chore: bump API version to v2025-11-15 #38

Open
azrosen92 wants to merge 1 commit into main from bump-api-version-to-v2025-11-15
azrosen92 (Collaborator) commented May 14, 2026

Summary

  • Adds versioned SDK directory and workflow entries for API version v2025-11-15
  • Existing entries are frozen at their current version for backwards compatibility

Notes

Dependency: merge cleanup PR first (chore: untrack .speakeasy/workflow.local.yaml). This PR has been rebased to assume the file is already gone.

Merge order:

  1. Gusto-Partner-API: fix: harden codegen --new-version scaffold (script hardening)
  2. gusto-python-client cleanup PR
  3. This PR

🤖 Generated with Claude Code

@boostsecurity-io-ai boostsecurity-io-ai Bot left a comment

🚀 2 New Security Fixes

You just committed 2 security fixes. 😎 Keep up the great work!

🎯 Take a look at what findings you fixed.
Findings
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Original Rule ID: python_random_rule-random
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The application uses the random module to generate random values. The random
module implements a Mersenne Twister PRNG which is not cryptographically secure
and produces predictable values that can be exploited when used for tokens,
session...
sleep = (initial_interval / 1000) * exponent**retries + random.uniform(0, 1)

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Original Rule ID: python_random_rule-random
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

The application uses the random module to generate random values. The random
module implements a Mersenne Twister PRNG which is not cryptographically secure
and produces predictable values that can be exploited when used for tokens,
session...
sleep = (initial_interval / 1000) * exponent**retries + random.uniform(0, 1)

Scanner: boostsecurity - Semgrep
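
The property the finding above describes, as an added example that is not part of this PR or of the scanner's output: the flagged backoff formula with a pluggable generator, showing that Mersenne Twister jitter is fully determined by its seed while `secrets.SystemRandom` is not. The function names and the 500 ms / 1.5 parameters are assumptions made for illustration.

```python
import random
import secrets


def backoff_delay(initial_interval_ms, exponent, retries, rng=random):
    """Same formula as the flagged line; `rng` is any object with uniform()."""
    return (initial_interval_ms / 1000) * exponent**retries + rng.uniform(0, 1)


def jitter_sequence(rng, attempts=5):
    """Delays for retries 0..attempts-1 (500 ms base, factor 1.5: assumed values)."""
    return [backoff_delay(500, 1.5, r, rng) for r in range(attempts)]


def seeded_runs_match():
    """random.Random is a Mersenne Twister: same seed, same 'random' jitter."""
    return jitter_sequence(random.Random(1234)) == jitter_sequence(random.Random(1234))


def system_runs_match():
    """SystemRandom draws from the OS CSPRNG; seed() is a documented no-op."""
    a, b = secrets.SystemRandom(), secrets.SystemRandom()
    a.seed(1234)
    b.seed(1234)
    return jitter_sequence(a) == jitter_sequence(b)


def new_token(nbytes=32):
    """Values that must be unguessable (tokens, session ids) come from secrets."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    print("seeded Mersenne Twister runs identical:", seeded_runs_match())
    print("SystemRandom runs identical:", system_runs_match())
    print("token:", new_token())
```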

gusto-fresh-eyes Bot commented May 14, 2026

Fresh Eyes Review

Found 4 issues in this PR.

PR Description Issues

  • Minor | description-check: Missing 'Testing' section: No mention of how the new workflow entries and gen configs were validated (e.g., running speakeasy generate, verifying registry resolution, or checking that the new versioned packages build).
  • Minor | description-check: Undocumented formatting change: The description states 'Existing entries are frozen at their current version for backwards compatibility', but the diff shows the entire workflow.yaml was reformatted (2-space indent, added YAML document separator '---', added quotes around variable references). While semantically equivalent, this is not mentioned and may cause noisy diffs or merge conflicts for in-flight branches.

Please 👍🏽 👎🏽 if you found this useful. Generated by Fresh Eyes Reviewer. Get help in #ai-code-reviews

@azrosen92 azrosen92 force-pushed the bump-api-version-to-v2025-11-15 branch 2 times, most recently from cdc408e to 1e34cfa Compare May 18, 2026 15:32
@azrosen92 azrosen92 force-pushed the bump-api-version-to-v2025-11-15 branch from 1e34cfa to e2e2dfb Compare May 18, 2026 15:38
@azrosen92 azrosen92 changed the base branch from main to chore/untrack-workflow-local-yaml May 18, 2026 15:38
@azrosen92 azrosen92 force-pushed the chore/untrack-workflow-local-yaml branch from 8b4b07a to c79c5e6 Compare May 19, 2026 20:14
Base automatically changed from chore/untrack-workflow-local-yaml to main May 20, 2026 15:04
@azrosen92 azrosen92 force-pushed the bump-api-version-to-v2025-11-15 branch from e2e2dfb to f000a45 Compare May 20, 2026 15:09
@azrosen92 azrosen92 force-pushed the bump-api-version-to-v2025-11-15 branch from f000a45 to 9426239 Compare May 21, 2026 15:07
Comment on lines +10 to +13
actions:
- target: $.paths..schema..zip
update:
x-speakeasy-name-override: zip_code
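Review bot: the target on the `- target:` line, `$.paths..schema..zip`, ends in a bare recursive descent, so it selects every member named `zip` at any depth under a `schema` node rather than only schema properties. If the intent is to rename the `zip` property, `$.paths..schema..properties.zip` states that directly and would keep the override off a `zip` key that sits inside an example or default value.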
🔴 Blocker | [fresh_eyes]: code-moves

Dropped overlay action: the original gusto_app_int/.speakeasy/speakeasy-modifications-overlay.yaml has TWO actions — $.paths..schema..zip AND $.components.schemas..properties.zip — but the new versioned copy only includes the first one. The original comments explain both are needed because address schemas referenced via $ref live under components.schemas and won't be caught by the $.paths.. rule alone. Without the second rule, the generated v2025-11-15 SDK will shadow Python's built-in zip() for those schemas (causing pylint W0622 failures).



Comment on lines +10 to +13
actions:
- target: $.paths..schema..zip
update:
x-speakeasy-name-override: zip_code
🔴 Blocker | [fresh_eyes]: code-moves

Dropped overlay action: the original gusto_embedded/.speakeasy/speakeasy-modifications-overlay.yaml has TWO actions — $.paths..schema..zip AND $.components.schemas..properties.zip — but the new versioned copy only includes the first one. Same issue as the app-int overlay: without the $.components.schemas..properties.zip target, zip properties on ref'd schemas won't be renamed to zip_code, shadowing Python's zip() builtin.



@azrosen92 azrosen92 enabled auto-merge (squash) May 21, 2026 18:41
@azrosen92 azrosen92 requested a review from a team May 21, 2026 18:42
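
Why the `$.paths..` rule alone misses `$ref`'d schemas, the point made in the two blocker comments above; this is an added example, not code from the PR or from Speakeasy. The spec fragment, its path and the helper names are constructed for illustration, and the matchers hand-implement only the two JSONPath targets named in the comments.

```python
# Constructed OpenAPI fragment: one inline schema, one schema reached via $ref.
SPEC = {
    "paths": {"/example/addresses": {"post": {
        "requestBody": {"content": {"application/json": {"schema": {
            "type": "object",
            "properties": {"zip": {"type": "string"}}}}}},
        "responses": {"200": {"content": {"application/json": {"schema": {
            "$ref": "#/components/schemas/Address"}}}}}}}},
    "components": {"schemas": {"Address": {
        "type": "object",
        "properties": {"city": {"type": "string"}, "zip": {"type": "string"}}}}},
}

def descendants(node, path=()):
    """Yield (path, value) for a node and everything below it (JSONPath '..')."""
    yield path, node
    kids = node.items() if isinstance(node, dict) else enumerate(node) if isinstance(node, list) else ()
    for key, child in kids:
        yield from descendants(child, path + (key,))

def members(node, path, name):
    """(path, value) of every member called `name` at or below node ('..name')."""
    return [(p + (name,), v[name]) for p, v in descendants(node, path)
            if isinstance(v, dict) and name in v]

def paths_schema_zip(spec):
    """Nodes selected by $.paths..schema..zip"""
    return {q for p, schema in members(spec["paths"], ("paths",), "schema")
            for q, _ in members(schema, p, "zip")}

def components_properties_zip(spec, root=("components", "schemas")):
    """Nodes selected by $.components.schemas..properties.zip"""
    return {p + ("zip",) for p, props in members(spec["components"]["schemas"], root, "properties")
            if isinstance(props, dict) and "zip" in props}

def zip_properties(spec):
    """Every schema property named 'zip', wherever it lives in the document."""
    return {p + ("zip",) for p, props in members(spec, (), "properties")
            if isinstance(props, dict) and "zip" in props}

def left_unrenamed(spec, rules):
    """zip properties that none of the given overlay targets select."""
    return zip_properties(spec) - set().union(*(rule(spec) for rule in rules))

if __name__ == "__main__":
    # A $ref is just a string in the tree, so the paths rule never reaches Address.
    print(left_unrenamed(SPEC, [paths_schema_zip]))
    print(left_unrenamed(SPEC, [paths_schema_zip, components_properties_zip]))
```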