Merge pull request #18 from prebid/master

Sync with master

.eslintrc.js

@@ -84,27 +84,52 @@ module.exports = {
     files: key + '/**/*.js',
     rules: {
       'prebid/validate-imports': ['error', allowedModules[key]],
-      'prebid/no-innerText': ['error', allowedModules[key]],
       'no-restricted-globals': [
         'error',
         {
           name: 'require',
           message: 'use import instead'
         }
+      ],
+      'prebid/no-global': [
+        'error',
+        ...['localStorage', 'sessionStorage'].map(name => ({name, message: 'use storageManager instead'})),
+        {
+          name: 'XMLHttpRequest',
+          message: 'use ajax.js instead'
+        },
+      ],
+      'prebid/no-member': [
+        'error',
+        {
+          name: 'cookie',
+          target: 'document',
+          message: 'use storageManager instead'
+        },
+        {
+          name: 'sendBeacon',
+          target: 'navigator',
+          message: 'use ajax.js instead'
+        },
+        ...['outerText', 'innerText'].map(name => ({
+          name,
+          message: 'use .textContent instead'
+        }))
       ]
     }
   })).concat([{
     // code in other packages (such as plugins/eslint) is not "seen" by babel and its parser will complain.
     files: 'plugins/*/**/*.js',
     parser: 'esprima'
-  },
-  {
+  }, {
     files: '**BidAdapter.js',
     rules: {
       'no-restricted-imports': [
         'error', {
-          patterns: ["**/src/events.js",
-          "**/src/adloader.js"]
+          patterns: [
+            '**/src/events.js',
+            '**/src/adloader.js'
+          ]
         }
       ]
     }

