
docs: add sponsor feed to docs#341

Closed
jdx wants to merge 1 commit into main from codex/add-sponsors-feed

Conversation

@jdx
Contributor

@jdx jdx commented Apr 27, 2026

Summary

Adds an en.dev company sponsor block to the docs footer.

Changes

  • Adds EndevSponsors.vue, which fetches https://en.dev/sponsors.json client-side.
  • Renders the feed's default sponsors list, which is paid company sponsors only.
  • Places the sponsor block above the existing en.dev footer.

Validation

  • npm install --no-package-lock --ignore-scripts in docs/
  • npm run docs:build in docs/

Note (Low Risk)

Low risk docs-theme UI change; main impact is an additional client-side fetch to https://en.dev/sponsors.json that could fail or add minor latency, but it degrades gracefully by rendering nothing.

Overview
Adds a new EndevSponsors block to the VitePress docs theme that fetches https://en.dev/sponsors.json on mount and renders a “Company sponsors” logo strip plus a “Sponsor the work” CTA when data is available.

Updates the theme Layout to render EndevSponsors above the existing EndevFooter, filtering out infrastructure entries and ignoring invalid sponsor records.

Reviewed by Cursor Bugbot for commit 79e977e.

@greptile-apps

greptile-apps Bot commented Apr 27, 2026

Greptile Summary

This PR adds EndevSponsors.vue, which fetches https://en.dev/sponsors.json client-side on mount and renders a filtered list of company sponsor logos above the existing EndevFooter in the layout-bottom slot. The implementation is well-structured with proper error handling, SSR-safe onMounted usage, and accessible markup.

  • sponsor.url from the external feed is bound directly to :href without protocol validation — Vue does not strip javascript: URLs, so a compromised sponsors.json could enable XSS on click.

Confidence Score: 4/5

Safe to merge; the javascript: href concern is low-likelihood but worth a one-line fix before shipping.

All findings are P2. The unvalidated href is a supply-chain-dependent security pattern worth addressing, but the source (en.dev) is the same org, making exploitation unlikely in practice. No logic errors or P0/P1 issues were found.

docs/.vitepress/theme/EndevSponsors.vue — URL validation in the filter and v-for key choice.

Security Review

  • Unsanitized javascript: href (EndevSponsors.vue, line 17): sponsor.url from the external https://en.dev/sponsors.json feed is bound directly to :href without protocol validation. Vue does not strip javascript: from anchor bindings, so a compromised feed payload could execute arbitrary JavaScript when a user clicks a sponsor link. Adding an https?:// protocol check to the filter would close the vector.

Important Files Changed

docs/.vitepress/theme/EndevSponsors.vue: New component; fetches and renders sponsor logos from an external JSON feed. Two P2 findings: unvalidated javascript: URLs from the feed used as anchor href, and non-unique v-for key on sponsor.name.

docs/.vitepress/theme/index.ts: Adds EndevSponsors import and inserts it before EndevFooter in the layout-bottom slot array; straightforward, no issues.


Reviews (1): Last reviewed commit: "add sponsor feed to docs"

Comment on lines +45 to +50
.filter((sponsor) =>
sponsor?.kind !== "infrastructure" &&
sponsor?.name &&
sponsor?.url &&
sponsor?.logo
);
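Review bot: the `sponsor?.url &&` and `sponsor?.logo &&` tests at the end of this filter only check that the fields are truthy, not that they are safe to bind as link and image targets, which is the gap the P2 finding below describes. Parse each value with `new URL(...)` inside a try/catch, keep the entry only when `parsed.protocol` is `https:` (or `http:`), and reject anything that fails to parse, including relative paths; applying the same check to `sponsor.logo` closes the same class of issue for the rendered logo.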


P2 (security): Unvalidated javascript: URL from external feed

sponsor.url is fetched from https://en.dev/sponsors.json and bound directly to :href. Vue does not strip the javascript: protocol from anchor bindings, so a compromised or manipulated sponsors.json payload could deliver a javascript: URL that executes arbitrary code when a visitor clicks a sponsor logo. Adding a protocol check to the existing filter is a minimal fix.

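As an added example, not the PR's own component code, here is a hardened version of the filter that the comment above recommends, with the protocol check applied to both the link and the logo URL and de-duplication by URL so it can serve as a v-for key; the feed's `sponsors` field name, the function names and the sample feed are assumptions.

```javascript
// Added example, not the PR's own component code: a hardened version of the
// sponsor-feed filter that the review comments discuss. Names
// (isSafeSponsorUrl, sanitizeSponsors, SAMPLE_FEED) and the feed's
// "sponsors" field are assumptions.

// Only absolute http(s) URLs pass; WHATWG URL parsing lowercases the scheme
// and strips leading whitespace, so case or padding tricks do not slip through.
function isSafeSponsorUrl(value) {
  if (typeof value !== "string") return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return false; // relative or malformed: reject
  }
  return parsed.protocol === "https:" || parsed.protocol === "http:";
}

// Mirrors the PR's filter (drop infrastructure entries, require name/url/logo)
// and adds the protocol check for both the link and the logo URL. Entries are
// also de-duplicated by URL, the key the review suggests for v-for.
function sanitizeSponsors(feed) {
  const list = Array.isArray(feed?.sponsors) ? feed.sponsors : [];
  const seen = new Set();
  const out = [];
  for (const sponsor of list) {
    if (!sponsor || sponsor.kind === "infrastructure" || !sponsor.name) continue;
    if (!isSafeSponsorUrl(sponsor.url) || !isSafeSponsorUrl(sponsor.logo)) continue;
    if (seen.has(sponsor.url)) continue; // duplicate key would break v-for
    seen.add(sponsor.url);
    out.push({ name: sponsor.name, url: sponsor.url, logo: sponsor.logo });
  }
  return out;
}

// Constructed sample feed (not real en.dev data) covering the reviewers' cases:
// a javascript: link, two sponsors sharing a name, and an infrastructure entry.
const SAMPLE_FEED = {
  sponsors: [
    { name: "Acme", url: "https://acme.example/", logo: "https://acme.example/logo.svg" },
    { name: "Acme", url: "https://acme-cloud.example/", logo: "https://acme-cloud.example/logo.svg" },
    { name: "Evil", url: " JavaScript:void(0)", logo: "https://evil.example/logo.svg" },
    { name: "Host Co", kind: "infrastructure", url: "https://host.example/", logo: "https://host.example/logo.svg" },
    { name: "NoLogo", url: "https://nologo.example/" },
  ],
};
```

Running `sanitizeSponsors(SAMPLE_FEED)` keeps only the two Acme entries: both share a name but have distinct URLs, while the javascript: link, the infrastructure entry and the record without a logo are dropped.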

<div class="EndevSponsorsLogos">
<a
v-for="sponsor in sponsors"
:key="sponsor.name"


P2: sponsor.name is not a reliable v-for key

Names are not guaranteed to be unique across sponsors, and Vue will warn (and may misreconcile the virtual DOM) on duplicate keys. Since sponsor.url is already validated as present by the filter and is inherently unique per sponsor, prefer using it as the key instead of sponsor.name.


@jdx jdx changed the title [codex] add sponsor feed to docs docs: add sponsor feed to docs Apr 28, 2026
@jdx jdx closed this May 6, 2026