Skip to content

fix: resolve issues 94 and 96#100

Merged
flyingsquirrel0419 merged 12 commits into
mainfrom
fix/issue-94-96-type-audit
Jun 14, 2026
Merged

fix: resolve issues 94 and 96#100
flyingsquirrel0419 merged 12 commits into
mainfrom
fix/issue-94-96-type-audit

Conversation

@flyingsquirrel0419

@flyingsquirrel0419 flyingsquirrel0419 commented Jun 14, 2026

Copy link
Copy Markdown
Owner

Description

This PR fixes the valid issues from the analysis pass:

Issue #95 was verified separately and closed as invalid/not reproducible: npm run already resolves local binaries from node_modules/.bin, so biome check . does not need npx.

Changes

  • src/internal/FetchRateLimiter.ts: removes the generic queue item mismatch and stores a run() closure so the task result type stays bound to its Promise resolver without unsafe casts.
  • package.json: restores lint and lint:fix to direct biome invocations.
  • package.json: updates tsx to ^4.22.4 and adds an esbuild override to 0.28.1.
  • package-lock.json: regenerates the lockfile with tmp@0.2.7, tsx@4.22.4, and esbuild@0.28.1.
  • CHANGELOG.md and README files: document the 3.1.1 fixes and update the test baseline to 601 passing tests.
  • tests/internal/FetchRateLimiter.test.ts: adds regression coverage for rejected queued tasks continuing to drain and defensive cleanup of corrupted pending queues.

Testing

  • npm audit — 0 vulnerabilities
  • npm run build
  • npm run lint
  • npm test — 601 passed, 24 skipped
  • npm run test:coverage — 97.13% statement coverage

Notes

GitHub may still report vulnerabilities on the default branch until this PR is merged, because the default branch lockfile still contains the old dependency graph.

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Fixed TypeScript strict mode compatibility issue
    • Restored lint script functionality
  • Security

    • Updated dependencies and applied security override to prevent vulnerable transitive dependency
  • Tests

    • Test coverage increased to 601 passing tests (from 598)
    • Added rate limiter regression test coverage

- Fix FetchRateLimiter queue generic type mismatch (TS2322)
- Update lint/lint:fix scripts to use npx @biomejs/biome
- Bump tmp via npm audit fix (Path Traversal GHSA-ph9p-34f9-6g65)

Fixes #94, Fixes #95, Fixes #96
fix: resolve TypeScript error, lint script, and tmp vulnerability
…-lint-audit"

This reverts commit 09918da, reversing
changes made to 5774c57.
- Fix FetchRateLimiter queue generic type mismatch (TS2322)
- Update lint/lint:fix scripts to use npx @biomejs/biome
- Bump tmp via npm audit fix (Path Traversal GHSA-ph9p-34f9-6g65)

Fixes #94, Fixes #95, Fixes #96
@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@flyingsquirrel0419, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 33 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e21446d9-5268-442b-af98-d183594f3e29

📥 Commits

Reviewing files that changed from the base of the PR and between 5d614ec and b6b4604.

⛔ Files ignored due to path filters (2)
  • docs-web/package-lock.json is excluded by !**/package-lock.json
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (6)
  • docs-web/content/docs/cli.mdx
  • docs-web/content/docs/getting-started.mdx
  • docs-web/content/docs/integrations.mdx
  • docs-web/content/docs/migration.mdx
  • docs-web/package.json
  • package.json
📝 Walkthrough

Walkthrough

The PR releases v3.1.1 by refactoring FetchRateLimiter's internal QueueItem type to remove its generic parameter and encapsulate execution in a run() function, fixing a strict TypeScript compilation error. Three regression tests cover drain edge cases. tsx is bumped and esbuild is pinned to 0.28.1 as a security override. Test-count badges are updated from 598 to 601 across all READMEs, and a changelog entry is added.

