Skip to content

Security: fix eslint for DevExtreme#33631

Open
sjbur wants to merge 8 commits into
DevExpress:26_1from
sjbur:issue-4222_26_1
Open

Security: fix eslint for DevExtreme#33631
sjbur wants to merge 8 commits into
DevExpress:26_1from
sjbur:issue-4222_26_1

Conversation

@sjbur
Copy link
Copy Markdown
Contributor

@sjbur sjbur commented May 19, 2026

No description provided.

@sjbur sjbur self-assigned this May 19, 2026
@sjbur sjbur added the 26_1 label May 19, 2026
@sjbur sjbur marked this pull request as ready for review May 19, 2026 12:48
@sjbur sjbur force-pushed the issue-4222_26_1 branch from 09648e0 to e98da87 Compare May 20, 2026 11:20
@ajivanyandev ajivanyandev requested a review from Copilot May 20, 2026 12:09
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates demo utility scripts to execute external tooling in a safer/more lint-compliant way (moving away from string-based shell execution) as part of a security/eslint fix.

Changes:

  • ts-to-js-converter: switch TypeScript compilation from exec("tsc ...") to execFile(...) with argument arrays.
  • create-bundles (Angular): switch Angular build invocation from exec(...) to spawn(...) with platform-specific command/args.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
apps/demos/utils/ts-to-js-converter/converter.ts Uses execFile + argv arrays for running tsc during TS→JS conversion.
apps/demos/utils/create-bundles/Angular/bundler.ts Uses spawn + argv arrays for running npm run build-angular during Angular demo bundling.
Comments suppressed due to low confidence (1)

apps/demos/utils/create-bundles/Angular/bundler.ts:59

  • spawn can emit an error event (e.g. ENOENT when npm/cmd isn't found). In that case the close handler may never fire, so res() is never called and the batch processing hangs. Add an ngBuildProcess.on('error', ...) handler that reports the failure and resolves/rejects appropriately.
    const isWin = process.platform === 'win32';
    const [npmCmd, npmArgs] = isWin
      ? ['cmd', ['/c', 'npm.cmd', 'run', 'build-angular', '--', getProjectNameByDemo(demo)]]
      : ['npm', ['run', 'build-angular', '--', getProjectNameByDemo(demo)]];
    const ngBuildProcess = spawn(npmCmd, npmArgs);
    ngBuildProcess.stdout.on('data', (data) => {
      console.log(`stdout: ${data}`);
    });
    ngBuildProcess.stderr.on('data', (data) => {
      console.error(`stderr: ${data}`);
    });
    ngBuildProcess.on('close', (code) => {
      console.log(`child process exited with code ${code}`);
      res();
    });

Comment thread apps/demos/utils/ts-to-js-converter/converter.ts Outdated
Copilot AI review requested due to automatic review settings May 20, 2026 12:42
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

apps/demos/utils/create-bundles/Angular/bundler.ts:59

  • spawn(...) can emit an error event (e.g., if npm/cmd cannot be started). In that case, the close handler may never run and res() won’t be called, causing processDemo() to hang indefinitely. Add an ngBuildProcess.on('error', ...) handler that logs the error and calls res() (or otherwise terminates the batch).
    const ngBuildProcess = spawn(npmCmd, npmArgs);
    ngBuildProcess.stdout.on('data', (data) => {
      console.log(`stdout: ${data}`);
    });
    ngBuildProcess.stderr.on('data', (data) => {
      console.error(`stderr: ${data}`);
    });
    ngBuildProcess.on('close', (code) => {
      console.log(`child process exited with code ${code}`);
      res();
    });

Comment thread apps/demos/utils/create-bundles/Angular/bundler.ts Outdated
@sjbur
feat: copilot review
b01d7af 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Sergei Burkatskii <sergei.burkatskii@devexpress.com>
Copilot AI review requested due to automatic review settings May 20, 2026 12:48
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

apps/demos/utils/create-bundles/Angular/bundler.ts:54

  • spawn() can emit an error event (e.g., if npm/npm.cmd is not found). Right now there is no ngBuildProcess.on('error', ...) handler, which can cause an unhandled error and prevent res() from being called. Add an error handler that logs/propagates the failure and resolves/rejects appropriately.
    const isWin = process.platform === 'win32';
    const npmCmd = isWin ? 'npm.cmd' : 'npm';
    const npmArgs = ['run', 'build-angular', '--', getProjectNameByDemo(demo)];
    const ngBuildProcess = spawn(npmCmd, npmArgs);
    ngBuildProcess.stdout.on('data', (data) => {
      console.log(`stdout: ${data}`);
    });
    ngBuildProcess.stderr.on('data', (data) => {
      console.error(`stderr: ${data}`);
    });

Comment thread apps/demos/utils/create-bundles/Angular/bundler.ts
Comment on lines +48 to 51
const ngBuildProcess = spawn(npmCmd, npmArgs);
ngBuildProcess.stdout.on('data', (data) => {
console.log(`stdout: ${data}`);
});
Copy link
Copy Markdown
Contributor Author

@sjbur sjbur May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it is not related to the current changes

@sjbur sjbur closed this May 20, 2026
@sjbur sjbur reopened this May 20, 2026
Copilot AI review requested due to automatic review settings May 20, 2026 16:53
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

apps/demos/utils/create-bundles/Angular/bundler.ts:58

  • The Angular build result is treated as success regardless of whether npm run build-angular fails. The close handler always calls res() and ignores non-zero exit codes, and there’s also no error handler for cases like npm not being found (which would leave the Promise unresolved). Please propagate failures (e.g., reject/throw on code !== 0 and handle the error event) so the batching script can fail fast instead of continuing with broken bundles.
    const isWin = process.platform === 'win32';
    const npmCmd = isWin ? 'npm.cmd' : 'npm';
    const npmArgs = ['run', 'build-angular', '--', getProjectNameByDemo(demo)];
    const ngBuildProcess = spawn(npmCmd, npmArgs);
    ngBuildProcess.stdout.on('data', (data) => {
      console.log(`stdout: ${data}`);
    });
    ngBuildProcess.stderr.on('data', (data) => {
      console.error(`stderr: ${data}`);
    });
    ngBuildProcess.on('close', (code) => {
      console.log(`child process exited with code ${code}`);
      res();
    });

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@sjbur sjbur

Labels

26_1 force all tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sjbur @GoodDayForSurf @web-flow