fix: address low-priority review items from Bun→Node migration

[BYK]

Context

Addresses all 5 cleanup items from #990 — low-priority review items deferred during the Bun → Node.js migration.

Changes

1. Remove dead SQLite polyfill code

• Removed NodeDatabasePolyfill, NodeStatementPolyfill, and bunSqlitePolyfill from script/node-polyfills.ts
• Removed bunSqlitePlugin from script/bundle.ts
• These were replaced by src/lib/db/sqlite.ts which handles both runtimes directly

2. Fix which polyfill — timeout + command -v

• Changed from which binary to command -v (POSIX shell builtin) on Unix — works with restricted PATH
• Added timeout: 5000 to execSync call to prevent indefinite blocking
• Windows still uses where (no command -v equivalent)

3. Add stream cleanup to bspatch BufferedStreamReader

• Added cancel() method to BufferedStreamReader that calls reader.cancel() and reader.releaseLock()
• Updated applyPatch finally block to clean up diffReader and extraReader on error paths
• Prevents leaking native DecompressionStream state

4. Fix scanner TOCTOU

• Replaced separate readFile() then stat() calls with a single fs.promises.open() file handle
• Content and mtime are now read from the same handle, eliminating the race window
• Kept isRegularFile() pre-check to avoid blocking open() on FIFOs (1Password guard)

5. Add CI check for patched dependency versions

• New script/check-patches.ts — compares patch file target versions against installed versions
• Added check:patches script to package.json
• Added to CI lint job in .github/workflows/ci.yml
• Catches silent patch skips when a dependency is bumped past the patch version

Also updated .lore.md to fix a stale reference to the non-existent src/lib/which.ts.

Closes #990

[github-actions]

PR Preview Action v1.8.1
🚀 View preview at https://cli.sentry.dev/_preview/pr-991/
Built to branch gh-pages at 2026-05-20 20:15 UTC. Preview will be ready when the GitHub Pages deployment is complete.

[sentry-warden]

Shell injection in Bun.which() polyfill via unquoted command interpolation

The Bun.which() polyfill builds a shell string by directly interpolating command — command -v ${command} on Unix and where ${command} on Windows — and passes it to execSync, which invokes /bin/sh -c (or cmd.exe). A command value containing shell metacharacters (;, $(...), backticks) would execute arbitrary code. The safe pattern is already in src/lib/which.ts: use execFileSync("/bin/sh", ["-c", 'command -v "$1"', "--", command], ...) so command is never interpolated into the shell string.

Evidence

• execSync(cmd, ...) at script/node-polyfills.ts:93 passes a string, which Node.js runs via /bin/sh -c on Unix, making it vulnerable to metacharacter injection.
• cmd is built on line 85 as `command -v ${command}` with no sanitization of command.
• src/lib/which.ts:51-57 shows the correct fix already exists in the codebase: execFileSync("/bin/sh", ["-c", 'command -v "$1"', "--", command]) passes command as a positional arg, never interpolated.
• globalThis.Bun = BunPolyfill (end of polyfill file) installs this as the global Bun.which, reachable by any future caller in the bundled runtime.
• Tests call Bun.which("node") / Bun.which("realpath") with hardcoded strings only, so no current caller exercises a malicious payload.

_{Identified by Warden find-bugs}

[github-actions]

Codecov Results 📊

✅ 7014 passed | Total: 7014 | Pass Rate: 100% | Execution Time: 1ms

📊 Comparison with Base Branch

Metric	Change
Total Tests	—
Passed Tests	—
Failed Tests	—
Skipped Tests	—

✨ No test changes detected

All tests are passing successfully.

✅ Patch coverage is 85.71%. Project has 14253 uncovered lines.
❌ Project coverage is 77.09%. Comparing base (base) to head (head).

Files with missing lines (1)

File	Patch %	Lines
src/lib/bspatch.ts	78.95%	⚠️ 8 Missing

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
- Coverage    77.11%    77.09%    -0.02%
==========================================
  Files          322       322         —
  Lines        62167     62211       +44
  Branches         0         0         —
==========================================
+ Hits         47938     47958       +20
- Misses       14229     14253       +24
- Partials         0         0         —

---

Generated by Codecov Action

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c0d1fea. Configure here.}