Replaces geist and styled-components with Tailwind#84
Replaces geist and styled-components with Tailwind#84michaelwschultz wants to merge 22 commits intomainfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| } |
There was a problem hiding this comment.
Insecure Firestore rules committed as default
The main firestore.rules file now contains development rules allowing unrestricted read/write access (allow read, write: if true). While firestore.prod.rules contains proper authentication checks and a script exists to switch between them, the default committed state is insecure. If deployed via firebase deploy without first running ./switch-rules.sh prod, the production database would be completely open to unauthorized access.
| allow read, write: if true; | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Insecure Firestore rules committed to repository by default
The firebase/firestore.rules file contains completely permissive development rules (allow read, write: if true;) that allow anyone to read and write all data without authentication. This file is referenced by firebase.json and would be deployed to production by default. While there's a script system to switch to production rules via rules:prod, the committed default state is insecure. If deployment occurs using the standard build command (or direct firebase deploy) without explicitly running rules:prod first, it would expose all user data, infusions, and feedback to unauthenticated access.
Additional Locations (1)
There was a problem hiding this comment.
Need to make sure we never commit this default state.
| return Math.random() | ||
| .toString(36) | ||
| .substring(2, 2 + length) | ||
| } |
There was a problem hiding this comment.
Insecure and potentially short unique string generation
The generateUniqueString function was rewritten to use Math.random().toString(36).substring(2, 2 + length) instead of the cryptographically secure nanoid library. This has two problems: (1) Math.random() is not cryptographically secure and is predictable, making generated API keys vulnerable to guessing attacks, and (2) the function can return strings shorter than the requested length because small random values like 0.5 produce very short base-36 representations. API keys requesting 20 characters could receive as few as 1-2 characters. This affects API key generation and emergency alert IDs.
| }, | ||
| "[json, jsonc]": { | ||
| "editor.defaultFormatter": "vscode.json-language-features" | ||
| }, |
There was a problem hiding this comment.
VSCode settings use invalid language-specific override syntax
Low Severity
The VSCode settings file uses [javascript, typescript] and [json, jsonc] as keys for language-specific overrides, but this syntax is invalid. VSCode expects individual language identifiers like [javascript] and [typescript] as separate entries. The comma-separated format won't be recognized as a language selector, so the editor.defaultFormatter setting will not be applied to these file types as intended.
| "version": "2.9.0", | ||
| "type": "module", | ||
| "packageManager": "pnpm@10.13.1", | ||
| "packageManager": "pnpm@10.28.0", |
There was a problem hiding this comment.
pnpm version mismatch between package.json and CI workflow
Medium Severity
The package.json specifies packageManager: "pnpm@10.28.0" but the GitHub Actions workflow uses version: 10.13.1 in both jobs. This version mismatch means CI runs with a different pnpm version than what developers use locally, which could lead to inconsistent lockfile handling, cache issues, or different dependency resolution behavior between environments.
Additional Locations (2)
|
|
||
| - name: Install pnpm | ||
| uses: pnpm/action-setup@v2 | ||
| uses: pnpm/action-setup@v4 |
There was a problem hiding this comment.
pnpm version mismatch between CI and package.json
Medium Severity
The package.json was updated to use pnpm@10.28.0 but the GitHub Actions workflow still specifies version: 10.13.1 in both the setup-environment and run-tests jobs. This version mismatch between local development and CI could cause different dependency resolution behavior, lockfile format incompatibilities, or feature differences between environments.
Additional Locations (1)
1 participant
Big update incoming. This may take a bit, but I've been meaning to give the site a design refresh for a while.
Notable updates
Replaces GeistUI and Styled-Components with Tailwind
This one has been a long time coming. When I launched Hemolog, I wasn't focused on the UI. Building something that was functional, extensible, and simple to change later was the goal. I think I achieved that, but I've been meaning to do a design pass for a while. Unfortunately that means a rather large refactor in order to make the frontend simpler to manipulate and maintain. This PR does just that and more...
New custom components
I basically had cursor go through and migrate a bunch of the old geist components to raw jsx + tailwind. This will need some massaging but it saved me a ton of time and did the bulk of the work. Now I should have a relatively clean canvas.
Reduced page load
Reducing the 3rd party dependencies has also made the site a bit quicker. More improvements to come in this department as I'll most likely update to the most recent version of Next and React as well which should give some improvements in the stats department for free.
Note
Major stack and UI migration with broad tooling updates.
.cursorrules, Biome config, VSCode settings; updatepackage.jsonscripts (rules switch, seed) and versionsfirebase/with dev/prod rule sets; updatefirebase.jsonpathsWritten by Cursor Bugbot for commit 647e05e. This will update automatically on new commits. Configure here.