Fix code quality and security issues from audit

geetfun · geetfun · commit 4c34bea33582 · 2026-01-15T07:15:20.000-05:00
- Fix worker queue race condition with try-finally block
- Replace non-null assertions with proper null checks
- Add debug logging to silent catch blocks
- Expand sensitive header filtering (add set-cookie, proxy-authorization, x-access-token, x-csrf-token, x-xsrf-token)
- Remove unused sendSessionData config option
- Fix repository URLs to Checkend/checkend-node
- Add shutdown hook race condition protection
- Add build verification and npm audit to CI
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -33,6 +33,51 @@ jobs:
       - name: Run tests
         run: npm run test
 
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Verify build output
+        run: |
+          test -f dist/index.js
+          test -f dist/index.cjs
+          test -f dist/index.d.ts
+          test -f dist/integrations/express.js
+          test -f dist/integrations/koa.js
+          test -f dist/integrations/fastify.js
+
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Use Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Audit dependencies
+        run: npm audit --audit-level=moderate
+
   lint:
     runs-on: ubuntu-latest
 
diff --git a/package.json b/package.json
@@ -6,11 +6,11 @@
   "license": "MIT",
   "repository": {
     "type": "git",
-    "url": "https://github.com/furvur/checkend-node.git"
+    "url": "https://github.com/Checkend/checkend-node.git"
   },
-  "homepage": "https://github.com/furvur/checkend-node",
+  "homepage": "https://github.com/Checkend/checkend-node",
   "bugs": {
-    "url": "https://github.com/furvur/checkend-node/issues"
+    "url": "https://github.com/Checkend/checkend-node/issues"
   },
   "keywords": [
     "error",
diff --git a/src/configuration.ts b/src/configuration.ts
@@ -82,7 +82,6 @@ export class Configuration {
   appName?: string
   revision?: string
   sendRequestData: boolean
-  sendSessionData: boolean
   sendEnvironmentData: boolean
   sendUserData: boolean
 
@@ -113,7 +112,6 @@ export class Configuration {
     this.appName = options.appName || process.env.CHECKEND_APP_NAME
     this.revision = options.revision || process.env.CHECKEND_REVISION
     this.sendRequestData = options.sendRequestData ?? true
-    this.sendSessionData = options.sendSessionData ?? true
     this.sendEnvironmentData = options.sendEnvironmentData ?? false
     this.sendUserData = options.sendUserData ?? true
   }
diff --git a/src/index.ts b/src/index.ts
@@ -139,13 +139,13 @@ export async function reset(): Promise<void> {
  * Report an error to Checkend
  */
 export function notify(error: Error, options: NotifyOptions = {}): void {
-  if (!shouldNotify()) return
+  if (!shouldNotify() || !config) return
 
   const errorClass = error.name || 'Error'
   const message = error.message || 'Unknown error'
   const code = (error as NodeJS.ErrnoException).code
 
-  if (config!.shouldIgnore(errorClass, message, code)) {
+  if (config.shouldIgnore(errorClass, message, code)) {
     log(`Ignoring error: ${errorClass}`)
     return
   }
@@ -154,18 +154,18 @@ export function notify(error: Error, options: NotifyOptions = {}): void {
 
   // Build context with optional environment data
   let contextData = { ...globalContext, ...localContext, ...options.context }
-  if (config!.sendEnvironmentData) {
+  if (config.sendEnvironmentData) {
     contextData = { ...contextData, env: sanitize({ ...process.env }) }
   }
   const mergedContext = sanitize(contextData)
 
   // Include user data based on config
-  const mergedUser = config!.sendUserData
+  const mergedUser = config.sendUserData
     ? sanitize({ ...globalUser, ...localUser, ...options.user })
     : {}
 
   // Include request data based on config
-  const mergedRequest = config!.sendRequestData
+  const mergedRequest = config.sendRequestData
     ? sanitize({ ...localRequest, ...options.request })
     : {}
 
@@ -175,10 +175,10 @@ export function notify(error: Error, options: NotifyOptions = {}): void {
     user: mergedUser,
     fingerprint: options.fingerprint,
     tags: options.tags,
-    environment: config!.environment,
-    rootPath: config!.rootPath,
-    appName: config!.appName,
-    revision: config!.revision,
+    environment: config.environment,
+    rootPath: config.rootPath,
+    appName: config.appName,
+    revision: config.revision,
   })
 
   if (!runBeforeNotifyCallbacks(notice)) {
@@ -192,24 +192,24 @@ export function notify(error: Error, options: NotifyOptions = {}): void {
  * Report an error synchronously (returns promise)
  */
 export async function notifySync(error: Error, options: NotifyOptions = {}): Promise<ApiResponse | null> {
-  if (!shouldNotify()) return null
+  if (!shouldNotify() || !config || !client) return null
 
   const { context: localContext, user: localUser, request: localRequest } = getLocalStorage()
 
