Add CodeQL Action #4315
Conversation
I agree that there's no evident reason for it to be client side and not done at build time. If you want to move it to a build step, I'd 👍 that.
TBH I was hoping someone else would make the changes since I didn't really follow them and I don't have a lot of time this period :/
LGTM for me
We don't need to implement it through the client side but server side only, by generating them together. Refs: #4315.
This alert won't accept the input from the browser, and anyway, it will convert each word split by '-', so it cannot be a risk here. I ignored it and merged it.
We're now going to get that alert on every pull request, aren't we?
Not if it's ignored in the repository security tab.
On Sat, Nov 12, 2022, 18:49 Rich Trott wrote:
This alert won't accept the input from the browser, and anyway, it will convert each word split by '-', so it cannot be a risk here. I ignored it and merged it.
We're now going to get that alert on every pull request, aren't we?
About this error: https://github.com/nodejs/nodejs.org/security/code-scanning/1?query=ref%3Arefs%2Fpull%2F4315%2Fmerge, I still do not get why we need this client side. I'm pretty sure I expressed my objection in the relevant PR, but due to lack of time, I couldn't spend more time then.
Does anybody recall why we need this client side and why we don't generate the Edit on GitHub links on build time?
EDIT: I see now it was done in #3971. I still don't quite get what the issue was and why we can't fix it at build time...