Document trusted patterns for semgrep (#16423)

* chore: annotate trusted semgrep patterns

* chore: remove changeset from semgrep annotation PR

Author: matthewp

packages/astro-prism/src/plugin.ts

@@ -31,6 +31,8 @@ export function addAstro(Prism: typeof import('prismjs')) {
 			.replace(/<SPREAD>/g, function () {
 				return spread;
 			});
+		// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+		// Built from static Prism token sources, not user input.
 		return RegExp(source, flags);
 	}
 

packages/astro/src/core/app/manifest.ts

@@ -88,6 +88,8 @@ export function deserializeRouteData(rawRouteData: SerializedRouteData): RouteDa
 	return {
 		route: rawRouteData.route,
 		type: rawRouteData.type,
+		// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+		// This pattern is serialized from Astro's own route manifest.
 		pattern: new RegExp(rawRouteData.pattern),
 		params: rawRouteData.params,
 		component: rawRouteData.component,

packages/astro/src/core/routing/pattern.ts

@@ -41,6 +41,8 @@ export function getPattern(
 	if (addTrailingSlash === 'never' && base !== '/') {
 		initial = '';
 	}
+	// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+	// The pattern is assembled from escaped route segments generated by Astro.
 	return new RegExp(`^${pathname || initial}${trailing}`);
 }
 

packages/astro/src/prefetch/index.ts

@@ -332,6 +332,8 @@ function onPageLoad(cb: () => void) {
 function appendSpeculationRules(url: string, eagerness: PrefetchOptions['eagerness']) {
 	const script = document.createElement('script');
 	script.type = 'speculationrules';
+	// nosemgrep: javascript.lang.security.audit.unknown-value-with-script-tag.unknown-value-with-script-tag
+	// This writes JSON via textContent, not executable JavaScript source.
 	script.textContent = JSON.stringify({
 		prerender: [
 			{

packages/astro/src/vite-plugin-config-alias/index.ts

@@ -89,6 +89,8 @@ const getViteResolveAlias = (settings: AstroSettings) => {
 				// id is already the wildcard part (e.g., 'extra.css' for '@styles/*')
 				// resolvedValues still have the * in them, so replace * with id
 				for (const resolvedValue of resolvedValues) {
+					// nosemgrep: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization
+					// `id` is the wildcard capture from the alias match and only substitutes the tsconfig `*`.
 					const resolved = resolvedValue.replace('*', id);
 					const stats = fs.statSync(resolved, { throwIfNoEntry: false });
 					if (stats && stats.isFile()) {

packages/integrations/netlify/src/index.ts

@@ -95,6 +95,8 @@ export function remotePatternToRegex(
 		regexStr += '([?][^#]*)?';
 	}
 	try {
+		// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+		// This only validates the generated pattern before handing it to Netlify.
 		new RegExp(regexStr);
 	} catch {
 		logger.warn(

packages/integrations/partytown/src/sirv.ts

@@ -183,6 +183,8 @@ export default function (dir, opts = {}) {
 		if (opts.dotfiles) ignores.push(/\/\.\w/);
 		else ignores.push(/\/\.well-known/);
 		[].concat(opts.ignores || []).forEach((x) => {
+			// nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
+			// This mirrors sirv's developer-supplied ignore patterns.
 			ignores.push(new RegExp(x, 'i'));
 		});
 	}

packages/integrations/preact/src/static-html.ts

@@ -16,6 +16,8 @@ type Props = {
 const StaticHtml = ({ value, name, hydrate = true }: Props) => {
 	if (!value) return null;
 	const tagName = hydrate ? 'astro-slot' : 'astro-static-slot';
+	// nosemgrep: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml
+	// Astro passes framework-rendered HTML through this adapter boundary intentionally.
 	return h(tagName, { name, dangerouslySetInnerHTML: { __html: value } });
 };