feat: limit tgz file size through configuration #926
Conversation
e.g.: only allow <= 80MB tgz to sync ```ts largePackageVersionSize: 80 * 1024 * 1024 ```
|
Note Other AI code review bot(s) detectedCodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review. WalkthroughThis pull request introduces a feature to control syncing of large package versions based on a configurable size threshold and an unpkg whitelist. A new configuration parameter Changes
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes
Possibly related PRs
Suggested reviewers
Poem
Pre-merge checks and finishing touches✅ Passed checks (3 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello @fengmk2, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a crucial feature to manage the storage and bandwidth consumption associated with package synchronization. It enables the system to enforce a configurable maximum size for Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request introduces a feature to limit the size of tgz files that can be synced, controlled by a new configuration largePackageVersionSize. Packages exceeding this size are rejected unless they are on a whitelist. The changes are well-implemented across the configuration, services, and tests.
My main feedback is to address code duplication in PackageSyncerService.ts where the size check logic is repeated. Extracting this into a helper method would improve maintainability. Additionally, in PackageVersionFileService.ts, improving type safety by defining a specific interface for the unpkg-white-list manifest instead of using as any would be beneficial.
Overall, this is a good addition to the project.
| const size = dist.size; | ||
| if (size && size > this.config.cnpmcore.largePackageVersionSize) { | ||
| const isAllowLargePackageVersion = await this.packageVersionFileService.isAllowLargePackageVersion( | ||
| scope, | ||
| name, | ||
| version, | ||
| ); | ||
| if (!isAllowLargePackageVersion) { | ||
| lastErrorMessage = `large package version size: ${size}, allow size: ${this.config.cnpmcore.largePackageVersionSize}, see ${UNPKG_WHITE_LIST_URL}`; | ||
| logs.push(`[${isoNow()}] ❌ [${syncIndex}] Synced version ${version} fail, ${lastErrorMessage}`); | ||
| await this.taskService.appendTaskLog(task, logs.join('\n')); | ||
| logs = []; |
There was a problem hiding this comment.
This block of code for checking large package sizes is duplicated in syncPackageWithPackument (lines 1362-1373). To improve maintainability and avoid potential inconsistencies, consider extracting this logic into a private helper method.
For example, you could create a method like _ensurePackageSizeAllowed that encapsulates this check and returns whether to continue the loop.
| this.#unpkgWhiteListAllowPackages = manifest.allowPackages ?? ({} as any); | ||
| // oxlint-disable-next-line typescript-eslint/no-explicit-any | ||
| this.#unpkgWhiteListAllowScopes = manifest.allowScopes ?? ([] as any); | ||
| this.#unpkgWhiteListAllowLargePackages = manifest.allowLargePackages ?? ({} as any); |
There was a problem hiding this comment.
Using as any bypasses type safety. To improve type safety and code clarity, you could define a specific interface for the unpkg-white-list manifest that includes the custom properties allowPackages, allowScopes, and allowLargePackages. Then, you can cast the manifest object to this new interface. This would eliminate the need for as any and provide better type checking.
Example:
interface UnpkgWhiteListManifest extends PackageJSONType {
allowPackages?: Record<string, { version: string; }>;
allowScopes?: string[];
allowLargePackages?: Record<string, { version: string; }>;
}
// ... inside updateUnpkgWhiteList method
if (!manifest) return;
const unpkgManifest = manifest as UnpkgWhiteListManifest;
this.#unpkgWhiteListCurrentVersion = unpkgManifest.version;
this.#unpkgWhiteListAllowPackages = unpkgManifest.allowPackages ?? {};
this.#unpkgWhiteListAllowScopes = unpkgManifest.allowScopes ?? [];
this.#unpkgWhiteListAllowLargePackages = unpkgManifest.allowLargePackages ?? {};There was a problem hiding this comment.
Actionable comments posted: 0
♻️ Duplicate comments (2)
app/core/service/PackageSyncerService.ts (1)
870-887: GuardlargePackageVersionSizesemantics to avoid “accidentally block everything/nothing”.
Current check assumesthis.config.cnpmcore.largePackageVersionSizeis a valid positive number. If it’s0,undefined, or mis-typed, behavior can be surprising. Consider treating non-positive/undefined as “disabled”, and usetypeof === 'number'guards.
