Playwright tests were timing out on CI because the Vite dev server was
listening on `http://localhost:5173/` but `playwright.config.ts` was
configured to wait for `http://127.0.0.1:5173/`. Node 17+ resolves
`localhost` to IPv6 (`::1`), causing Playwright's strict IPv4 wait
to time out.
This commit updates `playwright.config.ts` to use `http://localhost:5173`
for both `baseURL` and the `webServer.url`.
When triggering the uninstall process from the uninstall confirmation modal,
only the package name string was passed. This caused the backend to
default the origin to 'spark', which meant APM applications were incorrectly
attempted to be uninstalled using `aptss remove` instead of `apm remove`.
This commit changes the `remove-installed` ipc payload in
`UninstallConfirmModal.vue` to an object containing both `pkgname` and
`origin`, ensuring the backend correctly routes the uninstallation
through the APM package manager with `pkexec` when needed.
- Modify `queue-install` logic to wrap `apm` commands with `superUserCmd` and `SHELL_CALLER_PATH` when origin is apm.
- Update `remove-installed` to correctly execute `apm remove -y pkgname` with required privilege elevation when origin is apm.
- Add payload parsing logic in `uninstall-installed` handler to identify origin and apply correct `apm` uninstall command dynamically.
This block of code in `src/modules/processInstall.ts` was leftover debug
code and is no longer needed. Removing it improves the maintainability
and readability of the file.
Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>
Expanded the test suite for `removeDownloadItem` in `src/__tests__/unit/downloadStatus.test.ts` to include:
- Removing multiple items with the same pkgname.
- Handling non-matching and non-existent pkgnames.
- Removing from an empty list.
- Ensuring exact string matching.
- Removing items from the start, middle, and end of the list.
Introduced a `createMockDownload` helper to reduce boilerplate in tests.
Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>
- Set `shell: false` in `spawn` calls in `install-manager.ts` to prevent command injection.
- Updated `AGENTS.md` to use the secure `shell: false` pattern in examples.
- Removed `package-lock.json` from `.gitignore` to support reproducible builds.
- Updated GitHub Actions workflows to use `npm install` instead of `npm ci` as a robust fallback.
Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>
- Changed `shell: true` to `shell: false` in `spawn` calls within `electron/main/backend/install-manager.ts`.
- Updated `AGENTS.md` documentation to reflect the security best practice.
- Verified that the fix prevents command injection using a reproduction script.
Co-authored-by: vmomenv <51269338+vmomenv@users.noreply.github.com>
