
fix: comprehensive quality scan fixes across codebase#111

Merged
jdalton merged 1 commit into main from fix/quality-scan-fixes on Mar 26, 2026

Conversation

@jdalton
Collaborator

@jdalton jdalton commented Mar 26, 2026

Summary

  • Fix critical race conditions in process lock (TOCTOU via non-recursive mkdir) and HTTP request (missing response error handler)
  • Fix data corruption risk in DLX manifest (atomic writes via renameSync in all paths)
  • Fix promise-queue: clear() rejects pending tasks, onIdle() uses event-driven pattern instead of setImmediate polling
  • Fix deep prototype pollution in JSON parser via reviver
  • Bundle shared deps inline to eliminate extraneous devDependency require() calls in dist/
  • Fix 10+ additional bugs: timer leaks, cache corruption, memoization thundering herd, script path resolution, and more

Test plan

  • pnpm run fix — lint passes
  • pnpm build — build succeeds, all validations pass
  • pnpm run check — all checks pass (including no extraneous deps)
  • pnpm test — 6537 tests pass, 0 failures
  • Quality scan confirms 0 new findings across critical/logic/cache/workflow/security scans

🤖 Generated with Claude Code

Critical fixes:
- process-lock: atomic mkdir without recursive to prevent TOCTOU race
- http-request: add res.on('error') handler to prevent hanging promises
- dlx/manifest: atomic writes via renameSync in all write paths
- promise-queue: clear() rejects pending tasks, event-driven onIdle()

Security fixes:
- json-parser: deep prototype pollution check via JSON.parse reviver
- esbuild-config: bundle shared deps inline (no extraneous devDeps in dist)

Bug fixes:
- abort: use AbortSignal.timeout() to prevent timer leaks
- cache-with-ttl: guard JSON.parse for corrupted cache entries
- isolation: wrap JSON.parse with file-path context in error
- memoization: fix expired entry cleanup, implement clearAllCaches,
  prevent thundering herd in memoizeAsync, fix memoizeWeak undefined
- ansi: fix ST pattern to correctly separate BEL|ESC\|0x9C
- argv/parse: remove ambiguous short-flag inference from hasFlag
- progress: guard division by zero when total=0
- promise-queue: maxQueueLength check uses !== undefined
- promises: pRetry captures latest error instead of first
- github: remove double JSON.stringify/parse in cacheFetchGhsa
- ipc: unref waitForIpc timer to prevent blocking exit

Script fixes:
- fix/commonjs-exports, fix/path-aliases, test/filter: fix parent
  directory traversal (off-by-one in __dirname resolution)
- test/main: deduplicate NODE_OPTIONS in runIsolatedTests
- test/cover: clean exit on build failure
- validate/no-extraneous-deps: add .catch() on main()
- orchestrator: use logger instead of console.log
- esbuild-config: remove console from drop list, add node18 comment
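The "deep prototype pollution check via JSON.parse reviver" listed above, as an added example that is not code from the PR or the project: a reviver that inspects every key at every nesting depth. The unsafe key set, the `'throw'`/`'strip'` modes, the `safeJsonParse` and `demo` names and the sample payload are this example's own assumptions.

```javascript
// Added example, not code from the PR: a JSON.parse reviver that checks every
// key at every nesting depth for prototype-polluting names. JSON.parse calls
// the reviver bottom-up with (key, value) for each member; returning undefined
// deletes that member from its holder, so a nested "__proto__" is removed
// wherever it appears. Array indices are keys too, but never match the set.
// The key set and the 'throw'/'strip' modes are this example's assumptions.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeJsonParse(text, mode = 'throw') {
  const found = [];
  const result = JSON.parse(text, (key, value) => {
    if (UNSAFE_KEYS.has(key)) {
      found.push(key);
      return undefined; // drop the member from its holder object
    }
    return value;
  });
  if (found.length > 0 && mode === 'throw') {
    throw new SyntaxError(`unsafe key(s) in JSON input: ${found.join(', ')}`);
  }
  return result;
}

// Constructed payload: one polluting key three levels deep, another inside
// an array element, so a shallow top-level check would miss both.
const PAYLOAD =
  '{"name":"pkg","nested":{"deeper":{"__proto__":{"polluted":true}}},' +
  '"list":[{"constructor":{"prototype":{"x":1}}}]}';

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function demo() {
  // Plain JSON.parse keeps "__proto__" as an *own* property. That alone does
  // not pollute Object.prototype, but a later deep merge that assigns through
  // that key on a plain object does, which is why the check happens at parse.
  const naive = JSON.parse(PAYLOAD);
  const stripped = safeJsonParse(PAYLOAD, 'strip');
  let threw = false;
  try {
    safeJsonParse(PAYLOAD);
  } catch (err) {
    threw = err instanceof SyntaxError;
  }
  return {
    naiveHasProto: hasOwn(naive.nested.deeper, '__proto__'),
    strippedHasProto: hasOwn(stripped.nested.deeper, '__proto__'),
    listElementEmpty: Object.keys(stripped.list[0]).length === 0,
    threw,
  };
}
```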
@jdalton jdalton merged commit 3127769 into main Mar 26, 2026
5 checks passed
@jdalton jdalton deleted the fix/quality-scan-fixes branch March 26, 2026 16:06
@jdalton jdalton mentioned this pull request Mar 26, 2026
