feat: add socket.dev security report link to package page

[fengmk2]

Summary

Adds a Socket.dev security badge to the package detail page sidebar, under the "资源信息" (Resource Info) section.

The badge image is loaded from Socket.dev's badge API, showing the security status at a glance. Clicking the badge navigates to the version-specific Socket.dev security report.

Changes

• LinkContent component: added packageName and packageVersion props, renders Socket.dev badge image with Tooltip
• Home slug: passes manifest.name and version to LinkContent
• Renamed LinkContnet.tsx → LinkContent.tsx (typo fix)
• Extracted Socket.dev URL bases into module-level constants
• Used encodeURIComponent for scoped package names
• Added rel="noopener noreferrer" for security

URL Format

• Badge image: https://socket.dev/api/badge/npm/package/{name}
• Link target: https://socket.dev/npm/package/{name}/overview/{version}

References

• https://socket.dev/npm/package/egg/overview/3.34.0 (example)
• Closes link to socket.dev cnpmcore#182

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
cnpmweb	Ready	Preview, Comment	Mar 1, 2026 11:33am

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the package detail page by integrating a direct link to Socket.dev security reports. This addition provides users with quick access to security information for packages, improving transparency and awareness regarding potential vulnerabilities. The changes involve updating a shared UI component to display the link and modifying the package detail page to supply the necessary package name.

Highlights

• Socket.dev Security Report Link: A new link to the Socket.dev security report has been added to the package detail page sidebar, under the '资源信息' (Resource Info) section, for improved visibility into package security.
• LinkContent Component Update: The LinkContent component now accepts a packageName prop and conditionally renders the Socket.dev link with a SafetyCertificateFilled icon.
• Home Slug Integration: The Home slug has been updated to pass the manifest.name as the packageName prop to the LinkContent component, enabling the new security report link.

Changelog

• src/components/LinkContnet.tsx
  • Imported SafetyCertificateFilled icon from @ant-design/icons.
  • Added packageName?: string; to the LinkContentProps type definition.
  • Modified the LinkContent function signature to accept packageName as a prop.
  • Introduced socketUrl variable, conditionally set based on packageName.
  • Added a new Tooltip and Link block to display the 'Socket Security Report' with the SafetyCertificateFilled icon, linking to the Socket.dev page for the package.
• src/slugs/home/index.tsx
  • Passed manifest.name as the new packageName prop to the LinkContent component.

Activity

• No human activity has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Warning

Rate limit exceeded

@fengmk2 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 28 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 8ff3d0f and 2cb979a.

📒 Files selected for processing (2)

• src/components/LinkContent.tsx
• src/slugs/home/index.tsx

📝 Walkthrough

Walkthrough

Adds optional packageName and packageVersion props to LinkContent, derives an encoded Socket.dev package URL, and conditionally renders a Socket Security badge (link + image) when packageName is provided; also wires these props where LinkContent is used in the home Resources card.

Changes

Cohort / File(s)	Summary
Socket Security Integration src/components/LinkContnet.tsx	Add optional packageName and packageVersion to LinkContentProps and function signature; compute encodedName/socketUrl and render a Socket.dev security badge (link + image) when packageName exists.
Prop Wiring in Home src/slugs/home/index.tsx	Pass manifest.name and version into LinkContent as packageName and packageVersion in the Resources Information Card.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat: display package dist info (size, unpackedSize, fileCount) #114 — Changes the same LinkContent component (src/components/LinkContnet.tsx), adding related fields/UI adjustments that may need coordination.

Suggested reviewers

• elrrrrrrr

Poem

🐰 I found a socket bright and neat,
A badge that makes the package meet,
I hop to link and paste the view,
A tiny shield for packages new,
Security glows — a carrot-cheer! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a Socket.dev security report link to the package detail page.
Linked Issues check	✅ Passed	The code changes implement the requirement from issue #182 to add a Socket.dev link using the specified URL format pattern with packageName.
Out of Scope Changes check	✅ Passed	All changes are directly related to the linked issue objective: adding Socket.dev link functionality to the package page.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/socket-dev-link

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds a link to the Socket.dev security report on the package details page. The changes are well-implemented, introducing a packageName prop to the LinkContent component to construct the URL and passing the package name from the Home component. I have one suggestion to improve maintainability by extracting a hardcoded URL into a constant.

[Copilot]

Pull request overview

Adds a Socket.dev security report link to the package detail page sidebar (“资源信息”), using the package name to build the report URL.

Changes:

• Pass manifest.name from the Home slug into LinkContent as packageName
• Extend LinkContent to construct a Socket.dev URL and render it with a SafetyCertificateFilled icon

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
src/slugs/home/index.tsx	Passes manifest.name into the sidebar link block so a Socket.dev URL can be generated.
src/components/LinkContnet.tsx	Adds packageName prop and renders an external Socket.dev “security report” link in the resource list.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cloudflare-workers-and-pages]

Deploying cnpmweb with    Cloudflare Pages

Latest commit:	2cb979a
Status:	✅  Deploy successful!
Preview URL:	https://9affa12a.cnpmweb.pages.dev
Branch Preview URL:	https://feat-socket-dev-link.cnpmweb.pages.dev

View logs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/components/LinkContnet.tsx`:
- Line 39: The socketUrl construction incorrectly uses full encoding; update the
logic that builds socketUrl (using the packageName variable and the socketUrl
constant) to only encode the leading '@' for scoped packages while leaving the
'/' separator unencoded — e.g., if packageName starts with '@' replace that
leading '@' with '%40' (or otherwise specifically percent-encode only '@') and
then interpolate the resulting safePackageName into
`https://socket.dev/npm/package/${safePackageName}`, leaving non-scoped names
unchanged.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 91201f4 and 92385e1.

📒 Files selected for processing (2)

• src/components/LinkContnet.tsx
• src/slugs/home/index.tsx

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/components/LinkContnet.tsx`:
- Around line 112-120: The Socket.dev badge URL currently appends a version
fragment when packageVersion is present which is unsupported; update the JSX
that builds the badge src (where socketUrl, encodedName and packageVersion are
used inside the <Link> / <img> block) to remove the version segment so the src
is always "https://socket.dev/api/badge/npm/package/{encodedName}" (do not
include /{encodeURIComponent(packageVersion)}), leaving socketUrl, encodedName
and the <img> rendering logic intact.

---

ℹ️ Review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4f7d322 and 8ff3d0f.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• src/components/LinkContnet.tsx
• src/slugs/home/index.tsx

🚧 Files skipped from review as they are similar to previous changes (1)

• src/slugs/home/index.tsx

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (2)

src/components/LinkContent.tsx:121

• The Socket.dev badge src currently appends /${packageVersion} when a version is provided, but the PR description documents the badge API as https://socket.dev/api/badge/npm/package/{name} (no version segment). If the badge endpoint isn’t versioned, this will 404 for versioned pages—please either drop the version suffix for the badge image or update the documented URL format after confirming the versioned badge URL works.
  src/components/LinkContent.tsx:124
• Only the new Socket.dev external link includes rel="noopener noreferrer", but the other external links in this component (homepage/source/tarball) still open in a new tab with target="_blank" without rel, which leaves reverse-tabnabbing risk. Consider adding the same rel attributes to all target="_blank" links here for consistent security.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.