Harden vendor URL validation and lock workflow permissions

DerekLoadout · DerekLoadout · commit dc8caf437cde · 2026-03-12T17:31:00.000+01:00
Require HTTPS-only website/social links, set workflow token permissions to read-only, and pin devalue to a patched version to remove the reported vulnerability.
diff --git a/.github/workflows/sync-vendors.yml b/.github/workflows/sync-vendors.yml
@@ -8,6 +8,9 @@ on:
       - "logos/**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: sync-vendors-main
   cancel-in-progress: false
diff --git a/.github/workflows/validate-vendor.yml b/.github/workflows/validate-vendor.yml
@@ -8,6 +8,9 @@ on:
       - "logos/**"
       - "scripts/validate-all.mjs"
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate schema, slug & logo
diff --git a/VENDOR_GUIDE.md b/VENDOR_GUIDE.md
@@ -94,7 +94,7 @@ Paste this example, then replace the sample details with your own shop details:
 A few notes:
 - `description` is optional, but recommended
 - leave `active` as `true`
-- for social links, use the full URL or leave the field empty: `""`
+- for website and social links, use full HTTPS URLs or leave social fields empty: `""`
 
 Valid regions:
 `Europe` · `North America` · `South America` · `Asia Pacific` · `Middle East` · `Africa` · `India`
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -10,6 +10,9 @@
   "dependencies": {
     "framer-api": "0.1.1"
   },
+  "overrides": {
+    "devalue": "^5.6.4"
+  },
   "devDependencies": {
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1"
diff --git a/vendors/_schema.json b/vendors/_schema.json
@@ -27,7 +27,8 @@
     "website": {
       "type": "string",
       "format": "uri",
-      "description": "Full URL of the vendor's website"
+      "pattern": "^https://",
+      "description": "Full HTTPS URL of the vendor's website"
     },
     "region": {
       "type": "string",
@@ -67,11 +68,12 @@
       "additionalProperties": false,
       "properties": {
         "x": {
-          "description": "Full URL to X (Twitter) profile, or empty string to omit",
+          "description": "Full HTTPS URL to X (Twitter) profile, or empty string to omit",
           "oneOf": [
             {
               "type": "string",
-              "format": "uri"
+              "format": "uri",
+              "pattern": "^https://"
             },
             {
               "type": "string",
@@ -80,11 +82,12 @@
           ]
         },
         "instagram": {
-          "description": "Full URL to Instagram profile, or empty string to omit",
+          "description": "Full HTTPS URL to Instagram profile, or empty string to omit",
           "oneOf": [
             {
               "type": "string",
-              "format": "uri"
+              "format": "uri",
+              "pattern": "^https://"
             },
             {
               "type": "string",
@@ -93,11 +96,12 @@
           ]
         },
         "youtube": {
-          "description": "Full URL to YouTube channel, or empty string to omit",
+          "description": "Full HTTPS URL to YouTube channel, or empty string to omit",
           "oneOf": [
             {
               "type": "string",
-              "format": "uri"
+              "format": "uri",
+              "pattern": "^https://"
             },
             {
               "type": "string",
