Skip to content

follow-up: review-squad LOW/MED follow-ups (F4, F8, F11, F14)#401

Merged
vikrantpuppala merged 2 commits into
mainfrom
vp/security-bump-followup
Jul 14, 2026
Merged

follow-up: review-squad LOW/MED follow-ups (F4, F8, F11, F14)#401
vikrantpuppala merged 2 commits into
mainfrom
vp/security-bump-followup

Conversation

@vikrantpuppala

@vikrantpuppala vikrantpuppala commented May 30, 2026

Copy link
Copy Markdown
Collaborator

Summary

The LOW/MED review-squad follow-ups from the #390 self-review that were deferred to keep that PR tight. Rebuilt cleanly on top of merged main (post-#390) as a single commit — the earlier version of this branch had diverged badly (branched off 1.15.0, carried a stale duplicate of the entire #390 security-bump, and was missing ~20k lines of since-merged kernel/telemetry work).

F2 (lz4 test ESM-safety) is intentionally dropped. #390 already made the lz4 tests ESM-safe a different way — a golden-frame real-codec suite plus an availability-gated before(), with no module-global loader seam. Re-applying #401's original setLz4LoaderForTest seam would revert merged work (and it carried the memoization-leak bug called out in review — which #390's approach structurally avoids).

F4 — SECURITY-OVERRIDES.md

Documents each of the 7 package.json overrides entries (basic-ftp, @75lb/deep-merge, ws, ip-address, form-data, uuid, serialize-javascript) — class (runtime vs dev), dependent chain, CVE id(s) cleared, and exit condition. Matches the actual merged override set (the earlier draft documented a stale 18-entry set). Referenced from CONTRIBUTING.md.

F8 — FederationProvider HTTP exchange tests

Adds a setFederationFetchForTest() seam so tests can stub node-fetch without patching the import system, then 3 unit tests covering the previously-uncovered token-exchange branch:

  1. Exchange a foreign-issued JWT for a Databricks token — asserts the POST hits /oidc/v1/token on the Databricks host and that init.signal reaches fetch as an AbortSignal (the cast site TS 5 strictness caught in 2.0.0: breaking security bump — Node >=20, thrift 0.23, uuid 11, lz4→lz4-napi (0 OSV findings) #390).
  2. Signal-contract propagation — the signal observed by fetch implements aborted: boolean + addEventListener.
  3. Non-retryable failure falls back to the original token under the default returnOriginalTokenOnFailure: true.

F11 — e2e parallel-safety audit

Adds tests/e2e/README.md documenting the parallelism contract (per-job E2E_TABLE_SUFFIX, uuid.v4() staging file names) and warehouse-capacity considerations for the Node 20/22/24/26 matrix. Drive-by: the lint glob tests/e2e/** expanded to include the new .md; changed to tests/e2e/**/*.{js,ts} (same scope, no false positives).

F14 — OAuthCallbackServerStub interface-drift refactor

Drops the pile of no-op http.Server shim methods (setTimeout, closeAllConnections, ref/unref, Symbol.asyncDispose, the maxHeadersCount/timeout/… property pile) that existed only to satisfy the structural type and grew with every @types/node widening. Production OAuth code calls only listen/close/address; the AuthorizationCode.test.ts call site now carries the assertion via an as unknown as ... cast.

Test plan

  • tsc --noEmit clean (Node 20)
  • eslint clean (glob fix verified — no README parse attempt)
  • prettier --check clean
  • 1253 unit tests passing (incl. the 3 new FederationProvider exchange tests)

This pull request was AI-assisted by Isaac.

@gopalldb

Copy link
Copy Markdown
Collaborator

📄 lib/utils/lz4.ts

⚠️ [MAJOR] lz4 memoization leaks across suites; first test resets too late (afterEach, not beforeEach)
Line 8 | bug | logical_claude_agent

▎ Module-global lz4 memoization leaks into the first lz4.test.ts test, silently defeating its injected loader. resolvedModule (lz4.ts:44) is memoized on the first getResolvedModule() call and only recomputed when it is undefined (lz4.ts:46-48). Sibling suites ArrowResultHandler.test.ts and CloudFetchResultHandler.test.ts run before lz4.test.ts (mocha loads paths alphabetically: result/ < utils/) and construct handlers with lz4Compressed: true, which call LZ4() and memoize resolvedModule to the real module. Because lz4.test.ts calls resetLz4CacheForTest() in afterEach (test:12-16) rather than beforeEach, the FIRST test ('should successfully load and use lz4 module when available') runs against that stale memoized module: the setLz4LoaderForTest(fakeLz4) it installs is never consulted. The assertions still pass (the real module round-trips), so the test silently stops exercising the injected-loader seam it was written to cover.

▎ 💡 Suggested Fix: Reset the memoized state in a beforeEach (in addition to, or instead of, the afterEach), or call resetLz4CacheForTest() at the top of each test before the first getResolvedModule(), so every test starts from resolvedModule === undefined regardless of what earlier suites memoized. This guarantees the injected loader is actually consulted.
▎ suggestion
▎ beforeEach(() => {
▎ consoleWarnStub = sinon.stub(console, 'warn');
▎ resetLz4CacheForTest();
▎ });

@vikrantpuppala vikrantpuppala force-pushed the vp/security-bump-runtime-and-dev branch from 8d81b92 to b2aa909 Compare July 13, 2026 09:56
Rebuilt cleanly on top of merged main (post-#390). The original #401
branch had diverged badly (branched off 1.15.0, carried a stale duplicate
of the entire #390 security-bump, missing ~20k lines of since-merged
kernel/telemetry work). This is only the genuinely-new follow-up content.

F2 (lz4 test ESM-safety) is intentionally DROPPED: #390 already made the
lz4 tests ESM-safe a different way (golden-frame real-codec suite + an
availability-gated before()), so #401's setLz4LoaderForTest seam would
revert merged work.

- F4: SECURITY-OVERRIDES.md documents each of the 7 package.json
  `overrides` entries (class, dependent chain, CVE ids, exit condition),
  matching the actual merged override set (not the stale 18-entry set the
  original branch documented). Referenced from CONTRIBUTING.md.

- F8: FederationProvider gains a setFederationFetchForTest() seam so tests
  can stub node-fetch without patching the import system; adds 3 unit tests
  exercising the previously-uncovered HTTP exchange branch (exchange
  success + endpoint/method/AbortSignal assertions, signal contract,
  non-retryable-failure fallback to the original token).

- F11: tests/e2e/README.md documents the parallelism contract (per-job
  E2E_TABLE_SUFFIX, uuid.v4() staging file names) and warehouse-capacity
  considerations for the Node 20/22/24/26 matrix. Drive-by: fix the lint
  script glob (`tests/e2e/**` -> `tests/e2e/**/*.{js,ts}`) so eslint no
  longer tries to parse the new README.md.

- F14: OAuthCallbackServerStub drops the pile of no-op http.Server shim
  methods (setTimeout/closeAllConnections/ref/unref/Symbol.asyncDispose/
  the maxHeadersCount... property pile). Production OAuth code only calls
  listen/close/address; the AuthorizationCode.test.ts call site now carries
  the structural-type assertion via an `as unknown as ...` cast, so
  @types/node widening no longer forces stub churn.

Verified on Node 20: tsc --noEmit clean, eslint clean, prettier clean,
1253 unit tests passing.

Co-authored-by: Isaac
Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@vikrantpuppala vikrantpuppala force-pushed the vp/security-bump-followup branch from 7bc63c9 to d112b5e Compare July 14, 2026 07:05
@vikrantpuppala vikrantpuppala changed the base branch from vp/security-bump-runtime-and-dev to main July 14, 2026 07:05
@vikrantpuppala vikrantpuppala changed the title follow-up: review-squad LOW/MED follow-ups (5 items, stacked on #390) follow-up: review-squad LOW/MED follow-ups (F4, F8, F11, F14) Jul 14, 2026

@gopalldb gopalldb left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved via Isaac Review: no blocking comments (0 critical / 0 major / 0 minor). All 5 raised comments were Info-level, and 3 were rejected as invalid during validation.

@github-actions

Copy link
Copy Markdown

Thanks for your contribution! To satisfy the DCO policy in our contributing guide every commit message must include a sign-off message. One or more of your commits is missing this message. You can reword previous commit messages with an interactive rebase (git rebase -i main).

Signed-off-by: Vikrant Puppala <vikrant.puppala@databricks.com>
@vikrantpuppala vikrantpuppala force-pushed the vp/security-bump-followup branch from f6d4e60 to 3293568 Compare July 14, 2026 08:35
@vikrantpuppala vikrantpuppala added this pull request to the merge queue Jul 14, 2026
Merged via the queue into main with commit 0385e1d Jul 14, 2026
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants