feat(instructions): update security, a11y, and performance to 2025-2026 standards#1270
main, but PRs should target staged.
The main branch is auto-published from staged and should not receive direct PRs.
Please close this PR and re-open it against the staged branch.
You can change the base branch using the Edit button at the top of this PR,
or run: gh pr edit 1270 --base staged
…26 standards Security: OWASP 2025 (55 anti-patterns, AI/LLM section, 6 frameworks) Accessibility: WCAG 2.2 AA (38 anti-patterns, legal context EAA/ADA, 4 frameworks) Performance: CWV (50 anti-patterns, Next.js 16, Angular 20, modern APIs)
…everity - SSRF: replace "full DNS/IP validation" with accurate wording that acknowledges TOCTOU limitation - V5: downgrade prefers-reduced-motion from IMPORTANT to SUGGESTION, remove 2.2.2 (A) reference since it's an AAA enhancement
The heading said "Weak Password Hash (MD5/SHA1)" but the detection regex and BAD example both use SHA-256. Renamed to "Fast Hash for Passwords" which better describes the actual anti-pattern.
aaronpowell
left a comment
The README needs to be updated with the change to the instructions. Run npm run build to update them.
Resolve .codespellrc conflict (added both Vertexes and nin). Run npm run build to regenerate docs/README.instructions.md.
Got it. Done!
SC 4.1.1 Parsing is still present in the WCAG 2.2 spec but marked as obsolete (always satisfied). Changed wording from "removed" to "obsolete" for accuracy.
Merged
Also addressed Copilot's review comment: updated the WCAG 2.2 SC 4.1.1 note from "removed" to "obsolete (always satisfied)" for accuracy — the criterion is still present in the spec but has no normative effect. CI should pass now.
Copy-pasting the I1 SQL injection example as a single block failed with a TypeScript redeclaration error because both BAD and GOOD snippets used `const result`. Rename to `unsafeResult`/`safeResult` so the block remains copy-pasteable into a single scope.
The I3 command injection example used `execFileSync` in both BAD and GOOD paths, which (a) redeclared `const output` in the same block and (b) blocks the Node event loop in server handlers, amplifying DoS impact. Switch the GOOD/BEST paths to a promisified `execFile` call with explicit `timeout` and `maxBuffer` bounds, and rename variables to `unsafeOutput`/`safeOutput` so the snippet stays copy-pasteable. Add a trailing note recommending async child_process APIs for server code.
The AU6 heading claimed "Session Not Invalidated on Password Change" but the mitigation example showed `req.session.regenerate`, which is the canonical defense against session fixation on login rather than bulk invalidation after a credential change. Rename the anti-pattern to "Missing Session Regeneration on Login (Session Fixation)" so it matches the example, and add a trailing note pointing to the complementary practice of invalidating other active sessions for the user on password change (e.g., via a `tokenVersion` counter).
The L1 "GOOD" snippet relied on an inline `onload="this.media='all'"` handler on a `<link>` tag. Under a strict CSP that disallows `'unsafe-inline'` / `script-src-attr 'unsafe-inline'`, inline event handlers are blocked, so the stylesheet would never activate and users would hit a styling regression. Replace the pattern with build-time critical CSS extraction (Critters/Beasties/Next.js `optimizeCss`) plus a normal `<link rel="preload" as="style">` and standard `<link rel="stylesheet">`. Add a trailing note explaining why the older inline-onload trick breaks under strict CSP and how to defer non-critical CSS with an external script when deferral is truly needed.
Summary
Comprehensive update to 3 core instruction files, bringing them up to date with current standards (April 2026):
- security-and-owasp
- a11y
- performance-optimization
What changed
- Security (security-and-owasp.instructions.md)
- Accessibility (a11y.instructions.md): <dialog>, inert attribute, WCAG 3.0 note
- Performance (performance-optimization.instructions.md): …"use cache"), Angular 20 (zoneless, incremental hydration), React 19 (Compiler), Vue 3.6 (Vapor Mode)
Anti-pattern format
Each anti-pattern has: severity, detection regex, standard reference (OWASP/WCAG/CWV), and framework-specific code fix.
Verified against