feat(driver-versions): rebuild page as timeline with per-release reba…#684
Code Review
This pull request replaces the static driver versions table with a dynamic Driver Versions Catalog. It introduces a Node.js script to fetch and parse release data from GitHub, a new React component to display a timeline of driver versions (Kernel, NVIDIA, Mesa, HWE), and logic to detect version bumps. Feedback focuses on three critical areas: a potential command injection vulnerability in the generated rebase commands, a logic flaw that could result in empty displays for streams without recent releases, and the lack of error logging in the fetch script's fallback mechanism.
| function rebaseCommandForTag(tag: string) { | ||
| return `sudo bootc switch --enforce-container-sigpolicy "ghcr.io/$(jq -r '.\"image-name\"' /usr/share/ublue-os/image-info.json):${tag}"`; | ||
| } |
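Review bot: `${tag}` on the return line lands inside the double-quoted image reference, where the shell still performs command and variable substitution, so the surrounding quotes do not make an arbitrary tag safe to paste. Validate the tag against a strict allowlist (the characters an image tag can legally contain) before building the string, and have the function return no command at all when validation fails, rather than trying to escape individual characters.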
The tag variable is interpolated directly into a shell command string intended for user copy-paste. Since this data originates from an external source (GitHub release tags), it should be sanitized to prevent potential command injection if a malicious or malformed tag is processed. While the script filters tags by prefix, additional sanitization ensures that characters like ;, &, or $ cannot be used to execute arbitrary commands.
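One way to do the sanitization this comment asks for, as an added example that is not part of the pull request or the review: the tag is checked against the OCI image-tag grammar and anything else produces no command. `SAFE_TAG` and the three function names are assumptions, and the sample tags are constructed.

```typescript
// Added example: not code from the pull request. SAFE_TAG, isSafeImageTag,
// safeRebaseCommandForTag and partitionTags are hypothetical names.

// OCI image-tag grammar: one of [A-Za-z0-9_], then up to 127 characters from
// [A-Za-z0-9._-]. None of these characters is special to a POSIX shell.
const SAFE_TAG = /^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$/;

function isSafeImageTag(tag: unknown): tag is string {
  return typeof tag === "string" && SAFE_TAG.test(tag);
}

// Returns the copy-paste command, or null so the caller can render the row
// without a copy control instead of emitting a command built from a bad tag.
function safeRebaseCommandForTag(tag: unknown): string | null {
  if (!isSafeImageTag(tag)) return null;
  return `sudo bootc switch --enforce-container-sigpolicy "ghcr.io/$(jq -r '.\"image-name\"' /usr/share/ublue-os/image-info.json):${tag}"`;
}

// Splits fetched tags so the build script can log what it refused to render.
function partitionTags(tags: unknown[]): { accepted: string[]; rejected: unknown[] } {
  const accepted: string[] = [];
  const rejected: unknown[] = [];
  for (const tag of tags) {
    if (isSafeImageTag(tag)) accepted.push(tag);
    else rejected.push(tag);
  }
  return { accepted, rejected };
}

// Constructed sample tags, not real release data.
const SAMPLE_TAGS: unknown[] = [
  "stable-20250101",
  "lts.20250101.1",
  "stable-20250101;echo",
  "stable-$(echo)",
  "stable&echo",
  'lts"x',
  "stable-20250101\n",
  "",
  null,
];

const SAMPLE_RESULT = partitionTags(SAMPLE_TAGS);
```

Rejecting outright, rather than escaping, keeps the rendered command identical to what the image registry would accept as a tag.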
| const cutoff = Date.now() - HISTORY_DAYS * 24 * 60 * 60 * 1000; | ||
|
|
||
| const filtered = releases | ||
| .filter((release) => String(release?.tag_name || "").startsWith(tagPrefix)) | ||
| .filter((release) => { | ||
| const parsed = Date.parse(release?.published_at || release?.created_at || ""); | ||
| if (Number.isNaN(parsed)) return false; | ||
| return parsed >= cutoff; | ||
| }) | ||
| .sort( | ||
| (a, b) => | ||
| Date.parse(b?.published_at || b?.created_at || 0) - | ||
| Date.parse(a?.published_at || a?.created_at || 0), | ||
| ); | ||
|
|
||
| const history = filtered.map((release) => buildRowFromApiRelease(release, streamId)); | ||
|
|
||
| return { | ||
| id: streamId, | ||
| name, | ||
| subtitle, | ||
| command, | ||
| source: "github-api", | ||
| rowCount: history.length, | ||
| latest: history[0] || null, | ||
| history, | ||
| }; |
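Review bot: the sort comparator falls back to `0` (`b?.published_at || b?.created_at || 0`) while the filter above it falls back to `""`, and `Date.parse` runs up to three times per release. The filter already drops releases whose date does not parse, so the comparator's fallback is unreachable today, but if the filter is later relaxed the comparator would be ordering on values that were never validated. Parse the timestamp once per release, keep it next to the release, and filter and sort on that number.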
The current filtering logic strictly excludes all releases older than HISTORY_DAYS. If a stream (especially LTS) hasn't had a release within this window, the history array will be empty, and the UI will display a "No release rows parsed" message instead of the latest available version. It is recommended to always include at least the latest release regardless of its age to ensure the page remains functional.
| fs.writeFileSync(OUTPUT_FILE, JSON.stringify(output, null, 2), "utf-8"); | ||
| console.log(`Driver versions data saved to ${OUTPUT_FILE}`); | ||
| }) | ||
| .catch(() => { |
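Review bot: `.catch(() => {` takes no parameter, so the handler has nothing to log, and because `fs.writeFileSync` runs inside the preceding callback, a local write failure reaches the same handler as a failed fetch. Bind the error (`.catch((err) => {`) and log it before the handler continues, so a disk or permissions problem is not mistaken for an API outage.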
The .catch() block silently swallows errors from the GitHub API fetch or the data processing logic. This makes it difficult to diagnose why the live fetch failed and why the system fell back to local feeds. Logging the error is essential for maintainability and troubleshooting build failures in CI/CD environments.
…se commands
Regenerate driver versions from cached data and present stable/LTS as clear backwards timelines with highly visible kernel/NVIDIA/Mesa/HWE values. Improve usability with always-visible copy controls, major/minor bump highlights, and cleaner archive-first layout for faster troubleshooting.
Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Revised introduction and overview sections for clarity and added context.
Sanitize release tags before command rendering, preserve stream sections when a stream has no recent releases, and log API fallback errors for easier diagnosis. Also remove fetch-github-images from fetch-data on this branch to match upstream baseline and keep builds green.
Assisted-by: Claude Sonnet 4.6 via GitHub Copilot
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1f6270b to 8622e39