fix(web): Hotfix #10 — CodeQL #37 js/use-before-declaration on __APP_VERSION__

CodeQL alert #37 (severity: warning, rule: js/use-before-declaration)
fired on commit aa1c12a:

  web/src/components/ErrorBoundary.tsx:56
    Variable '__APP_VERSION__' is used before its declaration.

Root cause:
  Phase 9 introduced a `__APP_VERSION__` build-time define for the
  FE-L1 ErrorBoundary telemetry payload, and TypeScript needs an
  ambient declaration to know about it. The declaration sat AT
  LINE 59 (after the BUILD_VERSION constant at line 55 that uses
  it). JavaScript permits use-before-declare for `var`-scoped and
  `declare const` symbols, but CodeQL flags it as a readability
  hazard — a developer reading top-to-bottom sees the use first
  and may mistake it for a global lookup.

Fix:
  Move `declare const __APP_VERSION__: string;` ABOVE the
  BUILD_VERSION constant. Behavior is byte-identical (the
  `declare` produces no runtime emit; it's pure TypeScript
  type-only metadata). Added a header comment block explaining
  why the order matters so a future refactor doesn't accidentally
  reintroduce the same alert.

Verification:
  • npx tsc --noEmit — exit 0
  • npx vitest run src/components/ErrorBoundary.test.tsx — 5/5 pass
  • npm run build — ✓ built in 3.27s (define still wires __APP_VERSION__ → package.json version at build time)
  • All 48 CI guards pass
  • origin/master tip ground-truthed via GitHub API (aa1c12a) BEFORE commit per the operating rule
  • No behavioral change — same emitted JS bundle, same telemetry payload shape

Falsifiable proof for the next CodeQL scan: alert #37 should
auto-close on the next push to master (CodeQL re-scans on push to
master per .github/workflows/codeql.yml).
shankar0123
2026-05-14 18:55:32 +00:00
parent aa1c12ae2d
commit 49096914d2
+7 -2
@@ -51,13 +51,18 @@ interface ErrorPayload {
* Buildversion is injected by Vite at build time via define() — * Buildversion is injected by Vite at build time via define() —
* falling back to 'dev' if missing means local dev doesn't fail to * falling back to 'dev' if missing means local dev doesn't fail to
* compile. * compile.
*
* NOTE: the `declare const` MUST sit ABOVE its first use. JavaScript
* permits use-before-declare for `var` / function decls, but CodeQL's
* `js/use-before-declaration` rule flags it as a readability hazard
* (alert #37 on commit aa1c12a). We keep the symbol declared first.
*/ */
declare const __APP_VERSION__: string;
const BUILD_VERSION = ( const BUILD_VERSION = (
typeof __APP_VERSION__ !== 'undefined' ? __APP_VERSION__ : 'dev' typeof __APP_VERSION__ !== 'undefined' ? __APP_VERSION__ : 'dev'
); );
declare const __APP_VERSION__: string;
/** /**
* Optional Sentry-class endpoint. When set, the boundary POSTs the * Optional Sentry-class endpoint. When set, the boundary POSTs the
* error payload as JSON. Empty / unset = no telemetry (the safe * error payload as JSON. Empty / unset = no telemetry (the safe
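Review bot: The NOTE added to the comment block justifies the ordering with "JavaScript permits use-before-declare for `var` / function decls", but the symbol on the next line is a `declare const`, an ambient TypeScript declaration that emits no JavaScript, so hoisting is not what makes either ordering safe at runtime. As worded, a later reader could conclude that a real `const` may be read before its declaration, which would throw a ReferenceError from the temporal dead zone even under the `typeof` guard used in BUILD_VERSION. Suggest rewording to state the actual reason, for example: "`declare const` is type-only and emits no JS; it is kept above its first use to satisfy CodeQL's `js/use-before-declaration`". As a style point, the alert number and commit hash in the NOTE are history that already lives in the commit message and will go stale in the source comment.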