.github/PULL_REQUEST_TEMPLATE.md

@@ -41,7 +41,7 @@ For any user facing change, submit a link to a PR on the docs repo at https://gi
 }
 ```
 
-Be sure to test the integration with your adserver using the [Hello World](/integrationExamples/gpt/hello_world.html) sample page. -->
+Be sure to test the integration with your adserver using the [Hello World](https://github.com/prebid/Prebid.js/blob/master/integrationExamples/gpt/hello_world.html) sample page. -->
 
 
 ## Other information

.github/codeql/codeql-config.yml

@@ -2,3 +2,6 @@ paths:
   - src
   - modules
   - libraries
+queries:
+  - name: Prebid queries
+    uses: ./.github/codeql/queries

.github/codeql/queries/deviceMemory.ql

@@ -0,0 +1,14 @@
+/**
+ * @id prebid/device-memory
+ * @name Access to navigator.deviceMemory
+ * @kind problem
+ * @problem.severity warning
+ * @description Finds uses of deviceMemory
+ */
+
+import prebid
+
+from SourceNode nav
+where
+ nav = windowPropertyRead("navigator")
+select nav.getAPropertyRead("deviceMemory"), "deviceMemory is an indicator of fingerprinting"

.github/codeql/queries/hardwareConcurrency.ql

@@ -0,0 +1,14 @@
+/**
+ * @id prebid/hardware-concurrency
+ * @name Access to navigator.hardwareConcurrency
+ * @kind problem
+ * @problem.severity warning
+ * @description Finds uses of hardwareConcurrency
+ */
+
+import prebid
+
+from SourceNode nav
+where
+ nav = windowPropertyRead("navigator")
+select nav.getAPropertyRead("hardwareConcurrency"), "hardwareConcurrency is an indicator of fingerprinting"

.github/codeql/queries/prebid.qll

@@ -0,0 +1,36 @@
+import javascript
+import DataFlow
+
+SourceNode otherWindow() {
+ result = globalVarRef("top") or
+ result = globalVarRef("self") or
+ result = globalVarRef("parent") or
+ result = globalVarRef("frames").getAPropertyRead() or
+ result = DOM::documentRef().getAPropertyRead("defaultView")
+}
+
+SourceNode connectedWindow(SourceNode win) {
+  result = win.getAPropertyRead("self") or
+  result = win.getAPropertyRead("top") or
+  result = win.getAPropertyRead("parent") or
+  result = win.getAPropertyRead("frames").getAPropertyRead() or
+  result = win.getAPropertyRead("document").getAPropertyRead("defaultView")
+}
+
+SourceNode relatedWindow(SourceNode win) {
+  result = connectedWindow(win) or
+  result = relatedWindow+(connectedWindow(win))
+}
+
+SourceNode anyWindow() {
+  result = otherWindow() or
+  result = relatedWindow(otherWindow())
+}
+
+/*
+ Matches uses of property `prop` done on any window object.
+*/
+SourceNode windowPropertyRead(string prop) {
+  result = globalVarRef(prop) or
+  result = anyWindow().getAPropertyRead(prop)
+}

.github/codeql/queries/qlpack.yml

@@ -0,0 +1,8 @@
+---
+library: false
+warnOnImplicitThis: false
+name: queries
+version: 0.0.1
+dependencies:
+  codeql/javascript-all: ^1.1.1
+  codeql/javascript-queries: ^1.1.0

.github/release-drafter.yml

@@ -1,6 +1,10 @@
 
 name-template: 'Prebid $RESOLVED_VERSION Release'
 tag-template: '$RESOLVED_VERSION'
+autolabeler:
+  - label: 'maintenance'
+    title:
+      - '/^(?!.*(bug|initial|release|fix)).*$/i'
 categories:
   - title: '🚀 New Features'
     label: 'feature'

.github/workflows/jscpd.yml

@@ -29,7 +29,7 @@ jobs:
       run: |
         echo '{
           "threshold": 20,
-          "minTokens": 50,
+          "minTokens": 100,
           "reporters": [
             "json"
           ],
@@ -101,15 +101,15 @@ jobs:
           const filteredReport = JSON.parse(fs.readFileSync('filtered-jscpd-report.json', 'utf8'));
           let comment = "Whoa there, partner! 🌵🤠 We wrangled some duplicated code in your PR:\n\n";
           function link(dup) {
-             return `https://github.com/${{ github.event.repository.full_name }}/blob/${{ github.event.pull_request.head.sha }}/${dup.name}#L${dup.start}-L${dup.end - 1}`
+             return `https://github.com/${{ github.event.repository.full_name }}/blob/${{ github.event.pull_request.head.sha }}/${dup.name}#L${dup.start + 1}-L${dup.end - 1}`
           }
           filteredReport.forEach(duplication => {
             const firstFile = duplication.firstFile;
             const secondFile = duplication.secondFile;
             const lines = duplication.lines;
             comment += `- [\`${firstFile.name}\`](${link(firstFile)}) has ${lines} duplicated lines with [\`${secondFile.name}\`](${link(secondFile)})\n`;
           });
-          comment += "\nReducing code duplication by importing common functions from a library not only makes our code cleaner but also easier to maintain. Please move the common code from both files into a library and import it in each. Keep up the great work! 🚀";
+          comment += "\nReducing code duplication by importing common functions from a library not only makes our code cleaner but also easier to maintain. Please move the common code from both files into a library and import it in each. We hate that we have to mention this, however, commits designed to hide from this utility by renaming variables or reordering an object are poor conduct. We will not look upon them kindly! Keep up the great work! 🚀";
           github.rest.issues.createComment({
             owner: context.repo.owner,
             repo: context.repo.repo,

.github/workflows/linter.yml

@@ -0,0 +1,110 @@
+name: Check for linter warnings / exceptions
+
+on:
+  pull_request_target:
+    branches:
+      - master
+
+jobs:
+  check-linter:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.base.sha }}
+
+      - name: Fetch base and target branches
+        run: |
+          git fetch origin +refs/heads/${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}
+          git fetch origin +refs/pull/${{ github.event.pull_request.number }}/merge:refs/remotes/pull/${{ github.event.pull_request.number }}/merge
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Get the diff
+        run: git diff --name-only origin/${{ github.event.pull_request.base.ref }}...refs/remotes/pull/${{ github.event.pull_request.number }}/merge | grep '^\(modules\|src\|libraries\|creative\)/.*\.js$' > __changed_files.txt || true
+
+      - name: Run linter on base branch
+        run: npx eslint --no-inline-config --format json $(cat __changed_files.txt | xargs stat --printf '%n\n' 2> /dev/null) > __base.json || true
+
+      - name: Check out PR
+        run: git checkout ${{ github.event.pull_request.head.sha }}
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run linter on PR
+        run: npx eslint --no-inline-config --format json $(cat __changed_files.txt | xargs stat --printf '%n\n' 2> /dev/null) > __pr.json || true
+
+      - name: Compare them and post comment if necessary
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const fs = require('fs');
+            const path = require('path');
+            const process = require('process');
+            
+            function parse(fn) {
+              return JSON.parse(fs.readFileSync(fn)).reduce((memo, data) => {
+                const file = path.relative(process.cwd(), data.filePath);
+                if (!memo.hasOwnProperty(file)) { memo[file] = { errors: 0, warnings: 0} }
+                data.messages.forEach(({severity}) => {
+                  memo[file][severity > 1 ? 'errors' : 'warnings']++;
+                });
+                return memo;
+              }, {})
+            }
+            
+            function mkDiff(old, new_) {
+              const files = Object.fromEntries(
+                Object.entries(new_)
+                  .map(([file, {errors, warnings}]) => {
+                    const {errors: oldErrors, warnings: oldWarnings} = old[file] || {};
+                    return [file, {errors: Math.max(0, errors - (oldErrors ?? 0)), warnings: Math.max(0, warnings - (oldWarnings ?? 0))}]
+                  })
+                  .filter(([_, {errors, warnings}]) => errors > 0 || warnings > 0)
+              )
+              return Object.values(files).reduce((memo, {warnings, errors}) => {
+                memo.errors += errors;
+                memo.warnings += warnings;
+                return memo;
+              }, {errors: 0, warnings: 0, files})
+            }
+            
+            function mkComment({errors, warnings, files}) {
+              function pl(noun, number) {
+                return noun + (number === 1 ? '' : 's')
+              }
+              if (errors === 0 && warnings === 0) return;
+              const summary = [];
+              if (errors) summary.push(`**${errors}** linter ${pl('error', errors)}`)
+              if (warnings) summary.push(`**${warnings}** linter ${pl('warning', warnings)}`)
+              let cm = `Tread carefully! This PR adds ${summary.join(' and ')} (possibly disabled through directives):\n\n`;
+              Object.entries(files).forEach(([file, {errors, warnings}]) => {
+                const summary = [];
+                if (errors) summary.push(`+${errors} ${pl('error', errors)}`);
+                if (warnings) summary.push(`+${warnings} ${pl('warning', warnings)}`)
+                cm += ` * \`${file}\` (${summary.join(', ')})\n`
+              })
+              return cm;
+            }
+            
+            const [base, pr] = ['__base.json', '__pr.json'].map(parse);
+            const comment = mkComment(mkDiff(base, pr));
+            
+            if (comment) {
+              github.rest.issues.createComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                body: comment
+              });
+            }