refactor: remove dead code, unused exports and redundant dependencies

- drop dotenv (Node 24 process.loadEnvFile) and dompurify (only used by dead code)
- delete unused ui components/hooks (card, progress, checkbox, use-confirm, use-prompt)
- delete dead sanitizeHtml/sanitizeCss, url-security helpers, patch-resume tool,
  schema/page, createResumePatches, patch-proposal preview builder, fonts fallback helpers
- inline single-caller wrappers (flags service, auth getSession, pdf renderer passthrough)
- deduplicate template color helpers into shared/color-helpers
- unexport 50+ internal-only symbols, remove dead export-map entries
- replace hand-rolled unique()/useIsMobile with Set spread and usehooks-ts
This commit is contained in:
Amruth Pillai
2026-07-03 20:03:50 +02:00
parent 2a80e6a1df
commit a4999c04af
107 changed files with 1222 additions and 3894 deletions
+1 -77
View File
@@ -1,11 +1,5 @@
import { describe, expect, it } from "vitest";
import {
isAllowedExternalUrl,
isAllowedOAuthRedirectUri,
isPrivateOrLoopbackHost,
parseAllowedHostList,
parseUrl,
} from "./url-security.node";
import { isAllowedOAuthRedirectUri, isPrivateOrLoopbackHost, parseUrl } from "./url-security.node";
describe("isPrivateOrLoopbackHost", () => {
it.each([
@@ -248,76 +242,6 @@ describe("parseUrl", () => {
});
});
describe("parseAllowedHostList", () => {
it("returns empty Set for undefined", () => {
expect(parseAllowedHostList()).toEqual(new Set());
});
it("returns empty Set for empty string", () => {
expect(parseAllowedHostList("")).toEqual(new Set());
});
it("parses single host", () => {
expect(parseAllowedHostList("example.com")).toEqual(new Set(["example.com"]));
});
it("parses comma-separated list", () => {
expect(parseAllowedHostList("example.com,api.example.com")).toEqual(new Set(["example.com", "api.example.com"]));
});
it("trims whitespace around entries", () => {
expect(parseAllowedHostList(" a.com , b.com ")).toEqual(new Set(["a.com", "b.com"]));
});
it("lowercases entries", () => {
expect(parseAllowedHostList("Example.COM")).toEqual(new Set(["example.com"]));
});
it("filters out empty entries", () => {
expect(parseAllowedHostList("a.com,,b.com,")).toEqual(new Set(["a.com", "b.com"]));
});
});
describe("isAllowedExternalUrl", () => {
const allowed = new Set(["api.example.com", "https://full.example.com"]);
it("returns false for malformed URLs", () => {
expect(isAllowedExternalUrl("not a url", allowed)).toBe(false);
});
it("returns false for non-https protocols", () => {
expect(isAllowedExternalUrl("http://api.example.com", allowed)).toBe(false);
expect(isAllowedExternalUrl("ftp://api.example.com", allowed)).toBe(false);
});
it("returns false when URL contains credentials", () => {
expect(isAllowedExternalUrl("https://user:pass@api.example.com", allowed)).toBe(false);
expect(isAllowedExternalUrl("https://user@api.example.com", allowed)).toBe(false);
});
it("returns false for private/loopback hosts", () => {
expect(isAllowedExternalUrl("https://localhost", allowed)).toBe(false);
expect(isAllowedExternalUrl("https://127.0.0.1", allowed)).toBe(false);
expect(isAllowedExternalUrl("https://192.168.1.1", allowed)).toBe(false);
});
it("matches by hostname", () => {
expect(isAllowedExternalUrl("https://api.example.com/path", allowed)).toBe(true);
});
it("matches by full origin", () => {
expect(isAllowedExternalUrl("https://full.example.com/x", allowed)).toBe(true);
});
it("rejects non-listed hostnames", () => {
expect(isAllowedExternalUrl("https://evil.com", allowed)).toBe(false);
});
it("matches case-insensitively in hostname", () => {
expect(isAllowedExternalUrl("https://API.EXAMPLE.COM", allowed)).toBe(true);
});
});
describe("isAllowedOAuthRedirectUri", () => {
const trustedOrigins = ["https://app.example.com"];