fix: update npm dependencies and add Python tests

[Ven0m0]

Summary

This PR updates npm dependencies and adds test coverage:

Changes

• Fix package.json: Changed invalid "latest" version specifiers to "*" for npm dependencies
• Reinstall packages: Ran bun install to properly install 386 npm packages
• Added tests: Extended Python test coverage in test_deduplicate.py and test_update_lists.py
• Build directory: Added lists/sources/ directory needed by the build script
• CI workflow: Added dependabot-auto-merge.yml workflow

Test Results

• ✅ Python tests: 34/34 pass
• ✅ npm packages: All 386 packages installed successfully

Notes

• The build script (Scripts/build.sh) has pre-existing bugs (not caused by these changes):
  • Line 45 has a syntax error: "${! TOOLS[@]}" should be "${!TOOLS[@]}"
  • Line 32 has an unbound variable issue with set -u
• JavaScript linting shows 9 pre-existing errors in userscripts/src/web-pro.user.js

[aviator-app]

Current Aviator status

Aviator will automatically update this comment as the status of the PR changes.
Comment /aviator refresh to force Aviator to re-examine your PR (or learn about other /aviator commands).

This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.

---

See the real-time status of this PR on the Aviator webapp.

Use the Aviator Chrome Extension to see the status of your PR within GitHub.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the project's robustness and adblocking capabilities by updating JavaScript dependencies to more flexible version specifiers and adding comprehensive Python test coverage for core list processing logic. Furthermore, it significantly expands the collection of adblock filter lists, improving content filtering across various online platforms.

Highlights

• Dependency Updates: Updated npm dependencies in package.json and bun.lock from 'latest' to '*' and specific versions for flatted and katex, followed by a successful reinstallation of 386 packages.
• Expanded Python Test Coverage: Added new unit tests for is_header, is_valid_rule, count_rules, and load_sources functions in test_deduplicate.py and test_update_lists.py.
• New Adblock Filter Lists: Introduced a new lists/sources/ directory containing numerous adblock filter lists for various platforms and purposes, including general, Reddit, search engines, Spotify, Twitch, Twitter, and YouTube.
• CI Workflow Addition: Added a dependabot-auto-merge.yml workflow to the CI configuration.

Changelog

• Scripts/test_deduplicate.py
  • Imported is_header and is_valid_rule functions for testing.
  • Added test_is_header to validate header detection logic.
  • Added test_is_valid_rule to verify adblock rule validity, including length and domain patterns.
• Scripts/test_update_lists.py
  • Imported count_rules and load_sources functions for testing.
  • Added test_count_rules to verify accurate counting of adblock rules in various content formats.
  • Added test_load_sources_template_creation to ensure correct generation of source configuration templates.
  • Added test_load_sources_existing_config to confirm proper loading and filtering of existing source configurations.
• bun.lock
  • Updated version specifiers for numerous development dependencies from 'latest' to '*'.
  • Updated flatted dependency from version 3.3.4 to 3.4.0.
  • Updated katex dependency from version 0.16.37 to 0.16.38.
• lists/sources/Combination-Minimal.txt
  • Added a new adblock filter list for minimal adblocking.
• lists/sources/Combination-desktop.txt
  • Added a new adblock filter list tailored for desktop environments.
• lists/sources/Combination-mobile.txt
  • Added a new adblock filter list specifically for mobile environments.
• lists/sources/Combination.txt
  • Added a new comprehensive adblock filter list.
• lists/sources/General.txt
  • Added a new adblock filter list containing general rules.
• lists/sources/Other.txt
  • Added a new adblock filter list for uncategorized blocks.
• lists/sources/Reddit.txt
  • Added a new adblock filter list to improve the Reddit browsing experience.
• lists/sources/Search-Engines.txt
  • Added a new adblock filter list targeting search engine annoyances.
• lists/sources/Spotify.txt
  • Added a new adblock filter list for Spotify-specific blocks.
• lists/sources/Twitch.txt
  • Added a new adblock filter list to enhance the Twitch experience.
• lists/sources/Twitter.txt
  • Added a new adblock filter list for Twitter-specific tweaks.
• lists/sources/Youtube.txt
  • Added a new adblock filter list to improve the YouTube experience.
• lists/sources/antiadblock.txt
  • Added a new adblock filter list to counter anti-adblock measures.
• lists/sources/dynamic-rules.txt
  • Added a new adblock filter list containing dynamic rules.
• lists/sources/exp.txt
  • Added a new adblock filter list for experimental filters.
• lists/sources/fanboy-anti-font.txt
  • Added a new adblock filter list to block third-party fonts.
• lists/sources/lan-block.txt
  • Added a new adblock filter list to prevent LAN intrusion.
• lists/sources/ublock-filters.txt
  • Added a new adblock filter list optimized for uBO Lite.
• package.json
  • Updated version specifiers for numerous development dependencies from 'latest' to '*'.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/dependabot-auto-merge.yml

