Dead-code removal + shared core utils + unified SSRF guard (expl 0230, phase 0–1)#284
Merged
crs48 merged 8 commits on Jun 26, 2026
Conversation
…ortunities Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CanvasV2Legacy (2380 LOC) had zero production importers — the public Canvas export resolves to CanvasV3. Its only references were a Storybook story and a navigation-shell test that exercised the legacy renderer's internals. Remove all three (3913 LOC) as dead code.
Establish a single dependency-free home for the small helpers that were re-implemented across many packages. formatBytes scales correctly to PB (fixing copies that silently capped at MB). debounce/throttle and the compact relative-time formatters are intentionally NOT consolidated here — they have divergent signatures and output formats across call sites.
…pers Replace behaviour-identical copies with the canonical @xnetjs/core helpers:
- clamp(v,min,max): CanvasV3, webgl vector/raster tiles, query moderation, hub crawl (hub's undefined-accepting clamp01 and telemetry's NaN->1 clamp01 are left local — different semantics).
- formatBytes: canvas memory-profile (re-exported), react quota/sync overlays, devtools formatters — the last two fix copies that silently capped at MB.
- formatRelativeTime: the two identical comment-surface copies now share an internal ui helper.
Scoped to packages already depending on @xnetjs/core (plus private devtools) so no publishable package gains a new dependency just for a one-liner. debounce/throttle are intentionally untouched (divergent signatures).
The hub's regex-based validateExternalUrl missed several private ranges (CGNAT 100.64/10, IPv4-mapped IPv6, NAT64, fe81::-fe8f:: link-local, the trailing-dot bypass) and false-positived on hosts like fd-startup.com — it guarded the network-facing unfurl/federation/crawl routes. Move the strict literal-host guard (ported from @xnetjs/plugins) into @xnetjs/core as the single source of truth, exposing assertPublicUrl + validateExternalUrl + a 31-case bypass-vector test. hub/utils/url.ts and plugins/actions/ssrf.ts now both delegate to it; plugins keeps its ActionSsrfError contract.
Add changeset (core minor; plugins/react patch) and a changelog fragment for the shared-helper consolidation and SSRF hardening.
Backing out the devtools->@xnetjs/core edge: it was the only new workspace dependency in this PR and a non-frozen install rewrote ~17k lines of the lockfile. devtools is private and dev-only; deduping its byte formatter can ride a later batch. All remaining migrations use packages that already depend on @xnetjs/core, so this PR needs no lockfile change.
Implements the low-risk top of the leverage ladder from exploration 0230 — the "do now" Phase 0 + Phase 1. The structural phases (schema SSoT, importer toolkit, god-file splits, cross-app convergence) are deliberately left as follow-up PRs, exactly as the doc recommends; this doc stays [_]. Net −3,167 LOC, no lockfile change.

What landed

1. Delete dead code (−3,913 LOC). CanvasV2Legacy.tsx (2,380 LOC) had zero production importers — the public Canvas export resolves to CanvasV3. Its only references were a Storybook story and a navigation-shell test that exercised the legacy renderer's internals (it mocks legacy-only modules and asserts legacy DOM contracts — it can't be repointed to V3). Removed all three.

2. Canonical @xnetjs/core utils + behaviour-preserving migration. New clamp, clamp01, formatBytes (tested) replace behaviour-identical copies in canvas (×4), query, hub, and react (×2) — all packages that already depend on core, so no new dependency edges. The two react byte displays no longer silently cap at MB. The two identical comment-surface relative-time copies now share one ui helper. Reading the code corrected the exploration's grep-based counts: the "29 clamp" conflates three distinct functions (clamp, clamp01, and specialized clampLimit/clampRatio/…); debounce/throttle have divergent signatures; several formatBytes copies encode different output. So the codemod was scoped by behaviour — only truly-identical helpers and clear bug-fixes were migrated; divergent ones were left local on purpose.

3. Unify the SSRF guard (security). The hub's regex validateExternalUrl guarded the network-facing unfurl/federation/crawl routes but missed private ranges (CGNAT 100.64/10, IPv4-mapped IPv6, NAT64, fe81::–fe8f:: link-local, the trailing-dot bypass) and false-positived on hosts like fd-startup.com. The strict literal-host guard now lives in @xnetjs/core with a 31-case bypass-vector test; hub and plugins both delegate to it (plugins keeps its ActionSsrfError contract).

Verification

coverage passes.

Deliberately deferred (separate PRs, per the doc)

Knip/jscpd CI ratchet · schema SCHEMA_METADATA/SCHEMA_UI_METADATA SSoT · social importer toolkit · god-file splits (CanvasV3, AiSurfaceService, sqlite-adapter) · cross-app web/electron view convergence (needs a parity audit first) · scripts/lib + package scaffold. The devtools byte-formatter dedup was backed out here to avoid a 17k-line lockfile rewrite from the new workspace edge.

🤖 Generated with Claude Code
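The strict literal-host guard described in item 3, as an added example that is not the @xnetjs/core implementation nor any code from this PR: a TypeScript classifier for IP-literal hosts that covers the ranges the old regex missed (CGNAT 100.64/10, IPv4-mapped IPv6, NAT64, fe80::/10 link-local, the trailing-dot form) while letting a DNS name such as fd-startup.com through to the resolver stage. The blocked-range list, the function name publicUrlError and its string-or-null return are assumptions made here; only the name assertPublicUrl is on the page, not its signature.

```typescript
import { isIP } from "node:net";
// Constructed list of IPv4 prefixes a server-side fetch must never reach; CGNAT 100.64/10 is the one the regex guard missed.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];
const v4ToInt = (ip: string): number => ip.split(".").reduce((n, o) => n * 256 + Number(o), 0);
function blockedV4(ip: string): boolean {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([net, bits]) => Math.floor(n / 2 ** (32 - bits)) === Math.floor(v4ToInt(net) / 2 ** (32 - bits)));
}
// Expand an IPv6 literal to 8 hextets: "::" is zero-filled and a dotted IPv4 tail (::ffff:a.b.c.d, 64:ff9b::a.b.c.d) is folded in.
function hextets(ip: string): number[] {
  let s = ip;
  const tail = s.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (tail) {
    const n = v4ToInt(tail[1]);
    s = s.slice(0, -tail[1].length) + Math.floor(n / 65536).toString(16) + ":" + (n % 65536).toString(16);
  }
  const parts = s.split("::");
  const h = parts[0] ? parts[0].split(":") : [];
  const t = parts[1] ? parts[1].split(":") : [];
  const fill = parts.length > 1 ? 8 - h.length - t.length : 0;
  return [...h, ...new Array<string>(fill).fill("0"), ...t].map((x) => parseInt(x, 16));
}
function blockedV6(ip: string): boolean {
  const h = hextets(ip);
  const zeroTo = (n: number) => h.slice(0, n).every((x) => x === 0);
  // IPv4-mapped (::ffff:0:0/96) and NAT64 (64:ff9b::/96) embed an IPv4 in the last 32 bits: judge that address.
  if ((zeroTo(5) && h[5] === 0xffff) || (h[0] === 0x64 && h[1] === 0xff9b && h.slice(2, 6).every((x) => x === 0))) {
    return blockedV4([h[6] >> 8, h[6] & 0xff, h[7] >> 8, h[7] & 0xff].join("."));
  }
  return (zeroTo(7) && h[7] <= 1) || (h[0] & 0xfe00) === 0xfc00      // :: and ::1; fc00::/7 unique-local
    || (h[0] & 0xffc0) === 0xfe80 || (h[0] & 0xff00) === 0xff00;     // fe80::/10 (so fe81::-fe8f::); ff00::/8 multicast
}

// Strict literal-host guard: null means fetchable, otherwise the reason. Only IP literals are classified here;
// DNS names are left to a resolve-time check, so fd-startup.com is not mistaken for a ULA literal.
function publicUrlError(raw: string): string | null {
  const u = (() => { try { return new URL(raw); } catch { return null; } })();
  if (!u) return "unparseable URL";
  if (u.protocol !== "http:" && u.protocol !== "https:") return `scheme ${u.protocol} not allowed`;
  // Strip IPv6 brackets and the trailing dot ("localhost." bypass); the WHATWG parser already canonicalized IPv4 spellings.
  const host = u.hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "").toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return "localhost";
  const kind = isIP(host);
  if (kind === 4 && blockedV4(host)) return `private IPv4 ${host}`;
  if (kind === 6 && blockedV6(host)) return `private IPv6 ${host}`;
  return null;
}
```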