Forums Bug Reports Thread

Served app.min.js is stale relative to app.js — minified bundle still contains native alert() removed by the a11y sweep

Patrick Bass · Jun 6 · 12 · 1 Locked
[Minor] [Normal Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 6:25pm

Area: mobieusHelp (audit p7) · Surface: Global JS bundle served on all platform surfaces (incl. mobieusHelp agent/admin pages via layouts/admin.php and base.php) · Dimension: Law 1 / native-dialog ban — served bundle staleness · Severity: minor

The native-dialog ban is correctly honored in the helpdesk PHP templates (all destructive actions use data-confirm; verified zero raw confirm/alert/prompt in templates/helpdesk). But the globally served minified JS bundle predates the native-dialog cleanup and still ships two native alert() calls. The bundle is a gitignored build artifact, so a deploy must rerun bin/build-assets.php for the fix to reach users. This is build/deploy hygiene rather than a source defect, and the specific alert() path (video upload via .wysiwyg-editor) is not reachable from a helpdesk surface — but it is live everywhere the bundle loads.

Evidence

AssetHelper::resolve() prefers the .min sibling when present: platform/src/Helpers/AssetHelper.php:56 `if (is_file($diskMin)) { return $minPath . '?v=' . filemtime($diskMin); }`. layouts/admin.php:671 and layouts/base.php:587 call `AssetHelper::js('/js/app.js')`, so the on-disk app.min.js (mtime 2026-05-22 11:27) is what's actually served. That bundle still contains native dialogs: `grep -oE "alert\('[^']*'\)" public/js/app.min.js` → `alert('File is over 100 MB. …')` and `alert('Upload failed — try again.')` (app.min.js:382,384). The SOURCE app.js has already replaced these with App.toast (app.js:7877 `App.toast('File is over 100 MB. …','error')` and :7906 `App.toast('Upload failed — try again.','error')`). The a11y fix landed in app.js commit `9551d6bc platform(a11y): native-dialog sweep …` but app.min.js was last written by unrelated commit `16c7d655 B7-55: untrack runtime-mutable platform files` and is now gitignored (`git check-ignore public/js/app.min.js` → match), so it was never rebuilt after the sweep.

Suggested fix. Rebuild and redeploy app.min.js via bin/build-assets.php so the served bundle matches the post-a11y-sweep source; add a deploy step (or CI check) that fails if app.min.js is older than app.js to prevent this staleness recurring.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 5:44am

Resolved — fixed and deployed. Commit 059d6bf29b6f, shipped dev-first then to all tenants on 2026-06-06.

Served bundle /home/patrick/mobieus-io/platform/public/js/app.min.js was stale (May 22, 186861 bytes) vs post-a11y-sweep source app.js (Jun 6) — source had 37 aria/a11y markers, stale min had 19. Regenerated app.min.js from app.js using the same MatthiasMullie\Minify\JS minifier bin/build-assets.php uses, writing only to the assigned file. New bundle is 195394 bytes, dated newer than source, includes the a11y changes, passes node --check (valid, not truncated), and ends with a properly-closed IIFE.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

C64/xemu emulator error path uses native alert() (banned dialog)
Bug Reports · 1 replies · 11 views
Pending photo-tags review uses native confirm() and alert() (banned dialogs)
Bug Reports · 1 replies · 10 views
Photo album delete/share/tag flows use native confirm() and alert() (banned dialogs)
Bug Reports · 1 replies · 8 views
/admin/ai feature grid track min-width 360px overflows on <400px phones
Bug Reports · 1 replies · 13 views
[New] Monetization: No order-bump / upsell / bundle at course checkout (one product per checkout)
Feature Requests · 1 replies · 15 views

Log in or register to reply to this thread.