fix: address security and resilience review findings

- Fix reflected XSS: replace innerHTML with DOM APIs in ARM64 link swap
- Verify GitHub asset exists (HEAD probe) before caching npm-resolved
  version, preventing broken redirects during npm/GitHub sync windows
- Make KV cache writes best-effort so transient KV errors don't fail
  otherwise valid requests
- Use github.paginate for staging deploy PR comment lookup to handle
  PRs with many comments

Author: fengmk2

.github/workflows/ci.yml

@@ -46,7 +46,7 @@ jobs:
           script: |
             const marker = '<!-- staging-deploy -->';
             const body = `${marker}\n✅ Staging deployment successful!\n\nPreview: https://vp-setup-staging.void.app/\nCommit: ${context.sha}`;
-            const { data: comments } = await github.rest.issues.listComments({
+            const comments = await github.paginate(github.rest.issues.listComments, {
               owner: context.repo.owner,
               repo: context.repo.repo,
               issue_number: context.issue.number,

routes/index.ts

@@ -76,10 +76,23 @@ async function getRelease(tag: string | undefined): Promise<CachedRelease | null
   const version = await fetchNpmDistTagVersion(DEFAULT_DIST_TAG);
   if (version) {
     const release = buildReleaseFromTag(`v${version}`);
-    await Promise.all([
-      kv.put(LATEST_CACHE_KEY, release, { ttl: LATEST_CACHE_TTL }),
-      kv.put(LATEST_STALE_KEY, release, { ttl: LATEST_CACHE_TTL + 3600 }),
-    ]);
+    // Verify asset exists before caching — npm may publish before GitHub release assets are ready
+    try {
+      const probe = await fetch(release.assets.x64!, { method: "HEAD", redirect: "manual" });
+      if (probe.status === 404) {
+        return kv.get<CachedRelease>(LATEST_STALE_KEY);
+      }
+    } catch {
+      // Network error checking asset — still serve the release, cache writes are best-effort below
+    }
+    try {
+      await Promise.all([
+        kv.put(LATEST_CACHE_KEY, release, { ttl: LATEST_CACHE_TTL }),
+        kv.put(LATEST_STALE_KEY, release, { ttl: LATEST_CACHE_TTL + 3600 }),
+      ]);
+    } catch (err) {
+      console.error("KV write failed:", err);
+    }
     return release;
   }
 
@@ -207,7 +220,12 @@ async function setupDownloadLink() {
   mainBtn.textContent = "Download for Windows (ARM64)";
 
   if (altEl && x64Url) {
-    altEl.innerHTML = 'Also available: <a href="' + x64Url + '" download>Windows x64</a>';
+    var link = document.createElement("a");
+    link.href = x64Url;
+    link.download = "";
+    link.textContent = "Windows x64";
+    altEl.textContent = "Also available: ";
+    altEl.appendChild(link);
   }
 }