Skip to content

fix(scripts): sanity check self-exclusion on POSIX#2

Merged
PythonLuvr merged 1 commit into
mainfrom
fix/sanity-check-self-exclusion-posix
May 27, 2026
Merged

fix(scripts): sanity check self-exclusion on POSIX#2
PythonLuvr merged 1 commit into
mainfrom
fix/sanity-check-self-exclusion-posix

Conversation

@PythonLuvr
Copy link
Copy Markdown
Owner

@PythonLuvr PythonLuvr commented May 27, 2026

Summary

Fixes a cross-platform bug in scripts/check-sanity.mjs that has been silently breaking Mac and Ubuntu CI for several releases.

The script's self-exclusion logic used new URL(import.meta.url).pathname.replace(/^\//, ""), which works on Windows but breaks on POSIX. The wrong path means SELF never matches the actual file during the walk, the script scans itself, hits its own personal-token regex definition at line 40, and reports 9 false-positive "leaks" all pointing at scripts/check-sanity.mjs:40.

Why CI looked passing

Windows CI (Node 20.x and 22.x) passed because the self-exclusion happens to work there. Mac and Ubuntu have been red on the same job since the script landed. Net effect: the sanity check has not actually been running on POSIX CI. A real personal-data leak in any shipped file would never have surfaced through POSIX, because the script self-fails before scanning anything else.

Fix

Use fileURLToPath(import.meta.url) instead of manual pathname manipulation. It returns a correct absolute path on every platform.

-import { join, relative } from "node:path";
+import { join, relative } from "node:path";
+import { fileURLToPath } from "node:url";
 
 const ROOT = process.cwd();
 const TARGETS = [".md", ".ts", ".mts", ".cts", ".mjs", ".json", ".yml", ".yaml"];
 const SKIP = new Set(["node_modules", "dist", ".git", ".openwar", "coverage"]);
-const SELF = relative(ROOT, new URL(import.meta.url).pathname.replace(/^\//, ""));
+const SELF = relative(ROOT, fileURLToPath(import.meta.url));

Test plan

  • npm run lint passes locally on Windows (regression check)
  • CI passes on Ubuntu 20.x / 22.x
  • CI passes on macOS 20.x / 22.x

🤖 Generated with Claude Code

@PythonLuvr @claude
fix(scripts): make sanity check self-exclusion work on POSIX
3afe266 
The previous self-exclusion used
`new URL(import.meta.url).pathname.replace(/^\//, "")`, which works on
Windows (pathname looks like `/C:/Users/...`, stripping the leading
slash yields a usable path) but breaks on POSIX (pathname is already
`/abs/path/...`, and stripping the leading slash makes it relative, so
the equality against `relative(ROOT, full)` never matches).

Result: on Linux and macOS the script scans itself, hits the
personal-token regex's own pattern definition at line 40, and reports
9 false-positive "leaks" all pointing at scripts/check-sanity.mjs:40.
Windows CI passed; POSIX CI has been red on every push since the script
landed.

Two consequences:
- Merge-to-main CI red on Mac and Ubuntu for the past several releases.
- More importantly, the sanity check has not actually been running on
  POSIX CI. A real leak in any shipped file would never have surfaced
  because the script self-fails first.

Fix: use Node's `fileURLToPath(import.meta.url)`, which returns a
correct absolute path on every platform.

Verified locally on Windows (`npm run lint` still passes). POSIX
verification depends on CI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@PythonLuvr PythonLuvr merged commit d103b14 into main May 27, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@PythonLuvr