Skip to content

ci: make attw advisory (upstream crash), keep publint gating#41

Merged
samuelho-dev merged 1 commit into
mainfrom
ci/attw-advisory
May 24, 2026
Merged

ci: make attw advisory (upstream crash), keep publint gating#41
samuelho-dev merged 1 commit into
mainfrom
ci/attw-advisory

Conversation

@samuelho-dev

Copy link
Copy Markdown
Owner

Follow-up to #39. @arethetypeswrong/cli crashes internally ("Cannot read properties of undefined (reading 'filename')") on this package's ESM-only multi-subpath exports — reproduced across attw versions (0.17.4 / 0.18.1 / 0.18.2) and on a clean rebuild, independent of package content. This was failing the "Verify package" CI step.

publint (the real export validator) passes ("All good!"), so attw is downgraded to a warning (|| echo ::warning::) while publint stays gating. Revert once the upstream attw bug is fixed.

(The #39 squash-merge landed before this CI commit existed, so main's CI would otherwise stay red on the attw crash.)

@arethetypeswrong/cli crashes internally ("Cannot read properties of undefined
(reading 'filename')") on this package's ESM-only multi-subpath exports — across
versions and on a clean rebuild, unrelated to package content. publint validates
the exports are correct and stays gating; attw is downgraded to a warning so its
crash no longer fails CI. Revert once the upstream bug is fixed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 24, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@samuelho-dev, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 44 minutes and 7 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 334b7c76-31c9-41f6-b918-faa2381282e2

📥 Commits

Reviewing files that changed from the base of the PR and between be1a22e and e6f5f39.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/attw-advisory

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@samuelho-dev samuelho-dev merged commit dc822e7 into main May 24, 2026
6 checks passed
samuelho-dev added a commit that referenced this pull request May 24, 2026
@arethetypeswrong/core crashes ("Cannot read properties of undefined (reading
'filename')") on tarballs that gunzip into multiple chunks — its extractTarball
overwrites `unzipped` per streaming chunk instead of concatenating, so untar gets
the last (empty) chunk and returns zero files. Root-caused and fixed upstream
(arethetypeswrong/arethetypeswrong.github.io#263).

Pin @arethetypeswrong/cli as a dev dep and apply the same fix via a bun patch on
@arethetypeswrong/core, so CI runs the patched local binary (`bun run attw`)
instead of npx-latest. Reverts the advisory `|| echo` workaround from #41 — attw
gates the package again. Drop the patch + pin and return to npx once the upstream
fix is released.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
samuelho-dev added a commit that referenced this pull request May 24, 2026
@arethetypeswrong/cli crashes ("Cannot read properties of undefined (reading
'filename')") decompressing this package's tarball — its core overwrites the
fflate Gunzip output per chunk instead of concatenating, so any package large
enough to stream in multiple chunks (ours: 341KB/92 files) loses all but the
last empty chunk. That's a checker bug, not a problem with the generated package.

Rather than carry a local patch + pinned dep for a third-party tool, drop attw
entirely. publint remains the gating export validator. Removes the pinned
@arethetypeswrong/cli dev dep, the bun patch, and the attw script/CI step added
in #41/#42.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant