[dev] [Marfuen] mariano/fix-vendor-subdomain-url-filtering#2337
extractVendorDomain only stripped the www. prefix, so a vendor website like https://app.slack.com yielded app.slack.com as the domain. This caused validateVendorUrl to reject valid URLs on the parent domain (slack.com/privacy) or sibling subdomains (trust.slack.com). Now uses tldts to extract the root registrable domain correctly. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
PR Summary
Medium Risk
Overview
Expands tests to cover root-domain extraction from subdomains, multi-level subdomains, and two-part TLDs, and to ensure
Written by Cursor Bugbot for commit 53c9e13.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
| /^https?:\/\//i.test(website) ? website : `https://${website}`, | ||
| ); | ||
| return urlObj.hostname.toLowerCase().replace(/^www\./, ''); | ||
| const domain = getDomain(urlObj.hostname); |
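Review bot: `getDomain(urlObj.hostname)` on the last line can return null (tldts does so for IP-address hosts, for example), and the lines shown here end before any handling of that case. If no fallback follows, keep the previous behaviour for it, e.g. `return domain ?? urlObj.hostname.toLowerCase().replace(/^www\./, '');`, and add a test with an IP-address vendor website.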
Shared hosting domains get overly broad domain extraction
Low Severity
getDomain from tldts defaults to allowPrivateDomains: false, so for vendors on shared hosting platforms (e.g., myapp.github.io, myapp.netlify.app), it returns the platform domain (github.io) instead of the tenant-specific domain (myapp.github.io). This would cause isUrlFromVendorDomain to accept URLs from any tenant on that shared platform, weakening URL validation compared to the previous behavior which preserved the full hostname (minus www.).
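The scoping difference described in the review comment above, as an added example that is not part of the PR or the project's code: a simplified registrable-domain lookup over a small constructed suffix list (not tldts itself), checked with and without private suffixes. The names `registrableDomain`, `isUrlFromDomain` and `validate` are hypothetical.

```javascript
// Constructed excerpt of the Public Suffix List; the real list is far larger
// and also has wildcard and exception rules, which this sketch ignores.
const ICANN_SUFFIXES = new Set(['com', 'io', 'app', 'uk', 'co.uk']);
const PRIVATE_SUFFIXES = new Set(['github.io', 'netlify.app']);

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(hostname, { allowPrivateDomains = false } = {}) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const isSuffix = ICANN_SUFFIXES.has(candidate) ||
      (allowPrivateDomains && PRIVATE_SUFFIXES.has(candidate));
    if (isSuffix) {
      // A bare suffix has no registrable domain.
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null; // no known suffix, e.g. localhost or an IP address
}

// Hypothetical stand-in for the PR's URL check: exact host or a subdomain of it.
function isUrlFromDomain(url, vendorDomain) {
  const host = new URL(url).hostname.toLowerCase();
  return host === vendorDomain || host.endsWith('.' + vendorDomain);
}

// Derive the vendor's domain from its website, then test a research URL against it.
function validate(vendorWebsite, candidateUrl, options) {
  const vendorDomain = registrableDomain(new URL(vendorWebsite).hostname, options);
  return vendorDomain !== null && isUrlFromDomain(candidateUrl, vendorDomain);
}

// Constructed sample inputs.
const cases = [
  ['https://app.slack.com', 'https://trust.slack.com/security'],
  ['https://myapp.github.io', 'https://myapp.github.io/privacy'],
  ['https://myapp.github.io', 'https://other-tenant.github.io/privacy'],
];
for (const [site, url] of cases) {
  console.log(site, url,
    'icann-only:', validate(site, url, { allowPrivateDomains: false }),
    'with-private:', validate(site, url, { allowPrivateDomains: true }));
}
```

Only the third case changes between the two modes: with ICANN suffixes alone the other tenant's URL is accepted, and with private suffixes included it is rejected.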
# [3.10.0](v3.9.0...v3.10.0) (2026-03-19)

### Bug Fixes

* **integrations:** filter GWS employee sync by organizational units ([#2336](#2336)) ([e3a9867](e3a9867))
* **portal:** show Company Forms section even when all tasks are completed ([#2334](#2334)) ([5661cd6](5661cd6))
* **vendors:** extract root domain from subdomain vendor websites ([#2337](#2337)) ([8c6865b](8c6865b))
* **vendors:** validate vendor research URLs belong to correct domain ([#2335](#2335)) ([37a9813](37a9813))

### Features

* **people:** add Agent Installed column and hide deactivated users by default ([#2331](#2331)) ([67041ab](67041ab))
🎉 This PR is included in version 3.10.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀


This is an automated pull request to merge mariano/fix-vendor-subdomain-url-filtering into dev.
It was created by the [Auto Pull Request] action.