vibeaudit: 25 (D)

steven-tey/dub

3761 files scanned, 13 checks run, 6.0s

The modern link attribution platform. Loved by world-class marketing teams like Framer, Perplexity, Superhuman, Twilio, Buffer and more.

1 Critical, 27 High, 14 Medium


Mega Prompt

Combined remediation prompt for all 6 issue types. Paste this into your AI coding agent to fix everything.

I ran a production-readiness audit on my project and found the following issues. Please fix all of them:

1. I have a hardcoded fallback secret in apps/web/lib/api/utils.ts at line 22. Please move this to an environment variable. Create a .env.example file documenting the required variable (without the actual value), update .gitignore to exclude .env files, and replace the hardcoded value with process.env.VARIABLE_NAME. Add a startup check that exits with a clear error if the required env var is missing.

2. I have a potential XSS vulnerability in apps/web/scripts/lua-convert.ts at line 20 using unsafe DOM manipulation. Please refactor to avoid dangerouslySetInnerHTML, innerHTML, eval(), and document.write(). If HTML rendering is truly needed, use a sanitization library like DOMPurify and sanitize all content before rendering.
Affected: apps/web/scripts/lua-convert.ts:20, packages/ui/src/form.tsx:64, apps/web/ui/domains/domain-configuration.tsx:125, apps/web/ui/guides/markdown.tsx:82, apps/web/ui/postbacks/postback-event-details-sheet.tsx:58, apps/web/ui/webhooks/webhook-event-details-sheet.tsx:58, packages/email/src/templates/campaign-email.tsx:76, packages/email/src/templates/broadcasts/dub-wrapped.tsx:242, apps/web/app/app.dub.co/(auth)/oauth/authorize/scopes-requested.tsx:35, apps/web/app/(ee)/partners.dub.co/(apply)/[programSlug]/(default)/layout.tsx:64.

3. I have an empty catch block in apps/web/scripts/analyze-bundle.ts at line 33 that silently swallows errors. Please add proper error handling: at minimum, log the error with console.error. Better yet, rethrow it, show a user-friendly error message, or handle the specific error case. Never silently swallow errors.
Affected: apps/web/scripts/analyze-bundle.ts:33, packages/ui/src/timestamp-tooltip.tsx:19, apps/web/lib/axiom/server.ts:44, apps/web/lib/tinybird/get-click-event.ts:21, apps/web/lib/tinybird/get-lead-event.ts:28, apps/web/scripts/migrations/backfill-customer-first-sale.ts:53, apps/web/scripts/stripe/backfill-trace-id.ts:32, packages/utils/src/functions/text-fetcher.ts:14, packages/utils/src/functions/urls.ts:10, packages/utils/src/functions/urls.ts:20, packages/utils/src/functions/urls.ts:30, apps/web/lib/api/links/get-links-for-workspace.ts:61, apps/web/ui/links/link-builder/use-metatags.ts:38, apps/web/app/(ee)/api/cron/campaigns/broadcast/route.ts:125, apps/web/app/(ee)/api/cron/campaigns/broadcast/route.ts:311, apps/web/app/(ee)/api/cron/partners/ban/route.ts:180, apps/web/app/app.dub.co/(dashboard)/[slug]/(ee)/program/resources/program-help-and-support.tsx:71.

4. I have an unhandled promise chain in apps/web/ui/guides/markdown.tsx at line 75, a .then() without a .catch(). Please add error handling to this promise chain. Either add a .catch() handler, convert to async/await with try/catch, or handle the error appropriately for the context.
Affected: apps/web/ui/guides/markdown.tsx:75, apps/web/ui/modals/modal-provider.tsx:162, apps/web/ui/postbacks/postback-event-details-sheet.tsx:23, apps/web/ui/webhooks/webhook-event-details-sheet.tsx:23, packages/stripe-app/src/views/AppSettings.tsx:120, apps/web/lib/actions/partners/onboard-partner.ts:98, apps/web/lib/api/domains/claim-dot-link-domain.ts:128, apps/web/lib/api/workspaces/delete-workspace.ts:28, apps/web/lib/api/workspaces/delete-workspace.ts:58, apps/web/ui/modals/import-csv-modal/field-mapping.tsx:32, apps/web/ui/modals/import-csv-modal/select-file.tsx:23, apps/web/app/(ee)/api/admin/ban/route.ts:43.

5. My project has no input validation library. Please install zod and add schema validation for all API endpoints and form inputs. Define schemas for request bodies, query parameters, and path parameters. Return clear validation error messages so clients know exactly what to fix.

6. My .gitignore is missing important entries. Please update .gitignore to exclude: node_modules/, .env, .env.*, dist/, build/, coverage/, .DS_Store, and any IDE-specific files.