
Copilot AI commented Jan 15, 2026

Addresses security feedback on using eval() in functional tests to extract and test the getMajorVersion function from extension.js.

Changes

  • Created scripts/utils.js: Shared module exporting getMajorVersion function
  • Updated extension.js: Import getMajorVersion from utils instead of inline definition
  • Updated scripts/functional-tests.js: Direct import replaces regex extraction + eval pattern

Before

// functional-tests.js
const content = fs.readFileSync(EXTENSION_JS, 'utf8');
const funcMatch = content.match(/const getMajorVersion = \(version\) => {[^}]+}/s);
cachedGetMajorVersion = eval(`(${funcMatch[0].replace('const getMajorVersion = ', '')})`);

After

// scripts/utils.js
function getMajorVersion(version) {
  if (!version) return null;
  const match = version.match(/^[~^>=<]*(\d+)/);
  return match ? parseInt(match[1], 10) : null;
}
module.exports = { getMajorVersion };

// extension.js & functional-tests.js
const { getMajorVersion } = require('./scripts/utils');

Eliminates eval() while maintaining identical functionality. All 31 functional tests pass.


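Added example (not code from the PR or the project): a table-driven check of `getMajorVersion` exactly as defined in `scripts/utils.js` above, run over constructed semver inputs so the direct-import style of test is visible end to end, plus a balance check showing why the old `[^}]+` regex extraction was brittle as well as unsafe. The sample inputs and the nested-brace source string are constructed for this example.

```javascript
// getMajorVersion as exported by scripts/utils.js (copied from the PR description).
function getMajorVersion(version) {
  if (!version) return null;
  const match = version.match(/^[~^>=<]*(\d+)/);
  return match ? parseInt(match[1], 10) : null;
}

// Constructed inputs with the result the regex actually yields.
// Caveats worth knowing: a leading "v" or whitespace is not stripped (null),
// and a 0.x major returns 0, which is falsy, so callers must compare to null.
const CASES = [
  ['1.2.3', 1], ['^1.2.3', 1], ['~2.0.0', 2], ['>=3.1.0 <4', 3], ['<4', 4],
  ['1.x', 1], ['10.0.0-beta.1', 10], ['0.1.0', 0],
  ['', null], [undefined, null], [null, null], ['latest', null],
  ['v1.2.3', null], [' 1.2.3', null],
];

// Runs every case through the real function; each row records pass/fail.
function checkAll(cases = CASES) {
  return cases.map(([input, expected]) => {
    const actual = getMajorVersion(input);
    return { input, expected, actual, ok: actual === expected };
  });
}

// Constructed source with a nested block inside the function body.
const SOURCE_WITH_NESTED_BRACE = `const getMajorVersion = (version) => {
  if (!version) { return null; }
  return 1;
};`;

// The pre-PR regex stops at the first "}", so it truncates a body that
// contains any nested braces. Returns true when the extracted text has
// balanced braces, i.e. could have been a complete function.
function extractedSourceIsBalanced(src = SOURCE_WITH_NESTED_BRACE) {
  const m = src.match(/const getMajorVersion = \(version\) => {[^}]+}/s);
  if (!m) return false;
  const opens = (m[0].match(/{/g) || []).length;
  const closes = (m[0].match(/}/g) || []).length;
  return opens === closes;
}

module.exports = { getMajorVersion, checkAll, extractedSourceIsBalanced };
```

Importing the function directly means the tests exercise the same code path `extension.js` runs, with no string matching or evaluation of file contents in between.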

Copilot AI and others added 2 commits January 15, 2026 04:17
Co-authored-by: mdaashir <85205726+mdaashir@users.noreply.github.com>
Co-authored-by: mdaashir <85205726+mdaashir@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add changes to address feedback on production enhancements" to "Remove eval() security risk by extracting getMajorVersion to shared module" Jan 15, 2026
Copilot AI requested a review from mdaashir January 15, 2026 04:20
@mdaashir mdaashir marked this pull request as ready for review January 15, 2026 05:41
Copilot AI review requested due to automatic review settings January 15, 2026 05:41

Copilot AI left a comment


Pull request overview

This PR removes a security vulnerability by eliminating the use of eval() in functional tests. The getMajorVersion utility function is extracted from extension.js into a new shared module scripts/utils.js, which is then imported by both the main extension and the functional tests.

Changes:

  • Created a new shared utility module scripts/utils.js with the getMajorVersion function
  • Updated extension.js to import getMajorVersion from the shared module instead of defining it inline
  • Updated scripts/functional-tests.js to import getMajorVersion directly instead of using regex extraction and eval()

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| scripts/utils.js | New shared utility module exporting getMajorVersion for extracting major version numbers from semver strings |
| scripts/functional-tests.js | Removed eval() security risk by importing getMajorVersion directly; eliminated helper function that extracted code via regex |
| extension.js | Refactored to import getMajorVersion from shared utils module instead of inline definition |


@mdaashir mdaashir merged commit 3a88ad1 into feature/production-enhancements-v2.3 Jan 15, 2026
6 checks passed
@mdaashir mdaashir deleted the copilot/sub-pr-1 branch January 15, 2026 05:44