Activity

• Python tests were executed successfully, with 34 out of 34 tests passing.
• All 386 npm packages were installed successfully after dependency updates.
• Noted pre-existing bugs in the Scripts/build.sh script, including a syntax error and an unbound variable issue.
• Identified 9 pre-existing JavaScript linting errors in userscripts/src/web-pro.user.js.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[kilo-code-bot]

CRITICAL: Dependency version pins removed - using * instead of specific versions

Changing all devDependencies from latest or specific versions to * (wildcard) breaks reproducibility and introduces risk of breaking changes. A major version update (e.g., biome 2.x to 3.x) could break builds.

Consider using semver ranges like "^2.4.6" to allow minor/patch updates while preventing major version bumps.

[kilo-code-bot]

WARNING: Same wildcard version issue - any version could be installed including breaking changes

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

WARNING: Was pinned to 2.4.6, now accepts any version including major updates that may have breaking changes

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

WARNING: Same wildcard version issue

[kilo-code-bot]

Code Review Summary

Status: 1 Critical Issue Found | Recommendation: Address before merge

Overview

Severity	Count
CRITICAL	1
WARNING	13
SUGGESTION	0

Issue Details (click to expand)

CRITICAL

File	Line	Issue
package.json	35-48	All devDependencies changed from latest or specific versions to * (wildcard) - breaks reproducibility and allows major version bumps that may contain breaking changes

Recommended Fix:
Use semver ranges instead of wildcards:

• Keep existing pinned versions: "@biomejs/biome": "2.4.6"
• Or use caret ranges: "@biomejs/biome": "^2.4.6" to allow minor/patch updates
• Avoid * which accepts ANY version including major updates

Other Observations (not in diff)

No additional issues found in unchanged code.

Files Reviewed (6 files)

• .github/workflows/dependabot-auto-merge.yml - No issues (new workflow for auto-merging Dependabot PRs)
• Scripts/test_deduplicate.py - No issues (new tests for is_header and is_valid_rule functions)
• Scripts/test_update_lists.py - No issues (new tests for count_rules and load_sources functions)
• package.json - CRITICAL: Dependency version pins removed
• lists/sources/exp.txt - No issues (new experimental filter list)
• lists/sources/fanboy-anti-font.txt - No issues (new anti-font filter list)
• lists/sources/lan-block.txt - No issues (new LAN block filter list)
• lists/sources/ublock-filters.txt - No issues (new uBO Lite filters)

---

Summary: The primary concern is the package.json change removing version pins. All other changes (new CI workflow, new tests, new filter lists) appear sound. Using semver ranges like "^2.4.6" instead of "*" would maintain backward compatibility while still allowing patch updates.

[gemini-code-assist]

Code Review

This pull request updates npm dependencies, adds a significant number of Python tests, and introduces new source filter lists. The changes to package.json correctly resolve dependency version specifiers, and the new Python tests in test_deduplicate.py and test_update_lists.py greatly improve test coverage. A security review identified a critical DOM-based XSS vulnerability in one of the new experimental filters (lists/sources/exp.txt). Additionally, the code review highlighted opportunities to improve code style by moving imports to the top of Python test files, and noted that several newly added filter list files have an incorrect header format, which could cause parsing issues with ad blockers.

