
Add back JSONParse helper #2319

Merged: witoszekdev merged 5 commits into main from add-fallback-smtp-removed-helpers, Apr 2, 2026

Conversation

@witoszekdev (Member)

  • add back JSONParse helper
  • add changeset

@witoszekdev witoszekdev requested a review from a team as a code owner April 2, 2026 15:44
@changeset-bot bot commented Apr 2, 2026

🦋 Changeset detected

Latest commit: b6a3867

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages:

  • @saleor/handlebars: Patch
  • saleor-app-smtp: Patch
  • saleor-app-products-feed: Patch


@vercel bot commented Apr 2, 2026

9 Skipped Deployments (all Ignored, updated Apr 2, 2026 3:54pm UTC):

  • saleor-app-avatax (Preview, Comment)
  • saleor-app-cms (Preview, Comment)
  • saleor-app-klaviyo (Preview)
  • saleor-app-payment-np-atobarai (Preview, Comment)
  • saleor-app-payment-stripe (Preview)
  • saleor-app-products-feed (Preview, Comment)
  • saleor-app-search (Preview, Comment)
  • saleor-app-segment (Preview, Comment)
  • saleor-app-smtp (Preview, Comment)

NyanKiyoshi
NyanKiyoshi previously approved these changes Apr 2, 2026
Copilot AI (Contributor) left a comment


Pull request overview

This PR re-introduces the handlebars-helpers JSON parsing helper into the @saleor/handlebars allow-list and updates the helper-registration tests accordingly, alongside adding a changeset for release notes/versioning.

Changes:

  • Re-enabled the object helpers group partially by allowing JSONparse while keeping extend/merge disallowed.
  • Added a focused test asserting dangerous object helpers (extend, merge) are not registered.
  • Added a changeset entry describing the helper being re-added.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

  • packages/handlebars/src/register-allowed-helpers.test.ts: Updates tests to reflect the object group no longer being fully removed and adds assertions for extend/merge not being registered.
  • packages/handlebars/src/allowed-helpers.ts: Re-adds the object group with JSONparse to the allow-list while documenting why other object helpers remain removed.
  • .changeset/sixty-sloths-win.md: Adds a changeset entry describing the helper re-addition (currently targets the wrong package and uses inconsistent helper casing).

Comment on lines +134 to +135
// --- object (extend, merge removed – prototype pollution risk) ---
object: ["JSONparse"],
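Review bot: the inline comment explains why extend and merge stay out but not why JSONparse is safe to re-admit; document the rationale here (what the parsed value is used for and that nothing in the allow-list merges it into existing objects), because the review comment on this hunk points out that apps/smtp/src/modules/smtp/services/handlebars-template-compiler.test.ts still asserts JSONparse is not registered, so that test and the SMTP threat model have to change in the same PR, not just the allow-list.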

Copilot AI Apr 2, 2026


ALLOWED_HELPERS now whitelists the object group with JSONparse, which changes behavior for downstream consumers. In apps/smtp/src/modules/smtp/services/handlebars-template-compiler.test.ts (lines 103-114) there is an explicit security regression test asserting JSONparse is not available; with this allow-list change it will become registered and that test (and the intended security posture) will break. Either keep JSONparse disallowed, or update SMTP’s threat model/tests and consider adding additional safeguards (e.g., rejecting __proto__/constructor/prototype keys) if templates can be user-controlled.

Suggested change
// --- object (extend, merge removed – prototype pollution risk) ---
object: ["JSONparse"],
// --- object: removed entirely (JSONparse disabled for security) ---
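Review bot: this suggestion removes the object group entirely, which undoes the PR's stated purpose ("Add back JSONParse helper"); if the SMTP templates need the helper, the alternative the comment itself raises, keeping JSONparse but rejecting __proto__/constructor/prototype keys when templates can be user-controlled and updating the SMTP regression test, should be weighed before accepting the suggestion.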

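The safeguard the review comment above proposes (rejecting __proto__, constructor and prototype keys when templates can be user-controlled), as an added JavaScript example that is not code from the repository this PR targets or from the handlebars-helpers package. The names safeJsonParse, safeMerge, parsedKeyIsOwnProperty and isRejected are hypothetical, and the JSON inputs are constructed. It also shows the distinction the allow-list comment relies on: a bare JSON.parse leaves the prototype chain alone (the "__proto__" key becomes an ordinary own property), so the exposure comes from a later merge or extend of that object, which is why the guard belongs on both the parser and any merge helper.

```javascript
// Added example, not code from the repository this PR targets or from
// handlebars-helpers. safeJsonParse, safeMerge, parsedKeyIsOwnProperty and
// isRejected are hypothetical names; all inputs below are constructed.

// Keys that let attacker-controlled JSON reach Object.prototype once the
// parsed object is merged or extended into another object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// JSON.parse reviver: it is invoked for every key at every depth, so a
// forbidden key nested anywhere in the document aborts the parse.
function rejectPollutingKeys(key, value) {
  if (FORBIDDEN_KEYS.has(key)) {
    throw new Error(`Refusing to parse JSON containing key "${key}"`);
  }
  return value;
}

// Hardened equivalent of a JSONparse-style template helper.
function safeJsonParse(text) {
  return JSON.parse(text, rejectPollutingKeys);
}

// True when the guard (not a plain SyntaxError) rejected the text.
function isRejected(text) {
  try {
    safeJsonParse(text);
    return false;
  } catch (err) {
    return err instanceof Error && err.message.startsWith("Refusing");
  }
}

// A bare JSON.parse creates an own data property named "__proto__" and does
// not change the prototype chain; returns true when that is what happened.
function parsedKeyIsOwnProperty(text) {
  const parsed = JSON.parse(text);
  return (
    Object.prototype.hasOwnProperty.call(parsed, "__proto__") &&
    Object.getPrototypeOf(parsed) === Object.prototype
  );
}

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Deep merge that refuses forbidden keys and only walks own enumerable
// properties of the source. Nested values are copied through the same guard,
// so a forbidden key at any depth is rejected. This is the check a naive
// extend/merge helper lacks.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`Refusing to merge key "${key}"`);
    }
    const value = source[key];
    const targetHasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (isPlainObject(value) && targetHasOwn && isPlainObject(target[key])) {
      safeMerge(target[key], value);
    } else {
      target[key] = isPlainObject(value) ? safeMerge({}, value) : value;
    }
  }
  return target;
}

// Constructed inputs: a benign payload, one with a nested forbidden key, and
// one with the forbidden key at the top level.
const BENIGN = '{"order":{"number":"1001","lines":[{"sku":"A1","qty":2}]}}';
const NESTED_HOSTILE = '{"order":{"__proto__":{"isAdmin":true}}}';
const TOP_LEVEL_HOSTILE = '{"__proto__":{"isAdmin":true}}';

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("benign parses:", safeJsonParse(BENIGN).order.lines.length === 1);
  console.log("nested forbidden key rejected:", isRejected(NESTED_HOSTILE));
  console.log("bare JSON.parse leaves prototype alone:", parsedKeyIsOwnProperty(TOP_LEVEL_HOSTILE));
  console.log("merge of hostile object rejected:", (() => {
    try { safeMerge({}, JSON.parse(TOP_LEVEL_HOSTILE)); return false; } catch { return true; }
  })());
}
```

The reviver approach is used here because it covers every nesting level without a second pass over the text; the merge guard is separate because a safe parser alone does not protect an object that is assembled elsewhere and then merged.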
@@ -0,0 +1,5 @@
---
"saleor-app-smtp": patch
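Review bot: only the frontmatter opening of the five-line changeset is shown; besides the package name (the comment on this hunk and the changeset-bot summary, which lists @saleor/handlebars, both indicate the handlebars package should be bumped), check that the description line spells the helper JSONparse exactly as the allow-list entry does, since the overview table flags inconsistent helper casing in this file.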

Copilot AI Apr 2, 2026


This changeset bumps saleor-app-smtp, but the code change is in @saleor/handlebars (see packages/handlebars/package.json). As written, the release will publish a version bump/changelog for the wrong package and won’t version the helper change correctly.

Suggested change
"saleor-app-smtp": patch
"@saleor/handlebars": patch

Copilot AI review requested due to automatic review settings April 2, 2026 15:53
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

@codecov bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 37.30%. Comparing base (a626695) to head (b6a3867).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2319   +/-   ##
=======================================
  Coverage   37.30%   37.30%           
=======================================
  Files        1018     1018           
  Lines       65972    65972           
  Branches     3400     3400           
=======================================
  Hits        24608    24608           
  Misses      40988    40988           
  Partials      376      376           
Flag                       Coverage        Δ
avatax                     57.39% <ø>      (ø)
cms                        18.67% <ø>      (ø)
domain                     100.00% <ø>     (ø)
dynamo-config-repository   79.29% <ø>      (ø)
errors                     91.66% <ø>      (ø)
logger                     28.81% <ø>      (ø)
np-atobarai                72.61% <ø>      (ø)
products-feed              5.91% <ø>       (ø)
search                     30.74% <ø>      (ø)
segment                    32.38% <ø>      (ø)
shared                     37.35% <ø>      (ø)
smtp                       35.53% <ø>      (ø)
stripe                     71.09% <ø>      (ø)
webhook-utils              11.02% <ø>      (ø)

Flags with carried forward coverage won't be shown.


@witoszekdev witoszekdev merged commit eedb36b into main Apr 2, 2026
52 checks passed
@witoszekdev witoszekdev deleted the add-fallback-smtp-removed-helpers branch April 2, 2026 16:09