You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: NEXT_STEPS.md
+12-5Lines changed: 12 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -26,18 +26,22 @@ Status summary (most important facts)
26
26
27
27
Goal: remove remaining risk vectors (native dialogs, innerHTML hotspots) and add small tests.
28
28
29
-
-[ ] Replace any remaining native `alert()` / `confirm()` / `prompt()` with `showAlert()`/`showConfirm()`/`showPrompt()` (files: `event-handlers.js`, `cdi-shacl-loader.js`, `unified-add-component.js`).
29
+
-[x] Replace any remaining native `alert()` / `confirm()` / `prompt()` with `showAlert()`/`showConfirm()`/`showPrompt()` (files: `event-handlers.js`, `cdi-shacl-loader.js`, `unified-add-component.js`).
30
+
Note: **done in `src/`** — all application code now uses the modal helpers. Vendor / previewer bundles still contain legacy native dialogs (see `dataverse-previewers/*`) and should be audited separately.
30
31
Owner: frontend / test author — Est: 30–90 min
31
-
-[ ] Harden DOM insertions: audit and replace `.html()`/`innerHTML` that interpolate variables with `escapeHtml()` or safe DOM APIs. Produce a short report of hotspots and apply fixes.
32
+
-[x] Harden DOM insertions: audit and replace `.html()`/`innerHTML` that interpolate variables with `escapeHtml()` or safe DOM APIs. Produce a short report of hotspots and apply fixes.
33
+
Note: Most `src/` rendering code now uses `document.createTextNode`, `quickEl` and `escapeHtml()` where appropriate. The remaining risky hotspots are primarily in vendor/previewer bundles (`dataverse-previewers/**`, minified libs) and must be handled separately (audit/report + sanitize).
32
34
Owner: frontend — Est: 60–180 min
33
-
-[ ] Add focused unit or e2e tests that exercise the most sensitive paths (modal flows + server-provided string paths).
35
+
-[x] Add focused unit or e2e tests that exercise the most sensitive paths (modal flows + server-provided string paths).
36
+
Note: Modal tests were added (see `tests/e2e/standalone/modal-a11y.spec.ts`) and some targeted tests for document creation and namespaces are enabled. More targeted tests for server-provided strings and vendor paths are recommended.
34
37
Owner: test owner — Est: 30–60 min
35
38
36
39
### Priority B — Test stability & Dataverse verification (HIGH) — 2–6 hrs
37
40
38
41
Goal: make e2e deterministic, triage failing tests and re-enable Dataverse suites once local harness is available.
39
42
40
43
-[ ] Triage the remaining failing e2e tests (now reduced after recent fixes) and fix any outstanding infra issues (selectors / waits / expectations).
44
+
Status: Most infra flakes have been addressed (document creation, dataverse suites re-enabled). A handful of test-only failures remain (selectors/timeouts) and are tracked separately — these are test-infrastructure fixes (not app regressions).
41
45
Owner: test engineer — Est: 2–4 hrs
42
46
-[ ] Run Dataverse integration tests against a local test instance and re-enable skipped Dataverse tests.
43
47
Owner: integrator — Est: 1–2 hrs (plus test environment)
@@ -55,9 +59,10 @@ Goal: ensure modals and keyboard flows are robust and aria-friendly across brows
-[] Convert toolbar offset into a CSS variable (`--toolbar-scroll-offset`) and apply to `.node-card` / `.search-highlight` (tiny cosmetic fix).
62
+
-[x] Convert toolbar offset into a CSS variable (`--toolbar-scroll-offset`) and apply to `.node-card` / `.search-highlight` (tiny cosmetic fix).
59
63
Owner: frontend — Est: 15–30 min
60
-
-[ ] Replace stray `console.log` in `src/index.js` with project logger (`logInfo()`), remove leftover debug prints.
64
+
-[x] Replace stray `console.log` in `src/index.js` with project logger (`logInfo()`), remove leftover debug prints.
65
+
Note: `src/index.js` no longer uses console.log. There is still a DEBUG-level console call in `src/jsonld-editor/state.js` (intended for debug builds). Consider replacing with `logDebug()` for consistency and zero-console policy in production.
61
66
Owner: maintainer — Est: 10–30 min
62
67
-[ ] Final README / CHANGELOG / release notes and GitHub Pages smoke test.
63
68
Owner: release mgr — Est: 30–60 min
@@ -94,6 +99,8 @@ If you want me to begin, say which option you prefer. I can start with (1) secur
94
99
95
100
If you want I can start with Option 1 now and create a small PR with changes + tests (CI-green). If you'd rather triage the failing e2e tests first, I can do that instead.
96
101
102
+
Note on the E2E coverage experiment: earlier attempts to produce merged Jest + Playwright coverage by instrumenting the bundle were reverted because the approach made CI flaky and caused coverage job failures. The instrumented coverage work is still valuable — but it needs a safer rollout (build-only on main or with increased timeouts/retries) rather than enabling it on all PRs by default.
0 commit comments