   // Build context with optional environment data
   let contextData = { ...globalContext, ...localContext, ...options.context }
-  if (config!.sendEnvironmentData) {
+  if (config.sendEnvironmentData) {
     contextData = { ...contextData, env: sanitize({ ...process.env }) }
   }
   const mergedContext = sanitize(contextData)
 
   // Include user data based on config
-  const mergedUser = config!.sendUserData
+  const mergedUser = config.sendUserData
     ? sanitize({ ...globalUser, ...localUser, ...options.user })
     : {}
 
   // Include request data based on config
-  const mergedRequest = config!.sendRequestData
+  const mergedRequest = config.sendRequestData
     ? sanitize({ ...localRequest, ...options.request })
     : {}
 
@@ -219,17 +219,17 @@ export async function notifySync(error: Error, options: NotifyOptions = {}): Pro
     user: mergedUser,
     fingerprint: options.fingerprint,
     tags: options.tags,
-    environment: config!.environment,
-    rootPath: config!.rootPath,
-    appName: config!.appName,
-    revision: config!.revision,
+    environment: config.environment,
+    rootPath: config.rootPath,
+    appName: config.appName,
+    revision: config.revision,
   })
 
   if (!runBeforeNotifyCallbacks(notice)) {
     return null
   }
 
-  return client!.sendNotice(notice)
+  return client.sendNotice(notice)
 }
 
 // ========== Context Management ==========
@@ -344,25 +344,25 @@ function uninstallUnhandledRejectionHandler(): void {
 }
 
 function handleUncaughtException(error: Error, origin: NodeJS.UncaughtExceptionOrigin): void {
-  if (!shouldNotify()) return
+  if (!shouldNotify() || !config) return
 
   const code = (error as NodeJS.ErrnoException).code
-  if (config!.shouldIgnore(error.name, error.message, code)) {
+  if (config.shouldIgnore(error.name, error.message, code)) {
     return
   }
 
   const notice = createNotice(error, {
     context: sanitize({ ...globalContext, unhandled: true, origin }),
     tags: ['unhandled', 'uncaughtException'],
-    environment: config!.environment,
-    rootPath: config!.rootPath,
-    appName: config!.appName,
-    revision: config!.revision,
+    environment: config.environment,
+    rootPath: config.rootPath,
+    appName: config.appName,
+    revision: config.revision,
   })
 
   // Send synchronously for uncaught exceptions
-  client?.sendNotice(notice).catch(() => {
-    // Ignore errors when reporting errors
+  client?.sendNotice(notice).catch((err) => {
+    config?.logger.debug(`Failed to send uncaught exception notice: ${err instanceof Error ? err.message : err}`)
   })
 
   // Call original handler if it exists
@@ -372,7 +372,7 @@ function handleUncaughtException(error: Error, origin: NodeJS.UncaughtExceptionO
 }
 
 function handleUnhandledRejection(reason: unknown, promise: Promise<unknown>): void {
-  if (!shouldNotify()) return
+  if (!shouldNotify() || !config) return
 
   let error: Error
   if (reason instanceof Error) {
@@ -386,17 +386,17 @@ function handleUnhandledRejection(reason: unknown, promise: Promise<unknown>): v
   }
 
   const code = (error as NodeJS.ErrnoException).code
-  if (config!.shouldIgnore(error.name, error.message, code)) {
+  if (config.shouldIgnore(error.name, error.message, code)) {
     return
   }
 
   const notice = createNotice(error, {
     context: sanitize({ ...globalContext, unhandled: true, rejection: true }),
     tags: ['unhandled', 'unhandledRejection'],
-    environment: config!.environment,
-    rootPath: config!.rootPath,
-    appName: config!.appName,
-    revision: config!.revision,
+    environment: config.environment,
+    rootPath: config.rootPath,
+    appName: config.appName,
+    revision: config.revision,
   })
 
   // Queue for async sending
@@ -408,11 +408,15 @@ function handleUnhandledRejection(reason: unknown, promise: Promise<unknown>): v
   }
 }
 
+let isShuttingDown = false
+
 function installShutdownHooks(): void {
   if (shutdownHooksInstalled) return
   shutdownHooksInstalled = true
 
   const shutdown = async () => {
+    if (isShuttingDown) return
+    isShuttingDown = true
     await stop()
   }
 