Also, the same logic exists twice (classic vs packument path) — already noted in past reviews.@@ - const size = dist.size; - if (size && size > this.config.cnpmcore.largePackageVersionSize) { + const size = dist.size; + const maxSize = this.config.cnpmcore.largePackageVersionSize; + if (typeof size === 'number' && typeof maxSize === 'number' && maxSize > 0 && size > maxSize) { const isAllowLargePackageVersion = await this.packageVersionFileService.isAllowLargePackageVersion( scope, name, version, ); @@ - lastErrorMessage = `large package version size: ${size}, allow size: ${this.config.cnpmcore.largePackageVersionSize}, see ${UNPKG_WHITE_LIST_URL}`; + lastErrorMessage = `large package version size: ${size}, allow size: ${maxSize}, see ${UNPKG_WHITE_LIST_URL}`;What is the default value (and intended “disabled” behavior) of `largePackageVersionSize` in cnpmcore’s config/schema/docs?Also applies to: 892-893, 1368-1386, 1391-1392
app/core/service/PackageVersionFileService.ts (1)
53-60: Replaceas anywhitelist parsing with a typed manifest shape; add explicit return type.
The newallowLargePackagessupport is fine, but it extends the existingas anypattern (which bypasses strict TS). Prefer a dedicated interface for theunpkg-white-listmanifest and setisAllowLargePackageVersion(...): Promise<boolean>. This matches repo “strict TS” guidance.Also applies to: 115-125, 128-138
🧹 Nitpick comments (5)
config/config.default.ts (1)
59-60: MakelargePackageVersionSizeconfigurable via env (keeps default behavior but improves operability).Right now it’s effectively “unlimited unless code overrides config”. Consider wiring it to an env var like the rest of the config surface:
- largePackageVersionSize: Number.MAX_SAFE_INTEGER, + largePackageVersionSize: env('CNPMCORE_CONFIG_LARGE_PACKAGE_VERSION_SIZE', 'number', Number.MAX_SAFE_INTEGER),app/port/config.ts (1)
157-160: Clarify units/semantics in the config doc (bytes, and behavior when size is missing).Suggested tweak:
/** - * allow large package version size, default is MAX_SAFE_INTEGER + * Max allowed package tarball size in bytes for syncing; default is MAX_SAFE_INTEGER (no limit). + * Note: if upstream metadata lacks `dist.size`, behavior should be defined (skip check vs. fallback to download size). */ largePackageVersionSize: number;test/core/service/PackageSyncerService/executeTaskWithPackument.test.ts (1)
2157-2229: Good coverage for “oversize blocked” and “oversize allowed by whitelist”; consider de-brittling assertions.Two small hardening tweaks:
- Avoid hard-coding the whitelist URL string in regex (import and use the exported constant instead, if available), so tests won’t break on URL changes.
- In the “block” test, consider removing
mock.error(NPMRegistry.prototype, 'downloadTarball')and/or explicitly asserting it was not called; otherwise, a regression that incorrectly downloads despite oversize could still “pass” due to the forced error masking the root cause.(Also optional: in the “allow” test, assert
PackageVersionFileService.prototype.isAllowLargePackageVersionwas called with the expected package name/version.)test/core/service/PackageSyncerService/executeTask.test.ts (2)
14-15: Good coverage addition for the “allow” path; consider isolating mocks to avoid order-dependent failures.
The new tests are valuable, butshould mock large package version size blockcurrently relies on the whitelist data not being present (so the service returns false). To make it deterministic, explicitly stubPackageVersionFileService.prototype.isAllowLargePackageVersiontofalsein the block test (and restore afterward).
2181-2253: Potential cross-test leakage viamock(app.config.cnpmcore, ...)and prototype stubs.
Both new tests patchapp.config.cnpmcoreand (in the allow test) patch a prototype method; if mocks aren’t auto-restored per test in this repo, later tests can become flaky. Suggest adding explicit restore for these patches within the test(s) (or a localafterEach(async () => mock.restore())in this file/describe). Based on learnings, tests should keep mocks scoped and cleaned up.@@ it('should mock large package version size block', async () => { @@ + mock(PackageVersionFileService.prototype, 'isAllowLargePackageVersion', async () => false); @@ assert.match( log, /Synced version 2.0.0 fail, large package version size: 104857601, allow size: 104857600, see https:\/\/github\.com\/cnpm\/unpkg-white-list/, ); + await mock.restore(); }); @@ it('should mock large package version size allow', async () => { @@ assert.match(log, /Synced version 2.0.0 size: 104857601 too large, it is allowed to sync by unpkg white list/); app.mockAgent().assertNoPendingInterceptors(); + await mock.restore(); });
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (6)
app/core/service/PackageSyncerService.ts(4 hunks)app/core/service/PackageVersionFileService.ts(5 hunks)app/port/config.ts(1 hunks)config/config.default.ts(1 hunks)test/core/service/PackageSyncerService/executeTask.test.ts(2 hunks)test/core/service/PackageSyncerService/executeTaskWithPackument.test.ts(2 hunks)
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{js,ts,tsx,jsx}
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
**/*.{js,ts,tsx,jsx}: Use single quotes in JavaScript/TypeScript code (from Prettier configuration)
Use 2-space indentation (from Prettier configuration)
Maintain 120 character line width maximum (from Prettier configuration)
Use trailing commas in ES5 syntax (from Prettier configuration)
Avoid parentheses in arrow functions when possible (from Prettier configuration)
Maximum of 6 function parameters (from Oxlint configuration)
Warn on console usage (from Oxlint configuration)
Disallow anonymous default exports (from Oxlint configuration)
Use ES modules (import/export) syntax throughout
Files:
app/port/config.tsconfig/config.default.tstest/core/service/PackageSyncerService/executeTaskWithPackument.test.tsapp/core/service/PackageVersionFileService.tstest/core/service/PackageSyncerService/executeTask.test.tsapp/core/service/PackageSyncerService.ts
**/*.{ts,tsx}
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
**/*.{ts,tsx}: Use strict TypeScript with comprehensive type definitions - avoidanytypes, use proper typing orunknown
Export types and interfaces for reusability in TypeScript
Files:
app/port/config.tsconfig/config.default.tstest/core/service/PackageSyncerService/executeTaskWithPackument.test.tsapp/core/service/PackageVersionFileService.tstest/core/service/PackageSyncerService/executeTask.test.tsapp/core/service/PackageSyncerService.ts
**/*.ts
📄 CodeRabbit inference engine (CLAUDE.md)
**/*.ts: Use strict TypeScript with proper typing - avoidanytypes, use proper typing orunknowninstead
Use ES modules withimport/exportsyntax throughout the codebase
Use single quotes (') for strings
Use 2-space indentation
Enforce 120 character line width
Use ES5 trailing commas
Limit functions to a maximum of 6 parameters
Do not use console statements - use logger instead
Files:
app/port/config.tsconfig/config.default.tstest/core/service/PackageSyncerService/executeTaskWithPackument.test.tsapp/core/service/PackageVersionFileService.tstest/core/service/PackageSyncerService/executeTask.test.tsapp/core/service/PackageSyncerService.ts
test/**/*.test.ts
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
test/**/*.test.ts: Test files must use.test.tssuffix
Tests must use@eggjs/mockfor mocking and testing
Tests must useassertfromnode:assert/strictfor assertions
Test files should be organized intest/directory mirroring source structure
Mock external dependencies usingmock()from@eggjs/mockin tests
Use realistic test data created throughTestUtilhelper methods
Clean up after tests - database is reset between test files
Test both success and failure cases - error paths are equally important
Test files should follow naming pattern: describe('[HTTP_METHOD /api/path] functionName()', ...)
