security fixes

.github/workflows/deploy.yml

@@ -5,11 +5,6 @@ on:
     branches: [main]
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 concurrency:
   group: pages
   cancel-in-progress: true
@@ -17,24 +12,29 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: 20
           cache: npm
       - run: npm ci
       - run: npm run build
-      - uses: actions/upload-pages-artifact@v3
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
         with:
           path: dist
 
   deploy:
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v4.0.5
         id: deployment

.github/workflows/fetch-issues.yml

@@ -10,20 +10,17 @@ concurrency:
   group: fetch-issues
   cancel-in-progress: false
 
-permissions:
-  contents: write
-  pages: write
-  id-token: write
-
 jobs:
   fetch:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     outputs:
       changed: ${{ steps.fetch.outputs.changed }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: 20
           cache: npm
@@ -63,11 +60,11 @@ jobs:
     if: needs.fetch.outputs.changed == 'true'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           ref: main  # ensure we get the just-pushed commit
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4.4.0
         with:
           node-version: 20
           cache: npm
@@ -75,13 +72,16 @@ jobs:
       - run: npm ci
       - run: npm run build
 
-      - uses: actions/upload-pages-artifact@v3
+      - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
         with:
           path: dist
 
   deploy:
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      pages: write
+      id-token: write
     concurrency:
       group: pages
       cancel-in-progress: true
@@ -89,5 +89,5 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     steps:
-      - uses: actions/deploy-pages@v4
+      - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v4.0.5
         id: deployment

package.json

@@ -11,7 +11,6 @@
     "lint": "eslint ."
   },
   "dependencies": {
-    "@octokit/rest": "^22.0.1",
     "@radix-ui/react-dialog": "^1.1.15",
     "@radix-ui/react-slot": "^1.2.4",
     "@radix-ui/react-tooltip": "^1.2.8",
@@ -24,6 +23,7 @@
     "tailwind-merge": "^3.5.0"
   },
   "devDependencies": {
+    "@octokit/rest": "^22.0.1",
     "@eslint/js": "^9.39.1",
     "@tailwindcss/typography": "^0.5.19",
     "@tailwindcss/vite": "^4.2.1",

scripts/fetch-issues.js

@@ -143,7 +143,7 @@ async function main() {
         updatedAt:     raw.updated_at ?? raw.created_at,
         commentsCount: raw.comments,
         reactionCount: raw.reactions?.total_count ?? 0,
-        labels:        raw.labels
+        labels:        (raw.labels ?? [])
           .filter((l) => typeof l === 'object')
           .map((l) => ({ name: l.name ?? '', color: l.color ?? '888888' })),
         repo: {

src/components/IssueModal.tsx

@@ -46,21 +46,26 @@ export default function IssueModal({ issue, onClose, slideFrom }: IssueModalProp
           )}
 
           <div className="flex items-center gap-3 text-xs text-muted-foreground mt-1">
-            <img
+            {issue.author.avatarUrl && (
-              src={issue.author.avatarUrl}
+              <img
-              alt={issue.author.login}
+                src={issue.author.avatarUrl}
-              className="w-5 h-5 rounded-full"
+                alt={issue.author.login}
-              referrerPolicy="no-referrer"
+                className="w-5 h-5 rounded-full"
-              loading="lazy"
+                referrerPolicy="no-referrer"
-            />
+                loading="lazy"
-            <a
+              />
-              href={issue.author.url}
+            )}
-              target="_blank"
+            {issue.author.url ? (
-              rel="noopener noreferrer"
+              <a
-              className="font-medium hover:text-primary transition-colors"
+                href={issue.author.url}
-            >
+                target="_blank"
-              {issue.author.login}
+                className="font-medium hover:text-primary transition-colors"
-            </a>
+              >
+                {issue.author.login}
+              </a>
+            ) : (
+              <span className="font-medium">{issue.author.login}</span>
+            )}
             <span className="flex items-center gap-1">
               <Clock size={11} aria-hidden="true" /> {timeAgo(issue.createdAt)}
             </span>
@@ -76,6 +81,12 @@ export default function IssueModal({ issue, onClose, slideFrom }: IssueModalProp
                   skipHtml
                   allowedElements={['p', 'h1', 'h2', 'h3', 'ul', 'ol', 'li', 'code', 'pre', 'blockquote', 'a', 'strong', 'em', 'br']}
                   unwrapDisallowed
+                  components={{
+                    a: ({ href, children }) => {
+                      const safe = href && /^https?:\/\//i.test(href) ? href : '#'
+                      return <a href={safe} target="_blank" rel="noopener noreferrer">{children}</a>
+                    },
+                  }}
                 >
                   {issue.body || '_No description provided._'}
                 </ReactMarkdown>