Apply patches: Update pnpm-lock.yaml and fix security vulnerabilities in Trustpilot integration

Author: Afstkla

components/trustpilot/actions/fetch-product-review-by-id/fetch-product-review-by-id.mjs

@@ -3,8 +3,9 @@ import trustpilot from "../../app/trustpilot.app.ts";
 export default {
   key: "trustpilot-fetch-product-review-by-id",
   name: "Fetch Product Review by ID",
-  description: "Fetch a specific product review by its ID. [See the documentation](https://developers.trustpilot.com/product-reviews-api#get-private-product-review)",
+  description: "Retrieves detailed information about a specific product review on Trustpilot. Use this action to get comprehensive data about a single product review, including customer feedback, star rating, review text, and metadata. Perfect for analyzing individual customer experiences, responding to specific feedback, or integrating review data into your customer service workflows. [See the documentation](https://developers.trustpilot.com/product-reviews-api#get-private-product-review)",
   version: "0.0.1",
+  publishedAt: "2025-07-18T00:00:00.000Z",
   type: "action",
   props: {
     trustpilot,
@@ -24,7 +25,7 @@ export default {
       });
 
       $.export("$summary", `Successfully fetched product review ${reviewId}`);
-      
+
       return {
         review,
         metadata: {
@@ -36,4 +37,4 @@ export default {
       throw new Error(`Failed to fetch product review: ${error.message}`);
     }
   },
-};
+};

components/trustpilot/actions/fetch-product-reviews/fetch-product-reviews.mjs

@@ -3,8 +3,9 @@ import trustpilot from "../../app/trustpilot.app.ts";
 export default {
   key: "trustpilot-fetch-product-reviews",
   name: "Fetch Product Reviews",
-  description: "Fetch product reviews for a business unit. [See the documentation](https://developers.trustpilot.com/product-reviews-api#get-private-product-reviews)",
+  description: "Retrieves a list of product reviews for a specific business unit on Trustpilot. This action enables you to fetch multiple product reviews with powerful filtering options including star ratings, language, tags, and sorting preferences. Ideal for monitoring product feedback trends, generating reports, analyzing customer sentiment across your product catalog, or building review dashboards. Supports pagination for handling large review volumes. [See the documentation](https://developers.trustpilot.com/product-reviews-api#get-private-product-reviews)",
   version: "0.0.1",
+  publishedAt: "2025-07-18T00:00:00.000Z",
   type: "action",
   props: {
     trustpilot,
@@ -83,10 +84,12 @@ export default {
         offset,
       });
 
-      const { reviews, pagination } = result;
+      const {
+        reviews, pagination,
+      } = result;
 
       $.export("$summary", `Successfully fetched ${reviews.length} product review(s) for business unit ${businessUnitId}`);
-      
+
       return {
         reviews,
         pagination,
@@ -106,4 +109,4 @@ export default {
       throw new Error(`Failed to fetch product reviews: ${error.message}`);
     }
   },
-};
+};

components/trustpilot/actions/fetch-service-review-by-id/fetch-service-review-by-id.mjs

@@ -3,8 +3,9 @@ import trustpilot from "../../app/trustpilot.app.ts";
 export default {
   key: "trustpilot-fetch-service-review-by-id",
   name: "Fetch Service Review by ID",
-  description: "Fetch a specific service review by its ID. [See the documentation](https://developers.trustpilot.com/business-units-api#get-business-unit-review)",
+  description: "Retrieves detailed information about a specific service review for your business on Trustpilot. Use this action to access comprehensive data about an individual service review, including the customer's rating, review content, date, and any responses. Essential for customer service teams to analyze specific feedback, track review history, or integrate individual review data into CRM systems and support tickets. [See the documentation](https://developers.trustpilot.com/business-units-api#get-business-unit-review)",
   version: "0.0.1",
+  publishedAt: "2025-07-18T00:00:00.000Z",
   type: "action",
   props: {
     trustpilot,
@@ -34,7 +35,7 @@ export default {
       });
 
       $.export("$summary", `Successfully fetched service review ${reviewId} for business unit ${businessUnitId}`);
-      
+
       return {
         review,
         metadata: {
@@ -47,4 +48,4 @@ export default {
       throw new Error(`Failed to fetch service review: ${error.message}`);
     }
   },
-};
+};

components/trustpilot/actions/fetch-service-reviews/fetch-service-reviews.mjs

@@ -3,9 +3,10 @@ import trustpilot from "../../app/trustpilot.app.ts";
 export default {
   key: "trustpilot-fetch-service-reviews",
   name: "Fetch Service Reviews",
-  description: "Fetch service reviews for a business unit. [See the documentation](https://developers.trustpilot.com/business-units-api#get-business-unit-reviews)",
+  description: "Fetches service reviews for a specific business unit from Trustpilot with support for filtering by star rating, tags, language, and more. [See the documentation](https://developers.trustpilot.com/business-units-api#get-business-unit-reviews)",
   version: "0.0.1",
   type: "action",
+  publishedAt: "2025-07-18T00:00:00.000Z",
   props: {
     trustpilot,
     businessUnitId: {
@@ -83,10 +84,12 @@ export default {
         offset,
       });
 
