follow-up: review-squad LOW/MED follow-ups (5 items, stacked on #390)#401
Open
vikrantpuppala wants to merge 1 commit into
Open
follow-up: review-squad LOW/MED follow-ups (5 items, stacked on #390)#401vikrantpuppala wants to merge 1 commit into
vikrantpuppala wants to merge 1 commit into
Conversation
Stacked on top of PR #390 (security-bump-runtime-and-dev). Addresses the LOW/MED findings from the self-review pass that were intentionally deferred from the main PR to keep its scope tight. - F4: Add SECURITY-OVERRIDES.md — document each of the 18 entries in package.json's overrides with provenance (CVE id, dependent chain, exit condition). Reference it from CONTRIBUTING.md. Pure docs. - F2: lz4 test ESM-safe — refactor lib/utils/lz4.ts to expose setLz4LoaderForTest()/resetLz4CacheForTest() seams so the suite can inject stubs without patching Module._load. Drops the Node-22+ conditional skip; suite now runs on every Node version (16/18/20/22/24). 904 → 904 passing on Node 16/18/20 (unchanged), 898→904 on Node 22/24 (lz4 suite re-enabled). - F8: FederationProvider HTTP exchange tests — refactor to expose a setFederationFetchForTest() seam, then add 3 unit tests that exercise the exchange branch where the AbortController + node-fetch shim typing fix lives. Verifies (a) signal reaches fetch as an AbortSignal, (b) signal implements the standard contract, (c) failed exchanges fall back to original token. 904 → 907 passing. - F11: e2e parallel-safety audit — verified all DDL in tests/e2e/ is templated against E2E_TABLE_SUFFIX and staging files use uuid.v4(). Added tests/e2e/README.md documenting the parallelism contract and warehouse capacity considerations. - F14: OAuthCallbackServerStub interface-drift refactor — dropped the pile of no-op shim methods (setTimeout, closeAllConnections, address, ref, unref, Symbol.asyncDispose, etc.) that existed only to satisfy http.Server's structural type. Production code calls only listen() and close() on the stub, which it does implement. The test-site cast in AuthorizationCode.test.ts already carries the "trust me, this is Server-shaped" assertion via `as unknown as ...`. Drive-by lint-script fix: switched the lint script's glob from `tests/e2e/**` (which expanded to .md files and made eslint complain) to `tests/e2e/**/*.{js,ts}`. Same scope, no false positives. Verified locally: prettier, lint, tsc --noEmit, and npm test (907 passing) all clean on Node 16/18/20/22. OSV-Scanner still reports zero findings on the lockfile. Co-authored-by: Isaac Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Stacked on top of #390 (security-bump-runtime-and-dev). Addresses the LOW/MED findings from the multi-perspective self-review pass on #390 that were intentionally deferred to keep that PR's scope tight.
Each item below has a 1:1 correspondence with a finding (F-number) from the #390 self-review.
F4 — Add
SECURITY-OVERRIDES.mdDocuments each of the 18 entries in
package.json'soverridesblock:Pure docs. Referenced from CONTRIBUTING.md.
F2 — lz4 test ESM-safe
Refactored
lib/utils/lz4.tsto exposesetLz4LoaderForTest(fn)andresetLz4CacheForTest()seams. The test (tests/unit/utils/lz4.test.ts) was previously skipping the entire suite on Node 22+ because it patched CJS-only primitives (Module._load,require.cache). Now it injects via the new seams, and the suite runs cleanly on every Node version in the matrix.F8 — FederationProvider HTTP exchange tests
Refactored
lib/connection/auth/tokenProvider/FederationProvider.tsto exposesetFederationFetchForTest(fn)so tests can stubnode-fetchwithout patching the import system. Then added 3 unit tests inFederationProvider.test.tsthat exercise the previously-uncovered HTTP exchange branch:/oidc/v1/tokenon the Databricks host, the method is POST, ANDinit.signalreachesfetchas anAbortSignal-shaped object (this is the cast site that TS 5 type-strictness caught in Clear OSV-Scanner HIGH/MED/LOW findings via dep bumps + overrides #390).aborted: booleanandaddEventListener: Function.returnOriginalTokenOnFailure: true.907 passing (904 prior + 3 new).
F11 — e2e parallel-safety audit
Audited all DDL in
tests/e2e/**. AllCREATE TABLE/DROP TABLEstatements are templated against${E2E_TABLE_SUFFIX}(which is unique per-job in CI:${{ github.sha }}_node${{ matrix.node-version }}). Staging tests instaging_ingestion.test.tsalready useuuid.v4()for file names. No test mutates the shared catalog/schema/volume.Added
tests/e2e/README.mddocumenting the parallelism contract, env-var inventory, and warehouse-capacity considerations for the new 5-entry matrix in #390.F14 —
OAuthCallbackServerStubinterface-drift refactorThe stub in
tests/unit/.stubs/OAuth.tspreviously carried a pile of no-op shim methods (setTimeout,closeAllConnections,closeIdleConnections,getConnections,ref,unref,Symbol.asyncDispose, plusmaxHeadersCount,maxRequestsPerSocket,timeout,headersTimeout,keepAliveTimeout,requestTimeout,maxConnections,connections) — each of these existed only to satisfyhttp.Server's structural type and accumulated as@types/nodewidened the interface.Production OAuth code only calls
listen()andclose()on the returned server (verified by greppinglib/connection/auth/DatabricksOAuth/). The structural-type satisfaction is already handled by theas unknown as (typeof authCode)['createHttpServer']cast inAuthorizationCode.test.ts(from #390's F10).Dropped the dead shims; kept the minimal
address()returningnull. Future@types/nodeadditions tohttp.Serverwon't require touching this stub anymore.Drive-by
The repo's lint script glob expanded
tests/e2e/**into all files (including.md), causing eslint to attempt parsing the newtests/e2e/README.md. Changed"lint": "eslint lib/** tests/e2e/** --ext .js,.ts"→"lint": "eslint 'lib/**/*.{js,ts}' 'tests/e2e/**/*.{js,ts}' --ext .js,.ts". Same scope, no false positives.Test plan
npm run prettier— cleannpm run lint— cleannpx tsc --project tsconfig.build.json --noEmit— cleannpm teston Node 16 — 907 passingnpm teston Node 20 — 907 passingnpm teston Node 22 — 907 passing (was 898 + 6 pending — lz4 suite now active)osv-scanner scan source --lockfile=package-lock.json— No issues foundThis pull request was AI-assisted by Isaac.