Skip to content

fix: replace GitHub API with npm registry for version resolution#5

Merged
fengmk2 merged 5 commits intomainfrom
remove-github-api
Apr 16, 2026
Merged

fix: replace GitHub API with npm registry for version resolution#5
fengmk2 merged 5 commits intomainfrom
remove-github-api

Conversation

@fengmk2
Copy link
Copy Markdown
Member

@fengmk2 fengmk2 commented Apr 16, 2026

Summary

  • Removed all GitHub API code (fetchGitHub, fetchRelease, parseRelease, GitHubRelease interface, GITHUB_TOKEN env var)
  • Version resolution now uses npm registry only — specific tags resolve instantly with zero network calls via deterministic URL construction; latest version resolved via npm dist-tags
  • Simplified getRelease() caching: specific tags bypass cache entirely, latest path retains KV cache with stale fallback for npm outages

Fixes the GitHub API error: 403 Forbidden for default tag v0.1.18 production error caused by rate limiting.

Test plan

  • vp test — 23 tests pass
  • vp check — no lint/type/format errors
  • Deploy and verify https://setup.viteplus.dev/ renders download page with correct version
  • Verify ?tag=v0.1.18 and ?arch=x64 query params work
  • Remove GITHUB_TOKEN secret from Cloudflare Workers environment after deploy

🤖 Generated with Claude Code

@fengmk2 fengmk2 self-assigned this Apr 16, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 16, 2026

✅ Staging deployment successful!

Preview: https://vp-setup-staging.void.app/

@fengmk2
fix: replace GitHub API with npm registry for version resolution
28b8f38 
The GitHub API was hitting 403 Forbidden errors due to rate limiting.
Since download URLs are deterministic (constructable from tag alone),
the GitHub API is unnecessary. Now specific tags resolve instantly
with zero network calls, and the latest version is resolved via the
npm registry dist-tags.
@fengmk2 fengmk2 force-pushed the remove-github-api branch from 5d67208 to 28b8f38 Compare April 16, 2026 02:19
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 16, 2026

✅ Staging deployment successful!

Preview: https://vp-setup-staging.void.app/

@fengmk2
fix: update staging deploy PR comment instead of creating duplicates
8183f1b 
Include commit SHA in the comment body and reuse the existing comment
on subsequent deploys instead of flooding the PR with new ones.
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 16, 2026
edited
Loading

✅ Staging deployment successful!

Preview: https://vp-setup-staging.void.app/
Commit: 182ec95

fengmk2 added 3 commits April 16, 2026 10:34
@fengmk2
fix: address security and resilience review findings
aaf3c1b 
- Fix reflected XSS: replace innerHTML with DOM APIs in ARM64 link swap
- Verify GitHub asset exists (HEAD probe) before caching npm-resolved
  version, preventing broken redirects during npm/GitHub sync windows
- Make KV cache writes best-effort so transient KV errors don't fail
  otherwise valid requests
- Use github.paginate for staging deploy PR comment lookup to handle
  PRs with many comments
@fengmk2
refactor: remove unnecessary HEAD probe for asset verification
0d98741
@fengmk2
test: add escapeHtml tests covering XSS vectors
39f2f3a 
Verify that HTML special characters and malicious tag payloads like
attribute-breaking injections are properly escaped.
@fengmk2 fengmk2 merged commit 612772e into main Apr 16, 2026
2 checks passed
@fengmk2 fengmk2 deleted the remove-github-api branch April 16, 2026 02:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@fengmk2 fengmk2

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fengmk2