critical (14)
high (40)
medium (10)
Mega Prompt
Combined remediation prompt for all 9 issue types. Paste this into your AI coding agent to fix everything.
I ran a production-readiness audit on my project and found the following issues. Please fix all of them:

1. I have a potential XSS vulnerability in src/templates/remediation.ts at line 20 using unsafe DOM manipulation. Please refactor to avoid dangerouslySetInnerHTML, innerHTML, eval(), and document.write(). If HTML rendering is truly needed, use a sanitization library like DOMPurify and sanitize all content before rendering. Affected: src/templates/remediation.ts:20, src/checkers/security/xss-vectors.ts:8, src/checkers/security/xss-vectors.ts:34, tests/fixtures/sample-express-app/server.js:15, tests/unit/checkers/xss-vectors.test.ts:5, tests/unit/checkers/xss-vectors.test.ts:12, tests/unit/checkers/xss-vectors.test.ts:19, tests/unit/checkers/xss-vectors.test.ts:26, tests/unit/checkers/xss-vectors.test.ts:32, tests/unit/checkers/xss-vectors.test.ts:40, tests/unit/checkers/xss-vectors.test.ts:47, tests/unit/checkers/xss-vectors.test.ts:54, tests/unit/checkers/xss-vectors.test.ts:61, tests/unit/checkers/xss-vectors.test.ts:68, tests/unit/checkers/xss-vectors.test.ts:74, tests/unit/checkers/xss-vectors.test.ts:83, tests/unit/checkers/xss-vectors.test.ts:90, tests/unit/checkers/xss-vectors.test.ts:96, tests/unit/checkers/xss-vectors.test.ts:105, tests/unit/checkers/xss-vectors.test.ts:113 and 2 more.

2. I have a sensitive route in tests/fixtures/sample-express-app/server.js at line 9 that appears to lack authentication/authorization middleware. Please add authentication middleware to protect this route. Verify that only authorized users can access it. Affected: tests/fixtures/sample-express-app/server.js:9, tests/fixtures/sample-express-app/server.js:30, tests/fixtures/sample-firebase-express-app/src/server.ts:11.

3. I have an empty catch block in src/detector.ts at line 42 that silently swallows errors. Please add proper error handling: at minimum, log the error with console.error. Better yet, rethrow it, show a user-friendly error message, or handle the specific error case. Never silently swallow errors. Affected: src/detector.ts:42, worker/src/clone.ts:37, src/checkers/firebase/missing-security-rules.ts:13, src/checkers/firebase/missing-security-rules.ts:25, tests/fixtures/sample-express-app/server.js:21, tests/unit/checkers/empty-catch.test.ts:5, tests/unit/checkers/empty-catch.test.ts:19, tests/unit/checkers/empty-catch.test.ts:31, tests/unit/checkers/empty-catch.test.ts:37, tests/unit/checkers/empty-catch.test.ts:45, tests/unit/checkers/empty-catch.test.ts:52, tests/unit/checkers/empty-catch.test.ts:58, tests/unit/checkers/empty-catch.test.ts:106, tests/unit/checkers/empty-catch.test.ts:112, web/src/components/audit-processing.tsx:41.

4. I have an unhandled promise chain in tests/fixtures/sample-express-app/server.js at line 35 — a .then() without a .catch(). Please add error handling to this promise chain. Either add a .catch() handler, convert to async/await with try/catch, or handle the error appropriately for the context.

5. My project has no input validation library. Please install zod and add schema validation for all API endpoints and form inputs. Define schemas for request bodies, query parameters, and path parameters. Return clear validation error messages so clients know exactly what to fix.

6. My project is missing a .gitignore file. Please create one that excludes: node_modules/, .env, .env.*, dist/, build/, coverage/, .DS_Store, *.log, and IDE-specific files (.idea/, .vscode/).

7. My Supabase database table "audits" does not have Row Level Security (RLS) enabled. Without RLS, any user with the anon key can read and write all data in this table. Please enable RLS on every table and create policies that check auth.uid() to restrict access to the authenticated user's own data. Affected: audits, daily_picks.

8. My Supabase service role key is exposed in client-side code (tests/unit/checkers/firebase-service-account-exposed.test.ts:102). The service role key bypasses all RLS policies and grants full database access. Rotate this key immediately in the Supabase dashboard, then move it to a server-only environment variable. Never use the service role key on the client — use the anon key with proper RLS policies instead. Affected: tests/unit/checkers/firebase-service-account-exposed.test.ts:102, tests/unit/checkers/supabase-service-key-exposed.test.ts:8, tests/unit/checkers/supabase-service-key-exposed.test.ts:10, tests/unit/checkers/supabase-service-key-exposed.test.ts:17, tests/unit/checkers/supabase-service-key-exposed.test.ts:19, tests/unit/checkers/supabase-service-key-exposed.test.ts:25, tests/unit/checkers/supabase-service-key-exposed.test.ts:27, tests/unit/checkers/supabase-service-key-exposed.test.ts:33, tests/unit/checkers/supabase-service-key-exposed.test.ts:35, tests/unit/checkers/supabase-service-key-exposed.test.ts:60, tests/unit/checkers/supabase-service-key-exposed.test.ts:76, tests/fixtures/sample-supabase-app/src/lib/supabase.ts:11.

9. I have a hardcoded Supabase URL or anon key in tests/unit/checkers/supabase-hardcoded-url-key.test.ts at line 10. While anon keys are not secret, hardcoding them prevents key rotation and makes environment-specific deploys harder. Please move Supabase URLs and keys to environment variables (e.g. VITE_SUPABASE_URL, VITE_SUPABASE_ANON_KEY). Affected: tests/unit/checkers/supabase-hardcoded-url-key.test.ts:10, tests/unit/checkers/supabase-hardcoded-url-key.test.ts:19, tests/unit/checkers/supabase-hardcoded-url-key.test.ts:55, tests/unit/checkers/supabase-hardcoded-url-key.test.ts:63, tests/unit/checkers/supabase-hardcoded-url-key.test.ts:71, tests/fixtures/sample-supabase-app/src/lib/supabase.ts:3, tests/fixtures/sample-supabase-app/src/lib/supabase.ts:4.