Skip to content

feat(enrichment): floating-promise / unhandled-rejection analyzer#3527

Merged
loopover-orb[bot] merged 3 commits into
JSONbored:mainfrom
bohdansolovie:feat/enrichment-floating-promise-2023-v3
Jul 5, 2026
Merged

feat(enrichment): floating-promise / unhandled-rejection analyzer#3527
loopover-orb[bot] merged 3 commits into
JSONbored:mainfrom
bohdansolovie:feat/enrichment-floating-promise-2023-v3

Conversation

@bohdansolovie

Copy link
Copy Markdown
Contributor

Summary

Fixes #2023

  • Add FloatingPromiseFinding and a local floatingPromise analyzer that flags newly-added promise-shaped calls (fetch, Promise.*, new Promise, or *Async suffix) when the statement is neither awaited, returned, voided, nor same-line .then/.catch-chained
  • Precision-first: TS/JS non-test files only, bare expression statements (assignments skipped), string literals stripped before matching (including chain detection), capped at 25 findings
  • .finally() alone is not treated as handled (it does not consume rejection)
  • Register the analyzer in the REES registry with render/docs/metadata; sync src/review/enrichment-analyzer-names.ts and generated .env.example / UI metadata
  • Add review-enrichment/test/floating-promise.test.ts covering flagged calls, safe handled variants, .finally() and string-literal .catch( regressions, non-JS skip, cap, and brief rendering

Test plan

  • cd review-enrichment && npm run build && npm run metadata && node --test test/floating-promise.test.ts test/analyzer-registry.test.ts
  • CI validate-code

Made with Cursor

bohdansolovie and others added 3 commits July 5, 2026 17:45
Fixes JSONbored#2023

Co-authored-by: Cursor <cursoragent@cursor.com>
`.finally()` does not consume rejection; only .then/.catch skip the finding.

Co-authored-by: Cursor <cursoragent@cursor.com>
String literals can contain `.catch(` text; match chains only after codeOnly().

Co-authored-by: Cursor <cursoragent@cursor.com>
@bohdansolovie bohdansolovie requested a review from JSONbored as a code owner July 5, 2026 15:45
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@loopover-orb loopover-orb Bot added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 5, 2026
@loopover-orb

loopover-orb Bot commented Jul 5, 2026

Copy link
Copy Markdown

Warning

🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨

⏸️ Gittensory review result - manual review recommended

Review updated: 2026-07-05 15:50:02 UTC

10 files · 1 AI reviewer · no blockers · readiness 62/100 · CI green · clean

⏸️ Suggested Action - Manual Review

Review summary
Clean, well-scoped addition of a floating-promise heuristic analyzer. The core logic is purely functional, correctly anchored to added lines only, and the precision-first design (bare expression statements, no type-checker dependency) is sound. Wiring is complete: type, registry descriptor, render hook, BriefFindings field, enrichment-analyzer-names, analyzer-metadata.json, UI metadata, and .env.example all updated in lock-step. The `.finally()`-is-not-handled semantics are correct and explicitly tested. String-literal stripping via `codeOnly` correctly defuses the `fetch("/.catch(")` regression. No blockers.

Nits — 6 non-blocking
  • floating-promise.ts:54 — the callee regex `^((?:[a-zA-Z_$][\w$]*(?:\.[a-zA-Z_$][\w$]*)*))\ s*\(` nests `[\w$]*` inside `(?:...)*` inside a capture group; while the disjoint character classes (word vs dot) make catastrophic backtracking unlikely in practice, an adversarially crafted long line like `aaaaaa.bbbbbb.cccccc` with no trailing `(` forces the engine to unwind the entire dot-chain — rewrite as the simpler `^([\w$]+(?:\.[\w$]+)*)\s*\(` which is equivalent for valid identifiers and removes the ambiguity entirely.
  • floating-promise.ts — `codeOnly(line)` is called redundantly: once at the top of `detectFloatingPromise` (line ~65) and again inside `extractLeadingCallCallee` (line ~49); hoist the result and pass `code` into the extractor to avoid double-processing.
  • floating-promise.ts:31 — the magic literal `3` in `call.slice(0, MAX_CALL_CHARS - 3)` is the length of the ellipsis string `"..."` — name it (`const ELLIPSIS = "..."; ... call.slice(0, MAX_CALL_CHARS - ELLIPSIS.length) + ELLIPSIS`) so the coupling is explicit.
  • floating-promise.test.ts — no test exercises the `AbortSignal` aborted path in `scanPatchForFloatingPromise` or `scanFloatingPromise`; the throw-on-abort branch is untested.
  • floating-promise.test.ts — the cross-file findings-cap at the `scanFloatingPromise` level (the `MAX_FINDINGS - findings.length` budget passed per file) has no test; only the single-file `scanPatchForFloatingPromise` cap is covered.
  • Readiness score is below the configured threshold — Use the readiness panel as advisory maintainer context; the score does not block this PR.
Signal Result Evidence
Code review ✅ No blockers 1 reviewer
Linked issue ✅ Linked #2023
Related work ⚠️ 3 scoped overlaps Top overlaps are listed below; lower-confidence bulk is hidden.
Change scope ❌ 8/20 High review scope from cached public metadata (1 linked issue).
Validation posture ❌ 5/25 Preflight is holding this PR: the review lane is unavailable, so it is not ready for automated review.
Contributor workload ✅ 10/10 Author activity: 318 registered-repo PR(s), 186 merged, 9 issue(s).
Contributor context ✅ Confirmed Gittensor contributor bohdansolovie; Gittensor profile; 318 PR(s), 9 issue(s).
Gate result ✅ Passing No configured blocker found.
Review context
  • Author: bohdansolovie
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository registration is not available in the local Gittensory cache.
  • Public profile languages: not available
  • Official Gittensor activity: 318 PR(s), 9 issue(s).
  • Related work: Titles/paths share 7 meaningful terms. (issue #2023, issue #2029)
  • Related work: Titles/paths share 7 meaningful terms. (issue #2023, issue #2033)
  • Related work: Titles/paths share 7 meaningful terms. (issue #2023, issue #2026)
Contributor next steps
  • Review top overlaps.
  • Add a concise scope and risk note.
  • Await review-lane availability.
  • Refresh registry data or choose a registered active repo.
  • Check active issues and PRs before submitting.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.09%. Comparing base (7dd3836) to head (cb6b9a3).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #3527   +/-   ##
=======================================
  Coverage   93.09%   93.09%           
=======================================
  Files         301      301           
  Lines       31450    31450           
  Branches    11483    11483           
=======================================
  Hits        29279    29279           
  Misses       1517     1517           
  Partials      654      654           
Files with missing lines Coverage Δ
src/review/enrichment-analyzer-names.ts 100.00% <ø> (ø)
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@loopover-orb loopover-orb Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gittensory approves — the gate is satisfied and CI is green.

@loopover-orb loopover-orb Bot merged commit 2c547b4 into JSONbored:main Jul 5, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat(enrichment): floating-promise / unhandled-rejection analyzer

1 participant