Remove attribute data-obj from marketplace package card, add attribute data-repourl, and query package information from memory#17809
Merged
Conversation
TCOTC
changed the title
…bute data-name, and query package information from memory GHSA-x88j-wgpr-h22x
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refactors the Bazaar (marketplace) UI and related kernel download-progress plumbing to avoid embedding a JSON blob (data-obj) into package cards, instead using data-name and resolving package metadata from in-memory state. This aligns with the linked security advisory and simplifies the DOM surface area used for package interactions.
Changes:
- Kernel: adjust
downloadBazaarFileto accept apackageNamefor progress push IDs, and propagate additional online metadata into installed package entries when an update exists. - Frontend: remove
data-objusage across Bazaar rendering/event handling; adddata-name(and README side metadata) and re-resolve items frombazaar._data. - Frontend: introduce
TBazaarPackageSourceand add helpers for re-rendering/sorting/rendering Bazaar cards and syncing an open README view.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| kernel/bazaar/readme.go | Updates README file fetch to match the new downloadBazaarFile signature. |
| kernel/bazaar/install.go | Extends download helper to accept packageName and uses it for WS progress IDs. |
| kernel/bazaar/installed.go | Copies additional online metadata into installed packages when an update is available. |
| app/src/types/index.d.ts | Adds TBazaarPackageSource for distinguishing bazaar/downloaded/update origins in UI. |
| app/src/dialog/processSystem.ts | Matches download progress events against Bazaar README data-name instead of data-obj. |
| app/src/config/bazaar.ts | Major Bazaar UI refactor: removes data-obj, adds data-name, resolves items from memory, introduces sorting/render helpers, and syncs open README state. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+1111
to
+1130
| _sortPackages(packages: IBazaarItem[], sortValue: string): IBazaarItem[] { | ||
| const sorted = [...packages]; | ||
| // 更新时间降序 | ||
| if (sortValue === "0") { | ||
| return sorted.sort((a, b) => (b.updated < a.updated ? -1 : 1)); | ||
| } | ||
| // 更新时间升序 | ||
| if (sortValue === "1") { | ||
| return sorted.sort((a, b) => (b.updated < a.updated ? 1 : -1)); | ||
| } | ||
| // 下载次数降序 | ||
| if (sortValue === "2") { | ||
| return sorted.sort((a, b) => (b.downloads < a.downloads ? -1 : 1)); | ||
| } | ||
| // 下载次数升序 | ||
| if (sortValue === "3") { | ||
| return sorted.sort((a, b) => (b.downloads < a.downloads ? 1 : -1)); | ||
| } | ||
| return sorted; | ||
| }, |
Comment on lines
+668
to
+672
| } else if (nameElement.closest('[data-type="downloaded-update"]')) { | ||
| // 更新列表 | ||
| pkgSource = "update"; | ||
| if (packageName) { | ||
| for (const bazaarType of ["plugins", "themes", "icons", "templates", "widgets"] as TBazaarType[]) { |
Contributor
Author
There was a problem hiding this comment.
直接遍历一遍很快,并且 name 在所有类型的集市包中唯一,没有必要增加 data-type
| let dataObj: IObject; | ||
| if (dataElement) { | ||
| dataObj = JSON.parse(dataElement.getAttribute("data-obj")); | ||
| const nameElement = hasClosestByAttribute(target, "data-name", undefined); |
Comment on lines
+658
to
+660
| let pkgType: TBazaarType | undefined; | ||
| let pkgSource: TBazaarPackageSource | undefined; | ||
| let pkgItem: IBazaarItem; |
Member
|
Contributor
Author
01更新列表和在线列表的详情页“当前版本”始终显示的是本地包版本号,应该只在已下载的列表才是本地包版本号: video.webm |
Contributor
Author
02本地列表详情页里更新完之后没有重新渲染新的 README 内容(我手动清空了本地 README 的内容): video.webm |
Contributor
Author
03bazaarThemeMode 这个 id 不应该改为 bazaarSelect,命名太泛化了 |
TCOTC
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description / 描述
集市包卡片移除属性 data-obj、增加属性 data-name 并从内存查询包信息
修复潜在安全问题:GHSA-x88j-wgpr-h22x
修复问题:#14636 (comment)
Type of change / 变更类型
缺陷修复
代码重构
新功能
修改文案或增加新语言
Checklist / 检查清单
我对自己的代码进行了自我审查
我拥有所提交代码的完整权利,并同意其以本项目的 AGPL-3.0 许可证授权
devbranch and has no merge conflictsPR 提交到
dev分支,并且没有合并冲突