feat: implement prettier and fix all issues #7385
Merged
jasonsaayman merged 6 commits into v1.x from Feb 14, 2026
Contributor
4 issues found across 181 files
Confidence score: 3/5
- There is a concrete runtime risk in `lib/adapters/fetch.js`: the `encodeText` fallback uses `new Request(str)`, which can throw invalid URL errors when `TextEncoder` is missing, potentially breaking text encoding in affected environments.
- The HTML example files include innerHTML usage and missing `rel="noopener noreferrer"`; these are security concerns but appear limited to examples, so overall impact is narrower.
- Score reflects a real functional risk in a core adapter plus medium-severity example security hygiene issues; likely fixable, but worth addressing before merging.
- Pay close attention to `lib/adapters/fetch.js`, `examples/get/index.html`, `examples/postMultipartFormData/index.html` - text encoding fallback and example page security hygiene.
Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="examples/get/index.html">
<violation number="1" location="examples/get/index.html:23">
P2: Add rel="noopener noreferrer" to external links that open in a new tab to prevent window.opener security issues.</violation>
</file>
<file name="examples/postMultipartFormData/index.html">
<violation number="1" location="examples/postMultipartFormData/index.html:514">
P2: Avoid injecting server response data with innerHTML; render it as text to prevent HTML execution from echoed content.</violation>
<violation number="2" location="examples/postMultipartFormData/index.html:524">
P2: Use textContent for the error output to avoid rendering HTML from error messages or response data.</violation>
</file>
<file name="lib/adapters/fetch.js">
<violation number="1" location="lib/adapters/fetch.js:61">
P1: The fallback for `encodeText` (used when `TextEncoder` is missing) incorrectly uses `Request` instead of `Response`. `new Request(str)` treats `str` as a URL, which will either throw an invalid URL error (for plain text) or result in an empty body. `new Response(str)` correctly creates a response with `str` as the body, allowing conversion to ArrayBuffer.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
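The `encodeText` finding in the review above, as an added example that is not part of the review or of the project's code: it compares a `Request`-based and a `Response`-based fallback against `TextEncoder` output. The function names and sample strings are hypothetical, and the code assumes a runtime with global `Request`, `Response` and `TextEncoder` (Node 18+).

```javascript
// Added illustration, not the project's source. In a browser a relative string
// resolves against the page URL instead of throwing, but it is still treated
// as a URL and never as the body.
const toBytes = (buf) => Array.from(new Uint8Array(buf));

// Fallback as flagged in the review: the constructor argument is the request URL.
function encodeWithRequest(str) {
  let req;
  try {
    req = new Request(str);
  } catch (err) {
    return Promise.resolve({ ok: false, error: err.name });
  }
  // Parsed as a URL: a GET request carries no body, so the text is lost.
  return req.arrayBuffer().then((buf) => ({ ok: true, bytes: toBytes(buf) }));
}

// Fallback the review recommends: the argument is the body, encoded as UTF-8.
function encodeWithResponse(str) {
  return new Response(str)
    .arrayBuffer()
    .then((buf) => ({ ok: true, bytes: toBytes(buf) }));
}

// Reference result from TextEncoder, for comparison.
function encodeWithTextEncoder(str) {
  return Array.from(new TextEncoder().encode(str));
}

// Constructed sample inputs: plain text, non-ASCII text, and a string that
// happens to be a valid absolute URL.
const samples = ['hello world', 'naïve ✓', 'https://example.test/a'];

function compareFallbacks() {
  return Promise.all(
    samples.map(async (input) => ({
      input,
      expected: encodeWithTextEncoder(input),
      viaRequest: await encodeWithRequest(input),
      viaResponse: await encodeWithResponse(input),
    }))
  );
}

compareFallbacks().then((rows) => console.log(JSON.stringify(rows, null, 2)));
```
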
Contributor
1 issue found across 7 files (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="lib/utils.js">
<violation number="1" location="lib/utils.js:261">
P2: Avoid throwing in trim for long strings. This introduces a breaking runtime error for legitimate large payloads (e.g., stringifySafely uses utils.trim), turning valid data into failures.</violation>
</file>
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Contributor
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="lib/utils.js">
<violation number="1" location="lib/utils.js:261">
P0: Duplicate `const trim` declaration causes a `SyntaxError` that will crash the module on load. The ReDoS guard removal left behind the original function signature, and a second `const trim = (str) => {` was added. Remove the duplicate line to restore a single valid declaration.</violation>
</file>
Summary by cubic
Implemented Prettier and stricter ESLint repo-wide, stabilized CI/test tooling, hardened the examples server against path traversal, and made utils.trim non-throwing. Also corrected a small regression introduced during the lint/format pass.
Description
Summary of changes
Reasoning
Additional context
Docs
Testing
Written for commit a133ffd. Summary will update on new commits.