Skip to content

feat: changelog - formatted links, more git providers & copy markdown#2983

Open
WilcoSp wants to merge 302 commits into
npmx-dev:mainfrom
WilcoSp:changelog/format-link+git-providers+copy-markdown
Open

feat: changelog - formatted links, more git providers & copy markdown#2983
WilcoSp wants to merge 302 commits into
npmx-dev:mainfrom
WilcoSp:changelog/format-link+git-providers+copy-markdown

Conversation

@WilcoSp

@WilcoSp WilcoSp commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

preview

🔗 Linked issue

🧭 Context

  • Adding support for more git providers
  • Adding formatting for issues, pr/mr, commits, accounts and compare from plaintext to formatted link and unformatted link to a formatted link
  • adds button to copy the markdown from

📚 Description

  • Before only github was supported, in this pr also other git providers will be added and are included with the other 2 additions
    added providers:
    • Codeberg & Forgejo
    • Gitlab
    • tangled (does current have both issue & pr as #, will in the future change due to tangled not having shorthands yet)
      (the following aren't required for this pr, just nice to have and are here if review takes long)
    • bitbucket
    • Gitea
    • Radicle
    • Sourcehut
    • Gitee

Adding support to format links to the git providers (same repo only):

  • convert unformatted links for issues, pr/mr, commit & compare to a formatted link
  • convert plaintext issues, pr/mr, account & commit to formatted links to the git providers

Added button to allow copying the raw markdown

  • copy from release
  • copy from changelog.md

I did only use AI for some of the regular expressions

this pr continued from #2717 which continued from the pr before, that's why there are so many commits

autofix-ci Bot and others added 30 commits February 26, 2026 22:51
added scroll margin classes
ensuring to navigate to hash if present
… back

releases title's will now use slugify instead of encodeUri to fix issues with encoding

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 12

🧹 Nitpick comments (3)
server/api/changelog/releases/[provider]/[owner]/[repo]/raw/[tag].get.ts (1)

116-127: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Set User-Agent header for Forgejo and GitLab API calls.

getMarkdownFromGithub sets User-Agent: 'npmx.dev', but getMarkdownFromForgejo and getMarkdownFromGitlab don't. The detection functions in detectChangelog.ts do set this header for the same APIs. Some Forgejo/GitLab instances may reject requests without a User-Agent.

♻️ Proposed fix
 async function getMarkdownFromForgejo(
   owner: string,
   repo: string,
   tag: string,
   host: string = 'codeberg.org',
 ) {
-  const data = await $fetch(`https://${host}/api/v1/repos/${owner}/${repo}/releases/tags/${tag}`)
+  const data = await $fetch(`https://${host}/api/v1/repos/${owner}/${repo}/releases/tags/${encodeURIComponent(tag)}`, {
+    headers: {
+      'User-Agent': 'npmx.dev',
+      'accept': 'application/json',
+    },
+  })
   const release = v.parse(ForgejoReleaseSchama, data)
   return release.body
 }
 
 async function getMarkdownFromGitlab(
   owner: string,
   repo: string,
   tag: string,
   host: string = 'gitlab.com',
 ) {
   owner = decodeURIComponent(owner)
   const repoPath = encodeURIComponent(`${owner}/${repo}`)
-  const data = await $fetch(`https://${host}/api/v4/projects/${repoPath}/releases/${tag}`)
+  const data = await $fetch(`https://${host}/api/v4/projects/${repoPath}/releases/${encodeURIComponent(tag)}`, {
+    headers: {
+      'User-Agent': 'npmx.dev',
+      'accept': 'application/json',
+    },
+  })
   const release = v.parse(GitlabReleaseSchame, data)
   return release.description
 }

Also applies to: 129-143

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/api/changelog/releases/`[provider]/[owner]/[repo]/raw/[tag].get.ts
around lines 116 - 127, Update getMarkdownFromForgejo and getMarkdownFromGitlab
so their $fetch API requests include the same User-Agent header as
getMarkdownFromGithub, using the value npmx.dev. Preserve the existing request
URLs and response parsing.
server/utils/changelog/detectChangelog.ts (1)

106-114: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Add a timeout to the fetch call in checkFiles.

