fix: setup proper tests for core and plugin-openapi packages (Fixes #52)#53
Conversation
- Add tests for plugin-loader with module loading scenarios - Add tests for registry with singleton pattern verification - Add tests for base-generator cleanOutput functionality - Add tests for auto-installer package manager detection - Add tests for error classes and inheritance - Add tests for openapi-tools-generator with single/multiple specs - Add tests for build-command argument building These tests significantly improve coverage for the core functionality as requested in issue #52
Code Review Summary — PR #53Title: fix: setup proper tests for core and plugin-openapi packages (Fixes #52) What I Reviewed
Validation
Strengths
Key Findings / Risks
Suggestions
Verdict
If you want, I can open a follow-up PR to implement the path guard and empty-install short-circuit with updated tests. |
| it('should handle empty package list', () => { | ||
| installPackages([]); | ||
|
|
||
| expect(execSync).toHaveBeenCalledWith('pnpm add -D ', { |
There was a problem hiding this comment.
Security Issue: The test reveals a potential command injection vulnerability. When an empty package array is passed to installPackages(), it generates a malformed command with a trailing space: pnpm add -D .
This could lead to:
- Command execution errors
- Unexpected behavior in production code
- Potential security risks if user input is involved
Consider either:
- Adding a guard clause to skip installation when the package array is empty
- Trimming the command string before execution
- Modifying the test to verify proper handling of empty arrays
The implementation should ensure commands are properly formatted before being passed to execSync().
| expect(execSync).toHaveBeenCalledWith('pnpm add -D ', { | |
| expect(execSync).not.toHaveBeenCalled(); |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
|
|
||
| generator.testCleanOutput(mockContext, relOutputPath); | ||
|
|
||
| expect(rmSync).toHaveBeenCalledWith('/workspace', { |
There was a problem hiding this comment.
Security Vulnerability: The test reveals that cleanOutput() will delete the entire workspace root directory when given an empty path. This is dangerous behavior that could lead to catastrophic data loss in production.
The implementation should validate that relOutputPath is not empty or contains only path separators before performing the recursive deletion. Consider adding a guard clause that throws an error or returns early when an empty/invalid path is provided.
// Example fix
if (!relOutputPath || relOutputPath.trim() === '' || relOutputPath === '/' || relOutputPath === '.') {
throw new Error('Cannot clean empty or root output path for safety reasons');
}Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
| process.nextTick(() => mockChildProcess.emit('close', 0)); | ||
| setTimeout(() => mockChildProcess.emit('close', 1), 10); |
There was a problem hiding this comment.
The test has a potential race condition. Using setTimeout with different delays (0ms vs 10ms) creates timing-dependent behavior that could lead to inconsistent test results across different environments. Consider using a more deterministic approach to simulate sequential process completion, such as chaining promises or using jest.advanceTimersByTime() with mocked timers. This would make the test more reliable and better at detecting actual concurrency issues in the generator implementation.
| process.nextTick(() => mockChildProcess.emit('close', 0)); | |
| setTimeout(() => mockChildProcess.emit('close', 1), 10); | |
| jest.useFakeTimers(); | |
| process.nextTick(() => mockChildProcess.emit('close', 0)); | |
| setTimeout(() => mockChildProcess.emit('close', 1), 10); | |
| jest.runAllTimers(); |
Spotted by Diamond
Is this helpful? React 👍 or 👎 to let us know.
Summary
Changes Made
Core Package Tests
Plugin-OpenAPI Package Tests
Test Results
Next Steps
While this PR significantly improves test coverage, additional tests could be added for generator functions and utility functions in follow-up PRs.
Fixes #52