Validate all-builds path and annotate format options #905
Greptile Summary

Added missing security and format validations to
The changes ensure

Confidence Score: 5/5

Important Files Changed

Flowchart

```mermaid
flowchart TD
    A[run with --all-builds] --> B[runAllBuildsCommand]
    B --> C[Apply defaults]
    C --> D{saveDir provided?}
    D -->|Yes| E[safeResolvePath validation]
    D -->|No| F{annotate enabled?}
    E --> F
    F -->|Yes| G{format === yaml?}
    F -->|No| H[Load config file]
    G -->|No| I[Throw Error: requires YAML]
    G -->|Yes| H
    H --> J[Export each build]
    J --> K[Success]
    I --> L[Exit with code 1]
```

Last reviewed commit: bc56af2

CI note: current Node Linting failure is the known Prettier workflow-file issue; unblock tracked in #908.

Superseded by #914, which carries the same all-builds validation fix and also includes the Prettier unblocker for clean CI.

Closing in favor of #914.

Supersedes #905. Closes #782.

## Summary

- carry forward the `runAllBuildsCommand` validation fixes from #905
- save-dir path validation via `safeResolvePath`
- annotate+format validation parity with `run()`
- include `.prettierignore` update for Claude workflow files (from #908) so Node lint is not blocked by unrelated workflow formatting

## Validation

- yarn test test/package/configExporter.test.js

---

> [!NOTE]
> **Medium Risk**
> Touches release automation, installer conflict handling, and process execution/manifest logic; while well-tested, these paths are user-facing and can impact publishing and developer workflows if edge cases are missed.
>
> **Overview**
> This release bumps Shakapacker to `v9.6.0`, stamps a new `CHANGELOG.md` section, and updates release documentation to make changelog-first releases the default (including correct prerelease header formats).
>
> Release automation is significantly expanded in `rakelib/release.rake`: `create_release` can now infer the target version from `CHANGELOG.md`, performs stricter version/tag policy validation (with an explicit override), runs dry runs in a temporary git worktree, refreshes dummy app lockfiles, and automatically creates/updates the matching GitHub release via `gh`.
>
> Installer behavior is hardened and made more CI-friendly: adds `SKIP=true` mode (and unified truthy parsing) to preserve existing files, fixes transpiler config updates and Babel-only installs, and ensures `package.json` retains the exact shakapacker dependency source/version requested. Dev server defaults no longer ship permissive CORS headers (users must opt in), entrypoint discovery now ignores dotfiles, and manifest handling/error messages are improved (including avoiding ENOENT for `webpack-assets-manifest` merge mode).
>
> Node/package-facing improvements include new bundler-agnostic exports (`getBundler`, `getCssExtractPlugin*`, `get*Plugin`, `isWebpack/isRspack`) with typings/docs, extra validation in config exporter all-builds mode, and routing log output to stderr when `--json` is requested to keep stdout valid JSON. CI/workflows are updated for Claude tooling permissions/tooling, and dependency constraints are updated (e.g., allow `compression-webpack-plugin` v12).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d8b6e9f. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

## Summary by CodeRabbit

* **Bug Fixes**
  * Enforced YAML when using annotations with build exports.
  * Added security checks to prevent path traversal in export save paths.
* **Tests**
  * Added tests covering annotation format validation and path traversal rejection.
* **Documentation**
  * Reflowed and aligned tables in the Node package API docs.
* **Chores**
  * Added a GitHub authentication preflight for releases and updated workflow checkout step.

---------

Co-authored-by: Claude Opus 4.6 <[email protected]>

Closes #782

## Summary

- `safeResolvePath` validation for `--all-builds --save-dir` in `runAllBuildsCommand`
- `--annotate` requires YAML format in `runAllBuildsCommand` (matching normal `run()` behavior)
- `run()` for both validation paths

## Why

`runAllBuildsCommand` previously skipped validations that `run()` already applied in non-`--all-builds` paths, creating inconsistent behavior and weaker path-safety guarantees.

## Validation

yarn test test/package/configExporter.test.js
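
The two checks this PR describes, in the order the flowchart gives them, as an added example that is not Shakapacker's own code. `resolveInsideBase` is a hypothetical stand-in for `safeResolvePath`, and the option names, defaults and error messages are assumptions.

```javascript
const path = require("node:path");

// Hypothetical stand-in for the project's safeResolvePath: resolve `userPath`
// against `baseDir` and refuse any result that lands outside it.
// The check is lexical only; a symlink inside baseDir can still point
// elsewhere, which needs fs.realpathSync on an existing path to catch.
function resolveInsideBase(baseDir, userPath) {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, userPath);
  const rel = path.relative(base, resolved);
  // An escape shows up as a leading ".." segment, or as an absolute
  // relative path when the target sits on another Windows drive.
  // A name such as "..foo" is a legitimate child and must pass.
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`Path traversal rejected: ${userPath}`);
  }
  return resolved;
}

// Flowchart order: apply defaults, validate saveDir, then check that
// annotate is only combined with YAML. Defaults here are assumed values.
function validateAllBuildsOptions(options, baseDir) {
  const opts = { format: "yaml", annotate: false, ...options };
  if (opts.saveDir) {
    opts.saveDir = resolveInsideBase(baseDir, opts.saveDir);
  }
  if (opts.annotate && opts.format !== "yaml") {
    throw new Error("--annotate requires YAML format");
  }
  return opts;
}

// Constructed inputs: report which option sets pass and why others fail.
function describe(options, baseDir) {
  try {
    validateAllBuildsOptions(options, baseDir);
    return "ok";
  } catch (err) {
    return err.message;
  }
}

console.log(describe({ saveDir: "exports/dev" }, "/tmp/app"));
console.log(describe({ saveDir: "../../etc" }, "/tmp/app"));
console.log(describe({ annotate: true, format: "json" }, "/tmp/app"));
```

Both the all-builds path and the single-build path should call the same validation function, which is the parity the PR is restoring.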