The global fetch has no timeout, so a slow or unresponsive provider will hang the request indefinitely. While .catch(() => false) handles errors, a hung connection never triggers the catch. Consider using AbortController or switching to $fetch with a timeout option.

♻️ Proposed fix using AbortSignal.timeout
     const exists = await fetch(resolveURL(baseUrl.raw, dir ?? '', fileName), {
       headers: {
         // GitHub API requires User-Agent
         'User-Agent': 'npmx.dev',
       },
       method: ref.provider != 'tangled' ? 'HEAD' : 'GET', // we just need to know if it exists or not, tangled doesn't support HEAD
+      signal: AbortSignal.timeout(5000),
     })
       .then(r => r.ok)
       .catch(() => false)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@server/utils/changelog/detectChangelog.ts` around lines 106 - 114, Update the
fetch call in checkFiles to enforce a finite timeout, using AbortSignal.timeout
or an equivalent AbortController signal, while preserving the existing URL,
headers, method selection, and false-on-error behavior.
app/components/Changelog/Markdown.vue (1)

24-26: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Non-obvious guard could use a brief comment.

typeof data.value == 'string' isn't self-explanatory — presumably guarding against the union response type this endpoint can return (object vs raw string) depending on the raw query used elsewhere in this file. A short comment would help future readers.

As per coding guidelines, "Add comments only to explain complex logic or non-obvious implementations."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@app/components/Changelog/Markdown.vue` around lines 24 - 26, Add a brief
explanatory comment immediately above the typeof data.value == 'string' guard in
the watchEffect callback, clarifying that the endpoint may return either a
parsed object or raw string depending on the raw query. Keep the existing guard
and behavior unchanged.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@app/components/Button/CopyMd.vue`:
- Around line 15-36: Update prefetchMarkdown and the fetch condition inside
copyMarkdown so status === 'error' retries fetchMarkdown before copying,
preventing stale or empty markdown after transient failures. Preserve the
existing idle/pending behavior and ensure copying proceeds only with the
refreshed result or surfaces the fetch failure.

In `@app/components/Changelog/Releases.vue`:
- Around line 11-21: Pass the existing host value from Releases.vue into each
ChangelogCard, then update ChangelogCard’s raw release useLazyFetch query to
include host alongside the existing parameters. Ensure the raw endpoint receives
the self-hosted host instead of falling back to its default.

In `@server/api/changelog/md/`[provider]/[owner]/[repo]/[...path].get.ts:
- Around line 19-20: The changelog fetch path must not pass arbitrary host
values from the host query parameter into server-side requests. Update the
validation and fetch flow around the parsed host, including the logic at lines
32-46, to reuse a shared outbound-host validator that validates URL structure,
resolved addresses, and every redirect, or enforce the established host
allowlist before fetching and returning raw content.
- Around line 93-101: Add a `tangled` case to the `getRepoInfo()` provider
switch and dispatch to the existing `createTangledInfo` function with the
appropriate repository parameters, so Tangled repositories return their info
instead of falling through as undefined. Preserve the existing dispatch behavior
for GitHub, Forgejo/Codeberg, and GitLab.

In `@server/api/changelog/releases/`[provider]/[owner]/[repo].get.ts:
- Around line 37-41: Add a `tangled` branch to the provider switch alongside the
existing Forgejo and GitLab cases, routing through a dedicated
`getReleasesFromTangled` fetcher with the appropriate owner, repository, and
host values. Ensure the endpoint’s provider-specific release retrieval and
rendering path covers Tangled requests consistently with the advertised support.
- Around line 23-24: Validate the optional host from the query before it reaches
the Forgejo and GitLab $fetch URL construction, allowing only approved public
destinations or an explicit host allowlist. Apply the same protection to every
provider request and validate each redirect target to block private, loopback,
link-local, reserved, and DNS-rebinding addresses; reject invalid hosts before
fetching.

In `@server/api/changelog/releases/`[provider]/[owner]/[repo]/raw/[tag].get.ts:
- Line 75: URL-encode the decoded tag route parameter in the upstream API URL
construction for all three provider functions. Update each URL template using
tag to apply encodeURIComponent(tag), while leaving owner, repo, and the
surrounding request behavior unchanged.
- Around line 17-18: Validate the user-controlled host from rawQuery before
constructing any upstream URL. Add or reuse a validateHost(provider, host) guard
that permits only approved Git hosting providers (or otherwise enforces valid
public hostnames and rejects private, loopback, and link-local ranges), then
invoke it in the raw release flow before the provider-specific API calls; apply
the same protection to the corresponding releases endpoint and every listed host
usage.

In `@server/utils/changelog/detectChangelog.ts`:
- Around line 243-248: Update ROOT_ONLY_REGEX and both directory-filter
conditions in checkLatestForgejoRelease and checkLatestGitlabRelease so
extracted root-level paths such as changelog.md match without a leading slash,
while nested paths still require the configured directory prefix.

In `@server/utils/changelog/markdown.ts`:
- Line 239: Update accountRegex and the corresponding matching logic at the
referenced usage to exclude @ segments from email addresses and package-version
suffixes such as package@latest, while preserving valid standalone account
mentions. Ensure both account-matching paths use the same corrected boundary
behavior.
- Line 100: Update the textFilter configuration to prevent
createResolveGitTextToLinks from emitting unsafe raw anchor markup from
request-derived host, owner, or repo values; build links before sanitization or
HTML-escape both generated URLs and labels before insertion. Add a regression
test covering quote-containing repository components and verify the resulting
href and text cannot inject markup.

In `@shared/utils/constants.ts`:
- Line 48: Update the ERROR_CHANGELOG_NOT_FOUND constant’s user-facing message
to use “was found” instead of “had been found,” preserving the rest of the
wording.

---

Nitpick comments:
In `@app/components/Changelog/Markdown.vue`:
- Around line 24-26: Add a brief explanatory comment immediately above the
typeof data.value == 'string' guard in the watchEffect callback, clarifying that
the endpoint may return either a parsed object or raw string depending on the
raw query. Keep the existing guard and behavior unchanged.

In `@server/api/changelog/releases/`[provider]/[owner]/[repo]/raw/[tag].get.ts:
- Around line 116-127: Update getMarkdownFromForgejo and getMarkdownFromGitlab
so their $fetch API requests include the same User-Agent header as
getMarkdownFromGithub, using the value npmx.dev. Preserve the existing request
URLs and response parsing.

In `@server/utils/changelog/detectChangelog.ts`:
- Around line 106-114: Update the fetch call in checkFiles to enforce a finite
timeout, using AbortSignal.timeout or an equivalent AbortController signal,
while preserving the existing URL, headers, method selection, and false-on-error
behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3e14fb36-dfc4-4096-947f-8c8738e998bf

📥 Commits

Reviewing files that changed from the base of the PR and between 6a5befd and 4d504b1.

📒 Files selected for processing (24)
  • app/components/Button/CopyMd.vue
  • app/components/Changelog/Card.vue
  • app/components/Changelog/Markdown.vue
  • app/components/Changelog/Releases.vue
  • app/pages/package-changelog/[[org]]/[name].vue
  • app/pages/package/[[org]]/[name].vue
  • i18n/locales/en.json
  • i18n/locales/nl.json
  • i18n/schema.json
  • nuxt.config.ts
  • server/api/changelog/info/[name]/v/[version].get.ts
  • server/api/changelog/md/[provider]/[owner]/[repo]/[...path].get.ts
  • server/api/changelog/releases/[provider]/[owner]/[repo].get.ts
  • server/api/changelog/releases/[provider]/[owner]/[repo]/raw/[tag].get.ts
  • server/utils/changelog/baseFileUrl.ts
  • server/utils/changelog/detectChangelog.ts
  • server/utils/changelog/markdown.ts
  • server/utils/changelog/mdRepoInfo.ts
  • server/utils/mdKit.ts
  • shared/schemas/changelog/release.ts
  • shared/types/changelog.ts
  • shared/utils/constants.ts
  • test/nuxt/a11y.spec.ts
  • test/unit/server/utils/changelog/markdown.spec.ts

Comment thread app/components/Button/CopyMd.vue
Comment thread app/components/Changelog/Releases.vue
Comment thread server/api/changelog/md/[provider]/[owner]/[repo]/[...path].get.ts Outdated
Comment thread server/api/changelog/md/[provider]/[owner]/[repo]/[...path].get.ts
Comment thread server/api/changelog/releases/[provider]/[owner]/[repo].get.ts Outdated
Comment thread server/api/changelog/releases/[provider]/[owner]/[repo]/raw/[tag].get.ts Outdated
Comment thread server/utils/changelog/detectChangelog.ts
Comment thread server/utils/changelog/markdown.ts
Comment thread server/utils/changelog/markdown.ts
Comment thread shared/utils/constants.ts
WilcoSp added 3 commits July 11, 2026 14:28
given changelogCard now also host
added tests to ensure that email & package@version isn't formatted to a git link
…ithub.com:WilcoSp/npmx.dev into changelog/format-link+git-providers+copy-markdown

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
shared/utils/git-providers.ts (1)

291-291: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Type NEED_HOST as ProviderId[].

Currently inferred as string[], so invalid or misspelt provider IDs would not be caught at compile time.

As per coding guidelines: "Ensure you write strictly type-safe code".

♻️ Proposed change
-export const NEED_HOST = ['gitlab', 'gitea', 'forgejo', 'radicle']
+export const NEED_HOST: ProviderId[] = ['gitlab', 'gitea', 'forgejo', 'radicle']
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@shared/utils/git-providers.ts` at line 291, Type the NEED_HOST constant
explicitly as ProviderId[] so its provider entries are compile-time validated.
Preserve the existing provider values and locate the change at the NEED_HOST
declaration.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@shared/utils/git-providers.ts`:
- Around line 305-311: Update the provider parsing logic around the discarded
NEED_HOST.includes(provider.id) expression to retain its boolean result, then
use that result when assigning host in the returned object. Ensure host is
populated only for providers listed in NEED_HOST and remains undefined for all
others.

---

Nitpick comments:
In `@shared/utils/git-providers.ts`:
- Line 291: Type the NEED_HOST constant explicitly as ProviderId[] so its
provider entries are compile-time validated. Preserve the existing provider
values and locate the change at the NEED_HOST declaration.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 13f42098-7fdb-46aa-aa4c-f442d909cdaa

📥 Commits

Reviewing files that changed from the base of the PR and between 4d504b1 and 535dbdd.

📒 Files selected for processing (9)
  • app/components/Changelog/Card.vue
  • app/components/Changelog/Releases.vue
  • server/api/changelog/md/[provider]/[owner]/[repo]/[...path].get.ts
  • server/api/changelog/releases/[provider]/[owner]/[repo].get.ts
  • server/api/changelog/releases/[provider]/[owner]/[repo]/raw/[tag].get.ts
  • server/utils/changelog/validateHost.ts
  • shared/utils/constants.ts
  • shared/utils/git-providers.ts
  • test/unit/server/utils/changelog/markdown.spec.ts
🚧 Files skipped from review as they are similar to previous changes (6)
  • app/components/Changelog/Releases.vue
  • app/components/Changelog/Card.vue
  • server/api/changelog/releases/[provider]/[owner]/[repo]/raw/[tag].get.ts
  • server/api/changelog/md/[provider]/[owner]/[repo]/[...path].get.ts
  • server/api/changelog/releases/[provider]/[owner]/[repo].get.ts
  • test/unit/server/utils/changelog/markdown.spec.ts

