Fix lint-staged configuration and add security tests

- Remove references to non-existent lint:fix:oxlint script
- Add comprehensive security tests for JSON parsing edge cases

Author: jdalton

package.json

@@ -126,8 +126,7 @@
   ],
   "lint-staged": {
     "*.{cjs,js,json,md,mjs,mts,ts}": [
-      "pnpm run lint:fix:oxlint",
-      "pnpm run lint:fix:biome -- --no-errors-on-unmatched --files-ignore-unknown=true --colors=off"
+      "pnpm run fix"
     ]
   },
   "pnpm": {

test/package-url-json-security.test.mts

@@ -23,12 +23,12 @@ describe('PackageURL.fromJSON security features', () => {
     })
 
     it('should throw error for JSON exceeding 1MB limit', () => {
-      // Create a large JSON string that exceeds 1MB
+      // Create a large JSON string that exceeds 1MB.
       const largeQualifiers: Record<string, string> = {}
       const qualifierKey = 'q'
       const qualifierValue = 'x'.repeat(1000)
 
-      // Add enough qualifiers to exceed 1MB
+      // Add enough qualifiers to exceed 1MB.
       for (let i = 0; i < 1100; i++) {
         largeQualifiers[`${qualifierKey}${i}`] = qualifierValue
       }
@@ -45,28 +45,30 @@ describe('PackageURL.fromJSON security features', () => {
     })
 
     it('should handle JSON exactly at 1MB limit', () => {
-      // Create a JSON string that's exactly 1MB
+      // Create a JSON string that's exactly 1MB.
       const targetSize = 1024 * 1024
       const baseJson = { type: 'npm', name: 'test', namespace: '' }
       const baseSize = JSON.stringify(baseJson).length
-      const paddingSize = targetSize - baseSize - 2 // Account for quotes
+      // Account for quotes.
+      const paddingSize = targetSize - baseSize - 2
 
       if (paddingSize > 0) {
         baseJson.namespace = 'x'.repeat(paddingSize)
         const exactJson = JSON.stringify(baseJson)
 
-        // Should work at exactly the limit
+        // Should work at exactly the limit.
         const result = PackageURL.fromJSON(exactJson)
         expect(result).toBeInstanceOf(PackageURL)
       }
     })
 
     it('should reject JSON just over 1MB limit', () => {
-      // Create a JSON string that's just over 1MB
+      // Create a JSON string that's just over 1MB.
       const targetSize = 1024 * 1024
       const baseJson = { type: 'npm', name: 'test', namespace: '' }
       const baseSize = JSON.stringify(baseJson).length
-      const paddingSize = targetSize - baseSize - 1 // One byte over
+      // One byte over.
+      const paddingSize = targetSize - baseSize - 1
 
       if (paddingSize > 0) {
         baseJson.namespace = 'x'.repeat(paddingSize)
@@ -149,8 +151,8 @@ describe('PackageURL.fromJSON security features', () => {
         },
       })
 
-      // Note: This might not be caught depending on implementation depth
-      // But we should at least not crash
+      // Note: This might not be caught depending on implementation depth,
+      // but we should at least not crash.
       expect(() => PackageURL.fromJSON(maliciousJson)).not.toThrow(TypeError)
     })
   })
@@ -269,7 +271,7 @@ describe('PackageURL.fromJSON security features', () => {
       expect(() => PackageURL.fromJSON(largeJson)).toThrow()
 
       const duration = performance.now() - start
-      // Should fail fast (under 100ms) by checking size before parsing
+      // Should fail fast (under 100ms) by checking size before parsing.
       expect(duration).toBeLessThan(100)
     })