-      const { reviews, pagination } = result;
+      const {
+        reviews, pagination,
+      } = result;
 
       $.export("$summary", `Successfully fetched ${reviews.length} service review(s) for business unit ${businessUnitId}`);
-      
+
       return {
         reviews,
         pagination,
@@ -106,4 +109,4 @@ export default {
       throw new Error(`Failed to fetch service reviews: ${error.message}`);
     }
   },
-};
+};

components/trustpilot/actions/reply-to-product-review/reply-to-product-review.mjs

@@ -3,8 +3,9 @@ import trustpilot from "../../app/trustpilot.app.ts";
 export default {
   key: "trustpilot-reply-to-product-review",
   name: "Reply to Product Review",
-  description: "Reply to a product review on behalf of your business. [See the documentation](https://developers.trustpilot.com/product-reviews-api#reply-to-product-review)",
+  description: "Posts a public reply to a product review on Trustpilot on behalf of your business. This action allows you to respond to customer feedback, address concerns, thank customers for positive reviews, or provide additional information about products. Replies help demonstrate your commitment to customer satisfaction and can improve your overall reputation. Note that replies are publicly visible and cannot be edited once posted. [See the documentation](https://developers.trustpilot.com/product-reviews-api#reply-to-product-review)",
   version: "0.0.1",
+  publishedAt: "2025-07-18T00:00:00.000Z",
   type: "action",
   props: {
     trustpilot,
@@ -37,7 +38,7 @@ export default {
       });
 
       $.export("$summary", `Successfully replied to product review ${reviewId}`);
-      
+
       return {
         success: true,
         reply: result,
@@ -51,4 +52,4 @@ export default {
       throw new Error(`Failed to reply to product review: ${error.message}`);
     }
   },
-};
+};

components/trustpilot/actions/reply-to-service-review/reply-to-service-review.mjs

@@ -3,8 +3,9 @@ import trustpilot from "../../app/trustpilot.app.ts";
 export default {
   key: "trustpilot-reply-to-service-review",
   name: "Reply to Service Review",
-  description: "Reply to a service review on behalf of your business. [See the documentation](https://developers.trustpilot.com/business-units-api#reply-to-review)",
+  description: "Posts a public reply to a service review on Trustpilot on behalf of your business. This action enables you to engage with customers who have reviewed your services, allowing you to address complaints, clarify misunderstandings, express gratitude for positive feedback, or provide updates on how you're improving based on their input. Professional responses to reviews can significantly impact your business reputation and show potential customers that you value feedback. Remember that all replies are permanent and publicly visible. [See the documentation](https://developers.trustpilot.com/business-units-api#reply-to-review)",
   version: "0.0.1",
+  publishedAt: "2025-07-18T00:00:00.000Z",
   type: "action",
   props: {
     trustpilot,
@@ -45,7 +46,7 @@ export default {
       });
 
       $.export("$summary", `Successfully replied to service review ${reviewId}`);
-      
+
       return {
         success: true,
         reply: result,
@@ -60,4 +61,4 @@ export default {
       throw new Error(`Failed to reply to service review: ${error.message}`);
     }
   },
-};
+};

components/trustpilot/app/trustpilot.app.ts

@@ -1,5 +1,6 @@
 import { defineApp } from "@pipedream/types";
 import { axios } from "@pipedream/platform";
+import crypto from "crypto";
 import { 
   BASE_URL, 
   ENDPOINTS, 
@@ -20,6 +21,7 @@ import {
   formatQueryParams,
   parseApiError,
   sleep,
+  sanitizeInput,
 } from "../common/utils.mjs";
 
 export default defineApp({
@@ -305,11 +307,20 @@ export default defineApp({
         throw new Error("Reply message is required");
       }
 
+      // Sanitize and validate message length (Trustpilot limit is 5000 characters)
+      const sanitizedMessage = sanitizeInput(message, 5000);
+      if (sanitizedMessage.length === 0) {
+        throw new Error("Reply message cannot be empty after sanitization");
+      }
+      if (message.length > 5000) {
+        console.warn("Reply message was truncated to 5000 characters");
+      }
+
       const endpoint = buildUrl(ENDPOINTS.REPLY_TO_SERVICE_REVIEW, { businessUnitId, reviewId });
       const response = await this._makeRequest({
         endpoint,
         method: "POST",
-        data: { message },
+        data: { message: sanitizedMessage },
       });
       return response;
     },
@@ -377,11 +388,20 @@ export default defineApp({
         throw new Error("Reply message is required");
       }
 
+      // Sanitize and validate message length (Trustpilot limit is 5000 characters)
+      const sanitizedMessage = sanitizeInput(message, 5000);
+      if (sanitizedMessage.length === 0) {
+        throw new Error("Reply message cannot be empty after sanitization");
+      }
+      if (message.length > 5000) {
+        console.warn("Reply message was truncated to 5000 characters");
+      }
+
       const endpoint = buildUrl(ENDPOINTS.REPLY_TO_PRODUCT_REVIEW, { reviewId });
       const response = await this._makeRequest({
         endpoint,
         method: "POST",
-        data: { message },
+        data: { message: sanitizedMessage },
       });
       return response;
     },
@@ -437,11 +457,20 @@ export default defineApp({
         throw new Error("Reply message is required");
       }
 
+      // Sanitize and validate message length (Trustpilot limit is 5000 characters)
+      const sanitizedMessage = sanitizeInput(message, 5000);
+      if (sanitizedMessage.length === 0) {
+        throw new Error("Reply message cannot be empty after sanitization");
+      }
+      if (message.length > 5000) {
+        console.warn("Reply message was truncated to 5000 characters");
+      }
+
       const endpoint = buildUrl(ENDPOINTS.REPLY_TO_CONVERSATION, { conversationId });
       const response = await this._makeRequest({
         endpoint,
         method: "POST",
-        data: { message },
+        data: { message: sanitizedMessage },
       });
       return response;
     },
@@ -497,14 +526,25 @@ export default defineApp({
     },
 
     validateWebhookSignature(payload, signature, secret) {
-      // TODO: Implement webhook signature validation when Trustpilot provides it
-      return true;
-    },
+      // Trustpilot uses HMAC-SHA256 for webhook signature validation
+      // The signature is sent in the x-trustpilot-signature header
+      if (!signature || !secret) {
+        return false;
+      }
 
-    // Legacy method for debugging
-    authKeys() {
-      console.log("Auth keys:", Object.keys(this.$auth || {}));
-      return Object.keys(this.$auth || {});
+      const payloadString = typeof payload === 'string' ? payload : JSON.stringify(payload);
+      
+      const expectedSignature = crypto
+        .createHmac('sha256', secret)
+        .update(payloadString)
+        .digest('hex');
+      
+      // Constant time comparison to prevent timing attacks
+      return crypto.timingSafeEqual(
+        Buffer.from(signature),
+        Buffer.from(expectedSignature)
+      );
     },
+
   },
 });

components/trustpilot/common/constants.mjs

@@ -13,30 +13,34 @@ export const ENDPOINTS = {
   // Business Units
   BUSINESS_UNITS: "/business-units",
   BUSINESS_UNIT_BY_ID: "/business-units/{businessUnitId}",
-  
+
   // Public Reviews
   PUBLIC_REVIEWS: "/business-units/{businessUnitId}/reviews",
   PUBLIC_REVIEW_BY_ID: "/business-units/{businessUnitId}/reviews/{reviewId}",
-  
+
   // Private Reviews (Service)
   PRIVATE_SERVICE_REVIEWS: "/private/business-units/{businessUnitId}/reviews",
   PRIVATE_SERVICE_REVIEW_BY_ID: "/private/business-units/{businessUnitId}/reviews/{reviewId}",
   REPLY_TO_SERVICE_REVIEW: "/private/business-units/{businessUnitId}/reviews/{reviewId}/reply",
-  
+
   // Private Reviews (Product)
   PRIVATE_PRODUCT_REVIEWS: "/private/product-reviews/business-units/{businessUnitId}/reviews",
   PRIVATE_PRODUCT_REVIEW_BY_ID: "/private/product-reviews/{reviewId}",
   REPLY_TO_PRODUCT_REVIEW: "/private/product-reviews/{reviewId}/reply",
-  
+
   // Conversations
   CONVERSATIONS: "/private/conversations",
   CONVERSATION_BY_ID: "/private/conversations/{conversationId}",
   REPLY_TO_CONVERSATION: "/private/conversations/{conversationId}/reply",
-  
+
   // Invitations
   EMAIL_INVITATIONS: "/private/business-units/{businessUnitId}/email-invitations",
-  
-  // Webhooks (deprecated for polling)
+
+  // Webhooks
+  // Note: This integration uses polling sources instead of webhooks for better reliability
+  // and simpler implementation. Webhook signature validation is implemented in the app
+  // using HMAC-SHA256 with the x-trustpilot-signature header for future webhook sources.
+  // These endpoints and validation methods are ready for webhook implementation if needed.
   WEBHOOKS: "/private/webhooks",
   WEBHOOK_BY_ID: "/private/webhooks/{webhookId}",
 };
@@ -60,7 +64,13 @@ export const SORT_OPTIONS = {
   UPDATED_AT_DESC: "updatedat.desc",
 };
 
-export const RATING_SCALE = [1, 2, 3, 4, 5];
+export const RATING_SCALE = [
+  1,
+  2,
+  3,
+  4,
+  5,
+];
 
 export const DEFAULT_LIMIT = 20;
 export const MAX_LIMIT = 100;
@@ -92,7 +102,7 @@ export const POLLING_CONFIG = {
 export const SOURCE_TYPES = {
   NEW_REVIEWS: "new_reviews",
   UPDATED_REVIEWS: "updated_reviews",
-  NEW_REPLIES: "new_replies", 
+  NEW_REPLIES: "new_replies",
   NEW_CONVERSATIONS: "new_conversations",
   UPDATED_CONVERSATIONS: "updated_conversations",
-};
+};