test/**/*.test.ts: Test files must use.test.tssuffix
Use@eggjs/mockfor mocking in test files
Useassertfromnode:assert/strictin test files
Test files must mirror source structure intest/directory and test both success and error cases
Files:
test/core/service/PackageSyncerService/executeTaskWithPackument.test.tstest/core/service/PackageSyncerService/executeTask.test.ts
app/core/service/**/*.ts
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
app/core/service/**/*.ts: Services must implement core business logic without HTTP concerns or direct database access
Services must use@SingletonProto()for service lifecycle management
Services must orchestrate multiple repositories and entities, managing transactions and events
Files:
app/core/service/PackageVersionFileService.tsapp/core/service/PackageSyncerService.ts
🧠 Learnings (11)
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to test/**/*.test.ts : Test both success and failure cases - error paths are equally important
Applied to files:
test/core/service/PackageSyncerService/executeTaskWithPackument.test.tstest/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to app/core/service/**/*.ts : Services must orchestrate multiple repositories and entities, managing transactions and events
Applied to files:
test/core/service/PackageSyncerService/executeTaskWithPackument.test.tstest/core/service/PackageSyncerService/executeTask.test.tsapp/core/service/PackageSyncerService.ts
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to test/**/*.test.ts : Mock external dependencies using `mock()` from `eggjs/mock` in tests
Applied to files:
test/core/service/PackageSyncerService/executeTaskWithPackument.test.tstest/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to **/*.{ts,tsx} : Use strict TypeScript with comprehensive type definitions - avoid `any` types, use proper typing or `unknown`
Applied to files:
app/core/service/PackageVersionFileService.ts
📚 Learning: 2025-11-29T15:42:56.815Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-29T15:42:56.815Z
Learning: Applies to **/*.ts : Use strict TypeScript with proper typing - avoid `any` types, use proper typing or `unknown` instead
Applied to files:
app/core/service/PackageVersionFileService.ts
📚 Learning: 2025-11-29T15:42:56.815Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-29T15:42:56.815Z
Learning: Applies to test/**/*.test.ts : Use `eggjs/mock` for mocking in test files
Applied to files:
test/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:56.815Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-29T15:42:56.815Z
Learning: Applies to test/**/*.test.ts : Test files must mirror source structure in `test/` directory and test both success and error cases
Applied to files:
test/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to test/**/*.test.ts : Tests must use `eggjs/mock` for mocking and testing
Applied to files:
test/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to test/**/*.test.ts : Use realistic test data created through `TestUtil` helper methods
Applied to files:
test/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:56.815Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-29T15:42:56.815Z
Learning: Applies to test/**/*.test.ts : Use `assert` from `node:assert/strict` in test files
Applied to files:
test/core/service/PackageSyncerService/executeTask.test.ts
📚 Learning: 2025-11-29T15:42:37.586Z
Learnt from: CR
Repo: cnpm/cnpmcore PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T15:42:37.586Z
Learning: Applies to **/*.{ts,tsx} : Export types and interfaces for reusability in TypeScript
Applied to files:
app/core/service/PackageSyncerService.ts
🧬 Code graph analysis (3)
app/core/service/PackageVersionFileService.ts (2)
app/core/entity/Package.ts (1)
fullname(63-65)app/common/PackageUtil.ts (1)
getFullname(25-27)
test/core/service/PackageSyncerService/executeTask.test.ts (1)
test/TestUtil.ts (2)
app(167-172)TestUtil(66-402)
app/core/service/PackageSyncerService.ts (2)
app/common/LogUtil.ts (1)
isoNow(1-3)app/core/service/PackageVersionFileService.ts (2)
isAllowLargePackageVersion(128-138)UNPKG_WHITE_LIST_URL(24-24)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (15)
- GitHub Check: test on mysql (node@22, shard@2/3, enableJSONBuilder@true)
- GitHub Check: test on mysql (node@22, shard@1/3, enableJSONBuilder@true)
- GitHub Check: test on mysql (node@22, shard@2/3, enableJSONBuilder@false)
- GitHub Check: test on mysql (node@24, shard@1/3, enableJSONBuilder@true)
- GitHub Check: test on mysql (node@24, shard@1/3, enableJSONBuilder@false)
- GitHub Check: test on mysql (node@20, shard@2/3, enableJSONBuilder@true)
- GitHub Check: test on mysql (node@20, shard@2/3, enableJSONBuilder@false)
- GitHub Check: test on mysql (node@20, shard@1/3, enableJSONBuilder@false)
- GitHub Check: test on postgresql (node@22, shard@0/3)
- GitHub Check: test on postgresql (node@24, shard@2/3)
- GitHub Check: test on postgresql (node@20, shard@0/3)
- GitHub Check: test on postgresql (node@20, shard@1/3)
- GitHub Check: test on postgresql (node@20, shard@2/3)
- GitHub Check: test-deployment
- GitHub Check: build-and-push-image
🔇 Additional comments (3)
test/core/service/PackageSyncerService/executeTaskWithPackument.test.ts (1)
14-15: Import addition is appropriate for the new whitelist-size tests.app/core/service/PackageSyncerService.ts (1)
36-38: LGTM: service wiring forPackageVersionFileService+ shared URL constant.
Clean DI + reuse ofUNPKG_WHITE_LIST_URLkeeps log messaging consistent.Also applies to: 86-88
app/core/service/PackageVersionFileService.ts (1)
24-25: Good: exportingUNPKG_WHITE_LIST_URLreduces string duplication across services/tests.
There was a problem hiding this comment.
Pull request overview
This pull request adds a configurable size limit for package tarballs during synchronization, allowing administrators to block large packages from being synced while optionally whitelisting specific packages that exceed the limit.
