The test name HTML escaping only handles < but not > or &. While > and & are less critical in this context since the content is inside an HTML element (not an attribute), it's still best practice to escape all HTML special characters to prevent potential XSS issues. Consider using the same comprehensive escaping pattern suggested for line 233.

Fixed in dbd1a42. Extracted to scripts/generate-test-results-html.cjs with a shared escapeHtml() function that escapes all five HTML special characters (&, <, >, ", ') for both test names and suite names.

The copy command uses cp -r builds/coverage/* which will fail if the builds/coverage directory exists but is empty, because the shell glob won't match anything. This could cause the entire command chain to fail if set -e is enabled in the shell. Consider using one of these more robust approaches:

1. Copy the entire directory: [ -d builds/coverage ] && cp -r builds/coverage docs/ || echo '...'
2. Use find for more control: [ -d builds/coverage ] && find builds/coverage -mindepth 1 -exec cp -r {} docs/coverage/ \; || echo '...'
3. Add explicit empty check: [ -d builds/coverage ] && [ -n "$(ls -A builds/coverage 2>/dev/null)" ] && cp -r builds/coverage/* docs/coverage/ || echo '...'

Fixed in dbd1a42. Added [ -n "$(ls -A ... 2>/dev/null)" ] checks to guard against empty directories causing glob failures.

The inline Node.js script doesn't have explicit error handling. If JSON parsing fails or file operations fail, the error will be printed to stderr but the shell will continue executing (the script won't exit non-zero). Consider wrapping the script in a try-catch or explicitly checking for errors:

node -e "
  try {
    const fs = require('fs');
    const data = JSON.parse(fs.readFileSync('docs/test-results/vitest-results.json', 'utf8'));
    // ... rest of script
  } catch (error) {
    console.error('Failed to generate unit test results HTML:', error.message);
    process.exit(1);
  }
" || echo "⚠️ Failed to generate unit test results HTML"

This ensures the workflow is aware if HTML generation fails.

Fixed in dbd1a42. Extracted to scripts/generate-test-results-html.cjs with try-catch that calls process.exit(1) on failure. The workflow step uses || echo "⚠️ ..." as a fallback.

The inline Node.js scripts for HTML generation (221-241 for unit tests, 244-258 for E2E tests) are becoming quite large and complex. Consider extracting these to separate script files (e.g., scripts/generate-test-html.js and scripts/generate-e2e-html.js) for better maintainability, testability, and reusability. This would also make error handling, formatting, and future enhancements easier to manage.

Benefits:

• Easier to test the HTML generation logic
• Better syntax highlighting and IDE support
• Simpler to add features (e.g., more sophisticated parsing, better formatting)
• Can be reused in other contexts (e.g., local development)
• Clearer separation of concerns in the workflow file

Fixed in dbd1a42. Extracted to scripts/generate-e2e-results-html.cjs with proper error handling, comprehensive HTML escaping, and clean template literal formatting.

The directory builds/test-results/ is hardcoded in the JSON reporter configuration. Since the reporters configuration is an array that can include multiple reporters, if someone adds a second JSON reporter in the future, there could be conflicts. Consider using a more descriptive filename or documenting that this path is coupled with the release workflow.

Alternatively, consider making this configurable via an environment variable:

['json', { outputFile: process.env.VITEST_JSON_OUTPUT || 'builds/test-results/vitest-results.json' }]

This would allow for easier testing and flexibility in different environments.

Fixed in dbd1a42. Now reads process.env.VITEST_JSON_OUTPUT || 'builds/test-results/vitest-results.json'.

The regex pattern /.*[\\/\\\\]/ is incorrect and will not match directory separators properly. The intent is to match either forward slash or backslash, but the pattern should be /.*[\/\\]/ instead. The current pattern [\\/\\\\] creates a character class containing backslash, forward slash, and two additional backslashes, which is redundant and confusing.

This should be: r.name.replace(/.*[\/\\]/, '') or the more portable: r.name.replace(/.*[\\/]/, '')

Fixed in dbd1a42. Simplified to r.name.replace(/.*[\\/]/, '') in the extracted script.

The duration calculation will produce NaN if any test result is missing endTime or startTime properties. Consider adding validation and a fallback:

const duration = ((data.testResults || []).reduce((a, r) => a + ((r.endTime || 0) - (r.startTime || 0)), 0) / 1000).toFixed(2);

Or better yet, filter out invalid entries before reducing:
const duration = ((data.testResults || []).filter(r => r.endTime && r.startTime).reduce((a, r) => a + (r.endTime - r.startTime), 0) / 1000).toFixed(2);

Fixed in dbd1a42. Now filters with typeof r.endTime === 'number' && typeof r.startTime === 'number' before reducing.

The test name HTML escaping only handles < but not other dangerous characters like >, &, ", and '. For complete XSS prevention in HTML content, all HTML special characters should be escaped. Consider using:

t.fullName.replace(/[&<>"']/g, m => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[m]))

Or at minimum add escaping for > and &:
t.fullName.replace(/[&<>]/g, m => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[m]))

Fixed in dbd1a42. The extracted escapeHtml() function handles all five characters: & → &, < → <, > → >, " → ", ' → '.

The tee command with PIPESTATUS correctly captures the exit code of the npm run e2e command before the pipe. However, there's a subtle issue: if the xvfb-run command itself fails (before npm run e2e even starts), the exit code won't be captured properly. Consider wrapping the entire xvfb-run command to ensure exit codes are preserved:

set -o pipefail
xvfb-run --auto-servernum --server-args="-screen 0 1280x720x24 -ac +extension GLX +extension RANDR +render -nolisten tcp" npm run e2e 2>&1 | tee builds/cypress/e2e-output.log
TEST_EXIT_CODE=$?
exit ${TEST_EXIT_CODE}

Or more concisely with the existing approach, explicitly check if xvfb-run succeeded:

if ! xvfb-run ... npm run e2e 2>&1 | tee builds/cypress/e2e-output.log; then
  TEST_EXIT_CODE=${PIPESTATUS[0]}
  exit ${TEST_EXIT_CODE:-1}
fi

Fixed in dbd1a42. Now uses set -o pipefail with $? capture after the pipeline, ensuring failures from both xvfb-run and npm run e2e are properly propagated.

Same issue as the unit test HTML generation - the inline Node.js script lacks explicit error handling. If JSON parsing or file operations fail, the error won't properly propagate to the workflow. Consider adding try-catch error handling similar to the suggestion for the unit test HTML generation script.

Fixed in dbd1a42. Extracted to scripts/generate-e2e-results-html.cjs with try-catch and process.exit(1) on failure.

The single quote is escaped as ''' but the canonical implementation in scripts/html-utils.js uses ''' (3-digit form). While both are valid HTML entities, this creates an inconsistency with the established pattern used throughout the codebase. Consider importing and using the escapeHtml function from scripts/html-utils.js instead of reimplementing it, which would ensure consistency and reduce duplication.

The single quote is escaped as ''' but the canonical implementation in scripts/html-utils.js uses ''' (3-digit form). While both are valid HTML entities, this creates an inconsistency with the established pattern used throughout the codebase. Consider importing and using the escapeHtml function from scripts/html-utils.js instead of reimplementing it, which would ensure consistency and reduce duplication.