Merge branch 'main' into PFG-3633

.circleci/config.yml

@@ -7,7 +7,7 @@ aliases:
   - &environment
       docker:
         # specify the version you desire here
-        - image: cimg/node:16.20-browsers
+        - image: cimg/node:20.14.0-browsers
       resource_class: xlarge
         # Specify service dependencies here if necessary
         # CircleCI maintains a library of pre-built images
@@ -18,8 +18,6 @@ aliases:
   - &restore_dep_cache
       keys:
         - v1-dependencies-{{ checksum "package.json" }}
-        # fallback to using the latest cache if no exact match is found
-        - v1-dependencies-
 
   - &save_dep_cache
       paths:

.devcontainer/Dockerfile

@@ -1,4 +1,4 @@
-ARG VARIANT="12"
+ARG VARIANT="20"
 FROM mcr.microsoft.com/vscode/devcontainers/javascript-node:${VARIANT}
 
 RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg

.eslintrc.js

@@ -61,6 +61,7 @@ module.exports = {
     'no-useless-escape': 'off',
     'no-console': 'error',
     'jsdoc/check-types': 'off',
+    'jsdoc/no-defaults': 'off',
     'jsdoc/newline-after-description': 'off',
     'jsdoc/require-jsdoc': 'off',
     'jsdoc/require-param': 'off',
@@ -89,11 +90,48 @@ module.exports = {
           name: 'require',
           message: 'use import instead'
         }
+      ],
+      'prebid/no-global': [
+        'error',
+        ...['localStorage', 'sessionStorage'].map(name => ({name, message: 'use storageManager instead'})),
+        {
+          name: 'XMLHttpRequest',
+          message: 'use ajax.js instead'
+        },
+      ],
+      'prebid/no-member': [
+        'error',
+        {
+          name: 'cookie',
+          target: 'document',
+          message: 'use storageManager instead'
+        },
+        {
+          name: 'sendBeacon',
+          target: 'navigator',
+          message: 'use ajax.js instead'
+        },
+        ...['outerText', 'innerText'].map(name => ({
+          name,
+          message: 'use .textContent instead'
+        }))
       ]
     }
   })).concat([{
     // code in other packages (such as plugins/eslint) is not "seen" by babel and its parser will complain.
     files: 'plugins/*/**/*.js',
     parser: 'esprima'
+  }, {
+    files: '**BidAdapter.js',
+    rules: {
+      'no-restricted-imports': [
+        'error', {
+          patterns: [
+            '**/src/events.js',
+            '**/src/adloader.js'
+          ]
+        }
+      ]
+    }
   }])
 };