@@ -441,7 +445,8 @@ function runBeforeNotifyCallbacks(notice: Notice): boolean {
         return false
       }
     } catch (e) {
-      config.logger.warn(`beforeNotify callback failed: ${e}`)
+      const errorMsg = e instanceof Error ? e.message : String(e)
+      config.logger.warn(`beforeNotify callback failed: ${errorMsg}`)
     }
   }
 
@@ -452,8 +457,8 @@ function sendNotice(notice: Notice): void {
   if (worker) {
     worker.push(notice)
   } else {
-    client?.sendNotice(notice).catch(() => {
-      // Ignore errors when reporting errors
+    client?.sendNotice(notice).catch((err) => {
+      config?.logger.debug(`Failed to send notice: ${err instanceof Error ? err.message : err}`)
     })
   }
 }
diff --git a/src/integrations/express.ts b/src/integrations/express.ts
@@ -13,9 +13,14 @@ import type { User, RequestInfo } from '../types'
 // Headers that should be filtered from request data
 const FILTERED_HEADERS = [
   'cookie',
+  'set-cookie',
   'authorization',
+  'proxy-authorization',
   'x-api-key',
   'x-auth-token',
+  'x-access-token',
+  'x-csrf-token',
+  'x-xsrf-token',
 ]
 
 // Headers to exclude entirely (not useful for debugging)
diff --git a/src/integrations/fastify.ts b/src/integrations/fastify.ts
@@ -13,9 +13,14 @@ import type { User, RequestInfo } from '../types'
 // Headers that should be filtered from request data
 const FILTERED_HEADERS = [
   'cookie',
+  'set-cookie',
   'authorization',
+  'proxy-authorization',
   'x-api-key',
   'x-auth-token',
+  'x-access-token',
+  'x-csrf-token',
+  'x-xsrf-token',
 ]
 
 // Headers to exclude entirely (not useful for debugging)
diff --git a/src/integrations/koa.ts b/src/integrations/koa.ts
@@ -13,9 +13,14 @@ import type { User, RequestInfo } from '../types'
 // Headers that should be filtered from request data
 const FILTERED_HEADERS = [
   'cookie',
+  'set-cookie',
   'authorization',
+  'proxy-authorization',
   'x-api-key',
   'x-auth-token',
+  'x-access-token',
+  'x-csrf-token',
+  'x-xsrf-token',
 ]
 
 // Headers to exclude entirely (not useful for debugging)
diff --git a/src/types.ts b/src/types.ts
@@ -154,8 +154,6 @@ export interface ConfigOptions {
   revision?: string
   /** Include request data in error reports (default: true) */
   sendRequestData?: boolean
-  /** Include session data in error reports (default: true) */
-  sendSessionData?: boolean
   /** Include environment variables in error reports (default: false) */
   sendEnvironmentData?: boolean
   /** Include user data in error reports (default: true) */
diff --git a/src/worker.ts b/src/worker.ts
@@ -104,22 +104,28 @@ export class Worker {
 
     this.processing = true
 
-    while (this.queue.length > 0) {
-      const item = this.queue.shift()!
+    try {
+      while (this.queue.length > 0) {
+        const item = this.queue.shift()!
 
-      if (item === SHUTDOWN) {
-        break
-      }
+        if (item === SHUTDOWN) {
+          break
+        }
 
-      if (typeof item === 'object' && 'type' in item && item.type === FLUSH) {
-        item.resolve()
-        continue
-      }
+        if (typeof item === 'object' && 'type' in item && item.type === FLUSH) {
+          item.resolve()
+          continue
+        }
 
-      await this.sendWithThrottle(item as NoticePayload)
+        await this.sendWithThrottle(item as NoticePayload)
+      }
+    } finally {
+      this.processing = false
+      // Retry if queue has items (e.g., added during processing)
+      if (this.queue.length > 0 && !this.shutdown) {
+        this.processQueue()
+      }
     }
-
-    this.processing = false
   }
 
   private async sendWithThrottle(payload: NoticePayload): Promise<void> {
diff --git a/test/configuration.test.ts b/test/configuration.test.ts
@@ -133,11 +133,6 @@ describe('Configuration', () => {
       const config = new Configuration({ apiKey: 'test-key', sendEnvironmentData: true })
       expect(config.sendEnvironmentData).toBe(true)
     })
-
-    it('sets sendSessionData to true by default', () => {
-      const config = new Configuration({ apiKey: 'test-key' })
-      expect(config.sendSessionData).toBe(true)
-    })
   })
 
   describe('isValid', () => {
