vercel-labs/fix-react2shell-next:main

.github/copilot-instructions.md

@@ -0,0 +1,48 @@
+<!-- Copilot instructions for fix-react2shell-next -->
+# fix-react2shell-next — Copilot Instructions
+
+Purpose: help AI coding agents be productive quickly when editing or extending this CLI security tool.
+
+- Quick entry points:
+  - CLI runner: `bin/cli.js` (calls `run()` in `lib/index.js`).
+  - Core logic: `lib/index.js` — contains scanning, detection, patching, and install logic.
+  - Documentation & examples: `README.md` (usage and examples).
+
+- Big picture / architecture:
+  - Single-purpose CLI that recursively scans `package.json` files, detects vulnerable `next` and React RSC packages, writes patched versions, and refreshes lockfiles.
+  - Monorepo aware: detects workspaces (`pnpm-workspace.yaml` or `package.json.workspaces`) and prefers running installs at monorepo root.
+  - Package-manager integration: calls `pnpm`, `npm`, `yarn`, `bun` via `child_process.spawnSync` (10s timeouts).
+
+- Critical code patterns to preserve or follow:
+  - Vulnerability detection uses `isNextVersionVulnerable()` and `isReactRscVersionVulnerable()` — change these only with tests and matching advisory data.
+  - `findAllPackageJsons()` skips directories in `SKIP_DIRS` — update that set if adding new build folders.
+  - When applying fixes, the code pins exact versions (no `^`) and writes JSON with 2-space formatting.
+  - CLI supports `--fix`, `--dry-run`, and `--json` flags; maintain the JSON output shape for automation consumers.
+
+- Developer workflows / commands:
+  - Local run: `node bin/cli.js` (or `npx fix-react2shell-next`).
+  - Dry-run: `node bin/cli.js --dry-run`.
+  - CI / non-interactive: `node bin/cli.js --fix --json`.
+  - Release flow: uses `changeset` scripts defined in `package.json` (`pnpm` recommended per `packageManager` field).
+
+- Project-specific conventions:
+  - Prefer synchronous, simple CLI behavior (uses `spawnSync` and immediate stdout/stderr handling).
+  - Timeouts and fallbacks for package-manager queries are intentional — avoid long-running async replacements without preserving timeouts.
+  - JSON machine-output is the contract for automation (`--json` prints an object with `vulnerable`, `count`, `files`).
+
+- Integration points & tests to simulate:
+  - To emulate package manager responses, create a temporary folder with a lockfile (`pnpm-lock.yaml`, `yarn.lock`, etc.) so `detectPackageManager()` returns expected value.
+  - `getInstalledVersionFromPackageManager()` parses CLI output for each PM; when modifying, preserve parsing logic or add robust unit tests.
+
+- Quick inspection pointers (files to open first):
+  - `.github/copilot-instructions.md` (this file)
+  - `lib/index.js` — core functions: `run()`, `findAllPackageJsons()`, `analyzePackageJson()`, `applyFixes()` and version helpers like `getNextPatchedVersion()`.
+  - `bin/cli.js` — entry shim.
+  - `README.md` — expected CLI behavior and examples.
+
+- When making changes, be conservative:
+  - Preserve CLI flags and JSON contract.
+  - Keep `SKIP_DIRS` behavior and workspace detection intact unless explicitly expanding supported workspace types.
+  - Add unit tests (or reproducible examples) when changing version-parsing or package-manager parsing logic.
+
+- If anything here is unclear or you want the instructions in Arabic or expanded with concrete code snippets/tests, tell me which sections to expand.

.github/workflows/datadog-synthetics.yml

@@ -0,0 +1,38 @@
+# This workflow will trigger Datadog Synthetic tests within your Datadog organisation
+# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# To get started:
+
+# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/.
+# 2. Start using the action within your workflow
+
+name: Run Datadog Synthetic tests
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    # Run Synthetic tests within your GitHub workflow.
+    # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci
+    - name: Run Datadog Synthetic tests
+      uses: DataDog/synthetics-ci-github-action@87b505388a22005bb8013481e3f73a367b9a53eb # v1.4.0
+      with:
+        api_key: ${{secrets.DD_API_KEY}}
+        app_key: ${{secrets.DD_APP_KEY}}
+        test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy
+
+

.vscode/launch.json

@@ -0,0 +1,26 @@
+{
+    // استخدم IntelliSense لمعرفة الخصائص الممكنة.
+    // مرر الماوس لرؤية أوصاف الخصائص الموجودة.
+    // لمزيد من المعلومات، يرجى زيارة: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+    allowedModels
+
+
+    .01ff8ae71b4419903b65c60fb2dc9d34cf8bb6e06d03bde112ef38f7a34d6904c424ba66bea5cdcf12890230bf39f9580473140ed9c946fef328b6e5238a345a
+
+    .01ff8ae71b4419903b65c60fb2dc9d34cf8bb6e06d03bde112ef38f7a34d6904c424ba66bea5cdcf12890230bf39f9580473140ed9c946fef328b6e5238a345a
+
+
+
+        {
+            "type": "node",
+            "request": "launch",
+            "name": "إطلاق البرنامج",
+            "skipFiles": [
+                "<node_internals>/**"
+            ],
+            "program": "${file}"
+        }
+    ]
+}