From 6d23665f990e5b5d5f2dde13e925fd6d5ead4c0d Mon Sep 17 00:00:00 2001
From: Jon West
Date: Sat, 4 Apr 2026 21:30:17 -0600
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 1: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/test.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8ef6739..5e20640 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: test
 
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ main ]
From 5f0644278995fccfdf16619bc78aa277cdcdce17 Mon Sep 17 00:00:00 2001
From: Jon West
Date: Sat, 4 Apr 2026 21:40:13 -0600
Subject: [PATCH 2/2] Fixing tests

---
 src/validators.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/validators.ts b/src/validators.ts
index 55b8071..4abad26 100644
--- a/src/validators.ts
+++ b/src/validators.ts
@@ -1,11 +1,11 @@
 import type { RegistryIndex, ProjectMetadata, VersionMetadata } from './types.js'
 
 export function validateRegistryIndex(data: unknown): data is RegistryIndex {
+ if (typeof data !== 'object' || data === null) return false
+ const d = data as Record
 return (
- typeof data === 'object' &&
- data !== null &&
- 'projects' in data &&
- Array.isArray((data as Record)['projects'])
+ Array.isArray(d['projects']) &&
+ d['projects'].every((p) => typeof p === 'string')
 )
 }
 
@@ -17,6 +17,7 @@ export function validateProjectMetadata(data: unknown): data is ProjectMetadata
 typeof d['displayName'] === 'string' &&
 typeof d['description'] === 'string' &&
 Array.isArray(d['tags']) &&
+ d['tags'].every((t) => typeof t === 'string') &&
 typeof d['repo'] === 'object' && d['repo'] !== null &&
 typeof d['latestVersion'] === 'string' &&
 typeof d['license'] === 'string'
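Review bot: The new top-level `permissions:` block in test.yml has no comment saying that it sets the default GITHUB_TOKEN scope for every job in the workflow. I would put `# Least-privilege default for GITHUB_TOKEN; a job that needs more must declare its own permissions block` above it, so that a later job needing a write scope widens it at job level rather than here. The jobs themselves are outside this hunk, so whether any existing step needs more than `contents: read` cannot be confirmed from the diff and should be checked on the first run.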
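Review bot: The element check `d['projects'].every((p) => typeof p === 'string')` in validateRegistryIndex is written out again for `tags` in the validateProjectMetadata hunk and for `changelog` in the validateVersionMetadata hunk; a shared predicate would keep the three guards in step. Something like `const isStringArray = (v: unknown): v is string[] => Array.isArray(v) && v.every((x) => typeof x === 'string')` lets each call site read `isStringArray(d['projects'])`. The guard also checks element type only, so an empty string passes. If project names are later used to build a path or URL (not visible in this patch), that constraint belongs in the validator as well.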
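Review bot: In validateProjectMetadata the unchanged line `typeof d['repo'] === 'object' && d['repo'] !== null &&` still accepts any non-null object, including an array, while the `data is ProjectMetadata` return type tells callers the whole shape has been verified. The same holds for `assets` and `repoLinks` in the validateVersionMetadata hunk. Since this commit tightens the array fields, the nested objects deserve the same treatment: at minimum add `!Array.isArray(d['repo'])`, and preferably check each field that the type in './types.js' declares. That file is not part of this patch, so the field names would have to be taken from it. Both function bodies start and end outside their hunks.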
@@ -30,6 +31,7 @@ export function validateVersionMetadata(data: unknown): data is VersionMetadata
 typeof d['version'] === 'string' &&
 typeof d['date'] === 'string' &&
 Array.isArray(d['changelog']) &&
+ d['changelog'].every((c) => typeof c === 'string') &&
 typeof d['assets'] === 'object' && d['assets'] !== null &&
 typeof d['repoLinks'] === 'object' && d['repoLinks'] !== null &&
 typeof d['license'] === 'string'