chore: harden existing platform implementation #1402
Pins the new hardening behavior:
- NodeStorage: warn on malformed cache, non-string cache values ignored, symlink-safe temp write, localStoragePath-mismatch warning.
- NodeResponse: rejects when the body exceeds the size cap (exports MAX_RESPONSE_BYTES so the test references the exact threshold).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@cursor review
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit ec40d10. Configure here.
| } catch (error) { | ||
| this._logger?.warn( | ||
| `Discarding malformed flag cache at ${this._storageFile}: ${error instanceof Error ? error.message : error}`, | ||
| ); |
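Review bot: the `catch (error)` block logs "Discarding malformed flag cache" for whatever was thrown, without looking at the error first. Check the error before warning (a Node fs error with `error.code === 'ENOENT'` only means there is no cache file yet) and keep this message for content that failed to parse. Separately, the non-Error fallback interpolates `error` directly, which prints `[object Object]` for a thrown plain object.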
Spurious warning on first run when no cache exists
Medium Severity
The inner catch block in _initialize now logs a "Discarding malformed flag cache" warning for every error from fs.readFile, including ENOENT when the cache file simply doesn't exist yet. On first SDK use (or after cache cleanup), every user with a logger will see this misleading warning even though there's nothing wrong — the file just hasn't been created. The warning text should only appear for genuinely malformed content, not a missing file.


This PR hardens the node client sdk platform implementation that is already merged. This is done in response to some reviews run on a future branch.
What changed:
wx open so the write cannot be redirected through a symlink; warn when getNodeStorage is called with a localStoragePath that differs from the process singleton's.
Note
Medium Risk
Large new client lifecycle (identify, connection modes, events) plus filesystem and HTTP behavior changes; mistakes could affect flag delivery, caching, or resource use, though changes are heavily tested.
Overview
This PR delivers the LaunchDarkly Node client-side SDK (createClient, start/identify, variations, events, connection modes) on top of shared js-client-sdk-common, with NodeDataManager handling bootstrap vs cache, streaming/polling/offline, and fixes for bootstrap+streaming (no duplicate identify callbacks), post-close identify, and offline mid-identify.
Platform hardening (aligned with the stated goal): NodeStorage logs malformed cache and flush failures, keeps only string cache entries, writes via exclusive wx temp files (symlink-safe), and warns when a second localStoragePath is ignored; NodeResponse rejects bodies over 100 MB; NodeRequests applies a 30s default HTTP timeout.
Broad Jest coverage was added for bootstrap, data sources, events, and the public client API; release tooling drops src/index.ts from node-client release-please extra-files.
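
The exclusive wx temp write described above, as an added example that is not the SDK's own code: it shows the open failing with EEXIST when a symlink already sits at the temp path, next to the default w flag following that link. The helper name, the .tmp suffix and the sample paths are assumptions made for the demonstration.

```javascript
// Added example, not the SDK's implementation: exclusive-create temp write, then rename.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper. The 'wx' flag adds O_EXCL to the create, so the open
// fails with EEXIST if anything occupies the path, a symlink included.
function writeCacheAtomically(cacheFile, contents) {
  const tmp = `${cacheFile}.tmp`; // assumed temp-file naming
  let fd;
  try {
    fd = fs.openSync(tmp, 'wx', 0o600);
  } catch (err) {
    if (err.code === 'EEXIST') return { ok: false, reason: 'temp-path-occupied' };
    throw err;
  }
  try {
    fs.writeSync(fd, contents);
    fs.fsyncSync(fd);
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, cacheFile); // swap the finished file into place
  return { ok: true };
}

// Constructed scenario: a symlink already exists at the temp path.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'wx-demo-'));
  const cacheFile = path.join(dir, 'flags.json');
  const target = path.join(dir, 'unrelated.txt');
  fs.writeFileSync(target, 'original');
  fs.symlinkSync(target, `${cacheFile}.tmp`);

  const blocked = writeCacheAtomically(cacheFile, '{"flag":"on"}');
  const targetAfterWx = fs.readFileSync(target, 'utf8');

  fs.writeFileSync(`${cacheFile}.tmp`, '{"flag":"on"}'); // default 'w' follows the link
  const targetAfterW = fs.readFileSync(target, 'utf8');

  fs.unlinkSync(`${cacheFile}.tmp`); // with the link gone the write goes through
  const clean = writeCacheAtomically(cacheFile, '{"flag":"on"}');
  const cached = fs.readFileSync(cacheFile, 'utf8');
  fs.rmSync(dir, { recursive: true, force: true });
  return { blocked, targetAfterWx, targetAfterW, clean, cached };
}

console.log(demo());
```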