fix: make security and DX improvements, cast ids to strings; add static example

[codfish]

Summary by CodeRabbit

• New Features

  • Added a new Static example service for serving custom static files and a custom static index page.

• Documentation

  • Clarified IDs must be strings; expanded STATIC option and examples; added DEPENDENCIES security caution.

• Bug Fixes

  • Validation to prevent unsafe static paths; converted example/fixture IDs to string types.

• Chores

  • Docker image/run improvements and updated container ignore list.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3343852b-a2a8-4f88-aef7-8802fd90251c

📥 Commits

Reviewing files that changed from the base of the PR and between a42dd84 and a39fcfc.

📒 Files selected for processing (1)

• server.js

---

📝 Walkthrough

Walkthrough

Adds corepack and tini to the Docker setup, updates .dockerignore, introduces a new static docker-compose service and static example files, converts numeric IDs to strings across examples, adds STATIC path validation and dependency-install handling in server.js, and adjusts tsconfig and README documentation.

Changes

Cohort / File(s)	Summary
Docker config & ignore ​.dockerignore, Dockerfile	Added ignore entries; set COREPACK_HOME, enabled corepack, installed tini, adjusted image build to install corepack deps and run as non-root with tini as ENTRYPOINT.
Compose: static service docker-compose.yml	Added new top-level static service (build: ., volumes mapping server/middleware/db/public, port 9993, env PORT/VIRTUAL_HOST).
Examples — data & static site examples/static/db.json, examples/static/public/index.html, examples/.../db.json	Added static example data and HTML index; converted IDs to strings in several example JSON db files.
Examples — JS data db.js, examples/deps/db.js	Switched programmatic IDs to strings/UUIDs (UUID in root db.js; stringified numeric ids in examples/deps).
Server logic server.js	Changed DEPENDENCIES handling to pass array to pnpm add; validated STATIC path (rejects '..' or leading '/'), logs and exits on invalid input; appends valid STATIC to staticDirs.
TypeScript config tsconfig.json	Updated exclude globs to use /** patterns and removed the @/* path alias mapping.
Documentation README.md	Expanded notes on string IDs, STATIC option, added CAUTION for DEPENDENCIES, added Static example and Docker Compose usage, minor copy edits.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat!: upgrade to json-server v1 (beta.12), maintain js/ts file support  #131 — overlaps on Dockerfile, server.js, docker-compose.yml and example DB changes (corepack/pnpm and STATIC handling).

Poem

🐰
Strings in pockets, hopping light,
Tini guards the container night,
Static doors now checked and keyed,
UUIDs dance — no numbers bleed,
I nibble docs and cheer this flight. 🥕

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: security improvements (DEPENDENCIES warning, path validation), DX improvements (Docker optimizations, corepack), ID casting to strings, and a new static example.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/address-issues

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🚀 PR build published. Run docker run -p 3000:3000 codfish/json-server@sha256:05bd83ab2b82645bd245e272635df1858de125a11acb0516021952fcc514c756

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker-compose.yml`:
- Around line 71-76: The new Docker service mounts example assets to /app/public
but doesn't tell server.js to serve them; add an environment variable
STATIC=public to the service's environment block (alongside PORT and
VIRTUAL_HOST) so server.js knows to serve the /app/public directory; update the
service's environment section to include STATIC: public to ensure server.js
serves static files from /app/public.

In `@server.js`:
- Around line 70-76: The current validation on the STATIC variable only checks
for '..' and still allows absolute paths; update the check around the staticPath
variable (before pushing into staticDirs) to also reject absolute paths (use
Node's path.isAbsolute(staticPath) or check for leading '/' and Windows
drive-letter patterns) and log a clear error message then exit if the path is
absolute or contains '..'; ensure the same processLogger/console.error and
process.exit(1) behavior is used so staticDirs.push(staticPath) only runs for
safe, non-absolute, non-traversal paths.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 61b0eb53-286e-4580-a594-e66192916e03

📥 Commits

Reviewing files that changed from the base of the PR and between 74d1f44 and a42dd84.

⛔ Files ignored due to path filters (1)

• examples/static/public/image.png is excluded by !**/*.png

📒 Files selected for processing (12)

• .dockerignore
• Dockerfile
• README.md
• db.js
• docker-compose.yml
• examples/deps/db.js
• examples/json/db.json
• examples/middlewares/db.json
• examples/static/db.json
• examples/static/public/index.html
• server.js
• tsconfig.json