#185 Fixing critical vulnerabilities on 2.0.0-beta.2, caused by gh-pages@3.1.0 by isahann · Pull Request #186 · angular-schule/angular-cli-ghpages
added 5 commits
May 7, 2024 20:06
isahann
changed the title
Fixing critical vulnerabilities on 2.0.0-beta.2, caused by gh-pages@3.1.0
#185 Fixing critical vulnerabilities on 2.0.0-beta.2, caused by gh-pages@3.1.0
JohannesHoppe added a commit that referenced this pull request
Nov 23, 2025

This massive update increases test coverage from 213 to 285 tests (+72 tests, +34%) to prepare for the gh-pages v6 upgrade (PR #186). All critical paths are now tested, prepareOptions is refactored into testable functions, and a public API is exported.

## Phase 1: Critical Test Gaps (20 new tests)

### gh-pages Error Callback Tests (4 tests)
- Add tests for the "do NOT await" error handling pattern
- Test error rejection, message preservation, and auth failures
- Verifies we never fall into gh-pages v3 silent failure trap
- File: src/engine/engine.spec.ts

### Monkeypatch Verification Tests (5 tests)
- Add first-ever tests for util.debuglog interception (was 0% coverage)
- Test gh-pages logging forwarding to Angular logger
- Test message formatting with placeholders
- Verify critical ordering (monkeypatch before gh-pages require)
- File: src/engine/engine.spec.ts

### Real Filesystem Tests (11 tests)
- Create first-ever real filesystem integration tests
- Use actual temp directories instead of mocks
- Test .nojekyll, CNAME, and 404.html file creation
- Test graceful error handling when index.html missing
- File: src/engine/engine-filesystem.spec.ts (NEW)

## Phase 2: Refactor prepareOptions (34 new tests)

### Code Refactoring
- Extract prepareOptions (157 lines) into 6 testable functions:
  1. setupMonkeypatch() - Intercept util.debuglog
  2. mapNegatedBooleans() - Transform noDotfiles → dotfiles
  3. handleUserCredentials() - Create user object or warn
  4. warnDeprecatedParameters() - Warn about deprecated noSilent
  5. appendCIMetadata() - Add CI environment metadata
  6. injectTokenIntoRepoUrl() - Inject authentication tokens
- prepareOptions() is now a clean orchestrator function
- File: src/engine/engine.ts

### Intensive Tests
- Add 34 comprehensive tests covering 100% of option transformation logic
- Test every extracted function exhaustively with all edge cases
- Covers all boolean combinations, CI environments, and token scenarios
- File: src/engine/prepare-options.spec.ts (NEW)

## Phase 3: Export Public API (18 new tests)

### Public API Exports
- Export Schema, PublishOptions, DeployUser, and other types
- Export defaults configuration object
- Export core functions (deployToGHPages, angularDeploy)
- Export advanced functions (all prepareOptions helpers)
- Users can now extend angular-cli-ghpages functionality
- File: src/public_api.ts

### Public API Tests
- Add 18 tests verifying all exports are accessible
- Test type compilation and runtime function availability
- Include example usage scenarios
- File: src/public-api.spec.ts (NEW)

## Documentation
- Add TEST_COVERAGE_PLAN.md documenting the complete plan
- Includes implementation order, success criteria, and file listing
- Documents context from PR #186 analysis

## Test Results
- Test suites: 16 → 18 (+2)
- Tests: 213 → 285 (+72, +34%)
- Pass rate: 100% (285/285)
- Zero regressions

## Breaking Changes
None - all changes are backwards compatible. The refactoring maintains exact same behavior while adding exports and improving testability.

## Related
- Addresses PR #186 preparation (gh-pages v3 → v6 upgrade)
- Completes audit remediation priorities 7-10
- Enables future refactoring with test safety net
JohannesHoppe added a commit that referenced this pull request
Nov 24, 2025

Add extensive test coverage for PR #186 breaking change analysis:

1. Commander v3 Boolean Defaults (NEW FILE)
   - pr-186-commander-defaults.spec.ts (9 tests)
   - Tests Commander v3 fork --no- option behavior
   - Covers all edge cases: single, double, triple negations
   - Documents why we forked Commander v3 (avoid v9+ breaking changes)
   - Eliminates all 'as any' violations (HARD RULE compliance)

2. gh-pages v6.1.0+ File Creation Compatibility
   - engine-filesystem.spec.ts (+3 tests)
   - Verifies we DON'T pass cname/nojekyll to gh-pages
   - Documents that gh-pages v6+ would create duplicates
   - Explains future upgrade path options

3. gh-pages Promise Bug Documentation
   - engine.gh-pages-behavior.spec.ts (documentation block)
   - Documents gh-pages v3.1.0 early error promise bug
   - Explains our callback workaround in engine.ts
   - Notes fix in v5.0.0+ and upgrade implications

Test Results:
- 354 tests passing (consolidated redundant tests)
- Zero 'as any' violations
- Complete edge case coverage
- Production-ready for external audit

Related: PR #186 (gh-pages v3→v6 & commander v3→v14 analysis)
JohannesHoppe added a commit that referenced this pull request
Dec 14, 2025

Major version upgrade with no breaking changes detected. All 381 tests pass without modification.

Key findings:
- gh-pages/lib/git internal API unchanged
- Error message format compatible
- Git command behavior unchanged
- Promise handling already defensive (works with v3 and v6)

Closes #186