New Features merge #2118
Updated package.json to include the latest version of baileys for improved functionality. Modified whatsapp.baileys.service.ts to adjust socket configuration, enhancing the stability and performance of the service.
Updated server.module.ts and monitor.service.ts to improve service initialization and monitoring logic. Modified main.ts to integrate changes. This enhances the application's performance and reliability.
Updated default values for WA_BUSINESS_TOKEN_WEBHOOK, WA_BUSINESS_URL, and WA_BUSINESS_VERSION in env.config.ts to 'evolution', 'https://graph.facebook.com', and 'v19.0' respectively. This change ensures that the application uses more appropriate defaults if environment variables are not set, improving reliability and consistency.
Updated package.json to include latest dependencies. Enhanced caching logic in cache.service.ts and rediscache.ts for better performance. Improved DTOs in chat.dto.ts, instance.dto.ts, and sendMessage.dto.ts for more robust data handling. Refined instance.controller.ts and chatwoot.service.ts to streamline API integrations. Adjusted authentication state management in use-multi-file-auth-state-db.ts, use-multi-file-auth-state-provider-files.ts, and use-multi-file-auth-state-redis-db.ts. These changes aim to optimize the system's performance and reliability.
Reordered imports in multiple files to resolve linting issues and improve code readability. This change does not impact the functionality but ensures the code adheres to the project's coding standards.
Refactored the use-multi-file-auth-state-db.ts to better handle edge cases in multi-file authentication state management. This change improves reliability and ensures more robust error handling, reducing potential issues during authentication.
Normalized event names by replacing underscores with dots and converting to lowercase. This ensures consistent naming conventions and prevents potential issues with queue bindings.
…service Modified whatsapp.baileys.service.ts to include handling for documentWithCaptionMessage. This change ensures that messages with documents having captions are properly processed, enhancing the service's message handling capabilities. No impact on existing functionalities.
Add -cwId- when findByName
Update package.json to use the new Baileys repository and modify the Whatsapp Baileys service to generate a pairing code. This change fixes the issue with the previous Baileys repository and improves the pairing process for Whatsapp. Changes: - Update package.json to use the new Baileys repository - Modify Whatsapp Baileys service to generate a pairing code - Fix issue with previous Baileys repository - Improve pairing process for Whatsapp
Fix global RabbitMQ queue name in `channel.service.ts` and update CHANGELOG.md. The queue name has been changed from `transformedWe` to `event`. This fix prevents queue errors and ensures correct functionality of inter-service communication.
This commit updates the changelog to reflect the release of version 1.8.2. The date of the release has been updated in the header of the changelog. No functional changes were made in this release. Modified: CHANGELOG.md
Explanation: This commit updates the package and documentation versions to v1.8.2. The package.json and swagger.yaml files were modified accordingly. These changes are mainly for maintenance purposes and do not affect the functionality of the application.
* Corretion in globall rabbitmq queue name * Improvement in the use of mongodb database for credentials * Fixed base64 in webhook for documentWithCaption * Fixed Generate pairing code
* Corretion in globall rabbitmq queue name * Improvement in the use of mongodb database for credentials * Fixed base64 in webhook for documentWithCaption * Fixed Generate pairing code
* Corretion in globall rabbitmq queue name * Improvement in the use of mongodb database for credentials * Fixed base64 in webhook for documentWithCaption * Fixed Generate pairing code
A new untracked file '.github/workflows/publish_docker_image_latest.yml' was added. This workflow will handle the process of publishing the latest Docker image. This change allows for easier and more automated deployment of the Node.js project.
…atch-1 Update publish_docker_image_v2.yml
…atch-2 Update publish_docker_image_v2.yml
Reviewer's Guide

This PR refactors the WhatsApp connection flow by centralizing socket creation, enhancing configuration and message handling, overhauls multi-file auth state persistence to use both MongoDB and local file storage, normalizes AMQP queue naming, updates dependencies and imports to the new baileys package with version bumps, and adds conditional provider initialization and minor Chatwoot service improvements.

Sequence diagram for WhatsApp connection flow refactor

```mermaid
sequenceDiagram
    participant S as BaileysStartupService
    participant C as ConfigService
    participant P as Proxy
    participant W as WASocket
    S->>C: get session config
    S->>P: (if proxy enabled) setup proxy agent
    S->>S: define auth state
    S->>W: create socket with config
    W-->>S: socket instance
    S->>S: eventHandler()
    S-->>Caller: return WASocket
```

Sequence diagram for multi-file auth state persistence (MongoDB + local file)

```mermaid
sequenceDiagram
    participant U as useMultiFileAuthStateDb
    participant F as LocalFileSystem
    participant M as MongoDB
    U->>F: writeData(key != 'creds')
    U->>M: writeData(key == 'creds')
    U->>F: readData(key != 'creds')
    U->>M: readData(key == 'creds')
    U->>F: removeData(key != 'creds')
    U->>M: removeData(key == 'creds')
```

Class diagram for BaileysStartupService refactor and socket creation

```mermaid
classDiagram
    class BaileysStartupService {
        +createClient(number?: string, mobile?: boolean): Promise<WASocket>
        +connectToWhatsapp(number?: string, mobile?: boolean): Promise<WASocket>
        +reloadConnection(): Promise<WASocket>
        -defineAuthState()
        -loadWebhook()
        -loadChatwoot()
        -loadSettings()
        -loadWebsocket()
        -loadRabbitmq()
        -loadSqs()
        -loadTypebot()
        -loadProxy()
        -loadChamaai()
        +findGroup(id: GroupJid, reply: 'inner' | 'out' = 'out')
        +fetchAllGroups(getParticipants: GetParticipant)
        +profilePictureUrl
        +get profileStatus()
        +eventHandler()
        +client: WASocket
        +instance: Instance
        +logger: Logger
        +configService: ConfigService
        +localProxy
        +localSettings
        +msgRetryCounterCache
        +userDevicesCache
        +endSession
        +phoneNumber
        +mobile
    }
    BaileysStartupService --|> ChannelStartupService
    class ChannelStartupService {
        +connectToWhatsapp()
        +reloadConnection()
        +findGroup()
        +fetchAllGroups()
        +instanceName
    }
```

Class diagram for useMultiFileAuthStateDb persistence overhaul

```mermaid
classDiagram
    class useMultiFileAuthStateDb {
        +useMultiFileAuthStateDb(coll: string): Promise
        -writeData(data, key)
        -readData(key)
        -removeData(key)
        -fileExists(file)
        -fixFileName(file)
        -localFile(key)
        -localFolder
        -sessionId
        -collection
        -client
        -logger
    }
    useMultiFileAuthStateDb --> AuthenticationState
    class AuthenticationState {
        +creds
        +keys
    }
    AuthenticationState --> keys
    class keys {
        +get(type, ids)
        +set(data)
    }
```

Flow diagram for AMQP queue naming normalization

```mermaid
flowchart TD
    A["event"] -->|replace _ with . and toLowerCase| B["eventName"]
    B --> C["queueName = instanceName.eventName"]
    C --> D["amqp.assertQueue(queueName)"]
    C --> E["amqp.bindQueue(queueName, exchangeName, eventName)"]
```
Hey there - I've reviewed your changes and found some issues that need to be addressed.
Blocking issues:
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
- An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. (link)
- Detected that function argument `file` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated. (link)
- Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. (link)
- Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. (link)
- Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first. (link)
- Detected that function argument `coll` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated. (link)
- Detected that function argument `key` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated. (link)
- Detected that function argument `key` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated. (link)
- Detected that function argument `key` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated. (link)
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location> `src/config/env.config.ts:369-371` </location>
<code_context>
GLOBAL_EVENTS: process.env?.WEBSOCKET_GLOBAL_EVENTS === 'true',
},
WA_BUSINESS: {
- TOKEN_WEBHOOK: process.env.WA_BUSINESS_TOKEN_WEBHOOK || '',
- URL: process.env.WA_BUSINESS_URL || '',
- VERSION: process.env.WA_BUSINESS_VERSION || '',
+ TOKEN_WEBHOOK: process.env.WA_BUSINESS_TOKEN_WEBHOOK || 'evolution',
+ URL: process.env.WA_BUSINESS_URL || 'https://graph.facebook.com',
+ VERSION: process.env.WA_BUSINESS_VERSION || 'v19.0',
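Review bot: The `TOKEN_WEBHOOK` line now falls back to the literal `'evolution'`, so every deployment that leaves `WA_BUSINESS_TOKEN_WEBHOOK` unset shares one token value that anyone can read in the repository. The `URL` and `VERSION` defaults are public constants and work as a convenience, but the token should have no default: fail at startup when it is unset, or keep it empty so the feature stays off until it is configured. Also note that `||` applies the fallback to an empty string, so setting the variable to `''` does not opt out of the default.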
</code_context>
<issue_to_address>
**🚨 suggestion (security):** Default WA_BUSINESS config values may expose sensitive endpoints.
Defaulting to hardcoded values for these configuration options can lead to accidental exposure in production. It's safer to enforce explicit configuration and avoid fallback defaults for sensitive settings.
```suggestion
TOKEN_WEBHOOK: process.env.WA_BUSINESS_TOKEN_WEBHOOK,
URL: process.env.WA_BUSINESS_URL,
VERSION: process.env.WA_BUSINESS_VERSION,
```
</issue_to_address>
### Comment 2
<location> `CHANGELOG.md:5` </location>
<code_context>
+
+### Fixed
+
+* Corretion in globall rabbitmq queue name
+* Improvement in the use of mongodb database for credentials
+* Fixed base64 in webhook for documentWithCaption
</code_context>
<issue_to_address>
**issue (typo):** Correct typos: 'Corretion' should be 'Correction' and 'globall' should be 'global'.
Update the line to 'Correction in global rabbitmq queue name' to address the typos.
```suggestion
* Correction in global rabbitmq queue name
```
</issue_to_address>
### Comment 3
<location> `.github/workflows/publish_docker_image_latest.yml:21` </location>
<code_context>
uses: docker/metadata-action@v5
</code_context>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>
### Comment 4
<location> `.github/workflows/publish_docker_image_latest.yml:27` </location>
<code_context>
uses: docker/setup-qemu-action@v3
</code_context>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>
### Comment 5
<location> `.github/workflows/publish_docker_image_latest.yml:30` </location>
<code_context>
uses: docker/setup-buildx-action@v3
</code_context>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>
### Comment 6
<location> `.github/workflows/publish_docker_image_latest.yml:33` </location>
<code_context>
uses: docker/login-action@v3
</code_context>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>
### Comment 7
<location> `.github/workflows/publish_docker_image_latest.yml:40` </location>
<code_context>
uses: docker/build-push-action@v5
</code_context>
<issue_to_address>
**security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha):** An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
*Source: opengrep*
</issue_to_address>
### Comment 8
<location> `src/utils/use-multi-file-auth-state-db.ts:21` </location>
<code_context>
const stat = await fs.stat(file);
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.detect-non-literal-fs-filename):** Detected that function argument `file` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.
*Source: opengrep*
</issue_to_address>
### Comment 9
<location> `src/utils/use-multi-file-auth-state-db.ts:41` </location>
<code_context>
const localFolder = path.join(INSTANCE_DIR, sessionId);
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.path-traversal.path-join-resolve-traversal):** Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
*Source: opengrep*
</issue_to_address>
### Comment 10
<location> `src/utils/use-multi-file-auth-state-db.ts:42` </location>
<code_context>
const localFile = (key: string) => path.join(localFolder, fixFileName(key) + '.json');
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.path-traversal.path-join-resolve-traversal):** Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
*Source: opengrep*
</issue_to_address>
### Comment 11
<location> `src/utils/use-multi-file-auth-state-db.ts:42` </location>
<code_context>
const localFile = (key: string) => path.join(localFolder, fixFileName(key) + '.json');
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.path-traversal.path-join-resolve-traversal):** Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
*Source: opengrep*
</issue_to_address>
### Comment 12
<location> `src/utils/use-multi-file-auth-state-db.ts:43` </location>
<code_context>
await fs.mkdir(localFolder, { recursive: true });
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.detect-non-literal-fs-filename):** Detected that function argument `coll` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.
*Source: opengrep*
</issue_to_address>
### Comment 13
<location> `src/utils/use-multi-file-auth-state-db.ts:50` </location>
<code_context>
await fs.writeFile(localFile(key), dataString);
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.detect-non-literal-fs-filename):** Detected that function argument `key` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.
*Source: opengrep*
</issue_to_address>
### Comment 14
<location> `src/utils/use-multi-file-auth-state-db.ts:74` </location>
<code_context>
const rawData = await fs.readFile(localFile(key), { encoding: 'utf-8' });
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.detect-non-literal-fs-filename):** Detected that function argument `key` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.
*Source: opengrep*
</issue_to_address>
### Comment 15
<location> `src/utils/use-multi-file-auth-state-db.ts:96` </location>
<code_context>
await fs.unlink(localFile(key));
</code_context>
<issue_to_address>
**security (javascript.lang.security.audit.detect-non-literal-fs-filename):** Detected that function argument `key` has entered the fs module. An attacker could potentially control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are validated.
*Source: opengrep*
</issue_to_address>
### Comment 16
<location> `src/utils/use-multi-file-auth-state-db.ts:15-16` </location>
<code_context>
const replacedColon = replacedSlash.replace(/:/g, '-');
return replacedColon;
</code_context>
<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/inline-immediately-returned-variable))
```suggestion
return replacedSlash.replace(/:/g, '-');
```
<br/><details><summary>Explanation</summary>Something that we often see in people's code is assigning to a result variable
and then immediately returning it.
Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.
Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
</details>
</issue_to_address>
### Comment 17
<location> `src/utils/use-multi-file-auth-state-db.ts:70-91` </location>
<code_context>
</code_context>
<issue_to_address>
**issue (code-quality):** Avoid function declarations, favouring function assignment expressions, inside blocks. ([`avoid-function-declarations-in-blocks`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-function-declarations-in-blocks))
<details><summary>Explanation</summary>Function declarations may be hoisted in Javascript, but the behaviour is inconsistent between browsers.
Hoisting is generally confusing and should be avoided. Rather than using function declarations inside blocks, you
should use function expressions, which create functions in-scope.
</details>
</issue_to_address>
### Comment 18
<location> `src/utils/use-multi-file-auth-state-db.ts:76-77` </location>
<code_context>
const parsedData = JSON.parse(rawData, BufferJSON.reviver);
return parsedData;
</code_context>
<issue_to_address>
**suggestion (code-quality):** Inline variable that is immediately returned ([`inline-immediately-returned-variable`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/inline-immediately-returned-variable))
```suggestion
return JSON.parse(rawData, BufferJSON.reviver);
```
<br/><details><summary>Explanation</summary>Something that we often see in people's code is assigning to a result variable
and then immediately returning it.
Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.
Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
</details>
</issue_to_address>
### Comment 19
<location> `src/utils/use-multi-file-auth-state-db.ts:93-105` </location>
<code_context>
</code_context>
<issue_to_address>
**issue (code-quality):** Avoid function declarations, favouring function assignment expressions, inside blocks. ([`avoid-function-declarations-in-blocks`](https://docs.sourcery.ai/Reference/Rules-and-In-Line-Suggestions/TypeScript/Default-Rules/avoid-function-declarations-in-blocks))
<details><summary>Explanation</summary>Function declarations may be hoisted in Javascript, but the behaviour is inconsistent between browsers.
Hoisting is generally confusing and should be avoided. Rather than using function declarations inside blocks, you
should use function expressions, which create functions in-scope.
</details>
</issue_to_address>

Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
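
The path-traversal findings above concern `path.join(INSTANCE_DIR, sessionId)` and `localFile(key)`. One way to validate both inputs before they reach `fs`, as an added example that is not the project's code: the `INSTANCE_DIR` value, the `/` to `__` step in `fixFileName`, and the helpers `assertSegment`, `resolveInside` and `isRejected` are assumptions.

```javascript
const path = require('node:path');

// Assumed location; the page does not show how INSTANCE_DIR is defined.
const INSTANCE_DIR = path.resolve('/srv/app/instances');

// The ':' -> '-' step is the one quoted in the review. The '/' -> '__' step is
// an assumption: the page shows only the variable name `replacedSlash`.
function fixFileName(file) {
  return file.replace(/\//g, '__').replace(/:/g, '-');
}

// Allow-list for one path segment: it must start with an alphanumeric (so '.',
// '..' and dotfiles fail) and cannot contain '/', '\', NUL or whitespace.
const SEGMENT_RE = /^[A-Za-z0-9][A-Za-z0-9._+=@-]{0,199}$/;

function assertSegment(value, label) {
  if (typeof value !== 'string' || !SEGMENT_RE.test(value)) {
    throw new Error(`invalid ${label}: ${JSON.stringify(value)}`);
  }
}

// Defence in depth: resolve the final path and require it to sit strictly
// below `base`. path.relative avoids the prefix pitfall where
// '/srv/app/instances-backup' passes a naive startsWith('/srv/app/instances').
// This is a lexical check; it does not follow symlinks.
function resolveInside(base, ...segments) {
  const root = path.resolve(base);
  const target = path.resolve(root, ...segments);
  const rel = path.relative(root, target);
  const escapes =
    rel === '' ||
    rel === '..' ||
    rel.startsWith('..' + path.sep) ||
    path.isAbsolute(rel);
  if (escapes) throw new Error(`path escapes ${root}: ${target}`);
  return target;
}

// Hardened counterpart of `path.join(INSTANCE_DIR, sessionId)`.
function localFolder(sessionId) {
  assertSegment(sessionId, 'sessionId');
  return resolveInside(INSTANCE_DIR, sessionId);
}

// Hardened counterpart of `path.join(localFolder, fixFileName(key) + '.json')`.
function localFile(sessionId, key) {
  if (typeof key !== 'string') throw new TypeError('key must be a string');
  const name = fixFileName(key) + '.json';
  assertSegment(name, 'key');
  return resolveInside(localFolder(sessionId), name);
}

// Demo helper: true when the call throws.
function isRejected(fn) {
  try {
    fn();
    return false;
  } catch {
    return true;
  }
}

// Constructed inputs: two ordinary keys and three that must be refused.
const SAMPLES = [
  ['tenant-a', 'pre-key-1'],
  ['tenant-a', 'app-state-sync-key-AB/CD:1'],
  ['../../etc', 'creds'],
  ['tenant-a', '..\\..\\secrets'],
  ['tenant-a', '.env'],
];

function classifySamples() {
  return SAMPLES.map(([sessionId, key]) => {
    try {
      return { sessionId, key, result: localFile(sessionId, key) };
    } catch (err) {
      return { sessionId, key, result: `rejected (${err.message})` };
    }
  });
}

for (const row of classifySamples()) {
  console.log(JSON.stringify([row.sessionId, row.key]), '->', row.result);
}
```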
src/config/env.config.ts
Outdated
| TOKEN_WEBHOOK: process.env.WA_BUSINESS_TOKEN_WEBHOOK || '', | ||
| URL: process.env.WA_BUSINESS_URL || '', | ||
| VERSION: process.env.WA_BUSINESS_VERSION || '', |
🚨 suggestion (security): Default WA_BUSINESS config values may expose sensitive endpoints.
Defaulting to hardcoded values for these configuration options can lead to accidental exposure in production. It's safer to enforce explicit configuration and avoid fallback defaults for sensitive settings.
| TOKEN_WEBHOOK: process.env.WA_BUSINESS_TOKEN_WEBHOOK || '', | |
| URL: process.env.WA_BUSINESS_URL || '', | |
| VERSION: process.env.WA_BUSINESS_VERSION || '', | |
| TOKEN_WEBHOOK: process.env.WA_BUSINESS_TOKEN_WEBHOOK, | |
| URL: process.env.WA_BUSINESS_URL, | |
| VERSION: process.env.WA_BUSINESS_VERSION, |
|
|
||
| ### Fixed | ||
|
|
||
| * Corretion in globall rabbitmq queue name |
issue (typo): Correct typos: 'Corretion' should be 'Correction' and 'globall' should be 'global'.
Update the line to 'Correction in global rabbitmq queue name' to address the typos.
| * Corretion in globall rabbitmq queue name | |
| * Correction in global rabbitmq queue name |
|
|
||
| - name: Docker meta | ||
| id: meta | ||
| uses: docker/metadata-action@v5 |
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
| tags: latest | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 |
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 |
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
|
|
||
| - name: Build and push | ||
| id: docker_build | ||
| uses: docker/build-push-action@v5 |
security (yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha): An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.
Source: opengrep
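
The pinning check described in the comments above, run over the `uses:` lines quoted in this review, as an added example that is not part of the PR or of opengrep. The function name `findUnpinnedActions`, the login step's name, the local action and the `example-org/example-action` entry with its placeholder SHA are constructed.

```javascript
// Constructed workflow fragment. The five docker/* `uses:` values are the ones
// quoted in the review; the last two steps are constructed for contrast.
const WORKFLOW = `
steps:
  - name: Docker meta
    id: meta
    uses: docker/metadata-action@v5
  - name: Set up QEMU
    uses: docker/setup-qemu-action@v3
  - name: Set up Docker Buildx
    uses: docker/setup-buildx-action@v3
  - name: Login (constructed step name)
    uses: docker/login-action@v3
  - name: Build and push
    id: docker_build
    uses: docker/build-push-action@v5
  - uses: ./.github/actions/local-step
  - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
`;

// A full-length Git commit SHA-1 is exactly 40 hex characters. Tags, branches
// and abbreviated SHAs are all mutable or ambiguous references.
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Line-based scan (a simplification: no YAML parser, so multi-line scalars are
// not handled). Flags every remote `uses:` reference that is not pinned to a
// full SHA, without distinguishing first-party from third-party owners.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((line, index) => {
    const match = line.match(/^\s*(?:-\s*)?uses:\s*["']?([^\s"'#]+)/);
    if (!match) return;

    const ref = match[1];
    // Local actions live in the same commit; docker:// images are pinned by
    // digest rather than by Git SHA, so both are out of scope here.
    if (ref.startsWith('./') || ref.startsWith('docker://')) return;

    const at = ref.lastIndexOf('@');
    const action = at === -1 ? ref : ref.slice(0, at);
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!FULL_SHA.test(version)) {
      findings.push({ line: index + 1, action, ref: version || '(none)' });
    }
  });
  return findings;
}

for (const f of findUnpinnedActions(WORKFLOW)) {
  console.log(`line ${f.line}: ${f.action}@${f.ref} is not pinned to a full commit SHA`);
}
```

A pinned entry keeps the human-readable version as a trailing comment, as the last constructed step does, so updates remain reviewable.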
| const replacedColon = replacedSlash.replace(/:/g, '-'); | ||
| return replacedColon; |
suggestion (code-quality): Inline variable that is immediately returned (inline-immediately-returned-variable)
| const replacedColon = replacedSlash.replace(/:/g, '-'); | |
| return replacedColon; | |
| return replacedSlash.replace(/:/g, '-'); | |
Explanation
Something that we often see in people's code is assigning to a result variable and then immediately returning it.
Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.
Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
| async function readData(key: string): Promise<any> { | ||
| try { | ||
| await client.connect(); | ||
| let data = (await collection.findOne({ _id: key })) as any; | ||
| if (data?.content_array) { | ||
| data = data.content_array; | ||
| if (key != 'creds') { | ||
| if (!(await fileExists(localFile(key)))) return null; | ||
| const rawData = await fs.readFile(localFile(key), { encoding: 'utf-8' }); | ||
|
|
||
| const parsedData = JSON.parse(rawData, BufferJSON.reviver); | ||
| return parsedData; | ||
| } else { | ||
| await client.connect(); | ||
| let data = (await collection.findOne({ _id: key })) as any; | ||
| if (data?.content_array) { | ||
| data = data.content_array; | ||
| } | ||
| const creds = JSON.stringify(data); | ||
| return JSON.parse(creds, BufferJSON.reviver); | ||
| } | ||
| const creds = JSON.stringify(data); | ||
| return JSON.parse(creds, BufferJSON.reviver); | ||
| } catch (error) { | ||
| logger.error(error); | ||
| return null; | ||
| } | ||
| }; | ||
| } |
issue (code-quality): Avoid function declarations, favouring function assignment expressions, inside blocks. (avoid-function-declarations-in-blocks)
Explanation
Function declarations may be hoisted in Javascript, but the behaviour is inconsistent between browsers. Hoisting is generally confusing and should be avoided. Rather than using function declarations inside blocks, you should use function expressions, which create functions in-scope.
| const parsedData = JSON.parse(rawData, BufferJSON.reviver); | ||
| return parsedData; |
suggestion (code-quality): Inline variable that is immediately returned (inline-immediately-returned-variable)
| const parsedData = JSON.parse(rawData, BufferJSON.reviver); | |
| return parsedData; | |
| return JSON.parse(rawData, BufferJSON.reviver); | |
Explanation
Something that we often see in people's code is assigning to a result variable and then immediately returning it.
Returning the result directly shortens the code and removes an unnecessary
variable, reducing the mental load of reading the function.
Where intermediate variables can be useful is if they then get used as a
parameter or a condition, and the name can act like a comment on what the
variable represents. In the case where you're returning it from a function, the
function name is there to tell you what the result is, so the variable name
is unnecessary.
| async function removeData(key: string): Promise<any> { | ||
| try { | ||
| await client.connect(); | ||
| return await collection.deleteOne({ _id: key }); | ||
| if (key != 'creds') { | ||
| await fs.unlink(localFile(key)); | ||
| } else { | ||
| await client.connect(); | ||
| return await collection.deleteOne({ _id: key }); | ||
| } | ||
| } catch (error) { | ||
| logger.error(error); | ||
| return; | ||
| } | ||
| }; | ||
| } |
issue (code-quality): Avoid function declarations, favouring function assignment expressions, inside blocks. (avoid-function-declarations-in-blocks)
Summary by Sourcery
Refactor WhatsApp service initialization and authentication storage, migrate to the baileys package, normalize RabbitMQ event publishing, tighten configuration defaults, fix various webhook and status-fetching bugs, and add CI for Docker image publishing.