From 49096914d2af7c089aa3dd48e40b4b8ad8343fd4 Mon Sep 17 00:00:00 2001 
From: shankar0123 Date: Thu, 14 May 2026 18:55:32 +0000 Subject: [PATCH] =?UTF-8?q?fix(web):=20Hotfix=20#10=20=E2=80=94=20CodeQL?= =?UTF-8?q?=20#37=20js/use-before-declaration=20on=20=5F=5FAPP=5FVERSION?= =?UTF-8?q?=5F=5F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CodeQL alert #37 (severity: warning, rule: js/use-before-declaration) fired on commit aa1c12a: web/src/components/ErrorBoundary.tsx:56 Variable '__APP_VERSION__' is used before its declaration. Root cause: Phase 9 introduced a `__APP_VERSION__` build-time define for the FE-L1 ErrorBoundary telemetry payload, and TypeScript needs an ambient declaration to know about it. The declaration sat AT LINE 59 (after the BUILD_VERSION constant at line 55 that uses it). JavaScript permits use-before-declare for `var`-scoped and `declare const` symbols, but CodeQL flags it as a readability hazard — a developer reading top-to-bottom sees the use first and may mistake it for a global lookup. Fix: Move `declare const __APP_VERSION__: string;` ABOVE the BUILD_VERSION constant. Behavior is byte-identical (the `declare` produces no runtime emit; it's pure TypeScript type-only metadata). Added a header comment block explaining why the order matters so a future refactor doesn't accidentally reintroduce the same alert. Verification: • npx tsc --noEmit — exit 0 • npx vitest run src/components/ErrorBoundary.test.tsx — 5/5 pass • npm run build — ✓ built in 3.27s (define still wires __APP_VERSION__ → package.json version at build time) • All 48 CI guards pass • origin/master tip ground-truthed via GitHub API (aa1c12a) BEFORE commit per the operating rule • No behavioral change — same emitted JS bundle, same telemetry payload shape Falsifiable proof for the next CodeQL scan: alert #37 should auto-close on the next push to master (CodeQL re-scans on push to master per .github/workflows/codeql.yml). 
---
 web/src/components/ErrorBoundary.tsx | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/web/src/components/ErrorBoundary.tsx b/web/src/components/ErrorBoundary.tsx
index 2f8334c..f8ee897 100644
--- a/web/src/components/ErrorBoundary.tsx
+++ b/web/src/components/ErrorBoundary.tsx
@@ -51,13 +51,18 @@ interface ErrorPayload {
 * Buildversion is injected by Vite at build time via define() —
 * falling back to 'dev' if missing means local dev doesn't fail to
 * compile.
+ *
+ * NOTE: the `declare const` MUST sit ABOVE its first use. JavaScript
+ * permits use-before-declare for `var` / function decls, but CodeQL's
+ * `js/use-before-declaration` rule flags it as a readability hazard
+ * (alert #37 on commit aa1c12a). We keep the symbol declared first.
 */
+declare const __APP_VERSION__: string;
+
 const BUILD_VERSION = (
 typeof __APP_VERSION__ !== 'undefined' ? __APP_VERSION__ : 'dev'
 );
 
-declare const __APP_VERSION__: string;
-
 /**
 * Optional Sentry-class endpoint. When set, the boundary POSTs the
 * error payload as JSON. Empty / unset = no telemetry (the safe
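Review bot: The NOTE added to the doc comment above `BUILD_VERSION` explains the ordering with hoisting of `var` and function declarations, but `declare const __APP_VERSION__` is neither: it is a TypeScript ambient declaration that is erased on emit, so its position has no runtime effect and "MUST" overstates a lint preference. What actually keeps a missing define safe at runtime is the `typeof __APP_VERSION__ !== 'undefined'` guard, and the comment would be more useful if it said so. I would reword the NOTE to state that the declaration is type-only and emits no JavaScript, that it is kept above its first use only to satisfy CodeQL's `js/use-before-declaration` (alert #37), and that the `typeof` guard handles the case where the define is absent. Moving the ambient declaration into a shared `.d.ts` file would remove the ordering constraint entirely. The doc comment starts above the hunk and the trailing comment block continues past it, so the full wording is not visible here.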