feat(enrichment): add unsafe-any TypeScript counter analyzer #3322
jaso0n0818 wants to merge 1 commit into
Superagent didn't find any vulnerabilities or security issues in this PR.
Caution: Gittensory review result - reject/close recommended. Review updated: 2026-07-05 03:54:20 UTC.
Suggested Action - Reject/Close
Nits: 6 non-blocking
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##            main    #3322   +/-   ##
=======================================
  Coverage   93.87%   93.87%
=======================================
  Files         277      277
  Lines       30522    30522
  Branches    11114    11114
=======================================
  Hits        28654    28654
  Misses       1211     1211
  Partials      657      657
8e5ed2c to 08b5125
Gittensory is closing this pull request on the maintainer's behalf (AI reviewers agree on a likely critical defect: review-enrichment/src/analyzers/unsafe-any.ts:46 treats every code line whose trimmed text starts with `*` as documentation, so a valid added generator method like `*load(): any {}` or `async *load(): AsyncGenerator {}` is skipped entirely; narrow this to actual comment-continuation lines, for example by moving JSDoc skipping before `toCode` and requiring a comment-shaped raw line such as `/^\s*\*\s/.test(line)` plus a regression test for generator methods.). This is an automated maintenance action — to pursue this change, please open a new pull request with the issues resolved. Closed PRs may be analyzed later to improve review accuracy, but they are not automatically reopened or re-reviewed.
Closes #2017
What
A new local REES analyzer, `unsafeAny`, that counts and locates explicit `any` usage a PR ADDS in TypeScript — a `: any` annotation, an `as any` cast, or an `<any>` assertion/type-argument. A type-safety-erosion signal a reviewer can weigh. Structural regex only (no type-checker), pure, no network.
Detection
- Only `.ts`/`.tsx`/`.mts`/`.cts` files are scanned, so JS or prose can't false-positive on the word `any`.
- `\bany\b`, so `anyOf`/`anything`/`Company` never match.
- annotation — `: any`
- cast — `as any`
- assertion — an explicit `any` inside an angle-bracket type-argument / assertion list, not only the bare `<any>`: `Record<string, any>`, `Map<string, any>`, `Promise<any[]>`, and `Array<any>` are all surfaced (a nested generic matches on its innermost `<…>` group).
- Same-line `/* */` and trailing `//` comments are stripped (as in `secret-log.ts`'s `codeOnly`), and a JSDoc/comment continuation line (trimmed starts with `*`) is skipped. So `"cast as any"` in a string, `// treat as any value`, and `* @param p : any` are not counted, while `const v: any = load(); // TODO` still is. Known limitation (documented in the source, not claimed as a guarantee): cross-line block-comment state is not tracked, so an `any` on a continuation line of a multi-line `/* … */` comment that does not begin with `*` can still be counted — a rare, accepted false positive of the cheap-strip approach the issue explicitly scopes to "where cheaply detectable".
- `\ No newline` line-counter fix; findings capped (`maxFindings: 25`) per file and globally.
Registration
Registered as a local descriptor (category `quality`, cost `local`, requires `["files"]`) with an inline `render()`, following the `redos`/`todoMarker` descriptor shape. All wiring updated: `types.ts` (`UnsafeAnyFinding` + `unsafeAny?` key), `render.ts`, `analyzer-registry.test.ts`, root `src/review/enrichment-analyzer-names.ts`, root `test/unit/enrichment-wire.test.ts`, and the generated `analyzer-metadata.json`/`rees-analyzers.ts`/`.env.example` via `node scripts/generate-analyzer-metadata.mjs`.
Tests
`review-enrichment/test/unsafe-any.test.ts` (13 tests) covers: annotation vs cast vs assertion (including `Array<any>`), `any` inside multi-argument / compound / nested generic type arguments (`Record<string, any>`, `Promise<any[]>`, `Map<string, any>`, `Map<K, Set<any>>`) surfaced as assertions while a no-`any` generic (`Record<string, number>`) is not, multiple distinct kinds on one line de-duplicated, word-boundary rejection (`anyOf`/`anything`/`Company`), string/line-comment/block-comment/JSDoc suppression, a real annotation with a trailing comment still counted, non-TS files skipped (`.js`/`.md`), added-line scanning with exact locations, added-lines-only with line-number accuracy across mixed hunks, the per-file cap + `maxFindings: 0`, the entrypoint's TS-only gating + global cap across files, the no-files case, and the rendered brief section. Analyzer metadata is regenerated and committed.
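The detection rules described above, with the JSDoc-continuation skip narrowed to comment-shaped raw lines (`/^\s*\*\s/`, checked before `toCode`) so generator methods are still scanned, as an added example that is not the PR's own code; `scanAddedLines`, `toCode`, `KIND_PATTERNS` and the sample hunk are assumed/constructed here, not taken from the repository.

```typescript
type UnsafeAnyKind = "annotation" | "cast" | "assertion";
interface UnsafeAnyFinding { path: string; line: number; kind: UnsafeAnyKind }

const TS_FILE = /\.(ts|tsx|mts|cts)$/;
// Comment-shaped continuation line: "*" followed by whitespace (a JSDoc body line).
// `*load(): any {}` and `async *load()` do not match, so generator methods are scanned.
const COMMENT_CONTINUATION = /^\s*\*\s/;
const KIND_PATTERNS: Array<[UnsafeAnyKind, RegExp]> = [
  ["annotation", /:\s*any\b/],
  ["cast", /\bas\s+any\b/],
  // innermost <...> group holding a whole-word `any`: <any>, Record<string, any>, Promise<any[]>
  ["assertion", /<[^<>]*\bany\b[^<>]*>/],
];

// Cheap same-line stripping: /* */ blocks, then string literals, then a trailing // comment.
// Cross-line block-comment state is deliberately not tracked (the PR's documented limitation).
function toCode(line: string): string {
  return line
    .replace(/\/\*.*?\*\//g, " ")
    .replace(/(["'`])(?:\\.|(?!\1).)*\1/g, '""')
    .replace(/\/\/.*$/, "");
}

// Scan the ADDED lines of one file; `added` is [newFileLineNumber, rawLineText].
// Returns at most `maxFindings` findings, at most one per kind per line.
function scanAddedLines(
  path: string,
  added: Array<[number, string]>,
  maxFindings = 25,
): UnsafeAnyFinding[] {
  const findings: UnsafeAnyFinding[] = [];
  if (!TS_FILE.test(path)) return findings; // .js / .md never count
  for (const [line, raw] of added) {
    if (COMMENT_CONTINUATION.test(raw)) continue; // decided on the raw line, before toCode
    const code = toCode(raw);
    for (const [kind, re] of KIND_PATTERNS) {
      if (findings.length >= maxFindings) return findings;
      if (re.test(code)) findings.push({ path, line, kind });
    }
  }
  return findings;
}

// Constructed sample hunk (not from the PR): the generator method on line 3 must be counted.
const SAMPLE: Array<[number, string]> = [
  [1, "const v: any = load(); // TODO"],
  [2, " * @param p : any"],
  [3, "*load(): any {}"],
  [4, 'log("cast as any"); // treat as any value'],
  [5, "const m: Record<string, any> = {};"],
  [6, "const n: Record<string, number> = {};"],
  [7, "const x = (y as any) || <any>z;"],
];
```

Running `scanAddedLines("src/a.ts", SAMPLE)` yields findings on lines 1, 3, 5, 7 and 7 (two distinct kinds on line 7), while line 2 is skipped as a comment continuation and line 4 is suppressed by string and comment stripping.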