fix: AxiosHeaders toJSON() return types #10956
Merged
jasonsaayman merged 4 commits, May 28, 2026
Conversation
Socket for GitHub: No dependency changes detected in pull request.
Contributor
16 issues found across 11 files
Confidence score: 2/5
- Multiple high-confidence, high-severity issues indicate clear merge risk: `.github/workflows/build-stats.yml` can expose write-scoped credentials to PR-executed code and uses an insecure `workflow_run` pattern in a public-repo context.
- There are concrete runtime breakages in helper scripts, including an undefined variable rethrow in `scripts/helpers/helpers.js` and invalid/malformed git format commands in `scripts/helpers/git.js`, which can mask real errors and break commit parsing. `scripts/build-stat.js` appears to mix SHA strings with expected stat-object fields (size/gzip) for release comparisons, creating a likely regression in diff calculation behavior rather than a minor edge case.
- Pay close attention to `.github/workflows/build-stats.yml`, `scripts/helpers/git.js`, `scripts/helpers/helpers.js`, and `scripts/build-stat.js`: security exposure plus command/parsing defects are likely to cause incorrect behavior or failures.
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/build-stats.yml">
<violation number="1" location=".github/workflows/build-stats.yml:7">
P1: `workflow_run` trigger is insecure in public repositories. The downstream workflow runs with write permissions and secret access regardless of what triggered the upstream workflow, including fork PRs from external contributors. An attacker can poison output artifacts via a PR, and this workflow then consumes attacker-controlled content in a privileged context. Consider alternative approaches like `workflow_call` or adding additional safeguards to validate the triggering context.</violation>
<violation number="2" location=".github/workflows/build-stats.yml:27">
P2: Action `actions/checkout@v4` is not pinned to a commit SHA. Floating tags can be moved by anyone with write access to the action's repository, enabling supply chain attacks. Pin to a full commit hash (e.g., `actions/checkout@<full-sha> # v4`) for reproducibility and security.</violation>
<violation number="3" location=".github/workflows/build-stats.yml:30">
P0: Disable persisted Git credentials before running PR code to avoid leaking a write-scoped token.</violation>
<violation number="4" location=".github/workflows/build-stats.yml:38">
P2: Potential script injection via template expansion. `${{ github.event.workflow_run.pull_requests[0].base.sha }}` is interpolated directly into the `run:` shell script. Best practice is to pass event data through environment variables rather than direct interpolation in `run:` blocks to avoid code injection. Use an `env:` block to assign the value first, then reference it as `$BASE_SHA` in the script.</violation>
<violation number="5" location=".github/workflows/build-stats.yml:47">
P2: Action `actions/setup-node@v4` is not pinned to a commit SHA. Pin to a full commit hash for supply chain security.</violation>
<violation number="6" location=".github/workflows/build-stats.yml:74">
P2: Action `actions/cache@v4` is not pinned to a commit SHA. Pin to a full commit hash for supply chain security.</violation>
</file>
<file name="scripts/build-stat.js">
<violation number="1" location="scripts/build-stat.js:182">
P1: `base === 'release'` assigns a SHA string to `baseStat`, but later code expects a stat object (`baseStat.size`/`baseStat.gzip`). This breaks diff calculations for release-based comparisons.</violation>
<violation number="2" location="scripts/build-stat.js:261">
P2: The `--template` argument is ignored because `template` is shadowed by a local variable and the script always reads the default template file.</violation>
</file>
<file name="scripts/helpers/git.js">
<violation number="1" location="scripts/helpers/git.js:4">
P1: Defaulting `getCommitInfo` to `HEAD~1` changes no-arg callers to use the previous commit, causing snapshot/check logic to target the wrong SHA.</violation>
<violation number="2" location="scripts/helpers/git.js:7">
P1: `git show` format is missing a newline before `%h`, so `date` and `short` are parsed incorrectly and `short` becomes undefined.</violation>
<violation number="3" location="scripts/helpers/git.js:18">
P1: The `git branch --format` command has an unclosed quote, which makes the command invalid at runtime.</violation>
</file>
<file name="scripts/helpers/npm.js">
<violation number="1" location="scripts/helpers/npm.js:39">
P1: The stream pipeline only handles errors on `extract`; upstream stream errors (especially from gunzip) are not safely routed to `reject`, which can cause unhandled stream errors instead of a rejected promise.</violation>
</file>
<file name="scripts/helpers/github.js">
<violation number="1" location="scripts/helpers/github.js:76">
P1: `FormData.append` is being called with an options object as the 3rd argument, but Web/undici `FormData` expects a filename string there. This can produce an incorrect uploaded filename and ignore the intended content type metadata.</violation>
<violation number="2" location="scripts/helpers/github.js:100">
P2: Creating `GithubAPI` at import time makes non-GitHub code paths fail fast when env vars are missing. Initialization should be deferred until GitHub operations are actually needed.</violation>
</file>
<file name="scripts/helpers/helpers.js">
<violation number="1" location="scripts/helpers/helpers.js:30">
P1: Custom agent: **Flag AI Slop and Fabricated Changes**
`catch(err)` block references undefined variable `e` in rethrow, causing a `ReferenceError` that masks the original error</violation>
</file>
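The review above flags three workflow weaknesses: floating action tags, event data interpolated into `run:` scripts, and checkout keeping a write-scoped token under a `workflow_run` trigger. As an added example (not code from the axios PR or from the cubic review), this line-based check detects each of them in a constructed workflow; the rule names, the 40-hex pin test and the `persist-credentials: false` check are my own simplifications, and the 40-zero ref is a placeholder, not a real commit.

```javascript
// Added example: a minimal lint for the three workflow weaknesses named in the review.
const SHA40 = /^[0-9a-f]{40}$/;
function lintWorkflow(text) {
  const findings = [];
  const lines = text.split('\n');
  const onWorkflowRun = /^\s*workflow_run\s*:/m.test(text);
  let inRun = false, contentIndent = -1, checkoutLine = -1;
  for (let i = 0; i < lines.length; i++) {
    const line = lines[i], n = i + 1;
    if (line.trim() === '') continue;
    const indent = line.search(/\S/);
    if (inRun) {                       // inside a `run: |` script body
      if (contentIndent < 0) contentIndent = indent;
      if (indent >= contentIndent) {   // still part of the script
        if (/\$\{\{/.test(line)) findings.push({ line: n, rule: 'expression-in-run' });
        continue;
      }
      inRun = false;                   // dedented: block ended (e.g. an env: key)
    }
    const run = line.match(/^\s*-?\s*run:\s*(.*)$/);
    if (run) {
      const body = run[1].trim();
      if (/^[|>]/.test(body)) { inRun = true; contentIndent = -1; }
      else if (/\$\{\{/.test(body)) findings.push({ line: n, rule: 'expression-in-run' });
      continue;
    }
    const uses = line.match(/^\s*-?\s*uses:\s*([^\s#]+)/);
    if (!uses) continue;
    const [action, ref = ''] = uses[1].split('@');   // local actions (./...) need no pin
    if (!action.startsWith('./') && !SHA40.test(ref))
      findings.push({ line: n, rule: 'unpinned-action', detail: uses[1] });
    if (action === 'actions/checkout') checkoutLine = n;
  }
  // Under workflow_run the checked-out token is write-scoped; it must not be persisted.
  if (onWorkflowRun && checkoutLine > 0 && !/persist-credentials:\s*false/.test(text))
    findings.push({ line: checkoutLine, rule: 'persisted-credentials-under-workflow_run' });
  return findings;
}
// Constructed sample; the 40-zero ref is a placeholder, not a real commit.
const SAMPLE = `
on:
  workflow_run:
jobs:
  stats:
    steps:
      - uses: actions/checkout@v4
      - run: |
          git diff --stat \${{ github.event.workflow_run.pull_requests[0].base.sha }}
      - uses: actions/setup-node@0000000000000000000000000000000000000000
`;
```

Run `lintWorkflow(SAMPLE)` to see the three findings; a workflow that pins refs, sets `persist-credentials: false` and moves the expression into an `env:` block reports none.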
b1d1f21 to 72b4db0
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
Contributor
1 issue found across 1 file (changes from recent commits).
…igitalBrainJS/axios into fix/types-axios-headers-tojson
toJSON() return types
Summary
Narrow AxiosHeaders `toJSON()` return types to match the real ones.