(`fc.cognitive >= ${thresholds.cognitive.warn}`);
+      const val = Number(thresholds.cognitive.warn);
+      if (!Number.isNaN(val)) conditions.push(`fc.cognitive >= ${val}`);
     }
     if (thresholds.cyclomatic?.warn != null) {
-      conditions.push(`fc.cyclomatic >= ${thresholds.cyclomatic.warn}`);
+      const val = Number(thresholds.cyclomatic.warn);
+      if (!Number.isNaN(val)) conditions.push(`fc.cyclomatic >= ${val}`);
     }
     if (thresholds.maxNesting?.warn != null) {
-      conditions.push(`fc.max_nesting >= ${thresholds.maxNesting.warn}`);
+      const val = Number(thresholds.maxNesting.warn);
+      if (!Number.isNaN(val)) conditions.push(`fc.max_nesting >= ${val}`);
     }
     if (conditions.length > 0) {
       having = `AND (${conditions.join(' OR ')})`;