Key Changes
- Introduces
largePackageVersionSizeconfiguration option (default:Number.MAX_SAFE_INTEGER) to set maximum allowed package tarball size - Adds whitelist support for large packages through the existing unpkg-white-list mechanism
- Includes comprehensive test coverage for both blocking and allowing large packages
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 13 comments.
Show a summary per file
| File | Description |
|---|---|
config/config.default.ts |
Adds default configuration for largePackageVersionSize set to MAX_SAFE_INTEGER (effectively unlimited by default) |
app/port/config.ts |
Defines TypeScript interface for the new largePackageVersionSize configuration option |
app/core/service/PackageVersionFileService.ts |
Exports UNPKG_WHITE_LIST_URL constant, adds isAllowLargePackageVersion method for whitelist checking, and tracks large package whitelist from unpkg-white-list package |
app/core/service/PackageSyncerService.ts |
Implements size checking logic in two sync methods, blocking packages exceeding the limit unless whitelisted, and adds size information to sync logs |
test/core/service/PackageSyncerService/executeTaskWithPackument.test.ts |
Adds duplicate import and two test cases covering block and allow scenarios for large packages |
test/core/service/PackageSyncerService/executeTask.test.ts |
Adds duplicate import and two test cases covering block and allow scenarios for large packages |
| import { Task as TaskEntity } from '../../../../app/core/entity/Task.ts'; | ||
| import { PackageManagerService } from '../../../../app/core/service/PackageManagerService.ts'; | ||
| import { PackageSyncerService } from '../../../../app/core/service/PackageSyncerService.ts'; | ||
| import { PackageVersionFileService } from '../../../../app/core/service/PackageVersionFileService.ts'; |
There was a problem hiding this comment.
Duplicate import detected. The PackageVersionFileService is already imported at line 25 of this file. Adding it again at line 14 creates a duplicate import statement that should be removed.
| import { Task as TaskEntity } from '../../../../app/core/entity/Task.ts'; | ||
| import { PackageManagerService } from '../../../../app/core/service/PackageManagerService.ts'; | ||
| import { PackageSyncerService } from '../../../../app/core/service/PackageSyncerService.ts'; | ||
| import { PackageVersionFileService } from '../../../../app/core/service/PackageVersionFileService.ts'; |
There was a problem hiding this comment.
Duplicate import detected. The PackageVersionFileService is already imported at line 25 of this file. Adding it again at line 14 creates a duplicate import statement that should be removed.
| this.#unpkgWhiteListAllowPackages = manifest.allowPackages ?? ({} as any); | ||
| // oxlint-disable-next-line typescript-eslint/no-explicit-any | ||
| this.#unpkgWhiteListAllowScopes = manifest.allowScopes ?? ([] as any); | ||
| this.#unpkgWhiteListAllowLargePackages = manifest.allowLargePackages ?? ({} as any); |
There was a problem hiding this comment.
The oxlint-disable comments for no-explicit-any were removed from lines 116-117, but the code still uses as any type assertions. Either restore the oxlint-disable comments or fix the type assertions to avoid using any. Line 118 also uses as any without the disable comment, creating inconsistency.
| */ | ||
| enableSyncUnpkgFilesWhiteList: boolean; | ||
| /** | ||
| * allow large package version size, default is MAX_SAFE_INTEGER |
There was a problem hiding this comment.
The documentation comment is misleading. It says "allow large package version size" which sounds like a boolean flag, but it's actually the maximum allowed size in bytes. Consider rewording to "maximum allowed package version size in bytes, default is MAX_SAFE_INTEGER" to be more precise.
| * allow large package version size, default is MAX_SAFE_INTEGER | |
| * Maximum allowed package version size in bytes. Default is MAX_SAFE_INTEGER. |
| app.mockAgent().assertNoPendingInterceptors(); | ||
| }); | ||
|
|
||
| it('should mock large package version size block', async () => { |
There was a problem hiding this comment.
The test name "should mock large package version size block" could be more descriptive. Consider renaming to "should block sync when package version size exceeds limit" to better describe the test's purpose and expected behavior.
| it('should mock large package version size block', async () => { | |
| it('should block sync when package version size exceeds limit', async () => { |
| if (!isAllowLargePackageVersion) { | ||
| lastErrorMessage = `large package version size: ${size}, allow size: ${this.config.cnpmcore.largePackageVersionSize}, see ${UNPKG_WHITE_LIST_URL}`; | ||
| logs.push(`[${isoNow()}] ❌ [${syncIndex}] Synced version ${version} fail, ${lastErrorMessage}`); | ||
| await this.taskService.appendTaskLog(task, logs.join('\n')); |
There was a problem hiding this comment.