Changes

FetchRateLimiter QueueItem refactor and regression tests

Layer / File(s) Summary
QueueItem type and drain loop refactor
src/internal/FetchRateLimiter.ts
QueueItem drops its generic parameter; the shape now holds run() and reject. queuesByBucket map type is updated. schedule() builds a run() closure capturing resolve/reject from the outer new Promise. The drain loop calls next.run().finally(...) instead of next.task().then(next.resolve, next.reject).finally(...).
Drain regression tests
tests/internal/FetchRateLimiter.test.ts
Three new tests: rejection of a first queued task does not prevent the next task from completing; corrupted/sparse pending queue entries are dropped and removed from both queuesByBucket and the pending-bucket tracking set; a bucket whose queue disappears before shift is cleaned up from all internal structures.

Dependency updates and documentation badges

Layer / File(s) Summary
package.json dependency and security overrides
package.json
tsx bumped from ^4.19.3 to ^4.22.4; overrides.esbuild remains set to 0.28.1 to avoid the vulnerable 0.27.x transitive range.
CHANGELOG entry and test-count badge updates
CHANGELOG.md, README.md, docs/i18n/README.*.md
New v3.1.1 (2026-06-14) section added with Fixed and Security items; tests-passing badge updated from 598 to 601 across the root README and all four i18n variants.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • flyingsquirrel0419/layercache#97: Also modifies FetchRateLimiter.ts queue-item typing and package.json lint commands, directly preceding the typing fix landed in this PR.
  • flyingsquirrel0419/layercache#7: Modifies the same queuesByBucket and bucket-tracking structures in FetchRateLimiter.ts by adding MAX_BUCKETS eviction logic.

Poem

🐇 Hop hop, the queue has a brand new run()!
No more generic tangles under strict TypeScript sun.
Three tests for draining, corrupt entries begone,
esbuild pinned safely, the badges count on—
601 green lights, the rabbit's work is done! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: resolve issues 94 and 96' directly references the TypeScript compilation error and security vulnerability fixes addressed in the PR.
Linked Issues check ✅ Passed The PR successfully addresses both linked issues: FetchRateLimiter.ts refactored to eliminate type mismatches (issue #94), and dependency updates with esbuild override resolve the tmp vulnerability (issue #96).
Out of Scope Changes check ✅ Passed All changes are directly related to resolving issues #94 and #96: TypeScript fixes, dependency updates, tests, documentation, and build script corrections.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/issue-94-96-type-audit

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
package.json (1)

3-3: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Update package version to 3.1.1.

The version field still shows 3.1.0, but the CHANGELOG, PR objectives, and all documentation reference v3.1.1 as the release version. Publishing without this update will create a version mismatch.

📦 Proposed fix
-  "version": "3.1.0",
+  "version": "3.1.1",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 3, Update the version field in package.json from
"3.1.0" to "3.1.1" to align with the CHANGELOG, PR objectives, and
documentation. This will ensure consistency across all release artifacts and
prevent version mismatches when publishing.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@package.json`:
- Line 3: Update the version field in package.json from "3.1.0" to "3.1.1" to
align with the CHANGELOG, PR objectives, and documentation. This will ensure
consistency across all release artifacts and prevent version mismatches when
publishing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4cc14909-a7d9-4d2e-81df-145982916ea4

📥 Commits

Reviewing files that changed from the base of the PR and between 5774c57 and 5d614ec.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (9)
  • CHANGELOG.md
  • README.md
  • docs/i18n/README.es.md
  • docs/i18n/README.ja.md
  • docs/i18n/README.ko.md
  • docs/i18n/README.zh-CN.md
  • package.json
  • src/internal/FetchRateLimiter.ts
  • tests/internal/FetchRateLimiter.test.ts

@flyingsquirrel0419 flyingsquirrel0419 merged commit e5107fe into main Jun 14, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Fix high-severity Path Traversal vulnerability in tmp dependency Fix TypeScript type error in FetchRateLimiter queue resolution

1 participant