54 changes: 47 additions & 7 deletions .claude/review-state.json
@@ -1,6 +1,6 @@
{
"last_run": "2026-05-26T00:55:00Z",
"last_commit": "5083c52b64190381eadbb9f0c13b42e52c358a5a",
"last_run": "2026-05-26T08:12:00Z",
"last_commit": "81f8735d167b597ed7a7a88cc7f89ba0b440b07d",
"filed": [
{
"issue": 8,
Expand All @@ -14,19 +14,32 @@
"evidence_quality": 10
},
"timestamp": "2026-05-26T00:55:00Z"
},
{
"issue": 21,
"title": "[REVIEW] CSP: `'unsafe-inline'` penalized even when `'strict-dynamic'` + nonce is present — false positive flags a recommended strict CSP pattern",
"finding": "checkCSP in src/rules.ts:53-57 unconditionally deducts 5 points for 'unsafe-inline', even when 'strict-dynamic' + nonce is also present — a recommended backwards-compat pattern that is safely ignored by CSP3 browsers. Developer receives wrong advice to 'use nonces or hashes instead' when they already do.",
"score": 7.10,
"score_breakdown": {
"user_impact": 7,
"security_severity": 6,
"implementation_effort": 8,
"evidence_quality": 9
},
"timestamp": "2026-05-26T08:12:00Z"
}
],
"runner_ups": [
{
"finding": "CSP wildcard regex /(?:default-src|script-src)\\s+\\*/i only matches when '*' is the first source token; 'default-src 'self' *' is not flagged.",
"score": 6.1,
"reason_not_filed": "lower score; subsumed by broader CSP-evaluator-style follow-up to #5",
"reason_not_filed": "duplicate of open issue #16 (which also covers connect-src *, form-action *, and mid-policy wildcards)",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "checkCSP does not recognize Content-Security-Policy-Report-Only header; report-only deployments are treated as if no CSP exists.",
"score": 5.9,
"reason_not_filed": "lower score; needs design discussion on whether report-only should count for points",
"reason_not_filed": "duplicate of open issue #20",
"timestamp": "2026-05-26T00:55:00Z"
},
{
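Review bot: the new filed entry for issue 21 writes "score": 7.10, while every other score in this file uses one decimal (6.1, 5.9, 4.2); write 7.1 so the convention stays uniform, since a JSON consumer parses both as the same number and the trailing zero only obscures it. Separately, the two runner-ups whose reason_not_filed changes to "duplicate of open issue #16" and "duplicate of open issue #20" keep "timestamp": "2026-05-26T00:55:00Z" from the earlier run even though the reclassification was made in the 08:12 run; either bump the timestamp or record the re-evaluation in a separate field so the history stays auditable.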
Expand All @@ -38,7 +51,7 @@
{
"finding": "Referrer-Policy classifies 'no-referrer-when-downgrade' as a strong value (score 10), but it is the historical default and is widely considered weak for cross-origin URL leakage.",
"score": 4.2,
"reason_not_filed": "lower score; borderline classification call rather than a clear bug",
"reason_not_filed": "duplicate of open issue #18",
"timestamp": "2026-05-26T00:55:00Z"
},
{
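Review bot: the Referrer-Policy runner-up changes reason_not_filed to "duplicate of open issue #18" but keeps "timestamp": "2026-05-26T00:55:00Z", so nothing in the record shows that this reclassification happened in the 08:12 run; update the timestamp or add a field for the re-evaluation time.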
Expand All @@ -50,15 +63,42 @@
{
"finding": "checkCSP does not flag missing base-uri directive, leaving <base> injection silently bypassing script-src 'self'.",
"score": 7.9,
"reason_not_filed": "duplicate of open issue #5",
"reason_not_filed": "duplicate of closed issue #5",
"timestamp": "2026-05-26T00:55:00Z"
},
{
"finding": "PR #2 merge (81f8735) introduced 4 failing tests in test/analyzer.test.ts: branch owl-alpha/add-tests-and-timeout was forked before commit 8d29a8c tightened Permissions-Policy scoring (require all 3 directives), so tests still expect old score-10-for-presence behavior.",
"score": 8.1,
"score_breakdown": {
"user_impact": 8,
"security_severity": 7,
"implementation_effort": 9,
"evidence_quality": 10
},
"reason_not_filed": "duplicate of open issue #15",
"timestamp": "2026-05-26T08:12:00Z"
},
{
"finding": "HSTS: max-age=0 (HSTS revocation/deletion directive) scores 'good' when accompanied by includeSubDomains and preload, because bonus points push total to 15+ despite finding for low max-age.",
"score": 7.0,
"reason_not_filed": "duplicate of open issue #17",
"timestamp": "2026-05-26T08:12:00Z"
},
{
"finding": "CSP: form-action directive is not checked; default-src 'self' does not restrict form submissions (form-action is a navigation directive with no default-src fallback per CSP3).",
"score": 6.8,
"reason_not_filed": "duplicate of open issue #19",
"timestamp": "2026-05-26T08:12:00Z"
}
],
"clean_areas": [
"package.json exports/main/types/bin fields are correctly configured",
"tsconfig.json strict mode is enabled",
"CI workflows (ci.yml, publish.yml, auto-tag.yml) are sound",
"X-Content-Type-Options check (rules.ts:93-104) — values correctly validated",
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected"
"X-Frame-Options check (rules.ts:73-91) — accepts DENY/SAMEORIGIN and CSP frame-ancestors fallback as expected",
"src/index.ts — exports are correct and FetchOptions type is exported",
"src/analyzer.ts — grade thresholds match README grading scale",
"src/fetch.ts — AbortController timeout is correctly implemented"
]
}
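Review bot: the base-uri runner-up now reads "duplicate of closed issue #5" while it still scores 7.9, the second-highest score in runner_ups; if #5 was closed without a base-uri check landing, a closed issue is not a reason to withhold filing, so the entry should either state that the check shipped under #5 or be filed afresh rather than left as a duplicate. Also, the new failing-tests entry ("PR #2 merge (81f8735) introduced 4 failing tests") is the only runner_ups item that carries a score_breakdown, which makes the schema inconsistent between entries; either add breakdowns to the other runner-ups or drop it here and keep breakdowns to filed issues.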
39 changes: 0 additions & 39 deletions package-lock.json