The log message reads awkwardly. Consider rephrasing to "size: ${size} exceeds limit but is whitelisted for sync" or "size: ${size} is too large but allowed by unpkg whitelist" for better clarity.
| if (size && size > this.config.cnpmcore.largePackageVersionSize) { | ||
| const isAllowLargePackageVersion = await this.packageVersionFileService.isAllowLargePackageVersion( | ||
| scope, | ||
| name, |
There was a problem hiding this comment.
The log message reads awkwardly. Consider rephrasing to "size: ${size} exceeds limit but is whitelisted for sync" or "size: ${size} is too large but allowed by unpkg whitelist" for better clarity.
| res: {}, | ||
| headers: {}, | ||
| }); | ||
| mock(app.config.cnpmcore, 'enableSyncUnpkgFilesWhiteList', true); |
There was a problem hiding this comment.
The test enables the whitelist feature but relies on the implicit behavior that the package won't be in the whitelist. For better test clarity and explicitness, consider either: (1) removing line 2174 since the whitelist feature isn't needed for this test case, or (2) adding an explicit mock for isAllowLargePackageVersion to return false, similar to how the allow test mocks it to return true.
| mock(app.config.cnpmcore, 'enableSyncUnpkgFilesWhiteList', true); |
| headers: {}, | ||
| }); | ||
| mock(app.config.cnpmcore, 'enableSyncUnpkgFilesWhiteList', true); | ||
| mock(app.config.cnpmcore, 'largePackageVersionSize', 100 * 1024 * 1024); |
There was a problem hiding this comment.
The test enables the whitelist feature but relies on the implicit behavior that the package won't be in the whitelist. For better test clarity and explicitness, consider either: (1) removing line 2198 since the whitelist feature isn't needed for this test case, or (2) adding an explicit mock for isAllowLargePackageVersion to return false, similar to how the allow test mocks it to return true.
| mock(app.config.cnpmcore, 'largePackageVersionSize', 100 * 1024 * 1024); | |
| mock(app.config.cnpmcore, 'largePackageVersionSize', 100 * 1024 * 1024); | |
| // Explicitly mock isAllowLargePackageVersion to return false for clarity | |
| mock(PackageSyncerService.prototype, 'isAllowLargePackageVersion', async () => false); |
| ); | ||
| } | ||
|
|
||
| async isAllowLargePackageVersion(pkgScope: string, pkgName: string, pkgVersion: string) { |
There was a problem hiding this comment.
The method name reads awkwardly as "is allow large package version". Consider renaming to "isLargePackageVersionAllowed" which follows standard English grammar and is more consistent with naming conventions like "isPackageAllowed" vs "isAllowPackage".
| async isAllowLargePackageVersion(pkgScope: string, pkgName: string, pkgVersion: string) { | |
| async isLargePackageVersionAllowed(pkgScope: string, pkgName: string, pkgVersion: string) { |
[skip ci] ## 4.16.0 (2025-12-13) * feat: limit tgz file size through configuration (#926) ([a631fad](a631fad)), closes [#926](#926) [hi#level](https://github.com/hi/issues/level) * chore: test on Node.js v20 (#925) ([deb3748](deb3748)), closes [#925](#925) [hi#level](https://github.com/hi/issues/level)
|
🎉 This PR is included in version 4.16.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
cnpm/cnpmcore#926 cnpm/cnpmcore#926 <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit * **New Features** * Introduced large-package and large-scope whitelisting capabilities for improved dependency handling. * **Documentation** * Updated CLI usage examples and added workflow guidance for new large-package and large-scope features. * **Chores** * Configured allowances for specified large packages and scopes. <sub>✏️ Tip: You can customize this high-level summary in your review settings.</sub> <!-- end of auto-generated comment: release notes by coderabbit.ai -->
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #926 +/- ##
==========================================
- Coverage 95.37% 95.26% -0.12%
==========================================
Files 197 197
Lines 22139 22205 +66
Branches 2445 2450 +5
==========================================
+ Hits 21116 21154 +38
- Misses 1023 1051 +28 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
e.g.: only allow <= 80MB tgz to sync
Summary by CodeRabbit
New Features
Tests
✏️ Tip: You can customize this high-level summary in your review settings.