Upgrade the JavaScript bundles inlined into the offline HTML export: DOMPurify 3.1.7 -> 3.4.9 (clears 10 OSV advisories), marked 12.0.2 -> 18.0.5, highlight.js 11.9.0 -> 11.11.1.

mermaid 10.9.6 and MathJax 3.2.2 are kept (no known CVEs) and now guarded rather than chased.

Pin every bundle in assets/web_export/MANIFEST.json (npm name, version, source, sha256, licence) and add tool/check_bundled_js.dart: it verifies each file still matches the manifest hash and queries the OSV database for known vulnerabilities. Wired as `make deps-check`, into `check-full`, and into CI next to the licence check.

THIRD_PARTY_NOTICES.md updated for the now-standalone DOMPurify bundle.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
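The check the commit message describes, written out as an added example in Python (it is not the project's tool/check_bundled_js.dart): hash every vendored bundle and compare it with the manifest pin, flag drifted or unpinned files, build the request body for OSV's /v1/querybatch endpoint from the pins, and read the advisory ids back out of a response. The manifest layout (one entry per file with npm name, version and sha256), the file names, and the sample OSV response with its placeholder advisory ids are assumptions constructed for this example; nothing is sent over the network.

```python
"""Verify vendored JS bundles against a pinned manifest and query OSV for them.

Added example, not the project's check tool. Manifest layout, file names and
the sample OSV response are constructed assumptions.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Real OSV batch endpoint (documented at osv.dev); this example only builds
# the request body and parses a constructed response, it never calls it.
OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch"

# Assumed manifest shape: file name -> pin. Versions are the ones the commit
# message mentions; the sha256 values here are constructed placeholders.
SAMPLE_MANIFEST = {
    "purify.min.js": {"npm": "dompurify", "version": "3.1.7", "sha256": "0" * 64},
    "marked.min.js": {"npm": "marked", "version": "18.0.5", "sha256": "1" * 64},
}

# Constructed stand-in for a querybatch response: results come back in the
# same order as the queries; a pin with no advisories yields an empty object.
SAMPLE_OSV_RESPONSE = {
    "results": [
        {"vulns": [{"id": "GHSA-EXAMPLE-0001"}, {"id": "GHSA-EXAMPLE-0002"}]},
        {},
    ]
}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large minified bundles are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_manifest(asset_dir: Path, manifest: dict) -> list[str]:
    """Return problems found; an empty list means every bundle matches its pin."""
    problems = []
    for filename, entry in manifest.items():
        path = asset_dir / filename
        if not path.is_file():
            problems.append(f"{filename}: missing")
            continue
        actual = sha256_of(path)
        if actual != entry["sha256"].lower():
            problems.append(
                f"{filename}: sha256 mismatch (manifest {entry['sha256'][:12]}..., "
                f"file {actual[:12]}...)"
            )
    # A bundle that exists on disk but has no pin escapes both checks, so
    # treat it as a failure too.
    for stray in sorted(p.name for p in asset_dir.glob("*.js") if p.name not in manifest):
        problems.append(f"{stray}: not pinned in manifest")
    return problems


def osv_querybatch_body(manifest: dict) -> dict:
    """Build the /v1/querybatch request body, one npm query per pinned bundle."""
    return {
        "queries": [
            {"package": {"name": e["npm"], "ecosystem": "npm"}, "version": e["version"]}
            for e in manifest.values()
        ]
    }


def vulnerable_pins(manifest: dict, osv_response: dict) -> dict[str, list[str]]:
    """Map 'name@version' to the advisory ids OSV reported for that pin."""
    found = {}
    for entry, result in zip(manifest.values(), osv_response["results"]):
        ids = [v["id"] for v in result.get("vulns", [])]
        if ids:
            found[f"{entry['npm']}@{entry['version']}"] = ids
    return found


def demo() -> tuple[list[str], dict]:
    """Run the hash check over constructed files: one good, one drifted, one unpinned."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "purify.min.js"
    good.write_bytes(b"/* constructed stand-in for the DOMPurify bundle */\n")
    (tmp / "marked.min.js").write_bytes(b"/* constructed stand-in, edited after pinning */\n")
    (tmp / "unpinned.min.js").write_bytes(b"// constructed file with no manifest entry\n")
    manifest = {
        "purify.min.js": {"npm": "dompurify", "version": "3.4.9", "sha256": sha256_of(good)},
        "marked.min.js": {"npm": "marked", "version": "18.0.5", "sha256": "0" * 64},
    }
    return check_manifest(tmp, manifest), osv_querybatch_body(manifest)


if __name__ == "__main__":
    problems, body = demo()
    print("\n".join(problems) or "all bundles match their pins")
    print(json.dumps(body, indent=2))
    print(vulnerable_pins(SAMPLE_MANIFEST, SAMPLE_OSV_RESPONSE))
```

In a CI gate like the `make deps-check` step, the process exits non-zero when `check_manifest` returns anything or `vulnerable_pins` is non-empty; the hash check runs first so a tampered or drifted bundle fails the build even when OSV is unreachable.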
41 lines
1 KiB
YAML
name: CI

on:
  push:
    branches: ["**"]
  pull_request:

jobs:
  check:
    name: Format · Analyze · Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Flutter
        uses: subosito/flutter-action@v2
        with:
          channel: stable
          flutter-version: 3.44.1
          cache: true

      - name: Flutter version
        run: flutter --version

      - name: Install dependencies
        run: flutter pub get

      # The same quality gate developers run locally:
      # format-check + flutter analyze + the full test suite.
      - name: Quality gate (make check)
        run: make check

      # Fail the build if any dependency is not open source.
      - name: Licence compliance (make licenses)
        run: make licenses

      # Fail the build if a vendored JS bundle drifted from its manifest or a
      # pinned version has a known vulnerability (queries the OSV database).
      - name: Bundled JS security (make deps-check)
        run: make deps-check