
@SunDevil311
Member

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

Added

  • Conditional guards to ensure artifacts, issues, and external notifications are only created when workflows run in a trusted context (non-PR runs or PRs originating from the same repository).
  • Redacted, public-safe Gitleaks scan summaries in GitHub Actions step output to prevent accidental exposure of sensitive file paths or values.
  • Optional installation of jq gated to trusted execution contexts to support future structured output (e.g., SARIF) while preserving fork safety.

Changed

  • Updated the Gitleaks secret scanning workflow to explicitly exclude Dependabot pull requests, avoiding failures caused by unavailable organization secrets in bot-triggered PRs.
  • Refined workflow trust boundaries to distinguish between forked pull requests and trusted repository contexts.
  • Updated .gitignore to stop tracking generated .svelte-kit files.
  • Bumped project version to v1.25.22.
  • Updated dependencies:
    • stylelint-order ^7.0.0 → ^7.0.1
    • posthog-js ^1.310.1 → ^1.313.0
    • globals ^16.5.0 → ^17.0.0

Removed

  • Removed Mastodon verification in src/routes/posts/+page.svelte, as it was not functioning properly. This route will remain unverified.

Security

  • Hardened secret-handling logic in CI by preventing the use of organization-level secrets, write permissions, and external notifications in untrusted pull request contexts.
  • Ensured Gitleaks license usage is restricted to safe execution paths, eliminating false-negative or false-positive failures caused by GitHub Actions secret scoping rules.
  • Added transitive dependency override for qs to ^6.14.1, in order to address CVE-2025-15284.

Checklist

  • I have read and followed the guidelines in the CONTRIBUTING document.
  • I've checked for existing Pull Requests for the same update/change.
  • My code follows the project’s coding style.
  • My code has been linted locally before submission.
  • All new and existing tests pass.

  • I have updated the documentation accordingly.
  • I have added tests to cover my changes, if applicable. (Optional, especially for new contributors)

Pull requests are part of a collaborative process — we welcome contributions and review each one carefully. For all but the smallest changes, you can expect maintainers to request improvements or clarifications.

Please check back after opening your PR and be responsive to feedback so we can get your contribution merged quickly.

Thanks for helping improve Network Pro Strategies!
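
One way to express the trust-context guards described in the PR description above as a GitHub Actions workflow. This is an added example, not this repository's actual workflow: the job layout, the `TRUSTED` variable, the `NOTIFY_WEBHOOK_URL` secret name and the presence of a gitleaks v8 binary on the runner are all assumptions.

```yaml
# Illustrative workflow, not the repository's own file.
name: secret-scan

on:
  push:
    branches: [master]
  pull_request:

# Least privilege by default; nothing here needs write access.
permissions:
  contents: read

jobs:
  gitleaks:
    runs-on: ubuntu-latest
    # Dependabot-triggered PRs do not receive organization secrets: skip them.
    if: github.actor != 'dependabot[bot]'
    env:
      # 'true' for non-PR runs and for PRs whose head branch lives in this
      # repository; 'false' for PRs opened from a fork.
      TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install jq (trusted contexts only)
        if: env.TRUSTED == 'true'
        run: sudo apt-get update && sudo apt-get install -y jq

      # Assumption: a gitleaks v8 binary is already on PATH.
      # --redact keeps matched secret values out of logs and the report.
      - name: Scan
        run: gitleaks detect --source . --redact --report-format sarif --report-path gitleaks.sarif

      - name: Upload report (trusted contexts only)
        if: always() && env.TRUSTED == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-report
          path: gitleaks.sarif

      - name: Notify (trusted contexts only)
        if: failure() && env.TRUSTED == 'true'
        env:
          WEBHOOK: ${{ secrets.NOTIFY_WEBHOOK_URL }}  # hypothetical secret name
        run: curl -fsS -X POST -d 'secret scan failed' "$WEBHOOK"
```

The scan itself still runs on fork PRs; only the steps that write artifacts or touch secrets are gated on `TRUSTED`.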

@vercel

vercel bot commented Jan 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
web Ready Ready Preview Jan 1, 2026 10:54pm

@github-actions

github-actions bot commented Jan 1, 2026

⚠️ Lighthouse Budget Issues Detected

  • First Contentful Paint (score: 0.81)
  • Largest Contentful Paint (score: 0.37)
  • Speed Index (score: 0.99)
  • Time to Interactive (score: 0.82)
  • Avoid multiple page redirects (score: 0)
  • Largest Contentful Paint element (score: 0)
  • Links rely on color to be distinguishable. (score: 0)
  • Serve static assets with an efficient cache policy (score: 0.5)
  • Reduce unused JavaScript (score: 0)
  • Remove duplicate modules in JavaScript bundles (score: 0.5)
  • Avoid serving legacy JavaScript to modern browsers (score: 0.5)
  • Use efficient cache lifetimes (score: 0.5)
  • Duplicated JavaScript (score: 0.5)
  • LCP request discovery (score: 0)
  • Legacy JavaScript (score: 0.5)
  • Network dependency tree (score: 0)
  • Render blocking requests (score: 0.5)

View the full report in the workflow artifacts or in .lighthouseci/report.html.

Member Author

@SunDevil311 SunDevil311 left a comment


All changes look good. Merging pending successful completion of tests.

@github-actions

github-actions bot commented Jan 1, 2026

⚠️ Lighthouse Budget Issues Detected

  • First Contentful Paint (score: 0.97)
  • Largest Contentful Paint (score: 0.83)
  • Max Potential First Input Delay (score: 0.92)
  • Time to Interactive (score: 0.94)
  • Largest Contentful Paint element (score: 0)
  • Links rely on color to be distinguishable. (score: 0)
  • Serve static assets with an efficient cache policy (score: 0.5)
  • Reduce unused CSS (score: 0)
  • Reduce unused JavaScript (score: 0.5)
  • Avoid serving legacy JavaScript to modern browsers (score: 0.5)
  • Use efficient cache lifetimes (score: 0.5)
  • LCP request discovery (score: 0)
  • Legacy JavaScript (score: 0.5)
  • Network dependency tree (score: 0)
  • Render blocking requests (score: 0.5)

View the full report in the workflow artifacts or in .lighthouseci/report.html.

@SunDevil311 SunDevil311 merged commit ce08e5d into master Jan 1, 2026
12 checks passed
@SunDevil311 SunDevil311 deleted the security/qs branch January 1, 2026 22:56