Skip to content

fix: ignore unsafe hydrated release assets#470

Open
ThunderTr77 wants to merge 1 commit into
TouchAI-org:mainfrom
ThunderTr77:fix/nonfrontend-release-feed-bug-2
Open

fix: ignore unsafe hydrated release assets#470
ThunderTr77 wants to merge 1 commit into
TouchAI-org:mainfrom
ThunderTr77:fix/nonfrontend-release-feed-bug-2

Conversation

@ThunderTr77

Copy link
Copy Markdown
Contributor

Summary

  • Ignore unsafe Velopack history asset file names that contain path separators or empty path segments.
  • Write the hydrated feed with only safe package entries so the release directory cannot be populated outside its intended folder.
  • Add a regression test covering a traversal-style package name in the existing feed.

Related issue or RFC

Related to https://github.com/TouchAI-org/TouchAI

AI assistance disclosure

  • Tool(s) used: AI assistant
  • Scope of assistance: bug identification, patch drafting, and local verification
  • Human review or rewrite performed: reviewed the diff and test output before publishing
  • Architecture or boundary impact: none

Testing evidence

Vitest targeted: tests/ci/hydrate-velopack-history.test.ts --pool=vmThreads --fileParallelism=false passed (1 test)
Prettier check passed for the changed files
ESLint passed for the changed files
git diff --check passed

pnpm test:pr did not run locally because the Windows environment only exposes pnpm through Corepack while the hook expects a direct pnpm shim. CI should provide full-suite proof before merge.

Risk notes

  • AgentService, runtime, MCP, or schema impact: none
  • database baseline or migration impact: none
  • release or packaging impact: Velopack history hydration now drops unsafe package names from hydrated feeds and downloaded package files

Screenshots or recordings

Not applicable; this changes release history hydration logic covered by unit tests.

Checklist

  • The PR title follows Conventional Commits and is valid for squash merge.
  • This PR is either ready for review or explicitly marked as a Draft PR.
  • I did not use [WIP] or similar title prefixes.
  • If AI materially assisted this PR, I disclosed the tools and scope and I personally reviewed every affected change.
  • I can explain the why, what, and how of this change without relying on an AI tool.
  • If this touches AgentService, runtime, MCP, or schema boundaries, there is an accepted RFC.
  • If this changes architecture or adds a new cross-boundary abstraction, there is an accepted RFC.
  • I ran pnpm test:pr for this code PR, or this is a docs-only change.
  • If I changed Rust behavior or tests, I reviewed pnpm test:coverage:rust or relied on CI coverage evidence.
  • If I changed desktop startup/window/search/popup/settings/E2E paths, I ran pnpm test:e2e locally or documented why CI is the first valid proof.
  • I added tests or explained why tests are not appropriate.
  • I updated docs when behavior changed.

@ThunderTr77 ThunderTr77 requested a review from hiqiancheng as a code owner June 15, 2026 14:24
@coderabbitai

coderabbitai Bot commented Jun 15, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@ThunderTr77, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 14 minutes and 30 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 452b978c-6af3-4bb3-a883-e6b9a5f29afd

📥 Commits

Reviewing files that changed from the base of the PR and between ebc3494 and 14756d3.

📒 Files selected for processing (3)
  • apps/desktop/scripts/ci/hydrate-velopack-history.d.mts
  • apps/desktop/scripts/ci/hydrate-velopack-history.mjs
  • apps/desktop/tests/ci/hydrate-velopack-history.test.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ThunderTr77 ThunderTr77 force-pushed the fix/nonfrontend-release-feed-bug-2 branch from c1c7186 to 14756d3 Compare June 15, 2026 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant