Skip to content

Pr/rpc fixes#140

Open
moshloop wants to merge 10 commits into
mainfrom
pr/rpc-fixes
Open

Pr/rpc fixes#140
moshloop wants to merge 10 commits into
mainfrom
pr/rpc-fixes

Conversation

@moshloop

@moshloop moshloop commented Jul 7, 2026

Copy link
Copy Markdown
Member

Description

Brief description of the changes in this PR.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Performance improvement
  • Code refactoring

Testing

  • Tests pass locally with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • I have tested the CLI with example data

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • Any dependent changes have been merged and published in downstream modules

Breaking Changes

If this is a breaking change, please describe the impact and migration path for existing users:

Additional Notes

Add any additional notes, screenshots, or context about the changes here.

Summary by CodeRabbit

  • New Features
    • Added per-request performance timing in responses via Server-Timing headers.
    • Updated the built-in AI model catalog and default model selection.
    • Added lint support for the example web app’s UI rules.
  • Bug Fixes
    • Hidden flags are no longer shown in help output or included in generated schemas/operation parameters.
    • Route registration now avoids conflicts when routes differ only by wildcard parameter names.
    • Markdown pretty output now preserves schema-defined field order and returns empty output for nil input.

moshloop added 7 commits July 6, 2026 17:25
A completed task kept its runFunc closure for the manager's 10-minute
run-retention window. When the closure captured large state (parsed
inputs, accumulators, intermediate outputs), that state stayed live for
every retained task — a leak that scales with the number of past runs.

Release runFunc once executeTask finishes: it is invoked nowhere else and
retries are already exhausted by then. Completed tasks keep only their
lightweight result and snapshot for viewing.
Implement request-scoped timing accumulation for HTTP handlers with Server-Timing header emission. Provides AddTiming and Track APIs for measuring operation phases within the RPC executor and custom handlers, summing durations by phase name and emitting millisecond-precision metrics in the response header. The middleware preserves http.Flusher for streaming responses and integrates without importing rpc package dependencies.: feat
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c15f9bb7-60ed-4a5a-9c0a-2688b6afee22

📥 Commits

Reviewing files that changed from the base of the PR and between 31e982a and dae8dfa.

⛔ Files ignored due to path filters (2)
  • aichat/go.sum is excluded by !**/*.sum
  • examples/enitity/webapp/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (6)
  • aichat/go.mod
  • examples/enitity/webapp/.oxlintrc.json
  • examples/enitity/webapp/package.json
  • rpc/http/middleware.go
  • rpc/http/middleware_test.go
  • rpc/serve.go
✅ Files skipped from review due to trivial changes (1)
  • examples/enitity/webapp/.oxlintrc.json
🚧 Files skipped from review as they are similar to previous changes (4)
  • rpc/http/middleware_test.go
  • examples/enitity/webapp/package.json
  • rpc/http/middleware.go
  • rpc/serve.go

Walkthrough

This PR adds frontend lint tooling, updates the entity webapp icon wiring, refreshes aichat model and dependency data, adds hidden flag propagation, changes markdown ordering, filters RPC converter flags, adds HTTP timing instrumentation, normalizes route deduplication, and releases worker closures after task completion.

Changes

Clicky-UI Lint Tooling

Layer / File(s) Summary
Lint target, config, and dependency wiring
Makefile, .gitignore, CONTRIBUTING.md, examples/enitity/webapp/.oxlintrc.json, examples/enitity/webapp/package.json, examples/enitity/webapp/pnpm-workspace.yaml
Adds the lint-clicky-ui Makefile target, un-ignores the oxlint config file, documents the command, adds the oxlint configuration, and wires the webapp script and dependency entries.

Webapp Icon Component Migration

Layer / File(s) Summary
TypeScript paths and Vite alias for icons entrypoint
examples/enitity/webapp/tsconfig.json, examples/enitity/webapp/vite.config.ts
Adds vite/client types, reformats clicky-ui path mappings, and adds a Vite alias for @flanksource/clicky-ui/icons.
Icon component usage in App and ChatWidget
examples/enitity/webapp/src/App.tsx, examples/enitity/webapp/src/ChatWidget.tsx
Updates App.tsx and ChatWidget.tsx to import and render clicky-ui icon components in place of the previous string-based icon identifiers, with related JSX reformatting.

AI Chat Default Model Catalog Update

Layer / File(s) Summary
Agent request spec construction
aichat/agent.go
Imports commons-db/shell and updates the captain request spec to set Budget.MaxTurns and Setup.Cwd.
Default model ID and catalog contents
aichat/models.go, aichat/agent_test.go, aichat/models_test.go
Updates DefaultModelID, replaces the built-in model catalog entries and context windows, and adjusts model-related test expectations.
Module graph refresh
aichat/go.mod
Updates the direct and indirect dependency requirements for the aichat module, including a new direct commons-db dependency and broad transitive version changes.

Hidden CLI Flag Support

Layer / File(s) Summary
Hidden field contract, parsing, and binding
flags/types.go, flags/parser.go, flags/binding.go, flags/parser_test.go
Extends FieldInfo with Hidden, sets it from the struct tag during parsing, and marks the Cobra flag hidden in BindFlag; tests cover parsing and binding visibility.

Schema-Ordered Markdown Formatting

Layer / File(s) Summary
Schema-ordered rendering and fallback
formatters/markdown_formatter.go, formatters/map_input_test.go
Adds nil handling, renders schema-defined fields before extra typed-map fields, and verifies the rendered label order in tests.

RPC Converter Flag Filtering

Layer / File(s) Summary
Local non-persistent flag filtering
rpc/converter.go, rpc/converter_flags_test.go
ConvertCommand now reads cmd.LocalNonPersistentFlags(), and the new test asserts inherited and hidden flags are excluded from generated parameters and schema.

HTTP Server-Timing Middleware

Layer / File(s) Summary
Timings accumulator and context wiring
rpc/http/timing.go, rpc/http/timing_test.go
Introduces the Timings accumulator, context wiring helpers, duration recording helpers, and header rendering for accumulated phases.
TimingMiddleware and timingRecorder
rpc/http/middleware.go, rpc/http/middleware_test.go
Wraps handlers with request timing context, stamps Server-Timing on write paths, and preserves flush and unwrap behavior; tests cover the header output and flush handling.

RPC Route Dedup for Wildcard Names

Layer / File(s) Summary
Wildcard-normalized dedupe key
rpc/serve.go, rpc/serve_test.go
Adds normalizeWildcardNames, switches duplicate detection to use the normalized path key, and changes route logging to clicky logging.

Task Worker RunFunc Release

Layer / File(s) Summary
RunFunc cleanup and GC verification test
task/worker.go, task/worker_release_test.go
executeTask nils task.runFunc after completion, and the new test uses a finalizer to confirm the captured payload becomes collectible.

Possibly related PRs

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title is too vague to identify the main change and reads like a placeholder. Use a concise, specific title describing the primary fix or feature, such as the RPC timing and linting updates.
Description check ❓ Inconclusive The description matches the template structure but only contains placeholders, so it lacks the actual PR details. Replace the placeholders with a real summary, selected change type, testing performed, checklist status, and any breaking-change notes.
✅ Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pr/rpc-fixes
✨ Simplify code
  • Create PR with simplified code
  • Commit simplified code in branch pr/rpc-fixes

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Gavel crashed before producing results

Exit code: 1
Error: gavel exited 1 before writing results

Last lines of gavel.log

go: downloading github.com/geoffgarside/ber v1.1.0 go: downloading gopkg.in/warnings.v0 v0.1.2 go: downloading github.com/cloudflare/circl v1.6.3 go: downloading github.com/cenkalti/backoff/v5 v5.0...

Full gavel.log, JSON stub, and HTML stub are in the workflow artifact.

View full results

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
flags/binding.go (1)

125-134: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Reject hidden+required flags for body-less RPC calls.

ParseStructFields allows hidden:"true" and required:"true" together, but rpc/converter.go drops hidden fields from the generated parameters. That makes the value unreachable for GET/HEAD-style RPCs, so Cobra will still fail with a missing required flag. Add a parser check or a test for this combination.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@flags/binding.go` around lines 125 - 134, ParseStructFields currently allows
hidden and required flags to be combined, but hidden fields are omitted by
rpc/converter.go so body-less RPC calls can never supply them. Add a validation
in ParseStructFields or the flag metadata path to reject hidden:"true" with
required:"true" together, and cover the behavior with a test around the
info.Hidden/info.Required handling and cmd.MarkFlagRequired/MarkHidden setup.
🧹 Nitpick comments (1)
rpc/serve.go (1)

498-501: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Route output should go through clicky logging, not fmt.Printf.

These warning lines write directly to os.Stdout. Per the repository guidelines, library code should route output through the clicky logging path (e.g. clicky.Warnf) rather than fmt.Printf/fmt.Println, so live task rendering isn't corrupted. The pre-existing fmt.Printf calls elsewhere in this function share the same issue.

As per coding guidelines: "Do not write directly to os.Stdout or os.Stderr in library code; route output through the clicky logging/writer path instead" and "emit logs through clicky.Infof, clicky.Errorf, clicky.Warnf, or clicky.Debugf rather than fmt.Println".

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rpc/serve.go` around lines 498 - 501, The duplicate-endpoint warning in the
RPC registration flow is writing directly to standard output via fmt.Printf,
which should be routed through clicky logging instead. Update the warning path
in the endpoint registration logic in serve.go to use clicky.Warnf (or the
appropriate clicky logger) for the duplicate endpoint message and the related
Path/Already registered/Skipping details, and replace the other fmt.Printf calls
in the same function with clicky logging so library output does not bypass the
task rendering path.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@examples/enitity/webapp/.oxlintrc.json`:
- Around line 3-8: The oxlint config in the webapp example references the
clicky-ui plugin via a specifier that resolves outside this repository, so
update the setup accordingly. Either change the plugin path in the
.oxlintrc.json entry for clicky-ui to point to a location inside this repo, or
add clear documentation in the relevant setup docs explaining that a sibling
clicky-ui checkout is required. Use the clicky-ui plugin entry in the jsPlugins
array as the locator.

In `@rpc/http/middleware.go`:
- Around line 12-18: TimingMiddleware currently relies on timingRecorder.stamp()
being triggered by WriteHeader/Write/Flush, so handlers that return without
writing never set Server-Timing. Update TimingMiddleware to call rec.stamp()
after next.ServeHTTP returns, and keep the existing write-path behavior in
timingRecorder unchanged. Add a regression test around TimingMiddleware to cover
a handler that returns without writing and assert the Server-Timing header is
still emitted.

---

Outside diff comments:
In `@flags/binding.go`:
- Around line 125-134: ParseStructFields currently allows hidden and required
flags to be combined, but hidden fields are omitted by rpc/converter.go so
body-less RPC calls can never supply them. Add a validation in ParseStructFields
or the flag metadata path to reject hidden:"true" with required:"true" together,
and cover the behavior with a test around the info.Hidden/info.Required handling
and cmd.MarkFlagRequired/MarkHidden setup.

---

Nitpick comments:
In `@rpc/serve.go`:
- Around line 498-501: The duplicate-endpoint warning in the RPC registration
flow is writing directly to standard output via fmt.Printf, which should be
routed through clicky logging instead. Update the warning path in the endpoint
registration logic in serve.go to use clicky.Warnf (or the appropriate clicky
logger) for the duplicate endpoint message and the related Path/Already
registered/Skipping details, and replace the other fmt.Printf calls in the same
function with clicky logging so library output does not bypass the task
rendering path.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 354ff0d0-8083-4437-8944-fae7e2198e29

📥 Commits

Reviewing files that changed from the base of the PR and between 0101296 and 31e982a.

⛔ Files ignored due to path filters (1)
  • examples/enitity/webapp/pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (30)
  • .gitignore
  • CONTRIBUTING.md
  • Makefile
  • aichat/agent.go
  • aichat/agent_test.go
  • aichat/models.go
  • aichat/models_test.go
  • examples/enitity/webapp/.oxlintrc.json
  • examples/enitity/webapp/package.json
  • examples/enitity/webapp/pnpm-workspace.yaml
  • examples/enitity/webapp/src/App.tsx
  • examples/enitity/webapp/src/ChatWidget.tsx
  • examples/enitity/webapp/tsconfig.json
  • examples/enitity/webapp/vite.config.ts
  • flags/binding.go
  • flags/parser.go
  • flags/parser_test.go
  • flags/types.go
  • formatters/map_input_test.go
  • formatters/markdown_formatter.go
  • rpc/converter.go
  • rpc/converter_flags_test.go
  • rpc/http/middleware.go
  • rpc/http/middleware_test.go
  • rpc/http/timing.go
  • rpc/http/timing_test.go
  • rpc/serve.go
  • rpc/serve_test.go
  • task/worker.go
  • task/worker_release_test.go

Comment thread examples/enitity/webapp/.oxlintrc.json
Comment thread rpc/http/middleware.go
moshloop added 2 commits July 7, 2026 10:32
…edge case

Gavel-Issue-Id: 6b2997e35e373dc3d3209e33280094ab
Claude-Session-Id: f7ecddc5-467d-4fd4-a7b8-f0778f653659
@moshloop moshloop enabled auto-merge (rebase) July 7, 2026 07:35
@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgolang/​github.com/​flanksource/​commons-db@​v0.1.1372100100100100
Addednpm/​@​flanksource/​clicky-ui@​0.3.97710010096100
Addednpm/​oxlint@​1.72.0911009295100

View full report

@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/envoyproxy/go-control-plane/envoy is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/envoyproxy/go-control-plane/envoy@v1.37.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/microsoft/go-mssqldb is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/microsoft/go-mssqldb@v1.10.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/microsoft/go-mssqldb@v1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/planetscale/vtprotobuf is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?golang/github.com/firebase/genkit/go@v1.8.0golang/github.com/flanksource/commons-db@v0.1.13golang/github.com/flanksource/clicky@v1.21.36golang/github.com/planetscale/vtprotobuf@v0.6.1-0.20240319094008-0393e58bdf10

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/planetscale/vtprotobuf@v0.6.1-0.20240319094008-0393e58bdf10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm jotai is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: examples/enitity/webapp/pnpm-lock.yamlnpm/@flanksource/clicky-ui@0.3.9npm/jotai@2.20.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jotai@2.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant