# PR #4885: Security improvements and dependency cleanup

+565 −95
## Summary

This PR improves security and cleans up dependencies without changing existing behavior.
All changes were tested and the full Jest test suite passes successfully.

## What was changed

### Security fixes

1. Removed all uses of eval() and unsafe dynamic code execution.
2. Replaced them with safe lookups and explicit function calls.
3. Plugins are now treated as data, not executable code.
4. Only allow-listed plugin handlers can run.

### Safe plugin handling

1. Added a safe handler registry (safeFunctionRegistry.js) and load it early.
2. Old plugin entries that contain code strings are ignored.
3. Only registered handlers are executed.
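The allow-list pattern described above (plugins as data, handlers resolved by name, legacy code strings ignored), as an added example that is not the project's own safeFunctionRegistry.js; the names registerHandler, runPluginEntry, entry.handler and entry.args, and the sample handlers, are assumptions for illustration.

```javascript
// Added example, not the project's own safeFunctionRegistry.js: a minimal
// allow-list registry in which plugin entries are data, never code.
// Names (registerHandler, runPluginEntry, entry.handler, entry.args) are assumed.

// A Map rather than a plain object, so a lookup such as "constructor" or
// "__proto__" cannot resolve to an inherited Object.prototype member.
const handlers = new Map();

function registerHandler(name, fn) {
  if (typeof name !== "string" || typeof fn !== "function") {
    throw new TypeError("handler must be a string name and a function");
  }
  handlers.set(name, fn);
}

// Runs one plugin entry of the form { handler: "name", args: [...] }.
// Returns { ok, value } or { ok, reason }; never builds code from strings.
function runPluginEntry(entry) {
  if (entry === null || typeof entry !== "object") {
    return { ok: false, reason: "entry is not an object" };
  }
  if (typeof entry.code === "string") {
    // Legacy entries carrying code strings are ignored, not executed.
    return { ok: false, reason: "code string ignored" };
  }
  const fn = handlers.get(entry.handler); // lookup only, no eval/Function
  if (typeof fn !== "function") {
    return { ok: false, reason: "handler not allow-listed" };
  }
  const args = Array.isArray(entry.args) ? entry.args : [];
  try {
    return { ok: true, value: fn(...args) };
  } catch (err) {
    return { ok: false, reason: `handler threw: ${err.message}` };
  }
}

// Constructed sample handlers; each validates its own arguments.
registerHandler("setVolume", (v) => Math.min(100, Math.max(0, Number(v) || 0)));
registerHandler("transpose", (note, semitones) => Number(note) + Number(semitones));

// Constructed plugin data as it might be loaded from storage.
const samplePlugin = [
  { handler: "setVolume", args: [140] },          // runs, clamped to 100
  { code: "untrusted()" },                        // legacy code string, ignored
  { handler: "constructor", args: ["return 1"] }, // not allow-listed
  { handler: "transpose", args: [60, 7] }         // runs, yields 67
];

function runAll(entries) {
  return entries.map(runPluginEntry);
}
```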
### API key safety

1. Removed hardcoded API keys from the client.
2. Added a backend proxy route (/api/data) that injects API keys from environment variables.

### API guardrails

1. Client sends x-mb-client: 1 header for /api/data.
2. Server checks this header and blocks requests if it’s missing.

### Content Security Policy (CSP)

1. Added a CSP header to HTML responses.
2. unsafe-eval is disabled.
3. blob: is allowed for Tone.js workers.
4. cdnjs.cloudflare.com is allowed for highlight.js.
5. Inline scripts are still allowed for now to avoid breaking existing code.

### Dependency cleanup

1. Upgraded jQuery from 2.1.4 to 3.7.1.
2. Removed Modernizr from runtime and updated vendor scripts.
3. Updated service worker precache list.
4. Removed invalid "node" dependency from package.json and regenerated the lockfile.

### Stability fixes

1. Fixed a crash when recordingBuffer was missing.
2. Fixed a strict-mode issue in synthutils.js.

## Testing

1. Jest: 70 test suites / 1549 tests passing
2. Latest test run completed successfully.