Skip to content

ci: gate on patched attw (real fix for the upstream crash)#42

Merged
samuelho-dev merged 1 commit into
mainfrom
ci/attw-local-patched
May 24, 2026
Merged

ci: gate on patched attw (real fix for the upstream crash)#42
samuelho-dev merged 1 commit into
mainfrom
ci/attw-local-patched

Conversation

@samuelho-dev

Copy link
Copy Markdown
Owner

Replaces the advisory attw workaround from #41 with a real fix.

Root cause (found)

@arethetypeswrong/core's extractTarball overwrites unzipped = chunk in the fflate Gunzip streaming callback. fflate emits multiple chunks for larger tarballs, so only the last (empty) chunk was kept → untar returned 0 files → crash on data[0].filename. Size-dependent: our ~72 KB package gunzips into 3 chunks → crash.

Fixes

Follow-up

Once #263 is released, drop patches/ + the dev-dep pin and return the CI step to npx --yes @arethetypeswrong/cli.

bun run attw --pack . --profile node16 --ignore-rules cjs-resolves-to-esm exits 0 with a full report locally.

@arethetypeswrong/core crashes ("Cannot read properties of undefined (reading
'filename')") on tarballs that gunzip into multiple chunks — its extractTarball
overwrites `unzipped` per streaming chunk instead of concatenating, so untar gets
the last (empty) chunk and returns zero files. Root-caused and fixed upstream
(arethetypeswrong/arethetypeswrong.github.io#263).

Pin @arethetypeswrong/cli as a dev dep and apply the same fix via a bun patch on
@arethetypeswrong/core, so CI runs the patched local binary (`bun run attw`)
instead of npx-latest. Reverts the advisory `|| echo` workaround from #41 — attw
gates the package again. Drop the patch + pin and return to npx once the upstream
fix is released.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented May 24, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@samuelho-dev, we couldn't start this review because you've used your available PR reviews for now.

Your plan includes 1 review of capacity. Refill in 34 minutes and 49 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ecb9c35e-3bda-4bd6-8b4b-37dd59427e68

📥 Commits

Reviewing files that changed from the base of the PR and between dc822e7 and b62eb76.

⛔ Files ignored due to path filters (1)
  • bun.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • package.json
  • patches/@arethetypeswrong%2Fcore@0.18.2.patch
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch ci/attw-local-patched

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@samuelho-dev samuelho-dev merged commit 9f2eb46 into main May 24, 2026
6 checks passed
samuelho-dev added a commit that referenced this pull request May 24, 2026
@arethetypeswrong/cli crashes ("Cannot read properties of undefined (reading
'filename')") decompressing this package's tarball — its core overwrites the
fflate Gunzip output per chunk instead of concatenating, so any package large
enough to stream in multiple chunks (ours: 341KB/92 files) loses all but the
last empty chunk. That's a checker bug, not a problem with the generated package.

Rather than carry a local patch + pinned dep for a third-party tool, drop attw
entirely. publint remains the gating export validator. Removes the pinned
@arethetypeswrong/cli dev dep, the bun patch, and the attw script/CI step added
in #41/#42.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant