fix: address code-review findings + bring in the variant-apply-failure test
Adversarial review (PR #105) surfaced real bugs in the new code; fix them and
make the swept-in WIP test pass reliably so it can land.
VEX / setup-state (property 7):
- configured_ecosystems detected Python via plan_python, which applies the
--ecosystems filter — so `vex --ecosystems cargo` in a python-set-up repo
reported python as NOT set up and dropped its patches. Detect python on-disk
state directly (is_python_project + choose_python_manifests + deps_contain_hook),
bypassing the filter like every other ecosystem in that probe.
- ecosystem_from_manual_name was missing maven/nuget/deno — the apply-only
ecosystems that are the *primary* use of `setup.manual` — so declaring them
manual silently dropped their patches from VEX. Add them (feature-gated) +
a unit test covering every compiled-in ecosystem.
Launchers (supply-chain hardening):
- The RubyGems + Composer launchers followed redirects without enforcing HTTPS;
a MitM could redirect github.com -> http:// and serve a malicious binary AND
a matching SHA256SUMS (both attacker-controlled), defeating the checksum.
Enforce HTTPS on every hop: Ruby refuses a non-HTTPS (initial/redirect) URL
and resolves relative redirects with URI.join; PHP sets
CURLOPT_PROTOCOLS/REDIR_PROTOCOLS=HTTPS and the no-curl fallback follows
redirects manually, vetting each hop's scheme. Documented the (accepted,
user-owned) cache-trust model at the cache-hit path.
Cargo recursive glob:
- collect_manifests_recursive (crates/**) followed symlinked dirs via metadata,
so a loop symlink could re-add the workspace root as a duplicate member and an
escaping symlink could make setup EDIT an out-of-tree Cargo.toml (breaking the
in-repo-only contract). Skip symlinked dirs in the recursive walk (matches the
`glob` crate); single-level crates/* still follows a symlinked member. +unix test.
variant-apply-failure test (was unrelated broken WIP, now fixed + included):
- Fixed the `purl` borrow-after-move, then rewrote it to invoke the binary as a
subprocess and capture the child's stdout instead of an in-process
`gag::BufferRedirect` (which races libtest's stdout capture and failed
deterministically under default `cargo test`). No `gag` dep; passes reliably.
Verified: clippy --workspace --all-features -D warnings exits 0; the full
setup/vex/cargo suites + the variant test pass; ruby `gem build` + `ruby -c`
clean; PHP `php -l` clean (docker php:8.2).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
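The HTTPS-on-every-hop redirect handling described for the RubyGems launcher, as an added example that is not the project's own code: `fetch_following_https`, `RedirectError`, the `.invalid` URLs and the hop cap are assumptions, and the network is replaced by a constructed responder so the example runs offline.

```ruby
require "uri"

# Raised when a hop is not HTTPS or the chain is too long (assumed name).
class RedirectError < StandardError; end

MAX_HOPS = 5 # assumed cap; real launchers pick their own

# Follow redirects, refusing any non-HTTPS URL (initial or redirected) and
# resolving relative Location headers against the current URL with URI.join.
# `fetch` is injected: it takes a URL string and returns [status, location_or_body].
def fetch_following_https(url, max_hops: MAX_HOPS, &fetch)
  uri = URI(url)
  hops = 0
  loop do
    # URI::HTTPS is a subclass of URI::HTTP, so test for the HTTPS class itself.
    raise RedirectError, "refusing non-HTTPS URL: #{uri}" unless uri.is_a?(URI::HTTPS)
    status, payload = fetch.call(uri.to_s)
    return payload unless (300..399).cover?(status)
    hops += 1
    raise RedirectError, "too many redirects (#{hops})" if hops > max_hops
    # Relative and absolute Locations both resolve correctly via URI.join;
    # the scheme of the result is re-checked at the top of the next iteration.
    uri = URI.join(uri, payload)
  end
end

# Constructed stand-in for the network: URL -> [status, Location-or-body].
FAKE_SERVER = {
  "https://example.invalid/releases/latest" => [302, "/releases/v1.2.3/tool.tar.gz"],
  "https://example.invalid/releases/v1.2.3/tool.tar.gz" => [302, "https://cdn.example.invalid/tool.tar.gz"],
  "https://cdn.example.invalid/tool.tar.gz" => [200, "binary-bytes"],
  "https://example.invalid/downgrade" => [302, "http://example.invalid/tool.tar.gz"],
  "https://example.invalid/loop" => [302, "/loop"],
}.freeze
RESPONDER = ->(url) { FAKE_SERVER.fetch(url) { [404, ""] } }

def download_via_https_chain
  fetch_following_https("https://example.invalid/releases/latest", &RESPONDER)
end

# True when the chain is rejected (the outcome the hardening requires).
def rejected?(url)
  fetch_following_https(url, &RESPONDER)
  false
rescue RedirectError
  true
end
```

A redirect to `http://` is refused before any request is made to it, so an attacker who can redirect one hop cannot substitute both the binary and its SHA256SUMS over plaintext.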