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The Adblock Plus header [Adblock Plus 2.0] is a special directive that must not be commented out. By prefixing it with !, you are turning it into a regular comment, which may cause ad blockers to misinterpret the file. Please remove the leading !.

[Adblock Plus 2.0]

References

1. The style guide specifies AdGuard/uBlock Origin syntax for filter lists (line 177). The [Adblock Plus 2.0] header is a required part of this syntax and should not be treated as a regular comment (line 179). ^(link)

[gemini-code-assist]

The JavaScript filter (scriptlet) added to this file contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The script extracts URLs from data-amp-cur, data-amp, and data-message attributes of elements on the page and uses them as sinks for document.location.href and element.setAttribute("href", ...) without proper validation.

Specifically, in the s function, the value of data-amp-cur or data-amp is passed to the l function, which sets it as the href and uses it for redirection. If an attacker can control these attributes on a page where this script runs (e.g., via content injection), they can execute arbitrary JavaScript (e.g., by using a javascript: URL).

Remediation:
Before using the extracted URL in a sensitive sink, validate that it uses a safe protocol (e.g., http: or https:) using the existing regex a = /^https?:\/\/.+/i defined in the script.

[gemini-code-assist]

According to PEP 8 style guidelines, imports should be placed at the top of the file. The import tempfile and import json statements are defined inside this test method and also repeated in test_load_sources_existing_config. To improve code readability and maintainability, please move these imports to the top-level import section of the file.

[Copilot]

Pull request overview

This PR updates JS tooling dependencies and expands Python test coverage while adding several new adblock list source files and an auto-merge workflow for Dependabot.

Changes:

• Replace "latest" dependency specifiers with "*" and update bun.lock accordingly
• Add new filter list source files under lists/sources/ and combination include files
• Extend Python unit tests and introduce a GitHub Actions workflow to auto-merge Dependabot PRs

Reviewed changes

Copilot reviewed 22 out of 23 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
package.json	Switches devDependency version specifiers to "*"
bun.lock	Updates lockfile to match dependency spec changes and new resolved versions
lists/sources/ublock-filters.txt	Adds a new uBO Lite filter source file
lists/sources/lan-block.txt	Adds a LAN-blocking source list with preprocessor directives
lists/sources/fanboy-anti-font.txt	Adds Fanboy anti-font source list
lists/sources/exp.txt	Adds an experimental filter list source
lists/sources/dynamic-rules.txt	Adds a large dynamic rules source list
lists/sources/antiadblock.txt	Adds an anti-adblock source list
lists/sources/Youtube.txt	Adds YouTube tweak rules, including preprocessor directives
lists/sources/Twitter.txt	Adds Twitter tweak rules source list
lists/sources/Twitch.txt	Adds Twitch tweak rules source list
lists/sources/Spotify.txt	Adds Spotify blocklist source list
lists/sources/Search-Engines.txt	Adds search-engine related filters source list
lists/sources/Reddit.txt	Adds Reddit annoyance rules source list
lists/sources/Other.txt	Adds a large uncategorized rules source list
lists/sources/General.txt	Adds general rules source list
lists/sources/Combination.txt	Adds combined “full” include list
lists/sources/Combination-mobile.txt	Adds combined “mobile minimal” include list
lists/sources/Combination-desktop.txt	Adds combined “desktop minimal” include list
lists/sources/Combination-Minimal.txt	Adds combined “minimal” include list
Scripts/test_update_lists.py	Adds tests for count_rules and load_sources behaviors
Scripts/test_deduplicate.py	Adds tests for is_header and is_valid_rule
.github/workflows/dependabot-auto-merge.yml	Adds workflow to auto-merge Dependabot PRs after checks pass

Comments suppressed due to low confidence (1)

lists/sources/Other.txt:1

• Correct spelling/capitalization in comments: tranlate → translate, and Github → GitHub (including GitHub Copilot).

! [Adblock Plus 2.0]

[Copilot]

listCommitStatusesForRef()returns commit statuses with astatefield (e.g.,success, failure, pending), not a conclusion field. As written, every commit status will be treated as “failed” (undefined !== 'success'), and “pending” detection won’t work. Fix by branching logic: evaluate checks.check_runsusingstatus/conclusion, and evaluate commit statuses using state(and treatpending/error/failureappropriately). Also,status: 'completed'` means you never see in-progress check runs, so the “wait” loop will not actually wait for checks to complete.

[Copilot]

This job is configured to trigger on pull_request_review and workflow_dispatch, but the job-level if restricts execution to github.event_name == 'pull_request' only. That makes the review-trigger and manual-dispatch paths no-ops. Update the condition to allow the intended events (and use the correct payload path for each event type) so the workflow can run when a review is submitted or when manually triggered.

Suggested change

	# Only run for Dependabot PRs
	if: |
	github.event_name == 'pull_request' &&
	github.event.pull_request.user.login == 'dependabot[bot]'
	# Only run for Dependabot PRs and intended events
	if: |
	(github.event_name == 'pull_request' &&
	github.event.pull_request.user.login == 'dependabot[bot]') ||
	(github.event_name == 'pull_request_review' &&
	github.event.pull_request.user.login == 'dependabot[bot]') ||
	github.event_name == 'workflow_dispatch'

[Copilot]

Filter list preprocessor directives are recognized when the line starts with !#.... The !!#... lines are comments and will not be processed as directives, leaving !#else / !#endif potentially unmatched and causing preprocess/compile failures (or incorrect conditional behavior). Replace !!#... with !#... or remove the dangling !#else/!#endif block so directives are properly balanced.

Suggested change

	!!#endif
	!!#if cap_html_filtering
	!#endif
	!#if cap_html_filtering

[Copilot]

The preprocessor directives appear unbalanced/contradictory: an !#endif is immediately followed by !#if !cap_ipaddress and then another !#if cap_ipaddress without an intervening !#else or corresponding closing directives later in the file. This can break preprocessing or lead to unintended rule inclusion. Adjust the conditional structure so !#if/!#else/!#endif blocks are correctly nested and balanced.

[Copilot]

Using "*" for all devDependencies removes meaningful version constraints and can lead to non-reproducible installs if the lockfile is not honored (or if tooling reads package.json directly). Prefer pinning versions (exact or caret/range) and letting Dependabot update them, or keep explicit dist-tags where appropriate, so dependency intent is clear and upgrades are controlled.

Suggested change

	"@adguard/aglint": "*",
	"@adguard/dead-domains-linter": "*",
	"@adguard/hostlist-compiler": "*",
	"@biomejs/biome": "*",
	"@eslint/js": "*",
	"@microsoft/eslint-formatter-sarif": "*",
	"@types/bun": "*",
	"esbuild": "*",
	"eslint": "*",
	"globals": "*",
	"markdownlint-cli2": "*",
	"oxfmt": "*",
	"oxlint": "*",
	"terser": "*"
	"@adguard/aglint": "^1.0.0",
	"@adguard/dead-domains-linter": "^1.0.0",
	"@adguard/hostlist-compiler": "^1.0.0",
	"@biomejs/biome": "^1.0.0",
	"@eslint/js": "^1.0.0",
	"@microsoft/eslint-formatter-sarif": "^1.0.0",
	"@types/bun": "^1.0.0",
	"esbuild": "^1.0.0",
	"eslint": "^1.0.0",
	"globals": "^1.0.0",
	"markdownlint-cli2": "^1.0.0",
	"oxfmt": "^1.0.0",
	"oxlint": "^1.0.0",
	"terser": "^1.0.0"

[Copilot]

Correct spelling/capitalization in comments: tranlate → translate, and Github → GitHub (including GitHub Copilot).