Skip to content

fix: resolve TypeScript error and audit vulnerabilities#98

Closed
flyingsquirrel0419 wants to merge 9 commits into
mainfrom
fix/type-error-lint-audit-v2
Closed

fix: resolve TypeScript error and audit vulnerabilities#98
flyingsquirrel0419 wants to merge 9 commits into
mainfrom
fix/type-error-lint-audit-v2

Conversation

@flyingsquirrel0419

@flyingsquirrel0419 flyingsquirrel0419 commented Jun 13, 2026

Copy link
Copy Markdown
Owner

Description

This PR fixes the valid issues from the analysis pass:

Issue #95 was verified separately and closed as invalid/not reproducible: npm run already resolves local binaries from node_modules/.bin, so biome check . does not need npx.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Security/dependency maintenance

Changes

  • src/internal/FetchRateLimiter.ts: Removed the generic from QueueItem; cast resolve and task when enqueuing to satisfy Promise types
  • package.json: Restored lint and lint:fix to direct biome invocations
  • package.json: Updated tsx to ^4.22.4
  • package.json: Added an esbuild override to 0.28.1 so transitive dev tooling no longer resolves the vulnerable 0.27.x line
  • package-lock.json: Regenerated the lockfile with tmp@0.2.7, tsx@4.22.4, and esbuild@0.28.1

Testing

  • npm audit — 0 vulnerabilities
  • npm run build
  • npm run lint
  • npm test — 598 passed, 24 skipped

Notes

GitHub may still report vulnerabilities on the default branch until this PR is merged, because the default branch lockfile still contains the old dependency graph.

Summary by CodeRabbit

  • Bug Fixes

    • Improved reliability and strict typing around the fetch rate limiter’s internal queue processing, including continued draining behavior after task failures and safer handling of missing/corrupted queued entries.
  • Tests

    • Added coverage for edge cases in rate limiter drain logic (rejections, sparse queue entries, and disappearing bucket entries).
  • Chores

    • Added a new 3.1.1 changelog entry under Unreleased.
    • Updated development tooling and refreshed lockfile security patches; pinned esbuild to 0.28.1 and restored Biome-based lint scripts.

- Fix FetchRateLimiter queue generic type mismatch (TS2322)
- Update lint/lint:fix scripts to use npx @biomejs/biome
- Bump tmp via npm audit fix (Path Traversal GHSA-ph9p-34f9-6g65)

Fixes #94, Fixes #95, Fixes #96
fix: resolve TypeScript error, lint script, and tmp vulnerability
…-lint-audit"

This reverts commit 09918da, reversing
changes made to 5774c57.
- Fix FetchRateLimiter queue generic type mismatch (TS2322)
- Update lint/lint:fix scripts to use npx @biomejs/biome
- Bump tmp via npm audit fix (Path Traversal GHSA-ph9p-34f9-6g65)

Fixes #94, Fixes #95, Fixes #96
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@flyingsquirrel0419, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 56 minutes and 1 second. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c5bda332-7e7f-4f70-9f85-bdc9bb4b70e0

📥 Commits

Reviewing files that changed from the base of the PR and between 8542d29 and 5d614ec.

📒 Files selected for processing (6)
  • CHANGELOG.md
  • README.md
  • docs/i18n/README.es.md
  • docs/i18n/README.ja.md
  • docs/i18n/README.ko.md
  • docs/i18n/README.zh-CN.md
📝 Walkthrough

Walkthrough

The QueueItem interface in FetchRateLimiter transitions from a generic type that stored callbacks to a non-generic executor pattern where a run: () => Promise<void> function captures the original task and resolve callback, executing them in sequence. The queuesByBucket storage type is updated accordingly. The drain method shifts from directly invoking task().then(resolve, reject) to invoking run() with cleanup logic in a finally block. Three new test cases cover queue rejection handling, sparse pending entries, and missing queue entries during drain. tsx is bumped to ^4.22.4 and esbuild is pinned to 0.28.1 via an overrides block. A [3.1.1] changelog entry documents all changes.

Changes

3.1.1 Release Fixes

Layer / File(s) Summary
FetchRateLimiter queue item refactoring
src/internal/FetchRateLimiter.ts
QueueItem<T> becomes non-generic QueueItem with a run: () => Promise<void> executor that captures the original task and resolve callback; the executor executes the task, forwards the result to resolve, and routes errors to reject. The queuesByBucket type is updated to store Array<QueueItem>, and drain shifts from .then(next.resolve, next.reject) to invoking run() with cleanup logic in a finally block.
Queue edge case tests
tests/internal/FetchRateLimiter.test.ts
Three new test cases validate refactored queue behavior: rejecting task entries continue draining remaining queued work, sparse pending queue entries are cleaned up during drain, and buckets with missing queue entries are removed from pending tracking.
Dependency updates and changelog
package.json, CHANGELOG.md
tsx devDependency bumped to ^4.22.4; an overrides block added to pin esbuild to 0.28.1; a [3.1.1] changelog section added documenting the FetchRateLimiter typing fix, biome script restoration, and security dependency updates.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • flyingsquirrel0419/layercache#97: Both PRs modify src/internal/FetchRateLimiter.ts by de-genericizing the internal QueueItem/queue item typing, though this PR further refactors the queue execution to use an executor pattern instead of direct callback invocation.

Poem

🐇 Hoppity hop, the queue types are right,
Generic no more — now run holds tight!
unknown callbacks wrapped up so neat,
esbuild pinned safe, the security's sweet!
The changelog hops with each fix that we've made,
This TypeScript bunny sure knows how to grade! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: resolve TypeScript error and audit vulnerabilities' accurately summarizes the main changes: fixing a TypeScript compilation error in FetchRateLimiter and addressing npm audit security vulnerabilities.
Linked Issues check ✅ Passed The PR successfully addresses both linked issues: Issue #94 is resolved by refactoring FetchRateLimiter's QueueItem to remove the generic type parameter and using type casts, and Issue #96 is resolved by updating tsx to 4.22.4 and adding an esbuild override to prevent vulnerable versions.
Out of Scope Changes check ✅ Passed All changes align with stated objectives: CHANGELOG.md and test additions document the fixes, package.json dependency updates address vulnerabilities, and FetchRateLimiter refactoring resolves the TypeScript error without runtime impact.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)

✅ Unit Test PR creation complete.

  • Create PR with unit tests
  • Commit unit tests in branch fix/type-error-lint-audit-v2

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@flyingsquirrel0419 flyingsquirrel0419 changed the title fix: resolve TypeScript error, lint script, and tmp vulnerability fix: resolve TypeScript error and audit vulnerabilities Jun 14, 2026
@flyingsquirrel0419 flyingsquirrel0419 marked this pull request as ready for review June 14, 2026 03:02

@turin-dev turin-dev left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good overall — CI is green and the dependency update direction makes sense.

One minor issue before merge: CHANGELOG.md adds a released 3.1.1 section, but package.json and package-lock.json still say 3.1.0. If this PR is intended to be the 3.1.1 release, please bump the package version too. Otherwise, I’d keep these notes under Unreleased until the release PR.

Non-blocking: the FetchRateLimiter type fix works, but the task / resolve casts could be avoided by storing a run: () => Promise<void> closure in QueueItem, which would preserve the T relationship at enqueue time without casting resolve to accept unknown.

@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Note

Unit test generation is a public access feature. Expect some limitations and changes as we gather feedback and continue to improve it.


Generating unit tests... This may take up to 20 minutes.

@flyingsquirrel0419 flyingsquirrel0419 deleted the fix/type-error-lint-audit-v2 branch June 14, 2026 08:17
@flyingsquirrel0419 flyingsquirrel0419 restored the fix/type-error-lint-audit-v2 branch June 14, 2026 08:19
@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

✅ Created PR with unit tests: #99

@flyingsquirrel0419 flyingsquirrel0419 deleted the fix/type-error-lint-audit-v2 branch June 14, 2026 08:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Fix high-severity Path Traversal vulnerability in tmp dependency Fix TypeScript type error in FetchRateLimiter queue resolution

2 participants