Vendored browser bundle and npm dep can drift silently — add lint:vendor-sync byte-equality check #440

@lukstafi

Summary

The dashboard now vendors `marked.esm.js` and `purify.es.js` for the browser to load directly while `package.json` lists matching `marked` and `isomorphic-dompurify` deps for unit tests. The two copies must stay byte-aligned, but only `vendor/README.md`'s human-followed "To bump" ritual currently enforces it. A future bump that touches only one side would make the test pass against one version while the browser serves a different one — silently.

Data Points

  • task-61aee08e (markdown renderer migration): Pin `marked@^18.0.2` + `isomorphic-dompurify@^3.10.0` in `package.json`; vendored `templates/dashboard/vendor/marked.esm.js` (41,998 bytes) + `purify.es.js` (68,843 bytes) byte-identical to the npm copies. The vendor README documents the bump ritual. No CI lint enforces it. Flagged as a candidate follow-up. (from coder, 2026-04-28)

Raw Excerpts

Original feedback

Vendoring + npm dep alignment: the test imports the npm copy while the browser loads the vendored copy. The `vendor/README.md` "To bump" rule is the only thing keeping the two in sync — if a future bump touches only one side, the test still passes against stale npm state while the browser serves a different version. A one-line CI check (e.g., `lint:vendor-sync` that compares `node_modules/marked/lib/marked.esm.js` to `templates/dashboard/vendor/marked.esm.js` byte-for-byte) would make this drift impossible to land silently. Out of scope for this task; flagged as a candidate follow-up.
— task-61aee08e--workflow-feedback-coder.md

Suggested Action

  1. Add `scripts/lint-vendor-sync.ts` that walks a vendor manifest (path → npm source) and asserts byte equality. Wire it as `lint:vendor-sync` in `package.json`.
  2. Manifest entries to seed:
    • `templates/dashboard/vendor/marked.esm.js` ↔ `node_modules/marked/lib/marked.esm.js`
    • `templates/dashboard/vendor/purify.es.js` ↔ `node_modules/dompurify/dist/purify.es.mjs`
  3. Run the lint as part of the standard verification pipeline (alongside `lint`, `lint:cli-readme`, `lint:no-mock-module`).
  4. Optional: emit the helpful "to bump, run `cp ` and rerun this lint" message on failure.

Filed by ludics-feedback-digest
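
A sketch of the lint proposed under Suggested Action, added here as an example and not taken from the project. The manifest pairs come from the issue; the function name `checkVendorSync`, the failure-message wording and the CLI guard are assumptions. It treats a missing file on either side as a failure rather than skipping it, so an uninstalled `node_modules` cannot make the check pass vacuously.

```typescript
// Added example: a sketch of scripts/lint-vendor-sync.ts, not the project's code.
import { createHash } from "node:crypto";
import * as fs from "node:fs";
import * as path from "node:path";

// Vendored path -> npm source, seeded with the two pairs listed in the issue.
const VENDOR_MANIFEST: Record<string, string> = {
  "templates/dashboard/vendor/marked.esm.js": "node_modules/marked/lib/marked.esm.js",
  "templates/dashboard/vendor/purify.es.js": "node_modules/dompurify/dist/purify.es.mjs",
};

interface SyncFailure {
  vendored: string;
  source: string;
  reason: "missing" | "drift";
  detail: string;
}

const sha256 = (b: Buffer): string => createHash("sha256").update(b).digest("hex");

// Returns one failure per manifest entry that is absent or not byte-identical.
function checkVendorSync(root: string, manifest: Record<string, string> = VENDOR_MANIFEST): SyncFailure[] {
  const failures: SyncFailure[] = [];
  for (const [vendored, source] of Object.entries(manifest)) {
    const absent = [vendored, source].filter((p) => !fs.existsSync(path.join(root, p)));
    if (absent.length > 0) {
      // A missing side fails the lint instead of being skipped.
      failures.push({ vendored, source, reason: "missing", detail: `not found: ${absent.join(", ")}` });
      continue;
    }
    const v = fs.readFileSync(path.join(root, vendored));
    const s = fs.readFileSync(path.join(root, source));
    if (!v.equals(s)) {
      const detail = `vendored ${v.length} B sha256 ${sha256(v)}; npm ${s.length} B sha256 ${sha256(s)}`;
      failures.push({ vendored, source, reason: "drift", detail });
    }
  }
  return failures;
}

// CLI entry (assumed guard): runs only when this file is the executed script.
if (process.argv[1]?.endsWith("lint-vendor-sync.ts")) {
  const failures = checkVendorSync(process.cwd());
  for (const f of failures) {
    console.error(`vendor-sync ${f.reason}: ${f.vendored} <-> ${f.source}\n  ${f.detail}`);
    console.error(`  to bump, run: cp ${f.source} ${f.vendored} and rerun this lint`); // assumed wording
  }
  process.exitCode = failures.length > 0 ? 1 : 0;
}
```

Comparing raw buffers keeps the check byte-exact; the SHA-256 digests appear only in the failure output so the two versions can be identified from a CI log.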