.github/PULL_REQUEST_TEMPLATE.md

@@ -41,7 +41,7 @@ For any user facing change, submit a link to a PR on the docs repo at https://gi
 }
 ```
 
-Be sure to test the integration with your adserver using the [Hello World](/integrationExamples/gpt/hello_world.html) sample page. -->
+Be sure to test the integration with your adserver using the [Hello World](https://github.com/prebid/Prebid.js/blob/master/integrationExamples/gpt/hello_world.html) sample page. -->
 
 
 ## Other information

.github/codeql/codeql-config.yml

@@ -2,3 +2,6 @@ paths:
   - src
   - modules
   - libraries
+queries:
+  - name: Prebid queries
+    uses: ./.github/codeql/queries

.github/codeql/queries/deviceMemory.ql

@@ -0,0 +1,14 @@
+/**
+ * @id prebid/device-memory
+ * @name Access to navigator.deviceMemory
+ * @kind problem
+ * @problem.severity warning
+ * @description Finds uses of deviceMemory
+ */
+
+import prebid
+
+from SourceNode nav
+where
+ nav = windowPropertyRead("navigator")
+select nav.getAPropertyRead("deviceMemory"), "deviceMemory is an indicator of fingerprinting"

.github/codeql/queries/hardwareConcurrency.ql

@@ -0,0 +1,14 @@
+/**
+ * @id prebid/hardware-concurrency
+ * @name Access to navigator.hardwareConcurrency
+ * @kind problem
+ * @problem.severity warning
+ * @description Finds uses of hardwareConcurrency
+ */
+
+import prebid
+
+from SourceNode nav
+where
+ nav = windowPropertyRead("navigator")
+select nav.getAPropertyRead("hardwareConcurrency"), "hardwareConcurrency is an indicator of fingerprinting"

.github/codeql/queries/prebid.qll

@@ -0,0 +1,36 @@
+import javascript
+import DataFlow
+
+SourceNode otherWindow() {
+ result = globalVarRef("top") or
+ result = globalVarRef("self") or
+ result = globalVarRef("parent") or
+ result = globalVarRef("frames").getAPropertyRead() or
+ result = DOM::documentRef().getAPropertyRead("defaultView")
+}
+
+SourceNode connectedWindow(SourceNode win) {
+  result = win.getAPropertyRead("self") or
+  result = win.getAPropertyRead("top") or
+  result = win.getAPropertyRead("parent") or
+  result = win.getAPropertyRead("frames").getAPropertyRead() or
+  result = win.getAPropertyRead("document").getAPropertyRead("defaultView")
+}
+
+SourceNode relatedWindow(SourceNode win) {
+  result = connectedWindow(win) or
+  result = relatedWindow+(connectedWindow(win))
+}
+
+SourceNode anyWindow() {
+  result = otherWindow() or
+  result = relatedWindow(otherWindow())
+}
+
+/*
+ Matches uses of property `prop` done on any window object.
+*/
+SourceNode windowPropertyRead(string prop) {
+  result = globalVarRef(prop) or
+  result = anyWindow().getAPropertyRead(prop)
+}

.github/codeql/queries/qlpack.yml

@@ -0,0 +1,8 @@
+---
+library: false
+warnOnImplicitThis: false
+name: queries
+version: 0.0.1
+dependencies:
+  codeql/javascript-all: ^1.1.1
+  codeql/javascript-queries: ^1.1.0

.github/release-drafter.yml

@@ -1,6 +1,10 @@
 
 name-template: 'Prebid $RESOLVED_VERSION Release'
 tag-template: '$RESOLVED_VERSION'
+autolabeler:
+  - label: 'maintenance'
+    title:
+      - '/^(?!.*(bug|initial|release|fix)).*$/i'
 categories:
   - title: '🚀 New Features'
     label: 'feature'

.github/workflows/jscpd.yml

@@ -0,0 +1,124 @@
+name: Check for Duplicated Code
+
+on:
+  pull_request_target:
+    branches:
+      - master
+
+jobs:
+  check-duplication:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Fetch all history for all branches
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    - name: Set up Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+
+    - name: Install dependencies
+      run: |
+        npm install -g jscpd diff-so-fancy
+
+    - name: Create jscpd config file
+      run: |
+        echo '{
+          "threshold": 20,
+          "minTokens": 100,
+          "reporters": [
+            "json"
+          ],
+          "output": "./",
+          "pattern": "**/*.js",
+          "ignore": "**/*spec.js"        
+        }' > .jscpd.json
+
+    - name: Run jscpd on entire codebase
+      run: jscpd
+
+    - name: Fetch base and target branches
+      run: |
+        git fetch origin +refs/heads/${{ github.event.pull_request.base.ref }}:refs/remotes/origin/${{ github.event.pull_request.base.ref }}
+        git fetch origin +refs/pull/${{ github.event.pull_request.number }}/merge:refs/remotes/pull/${{ github.event.pull_request.number }}/merge
+
+    - name: Get the diff
+      run: git diff --name-only origin/${{ github.event.pull_request.base.ref }}...refs/remotes/pull/${{ github.event.pull_request.number }}/merge > changed_files.txt
+
+    - name: List generated files (debug)
+      run: ls -l
+
+    - name: Upload unfiltered jscpd report
+      if: always()
+      uses: actions/upload-artifact@v4
+      with:
+        name: unfiltered-jscpd-report
+        path: ./jscpd-report.json
+
+    - name: Filter jscpd report for changed files
+      run: |
+        if [ ! -f ./jscpd-report.json ]; then
+          echo "jscpd-report.json not found"
+          exit 1
+        fi
+        echo "Filtering jscpd report for changed files..."
+        CHANGED_FILES=$(jq -R -s -c 'split("\n")[:-1]' changed_files.txt)
+        echo "Changed files: $CHANGED_FILES"
+        jq --argjson changed_files "$CHANGED_FILES" '
+          .duplicates | map(select(
+            (.firstFile?.name as $fname | $changed_files | any(. == $fname)) or
+            (.secondFile?.name as $sname | $changed_files | any(. == $sname))
+          ))
+        ' ./jscpd-report.json > filtered-jscpd-report.json
+        cat filtered-jscpd-report.json
+
+    - name: Check if filtered jscpd report exists
+      id: check_filtered_report
+      run: |
+        if [ $(wc -l < ./filtered-jscpd-report.json) -gt 1 ]; then
+          echo "filtered_report_exists=true" >> $GITHUB_ENV
+        else
+          echo "filtered_report_exists=false" >> $GITHUB_ENV
+        fi
+
+    - name: Upload filtered jscpd report
+      if: env.filtered_report_exists == 'true'
+      uses: actions/upload-artifact@v4
+      with:
+        name: filtered-jscpd-report
+        path: ./filtered-jscpd-report.json
+
+    - name: Post GitHub comment
+      if: env.filtered_report_exists == 'true'
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          const filteredReport = JSON.parse(fs.readFileSync('filtered-jscpd-report.json', 'utf8'));
+          let comment = "Whoa there, partner! 🌵🤠 We wrangled some duplicated code in your PR:\n\n";
+          function link(dup) {
+             return `https://github.com/${{ github.event.repository.full_name }}/blob/${{ github.event.pull_request.head.sha }}/${dup.name}#L${dup.start + 1}-L${dup.end - 1}`
+          }
+          filteredReport.forEach(duplication => {
+            const firstFile = duplication.firstFile;
+            const secondFile = duplication.secondFile;
+            const lines = duplication.lines;
+            comment += `- [\`${firstFile.name}\`](${link(firstFile)}) has ${lines} duplicated lines with [\`${secondFile.name}\`](${link(secondFile)})\n`;
+          });
+          comment += "\nReducing code duplication by importing common functions from a library not only makes our code cleaner but also easier to maintain. Please move the common code from both files into a library and import it in each. We hate that we have to mention this, however, commits designed to hide from this utility by renaming variables or reordering an object are poor conduct. We will not look upon them kindly! Keep up the great work! 🚀";
+          github.rest.issues.createComment({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+            body: comment
+          });
+
+    - name: Fail if duplications are found
+      if: env.filtered_report_exists == 'true'
+      run: |
+        echo "Duplications found, failing the check."
+        exit 1