fix(core): drop unused fromBase64 import — closes CodeQL alert #2 #16
Merged
The import was left over from an earlier crypto-test refactor; nothing references it. CodeQL flagged it as `js/unused-local-variable` (severity note). Removing it closes the alert; tests still pass (25/26, 1 skipped integration). The other open alert (#3, `from passman import models` in alembic/env.py) is a deliberate side-effect import that registers SQLAlchemy declarative classes with `Base.metadata` — already marked `# noqa: F401` for ruff. Dismissed via the GitHub UI as false-positive with the explanation, since CodeQL doesn't honour the noqa comment. After this commit the only known CodeQL alert is the dismissed one.
Summary

Closes CodeQL alert #2 (`js/unused-local-variable`, severity note) — `fromBase64` was imported but never referenced in packages/core/tests/crypto.test.ts.

Adjacent

The other open CodeQL alert was #3 (`py/unused-import` on `server/alembic/env.py`) for `from passman import models`. That import is intentional — it triggers SQLAlchemy declarative class registration so `User`/`VaultItem`/`Session` attach themselves to `Base.metadata`, which alembic reads on the next line via `target_metadata = Base.metadata`. Removing it would break migration generation. The line already carries `# noqa: F401` for ruff, but CodeQL doesn't honour the noqa comment.

I've dismissed alert #3 as `false positive` via the GitHub API with the explanation above. After this PR merges, the open-alerts list should be empty.

Verification

`npm test --workspace=@passman/core` — 25 passed, 1 skipped (the 1 skipped is the network-bound integration test, same as before)

🤖 Generated with Claude Code
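The dismissal of alert #3 depends on the import having a side effect. The following is an added example, not code from this PR or the passman repository, and it shows a check a reviewer can run before accepting that justification. It assumes SQLAlchemy 1.4 or later is installed; the package name `demo_pkg`, the table names and the helper `tables_seen_by_alembic` are hypothetical stand-ins.

```python
import importlib
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the project's package. Only the class names
# User / VaultItem / Session come from the PR text; the rest is assumed.
BASE_SRC = (
    "from sqlalchemy.orm import declarative_base\n"
    "Base = declarative_base()\n"
)
MODEL_TMPL = (
    "class {cls}(Base):\n"
    "    __tablename__ = '{table}'\n"
    "    id = Column(Integer, primary_key=True)\n"
)
MODELS_SRC = (
    "from sqlalchemy import Column, Integer\n"
    "from demo_pkg.base import Base\n"
    + MODEL_TMPL.format(cls="User", table="users")
    + MODEL_TMPL.format(cls="VaultItem", table="vault_items")
    + MODEL_TMPL.format(cls="Session", table="sessions")
)


def tables_seen_by_alembic(import_models):
    """Return the table names env.py would hand to alembic as target_metadata."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "demo_pkg"
        pkg.mkdir()
        (pkg / "__init__.py").write_text("")
        (pkg / "base.py").write_text(BASE_SRC)
        (pkg / "models.py").write_text(MODELS_SRC)
        sys.path.insert(0, tmp)
        importlib.invalidate_caches()
        try:
            base = importlib.import_module("demo_pkg.base")
            if import_models:
                # The "unused" import: executing the module body registers
                # each declarative class on Base.metadata.
                importlib.import_module("demo_pkg.models")
            target_metadata = base.Base.metadata
            return sorted(target_metadata.tables)
        finally:
            # Drop the throwaway package so each call starts from a clean Base.
            sys.path.remove(tmp)
            for name in [m for m in sys.modules if m.split(".")[0] == "demo_pkg"]:
                del sys.modules[name]
```

With the import removed the metadata is empty, so an autogenerate run would see no models at all; that difference is the evidence to attach to a false-positive dismissal.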