fix: correctness bug sweep + hardening tests across crawlers, patch, and vex #106

Open
Mikola Lysenko (mikolalysenko) wants to merge 1 commit into main from fixes/correctness-and-hardening-sweep

Conversation

@mikolalysenko
Collaborator

Summary

A broad sweep of correctness, security, and atomicity bug fixes surfaced by a line-by-line review of the codebase, each paired with regression tests (many RED-verified without the fix).

Crawlers

  • Single-quote TOML parsing (cargo crawler dropped name = 'serde')
  • Composer case canonicalization for PURLs / lookups
  • Vendor-before-project-gate ordering (cargo/nuget scanning non-matching trees)
  • Yarn PnP .pnp.js detection
  • NuGet legacy content-folder + local-mode gating
  • Maven skip-section prefix boundary handling
  • Python crawler layout/metadata fallbacks (bare python3, lib64, body-bleed)

Patch engine

  • Path-escape guards: cargo/go redirect coordinate traversal, rollback delete, cargo sidecar read
  • Atomic writes for user-owned manifests: go.mod, Cargo.toml, .cargo/config.toml, package.json, pyproject.toml/requirements.txt
  • bsdiff header validation (forged block-length panic, unbounded prealloc)
  • copy_tree symlink chmod, cow hardlink is_file guard
  • Lock acquire timeout overflow panic

VEX

  • Single-quote product detection
  • Schema / verify / conformance hardening

API client

  • fetch_binary auth error classification (401/403/429 → auth fallback)
  • Token shape + org slug validation

Misc

  • PURL subpath strip leak
  • Manifest deterministic (sorted) serialization + empty-setup omission
  • Severity color ordering (critical vs high)
  • cleanup_blobs orphan handling
  • pth_hook detection + non-atomic write fixes

Test plan

  • cargo test across feature combos
  • CI green

🤖 Generated with Claude Code
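The path-escape guard and the atomic manifest write listed under Patch engine above, shown together as an added Rust example. This is not code from this PR or from the project; resolve_under, write_atomic and rewrite_manifest are names chosen for the example, and the scratch directory under the system temp dir is constructed for the demo. The guard rejects any `..`, root or drive-prefix component lexically before doing I/O, then canonicalizes the existing part of the path so a symlinked directory cannot carry the write outside the root; the writer lands content in a sibling temp file, fsyncs it and renames it over the manifest so a crash or a concurrent reader sees either the old file or the new one.

```rust
use std::fs;
use std::io::{self, Write};
use std::path::{Component, Path, PathBuf};

fn escape_err(rel: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, format!("path escapes root: {}", rel))
}

/// Resolve `rel` beneath `root`, refusing anything that could leave it.
/// Lexical pass: reject absolute paths, drive prefixes and every `..`
/// (even ones that would cancel out) before touching the filesystem.
/// Physical pass: follow symlinks in the part of the path that already
/// exists and require the real location to still sit inside the real root.
pub fn resolve_under(root: &Path, rel: &str) -> io::Result<PathBuf> {
    let mut out = PathBuf::new();
    for comp in Path::new(rel).components() {
        match comp {
            Component::Normal(seg) => out.push(seg),
            Component::CurDir => {}
            Component::ParentDir | Component::RootDir | Component::Prefix(_) => {
                return Err(escape_err(rel));
            }
        }
    }
    if out.as_os_str().is_empty() {
        return Err(escape_err(rel));
    }
    let joined = root.join(&out);
    if let Some(parent) = joined.parent() {
        if parent.exists() {
            let real_root = root.canonicalize()?;
            let real_parent = parent.canonicalize()?;
            if !real_parent.starts_with(&real_root) {
                return Err(escape_err(rel));
            }
        }
    }
    Ok(joined)
}

/// Write `contents` to a sibling temp file, fsync it, then rename it over
/// `path`, so the manifest is never observed half-written and a crash
/// leaves either the old file or the new one. Permissions of an existing
/// target are carried over to its replacement.
pub fn write_atomic(path: &Path, contents: &[u8]) -> io::Result<()> {
    let dir = path
        .parent()
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no parent directory"))?;
    let name = path
        .file_name()
        .and_then(|n| n.to_str())
        .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "bad file name"))?;
    // Per-process temp name; concurrent writers inside one process would
    // additionally need a per-call random suffix.
    let tmp = dir.join(format!(".{}.{}.tmp", name, std::process::id()));
    let result = write_then_rename(&tmp, path, contents);
    if result.is_err() {
        // Never leave the temp file behind on failure.
        let _ = fs::remove_file(&tmp);
    }
    result
}

fn write_then_rename(tmp: &Path, path: &Path, contents: &[u8]) -> io::Result<()> {
    let mut f = fs::File::create(tmp)?;
    if let Ok(meta) = fs::metadata(path) {
        f.set_permissions(meta.permissions())?;
    }
    f.write_all(contents)?;
    f.sync_all()?;
    drop(f); // close before rename; required on Windows, harmless elsewhere
    fs::rename(tmp, path)
}

/// Both guards combined: a manifest rewrite that can neither escape the
/// project root nor be observed half-written.
pub fn rewrite_manifest(root: &Path, rel: &str, contents: &[u8]) -> io::Result<PathBuf> {
    let target = resolve_under(root, rel)?;
    write_atomic(&target, contents)?;
    Ok(target)
}

fn main() -> io::Result<()> {
    // Constructed scratch project directory for the demo.
    let root = std::env::temp_dir().join(format!("manifest-demo-{}", std::process::id()));
    fs::create_dir_all(&root)?;
    // Attacker-controlled redirect coordinate: rejected before any I/O.
    println!("{:?}", resolve_under(&root, "../../etc/ld.so.preload").err());
    // Legitimate manifest path: written atomically.
    let p = rewrite_manifest(&root, "Cargo.toml", b"[package]\nname = 'serde'\n")?;
    println!("wrote {}", p.display());
    fs::remove_dir_all(&root)
}
```

The rename is atomic on the same filesystem, which is why the temp file is created next to the target rather than in the system temp dir; making the rename itself durable across power loss would additionally require an fsync of the parent directory, which the example leaves out.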

…and vex

Fixes a broad set of correctness, security, and atomicity bugs surfaced by
a line-by-line review, each paired with regression tests:

- crawlers: single-quote TOML parsing, case canonicalization, vendor/project
  gate ordering, PnP detection, NuGet legacy/local-mode gating, Maven skip-
  section boundaries, Python layout/metadata fallbacks
- patch: path-escape guards (cargo/go redirect, rollback, sidecars), atomic
  writes for user manifests (go.mod, Cargo.toml, .cargo/config.toml,
  package.json, pyproject/requirements), bsdiff header validation, copy_tree
  symlink chmod, cow hardlink is_file guard, lock timeout overflow
- vex: single-quote product detection, schema/verify hardening
- api/client: fetch_binary auth error classification, token/slug validation
- misc: purl subpath strip, manifest deterministic serialization, severity
  color ordering, cleanup_blobs orphan handling, pth_hook detection fixes

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
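The bsdiff header validation named in both the PR summary and this commit message (forged block-length panic, unbounded prealloc), as an added Rust example that is not this PR's code. The 32-byte BSDIFF40 layout and the sign-magnitude field encoding are the public bsdiff 4 patch format; MAX_NEW_SIZE, the error enum and the build_patch helper are assumptions of the example, and the forged patch in main is constructed. The point is that every length is checked against the bytes actually present before any slice or allocation uses it, so a hostile patch fails with an error instead of a panic or a multi-gigabyte reserve.

```rust
/// bsdiff 4.0 patch header (32 bytes):
///   0..8   magic "BSDIFF40"
///   8..16  compressed length of the control block
///   16..24 compressed length of the diff block
///   24..32 size of the reconstructed file
/// Each length uses bsdiff's sign-magnitude encoding, not two's complement.
const MAGIC: &[u8; 8] = b"BSDIFF40";
const HEADER_LEN: usize = 32;
/// Policy cap on the output size the decoder will preallocate for; an
/// assumption of this example, not a limit taken from the project.
pub const MAX_NEW_SIZE: u64 = 1 << 31;

#[derive(Debug, PartialEq, Eq)]
pub struct BsdiffHeader {
    pub ctrl_len: u64,
    pub diff_len: u64,
    pub new_size: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum HeaderError {
    TooShort(usize),
    BadMagic,
    Negative(&'static str),
    BlocksExceedPatch { declared: u64, available: u64 },
    NewSizeTooLarge(u64),
}

/// Decode one 8-byte field: bytes 0..7 are a little-endian magnitude and
/// bit 7 of byte 7 is the sign, as in the reference implementation's offtin.
pub fn offtin(b: &[u8]) -> i64 {
    let mut y = (b[7] & 0x7F) as i64;
    for i in (0..7).rev() {
        y = (y << 8) | b[i] as i64;
    }
    if b[7] & 0x80 != 0 { -y } else { y }
}

/// Encoder for the same format, used here only to build test vectors.
pub fn offtout(x: i64) -> [u8; 8] {
    let mut b = x.unsigned_abs().to_le_bytes();
    if x < 0 { b[7] |= 0x80; }
    b
}

pub fn parse_header(patch: &[u8]) -> Result<BsdiffHeader, HeaderError> {
    if patch.len() < HEADER_LEN {
        return Err(HeaderError::TooShort(patch.len()));
    }
    if &patch[..8] != &MAGIC[..] {
        return Err(HeaderError::BadMagic);
    }
    let fields: [(&'static str, i64); 3] = [
        ("ctrl_len", offtin(&patch[8..16])),
        ("diff_len", offtin(&patch[16..24])),
        ("new_size", offtin(&patch[24..32])),
    ];
    // A negative length would turn into a huge value on a naive `as usize`.
    for &(name, v) in &fields {
        if v < 0 {
            return Err(HeaderError::Negative(name));
        }
    }
    let (ctrl_len, diff_len, new_size) = (fields[0].1 as u64, fields[1].1 as u64, fields[2].1 as u64);
    // Control and diff blocks live inside the patch right after the header;
    // a forged length must fail here, not panic on a slice bound later.
    let available = (patch.len() - HEADER_LEN) as u64;
    let declared = ctrl_len
        .checked_add(diff_len)
        .ok_or(HeaderError::BlocksExceedPatch { declared: u64::MAX, available })?;
    if declared > available {
        return Err(HeaderError::BlocksExceedPatch { declared, available });
    }
    // new_size only drives an allocation, so it gets a policy cap rather than
    // a patch-relative one; Vec::with_capacity(new_size) is safe after this.
    if new_size > MAX_NEW_SIZE {
        return Err(HeaderError::NewSizeTooLarge(new_size));
    }
    Ok(BsdiffHeader { ctrl_len, diff_len, new_size })
}

/// Split a patch into control, diff and extra regions. Only safe with a
/// header that parse_header produced from this same byte slice.
pub fn split_blocks<'a>(patch: &'a [u8], h: &BsdiffHeader) -> (&'a [u8], &'a [u8], &'a [u8]) {
    let ctrl_end = HEADER_LEN + h.ctrl_len as usize;
    let diff_end = ctrl_end + h.diff_len as usize;
    (&patch[HEADER_LEN..ctrl_end], &patch[ctrl_end..diff_end], &patch[diff_end..])
}

/// Test-vector builder: header with the given fields followed by `body`.
pub fn build_patch(ctrl: i64, diff: i64, new: i64, body: &[u8]) -> Vec<u8> {
    let mut p = Vec::with_capacity(HEADER_LEN + body.len());
    p.extend_from_slice(MAGIC);
    p.extend_from_slice(&offtout(ctrl));
    p.extend_from_slice(&offtout(diff));
    p.extend_from_slice(&offtout(new));
    p.extend_from_slice(body);
    p
}

fn main() {
    // Constructed forged patch: claims a 1 TiB control block but carries 15 bytes.
    let forged = build_patch(1 << 40, 0, 100, &[0u8; 15]);
    match parse_header(&forged) {
        Ok(h) => println!("accepted {:?}", h),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

Note that the two block lengths are compressed sizes and are bounded by the patch itself, while new_size is an uncompressed size that nothing in the patch can vouch for, which is why it needs an explicit cap rather than a consistency check.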