Replaces geist and styled-components with Tailwind #84
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| } |
There was a problem hiding this comment.
Insecure Firestore rules committed as default
The main firestore.rules file now contains development rules allowing unrestricted read/write access (allow read, write: if true). While firestore.prod.rules contains proper authentication checks and a script exists to switch between them, the default committed state is insecure. If deployed via firebase deploy without first running ./switch-rules.sh prod, the production database would be completely open to unauthorized access.
| <img | ||
| src={user.photoUrl} | ||
| alt='User avatar' | ||
| className={`rounded-full border-white ${forPrint ? 'w-15 h-15 border-4' : 'w-25 h-25 border-8'}`} |
There was a problem hiding this comment.
Non-standard Tailwind classes break emergency card styling
The emergency card uses non-standard Tailwind CSS classes that don't exist in the framework's spacing scale: w-15, h-15, w-25, h-25 (line 61) and -top-4.5 (line 86). Tailwind's spacing scale includes values like 14, 16, 20, 24 but not 15 or 25. These classes won't apply any styles, breaking the avatar sizing and blood drop positioning on the emergency card. Arbitrary values like w-[60px] or -top-[18px] are needed instead.
Additional Locations (1)
| allow read, write: if true; | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Insecure Firestore rules committed to repository by default
The firebase/firestore.rules file contains completely permissive development rules (allow read, write: if true;) that allow anyone to read and write all data without authentication. This file is referenced by firebase.json and would be deployed to production by default. While there's a script system to switch to production rules via rules:prod, the committed default state is insecure. If deployment occurs using the standard build command (or direct firebase deploy) without explicitly running rules:prod first, it would expose all user data, infusions, and feedback to unauthenticated access.
Additional Locations (1)
| return Math.random() | ||
| .toString(36) | ||
| .substring(2, 2 + length) | ||
| } |
There was a problem hiding this comment.
Insecure and potentially short unique string generation
The generateUniqueString function was rewritten to use Math.random().toString(36).substring(2, 2 + length) instead of the cryptographically secure nanoid library. This has two problems: (1) Math.random() is not cryptographically secure and is predictable, making generated API keys vulnerable to guessing attacks, and (2) the function can return strings shorter than the requested length because small random values like 0.5 produce very short base-36 representations. API keys requesting 20 characters could receive as few as 1-2 characters. This affects API key generation and emergency alert IDs.
| }, | ||
| "[json, jsonc]": { | ||
| "editor.defaultFormatter": "vscode.json-language-features" | ||
| }, |
There was a problem hiding this comment.
VSCode settings use invalid language-specific override syntax
Low Severity
The VSCode settings file uses [javascript, typescript] and [json, jsonc] as keys for language-specific overrides, but this syntax is invalid. VSCode expects individual language identifiers like [javascript] and [typescript] as separate entries. The comma-separated format won't be recognized as a language selector, so the editor.defaultFormatter setting will not be applied to these file types as intended.
| "version": "2.9.0", | ||
| "type": "module", | ||
| "packageManager": "pnpm@10.13.1", | ||
| "packageManager": "pnpm@10.28.0", |
There was a problem hiding this comment.
pnpm version mismatch between package.json and CI workflow
Medium Severity
The package.json specifies packageManager: "[email protected]" but the GitHub Actions workflow uses version: 10.13.1 in both jobs. This version mismatch means CI runs with a different pnpm version than what developers use locally, which could lead to inconsistent lockfile handling, cache issues, or different dependency resolution behavior between environments.
Big update incoming. This may take a bit, but I've been meaning to give the site a design refresh for a while.
Notable updates
Replaces GeistUI and Styled-Components with Tailwind
This one has been a long time coming. When I launched Hemolog, I wasn't focused on the UI. Building something that was functional, extensible, and simple to change later was the goal. I think I achieved that, but I've been meaning to do a design pass for a while. Unfortunately that means a rather large refactor in order to make the frontend simpler to manipulate and maintain. This PR does just that and more...
New custom components
I basically had cursor go through and migrate a bunch of the old geist components to raw jsx + tailwind. This will need some massaging but it saved me a ton of time and did the bulk of the work. Now I should have a relatively clean canvas.
Reduced page load
Reducing the 3rd party dependencies has also made the site a bit quicker. More improvements to come in this department as I'll most likely update to the most recent version of Next and React as well which should give some improvements in the stats department for free.
Note
Major UI and tooling modernization with associated infra/test updates.
tailwindcss,@tailwindcss/postcss,autoprefixer) and upgrades tonext@16/react@18recharts; drops Geist/styled-components) and scripts (rules:dev/prod,seed)setup-environmentandrun-tests, cache pnpm/Cypress, add Java 21, and wait for:3000incypress-io/github-action(.github/workflows/main.yml)cypress/e2e/*.cy.ts), updates config (cypress.config.ts)firebase/, addfirestore.dev.rules/firestore.prod.rules, tighten feedback read rule; updatefirebase.jsonbiome.jsonrules,next.config.jsheaders/images,next-env.d.tsimportWritten by Cursor Bugbot for commit b145f2c. This will update automatically on new commits. Configure here.