chore: backport security and scaffolding improvements from audit#22
Merged
Conversation
Addresses GHSA-4w7w-66w2-5vf9 in vite ^8.0.0. Patch-level bump within the same major; no breaking changes to plugin surface.
Replace blank screen (auth.isLoading returning null) with a nav + content skeleton. On cold-start backends (scale-to-zero, Railway cold) the prior behavior showed an empty white screen for 5-15s; the skeleton gives the user immediate shape feedback.
- CSP: add form-action, upgrade-insecure-requests, img-src https:
- CI: restrict GITHUB_TOKEN to contents:read (least privilege)
- Add .github/CODEOWNERS catch-all placeholder
- .gitignore: .playwright-mcp/ and local review screenshots
- vite-env.d.ts: type VITE_API_URL and VITE_LOG_LEVEL
- .env.example: document standard env vars for new projects
Mobile/tablet review screenshots aren't a common enough artifact to warrant template-level gitignore entries. Keep .playwright-mcp/ since MCP session logs are tool-generated and ubiquitous.
Summary
Backports template-level fixes discovered during a security / analytics / legal audit across projects spawned from this template. Full plan in `BACKPORT_FROM_AUDIT.md` (templates root).

Changes
Security
- fix(deps): vite `^8.0.0` → `^8.0.8` for path traversal CVE (GHSA-4w7w-66w2-5vf9). Patch bump within same major.
- `index.html` CSP: add `form-action 'self'`, `upgrade-insecure-requests`, `https:` to `img-src`. Preserves existing `connect-src 'self' http://localhost:*` so first-run dev against a local API still works.
- `.github/workflows/ci.yml`: add top-level `permissions: contents: read` (least-privilege `GITHUB_TOKEN`).

UX

- Replace `if (auth.isLoading) return null` with an `AppShellSkeleton` that renders a nav + content placeholder during auth hydration. On cold-start backends (Cloud Run scale-to-zero, Railway cold) the blank-screen window was 5-15s; skeleton gives immediate shape feedback.
- `src/components/ui/skeleton.tsx` shadcn primitive (matches template's `ComponentProps`/`data-slot` style).

Scaffolding

- `.github/CODEOWNERS` placeholder (`* @amrtgaber`) so spawned projects get review enforcement from day one.
- `.gitignore`: add `.playwright-mcp/` (MCP session debug logs).
- `src/vite-env.d.ts`: type `VITE_API_URL` and `VITE_LOG_LEVEL` on `ImportMetaEnv` for autocomplete and typo detection.
- `.env.example` documenting standard env vars.

Not included
DataTable skeleton rows — no DataTable component exists in this template yet, so nothing to update. Worth revisiting if one gets added.
Test plan
- `pnpm lint` — 0 errors (4 pre-existing warnings in `src/routes/__root.tsx` not introduced by this PR)
- `pnpm format:check` — clean
- `pnpm tsc --noEmit` — clean
- `pnpm test:run` — 2/2 passing
- `pnpm build` — clean with vite 8.0.8
- `pnpm dev` still works with local API backend
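The CSP changes listed under Security, shown as an added example that is not part of this PR or the template: a small parser that splits a Content-Security-Policy value into directives and an audit that reports which of the hardening directives named in the description are absent, and whether the `connect-src 'self' http://localhost:*` dev allowance survived. The two sample policies are constructed for illustration; the template's actual `index.html` CSP is not reproduced on the page beyond the directives the description names.

```typescript
// Added example, not part of the PR: parse a Content-Security-Policy value and
// audit it for the directives this PR adds to index.html. The sample policies
// at the bottom are constructed; the template's real CSP is not on the page.

export type CspPolicy = Map<string, string[]>;

/** Split a CSP string (header value or <meta> content) into directive -> sources. */
export function parseCsp(policy: string): CspPolicy {
  const directives: CspPolicy = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter((t) => t.length > 0);
    if (tokens.length === 0) continue;
    const [name = "", ...sources] = tokens;
    // Directive names are case-insensitive. Browsers ignore a repeated
    // directive, so only the first occurrence is kept here as well.
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

export interface CspFinding {
  directive: string;
  problem: string;
}

function hasSource(csp: CspPolicy, directive: string, source: string): boolean {
  return (csp.get(directive) ?? []).some((s) => s.toLowerCase() === source.toLowerCase());
}

/** Report what is missing relative to the hardened policy described in the PR. */
export function auditCsp(policy: string): CspFinding[] {
  const csp = parseCsp(policy);
  const findings: CspFinding[] = [];

  // form-action does not fall back to default-src: without it, a form injected
  // into the page can submit its fields to any origin.
  if (!csp.has("form-action")) {
    findings.push({ directive: "form-action", problem: "missing; add form-action 'self'" });
  }

  // upgrade-insecure-requests is a valueless directive; it rewrites the page's
  // http: subresource requests to https: before they are sent.
  if (!csp.has("upgrade-insecure-requests")) {
    findings.push({ directive: "upgrade-insecure-requests", problem: "missing" });
  }

  // img-src https: permits images from any HTTPS origin. That is a deliberate
  // loosening for avatars and CDN-hosted images; it does not widen script-src.
  if (!hasSource(csp, "img-src", "https:")) {
    findings.push({ directive: "img-src", problem: "does not allow https: sources" });
  }

  // The PR keeps connect-src 'self' http://localhost:* so first-run dev against
  // a local API works; flag it if a later edit drops it.
  if (!hasSource(csp, "connect-src", "http://localhost:*")) {
    findings.push({ directive: "connect-src", problem: "lost the http://localhost:* dev allowance" });
  }

  return findings;
}

// Constructed before/after policies (assumptions, not the template's file contents).
export const CSP_BEFORE =
  "default-src 'self'; img-src 'self' data:; connect-src 'self' http://localhost:*";
export const CSP_AFTER =
  "default-src 'self'; img-src 'self' data: https:; " +
  "connect-src 'self' http://localhost:*; form-action 'self'; upgrade-insecure-requests";
```

`auditCsp(CSP_BEFORE)` reports three findings (`form-action`, `upgrade-insecure-requests`, `img-src`) and `auditCsp(CSP_AFTER)` reports none. One caveat when the policy lives in a `<meta http-equiv>` tag rather than a response header: `form-action` and `upgrade-insecure-requests` are honoured there, but `frame-ancestors`, `report-uri`, `report-to` and `sandbox` are ignored in meta delivery, so a check like this one should not be read as covering those.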
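The `src/vite-env.d.ts` typing listed under Scaffolding catches a misspelled `VITE_API_URL` at compile time, but nothing at compile time knows whether the deployed value is present or well-formed. As an added example, not part of this PR or the template, here is a boot-time check that mirrors that typing at runtime. The accepted log levels, the `info` default, and the rule that plain `http:` is only accepted for local hosts (matching the CSP's `connect-src 'self' http://localhost:*`) are assumptions; the PR names `VITE_LOG_LEVEL` without listing its values.

```typescript
// Added example, not part of the PR: a runtime check mirroring the
// ImportMetaEnv typing the PR adds in src/vite-env.d.ts. The accepted log
// levels and the "info" default are assumptions; the PR does not list them.

export const LOG_LEVELS = ["debug", "info", "warn", "error"] as const;
export type LogLevel = (typeof LOG_LEVELS)[number];

/** The shape vite-env.d.ts would declare on ImportMetaEnv (local copy for this example). */
export interface TemplateEnv {
  readonly VITE_API_URL: string;
  readonly VITE_LOG_LEVEL: LogLevel;
}

export function isLogLevel(value: string): value is LogLevel {
  return (LOG_LEVELS as readonly string[]).includes(value);
}

// Hosts for which plain http: is acceptable during local development (assumption).
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

function asString(value: unknown): string | undefined {
  return typeof value === "string" ? value : undefined;
}

/** Returns every problem found; an empty array means the input is usable. */
export function envProblems(raw: Record<string, unknown>): string[] {
  const problems: string[] = [];

  const apiUrl = (asString(raw.VITE_API_URL) ?? "").trim();
  if (apiUrl === "") {
    problems.push("VITE_API_URL is not set");
  } else {
    let url: URL | undefined;
    try {
      url = new URL(apiUrl);
    } catch {
      problems.push(`VITE_API_URL is not an absolute URL: ${apiUrl}`);
    }
    // Plain http: only for a local backend, matching the CSP's
    // connect-src 'self' http://localhost:* allowance.
    if (url && url.protocol === "http:" && !LOCAL_HOSTS.has(url.hostname)) {
      problems.push(`VITE_API_URL uses http: for a non-local host: ${url.hostname}`);
    } else if (url && url.protocol !== "http:" && url.protocol !== "https:") {
      problems.push(`VITE_API_URL has an unsupported scheme: ${url.protocol}`);
    }
  }

  const level = asString(raw.VITE_LOG_LEVEL) ?? "info";
  if (!isLogLevel(level)) {
    problems.push(`VITE_LOG_LEVEL must be one of ${LOG_LEVELS.join(", ")}; got ${level}`);
  }

  return problems;
}

/** Throws with every problem at once, so a misconfigured deploy fails loudly at boot. */
export function validateEnv(raw: Record<string, unknown>): TemplateEnv {
  const problems = envProblems(raw);
  if (problems.length > 0) {
    throw new Error("Invalid environment:\n - " + problems.join("\n - "));
  }
  return {
    VITE_API_URL: (asString(raw.VITE_API_URL) ?? "").trim(),
    VITE_LOG_LEVEL: (asString(raw.VITE_LOG_LEVEL) ?? "info") as LogLevel,
  };
}
```

In a Vite app this would be called once in the entry module, `const env = validateEnv(import.meta.env)`, before any fetch is issued, so that a build that shipped with an empty or misspelled variable fails at the first render with a readable message instead of a silent request to `undefined`. Reporting all problems together rather than throwing on the first keeps a cold deploy to one fix-and-redeploy cycle.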