mirror of
https://github.com/harvard-edge/cs249r_book.git
synced 2026-05-06 09:38:33 -05:00
Three categories of code surfacing CodeQL alerts that aren't appropriate
to fix in-tree:
- book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.{js,umd.cjs}:
minified upstream socratiQ widget bundle. Alerts (XSS, prototype
pollution, tainted format string, insecure randomness, clear-text
storage) live in vendored third-party code; report upstream rather
than patch a build artifact.
- socratiq/src_shadow/**: shadow copy of socratiq client source for the
shadow-DOM rendering path, parallel to socratiq/js/. Not part of the
live web surface.
- tools/audit/**: local audit/maintenance scripts that operate on the
user's own Quarto build output. Regex HTML strip is intentional for
speed and safe given trusted input.
Default-setup CodeQL picks up .github/codeql/codeql-config.yml on next
weekly scan; pre-existing alerts on these paths still need manual
dismissal in the Security tab.
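An example of the path-exclusion configuration the message refers to, added here and not the repository's own `.github/codeql/codeql-config.yml`; the path patterns are taken from the three categories above, and `paths-ignore` is the CodeQL config key for excluding paths from analysis:

```yaml
# Added example, not the repository's own file: a CodeQL configuration that
# excludes the three categories named in the commit message from analysis.
# Path patterns are assumed from the message; adjust to the checkout layout.
name: "CodeQL config"

paths-ignore:
  # Minified, vendored socratiQ widget bundle: alerts belong upstream,
  # not in a build artifact that would be overwritten on the next sync.
  - book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.js
  - book/quarto/tools/scripts/socratiQ/collaborative-widget-bridge.umd.cjs
  # Shadow copy of the client source used only for the shadow-DOM
  # rendering path; not part of the live web surface.
  - socratiq/src_shadow/**
  # Local audit/maintenance scripts that run only on the user's own
  # trusted Quarto build output.
  - tools/audit/**
```

Excluding a path only silences future alerts on it, so the rationale for each entry belongs in the file next to the pattern; alerts already raised on these paths still need manual dismissal, as the message notes.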