Comment thread shared/utils/git-providers.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test/unit/server/utils/changelog/validateHost.spec.ts`:
- Line 52: Correct the describe block title in the host validation tests by
changing “know host” to “known host”; leave the test behavior unchanged.
- Line 46: Correct the typo in the test description for the “require radicle to
have a host” case by changing “shoud” to “should.”
- Around line 179-182: Correct the test description in the radicle host
validation test so it states that gitea.com should be rejected or disallowed.
Keep the existing createSchema('radicle') setup and toBeFalsy assertion
unchanged.
- Around line 19-27: Update the second test description in the changelog host
validation tests to say it allows tangled without a host, while leaving its
createSchema('tangled') setup and assertions unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 700712cc-2f91-4022-a66a-ee0ede851d79

📥 Commits

Reviewing files that changed from the base of the PR and between c7b9443 and 9533791.

📒 Files selected for processing (5)
  • server/utils/changelog/detectChangelog.ts
  • server/utils/changelog/markdown.ts
  • server/utils/changelog/validateHost.ts
  • shared/utils/constants.ts
  • test/unit/server/utils/changelog/validateHost.spec.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • server/utils/changelog/validateHost.ts
  • shared/utils/constants.ts
  • server/utils/changelog/detectChangelog.ts
  • server/utils/changelog/markdown.ts

Comment thread test/unit/server/utils/changelog/validateHost.spec.ts
Comment thread test/unit/server/utils/changelog/validateHost.spec.ts Outdated
Comment thread test/unit/server/utils/changelog/validateHost.spec.ts Outdated
Comment thread test/unit/server/utils/changelog/validateHost.spec.ts Outdated
@WilcoSp

WilcoSp commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai is there anything left that should be addressed in this pr?

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
gh pr view 2983 --repo npmx-dev/npmx.dev --json reviews,comments -q '.reviews[] | {author: .author.login, body: .body, state: .state}' | head -200
echo "---REVIEW COMMENTS---"
gh api repos/npmx-dev/npmx.dev/pulls/2983/comments --paginate | jq -r '.[] | select(.user.login=="coderabbitai") | "ID:\(.id) PATH:\(.path) LINE:\(.line) BODY:\(.body[0:200])"'

Length of output: 23556


🏁 Script executed:

#!/bin/bash
gh api graphql -f query='
query {
  repository(owner: "npmx-dev", name: "npmx.dev") {
    pullRequest(number: 2983) {
      reviewThreads(first: 100) {
        nodes {
          isResolved
          isOutdated
          path
          line
          comments(first: 1) {
            nodes {
              author { login }
              body
            }
          }
        }
      }
    }
  }
}' --jq '.data.repository.pullRequest.reviewThreads.nodes[] | select(.comments.nodes[0].author.login=="coderabbitai") | {path, line, isResolved, isOutdated, body: .comments.nodes[0].body[0:150]}'

Length of output: 5640


All review threads from CodeRabbit are resolved. Nothing outstanding remains from my automated review.

@WilcoSp all the review threads I opened on this PR are marked resolved — that covers the SSRF fixes for host params, the Tangled dispatch additions, the ROOT_ONLY_REGEX fix, account-mention regex fix, and the various typo/wording fixes. I don't see any unresolved actionable comments from me at this point.

A couple of earlier nitpicks (non-blocking, lower priority) that I don't have a resolved/unresolved thread confirmation for, in case you want to double check they were addressed:

  • Missing User-Agent header on the Forgejo/GitLab $fetch calls in server/api/changelog/releases/[provider]/[owner]/[repo]/raw/[tag].get.ts.
  • No timeout on the fetch call in checkFiles (server/utils/changelog/detectChangelog.ts).
  • Typing NEED_HOST as ProviderId[] in shared/utils/git-providers.ts.

If those are already handled, feel free to ignore this. Otherwise, this PR looks ready from my side.

@WilcoSp WilcoSp mentioned this pull request Jul 15, 2026
3 tasks
@WilcoSp

WilcoSp commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

I've just done the last bits that needed to be addressed, so for right now I do think this pr is complete and really ready for review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants