
🔧 update: enhance platform source detection and add unit tests #31

Merged
warengonzaga merged 11 commits into main from dev
Mar 3, 2026

@warengonzaga
Member

This pull request introduces improved event deduplication logic for webhook processing and refines platform detection, along with dependency and configuration updates. The main enhancement is the addition of atomic fingerprint-based deduplication to prevent duplicate processing when webhook retries use new event IDs for the same logical event. Several logging messages are also standardized for clarity, and a new .contributerc.json configuration file is added.

Event Deduplication and Processing Improvements

  • Introduced atomic fingerprint-based deduplication using Redis SET NX to detect and prevent processing of webhook retries with new event IDs but identical event content. This is implemented via the new claimFingerprint method in RedisService and integrated into WebhookService.
  • Added helper methods keyExists and markKey to RedisService for reusable key management, supporting both event ID and fingerprint deduplication.
  • Updated event publishing and processing flows to mark both event IDs and fingerprints as processed, ensuring robust duplicate prevention.

Platform Detection Enhancements

  • Improved platform detection logic to support both @mention and phone number formats for bot names, covering additional platforms such as WhatsApp via Twilio and Discord.

Logging and Configuration Updates

  • Standardized log messages by removing emoji prefixes for consistency and clarity throughout WebhookController and RedisService.
  • Added a new configuration file .contributerc.json to define branching strategy, commit conventions, and workflow roles.
  • Updated the dependency @wgtechlabs/log-engine from version 2.2.0 to 2.3.1 in package.json and pnpm-lock.yaml.

Other Minor Changes

  • Added a new Redis config option fingerprintPrefix to support fingerprint-based deduplication.

@warengonzaga warengonzaga self-assigned this Mar 3, 2026
Copilot AI review requested due to automatic review settings March 3, 2026 08:21
@warengonzaga warengonzaga added core [Area] Core logic, business rules, and primary functionality [issues, PRs] maintainer only [Community] Reserved for maintainers — not open for external contribution [issues, PRs] enhancement [Type] New feature or improvement to existing functionality [issues, PRs] labels Mar 3, 2026
@warengonzaga warengonzaga moved this to In Review in Unthread Partnership Mar 3, 2026

github-actions bot commented Mar 3, 2026

🛠️ Container Build Complete - Dev Build

Build Status: ✅ Success
Flow Type: dev
Description: Development and testing


📦 Pull Image

Docker Hub: docker pull wgtechlabs/unthread-webhook-server:dev-f924b27
GHCR: docker pull ghcr.io/wgtechlabs/unthread-webhook-server:dev-f924b27

📋 Build Details

| Property | Value |
|---|---|
| Flow Type | dev |
| Commit | f924b27 |
| Registry | Docker Hub + GHCR |

🏷️ Image Tags

wgtechlabs/unthread-webhook-server:dev-f924b27
ghcr.io/wgtechlabs/unthread-webhook-server:dev-f924b27


🔍 Testing Your Changes

  1. Pull the image using one of the commands above
  2. Run the container with your test configuration
  3. Verify the changes work as expected
  4. Report any issues in this PR

🚀 Quick Start

# Pull and run the container
docker pull wgtechlabs/unthread-webhook-server:dev-f924b27
docker run <your-options> <image>


🔒 Security Scan Results

📋 Pre-Build Security Checks

Source Code Scan: 1 vulnerabilities found
Dockerfile Scan: 0 misconfigurations found

🐳 Container Image Vulnerabilities

| Severity | Count |
|---|---|
| 🟠 High | 43 |
| Total | 43 |
📋 View Vulnerability Details

Node.js

  • 🟠 CVE-2025-64756 (HIGH) - glob
    • glob: glob: Command Injection Vulnerability via Malicious Filenames
    • Fixed in: 11.1.0, 10.5.0
  • 🟠 CVE-2025-64756 (HIGH) - glob
    • glob: glob: Command Injection Vulnerability via Malicious Filenames
    • Fixed in: 11.1.0, 10.5.0
  • 🟠 CVE-2025-64756 (HIGH) - glob
    • glob: glob: Command Injection Vulnerability via Malicious Filenames
    • Fixed in: 11.1.0, 10.5.0
  • 🟠 CVE-2026-26996 (HIGH) - minimatch
    • minimatch: minimatch: Denial of Service via specially crafted glob patterns
    • Fixed in: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
  • 🟠 CVE-2026-26996 (HIGH) - minimatch
    • minimatch: minimatch: Denial of Service via specially crafted glob patterns
    • Fixed in: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
  • 🟠 CVE-2026-26996 (HIGH) - minimatch
    • minimatch: minimatch: Denial of Service via specially crafted glob patterns
    • Fixed in: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
  • 🟠 CVE-2026-27903 (HIGH) - minimatch
    • minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
    • Fixed in: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
  • 🟠 CVE-2026-27903 (HIGH) - minimatch
    • minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
    • Fixed in: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
  • 🟠 CVE-2026-27903 (HIGH) - minimatch
    • minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
    • Fixed in: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
  • 🟠 CVE-2026-27904 (HIGH) - minimatch
    • minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
    • Fixed in: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
  • 🟠 CVE-2026-27904 (HIGH) - minimatch
    • minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
    • Fixed in: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
  • 🟠 CVE-2026-27904 (HIGH) - minimatch
    • minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
    • Fixed in: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
  • 🟠 CVE-2025-69262 (HIGH) - pnpm
    • pnpm: pnpm: Remote code execution via command injection in tokenHelper environment variable substitution
    • Fixed in: 10.27.0
  • 🟠 CVE-2025-69263 (HIGH) - pnpm
    • pnpm: pnpm Lockfile Integrity Bypass
    • Fixed in: 10.26.0
  • 🟠 CVE-2025-15284 (HIGH) - qs
    • qs: qs: Denial of Service via improper input validation in array parsing
    • Fixed in: 6.14.1
  • 🟠 CVE-2026-23745 (HIGH) - tar
    • node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
    • Fixed in: 7.5.3
  • 🟠 CVE-2026-23745 (HIGH) - tar
    • node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
    • Fixed in: 7.5.3
  • 🟠 CVE-2026-23745 (HIGH) - tar
    • node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
    • Fixed in: 7.5.3
  • 🟠 CVE-2026-23950 (HIGH) - tar
    • node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
    • Fixed in: 7.5.4
  • 🟠 CVE-2026-23950 (HIGH) - tar
    • node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
    • Fixed in: 7.5.4

... and 23 more vulnerabilities

📊 Detailed Security Reports

View detailed vulnerability reports in the GitHub Security tab.


🤖 Powered by Container Build Flow Action v1.2.0
💻 with ❤️ by Waren Gonzaga under WG Technology Labs, and Him 🙏

Contributor

Copilot AI left a comment


Pull request overview

This PR improves webhook idempotency and platform source detection, adds unit test coverage for the updated behavior, and includes small logging/config/dependency updates.

Changes:

  • Add Redis fingerprint-based deduplication (SET NX) alongside eventId deduplication in webhook processing.
  • Enhance platform detection to treat @mention and phone-number botName formats as the target platform.
  • Add Vitest unit tests for platform detection and deduplication flow; update @wgtechlabs/log-engine version and add .contributerc.json.

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 4 comments.

| File | Description |
|---|---|
| src/services/webhookService.ts | Adds fingerprint generation + claim, logs fingerprint, and expands botName pattern detection. |
| src/services/webhookService.test.ts | New unit tests covering validation, platform detection patterns, and dedup claim ordering. |
| src/services/redisService.ts | Refactors eventId key helpers and adds claimFingerprint() using Redis SET NX. |
| src/controllers/webhookController.ts | Standardizes log messages (removes emoji prefixes). |
| src/config/redis.ts | Adds fingerprintPrefix to Redis event tracking config. |
| package.json | Bumps @wgtechlabs/log-engine to 2.3.1. |
| pnpm-lock.yaml | Lockfile updates for @wgtechlabs/log-engine 2.3.1. |
| .gitignore | Adds .contributerc.json to ignores. |
| .contributerc.json | Adds Clean Commit / branching workflow configuration. |
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported
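
The fingerprint deduplication described in the pull request description and in the review overview above, as an added example that is not the project's code: an in-memory stand-in for Redis SET NX shows why the claim must be a single atomic step, and a canonical-JSON fingerprint shows why a retry with a new event ID still collides. How the project derives its fingerprint is not shown on the page, so the derivation, the event fields, the `fp:` prefix and the TTL here are assumptions.

```typescript
// Added example. Field names, key prefix and TTL are assumptions, not the project's code.
type WebhookEvent = { eventId: string; event: string; data: Record<string, unknown> };
// In-memory stand-in for Redis. setNX mirrors `SET key 1 NX PX ttl`: one atomic step.
class FakeRedis {
  private expiry: Record<string, number> = {};
  private now: () => number;
  constructor(now: () => number = Date.now) { this.now = now; }
  exists(key: string): boolean {
    return key in this.expiry && this.expiry[key] > this.now();
  }
  set(key: string, ttlMs: number): void { this.expiry[key] = this.now() + ttlMs; }
  setNX(key: string, ttlMs: number): boolean {
    if (this.exists(key)) return false; // already claimed and not yet expired
    this.set(key, ttlMs);
    return true; // this caller owns the event
  }
}

// Canonical JSON with sorted keys, so field order cannot change the fingerprint.
function canonical(value: unknown): string {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    const parts = Object.keys(obj).sort().map((k) => JSON.stringify(k) + ":" + canonical(obj[k]));
    return "{" + parts.join(",") + "}";
  }
  return JSON.stringify(value);
}

// eventId is left out on purpose: a retry may carry a new one for the same content.
// A real service would hash this string (e.g. SHA-256) to get a fixed-length key.
function fingerprint(e: WebhookEvent): string {
  return "fp:" + canonical({ event: e.event, data: e.data });
}

const TTL_MS = 60000;
// Two deliveries arrive interleaved; returns how many of them end up processed.
function deliverInterleaved(atomic: boolean, a: WebhookEvent, b: WebhookEvent): number {
  const redis = new FakeRedis();
  const ka = fingerprint(a), kb = fingerprint(b);
  if (atomic) return [redis.setNX(ka, TTL_MS), redis.setNX(kb, TTL_MS)].filter(Boolean).length;
  const seen = [redis.exists(ka), redis.exists(kb)]; // both check before either marks
  redis.set(ka, TTL_MS);
  redis.set(kb, TTL_MS);
  return seen.filter((s) => !s).length;
}

// Constructed sample: a retry with a new eventId and reordered fields, same content.
const first: WebhookEvent = { eventId: "evt-1", event: "message_created", data: { conversationId: "c-42", text: "hi" } };
const retry: WebhookEvent = { eventId: "evt-2", event: "message_created", data: { text: "hi", conversationId: "c-42" } };
```

With the separate check and mark, `deliverInterleaved(false, first, retry)` processes both deliveries; with the atomic claim only one gets through, and the key becomes claimable again once the TTL has elapsed.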

@warengonzaga warengonzaga merged commit 7d37269 into main Mar 3, 2026
6 checks passed