fix: upgrade Go to 1.26.3 + fix esbuild pnpm approval in e2e #28
Merged
Pull request overview
Updates security tooling and Go dependencies to their latest patch/minor releases, keeping CI scanning and crypto-related libraries current for the efctl CLI.
Changes:
- Bump `golang.org/x/crypto` to v0.51.0 and refresh related indirect `x/*` dependencies (`x/sys`, `x/term`, `x/text`).
- Update `github/codeql-action` (init/autobuild/analyze) from v4.35.2 to v4.35.3 with pinned SHAs.
- Regenerate `go.sum` to match the updated module graph/checksums.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| go.mod | Updates direct and indirect Go module versions for x/crypto and related x/* deps. |
| go.sum | Updates checksums to reflect the new module versions pulled in by the bump. |
| .github/workflows/codeql.yml | Advances CodeQL action pins to v4.35.3 for CodeQL scanning in CI. |
Resolve GO-2026-4971 (panic in net.Dial/LookupPort with NUL byte on Windows) and GO-2026-4918 (infinite loop in HTTP/2 transport with bad SETTINGS_MAX_FRAME_SIZE). Both vulnerabilities are fixed in the Go 1.26.3 standard library.
The e2e 'env up' was failing inside the container with: [ERR_PNPM_IGNORED_BUILDS] Ignored build scripts: esbuild@0.27.2. pnpm 10+ requires build scripts to be explicitly approved via onlyBuiltDependencies. The existing patch only wrote to package.json, but pnpm 10+ with corepack may not pick it up reliably. Now also writing onlyBuiltDependencies=esbuild to .npmrc in both builder-scaffold and world-contracts workspace directories. .npmrc is always read regardless of the packageManager field, making it the most reliable configuration method. Added unit tests for the new .npmrc patching functionality.
gosec v2.26.1 reports G703 (Path traversal via taint analysis) on the os.WriteFile call in patchNpmrc. The path is already validated by safePath before being passed in, so this is a false positive. Added G703 to the #nosec suppression.
…lot suggestions
- Add 'pnpm approve-builds esbuild' to CmdDeployWorld to fix e2e CI failure caused by pnpm 10+ requiring explicit build script approval for esbuild (ERR_PNPM_IGNORED_BUILDS error)
- Fix CRLF handling in patchNpmrc to trim both \r and \n before appending, preventing Windows/CRLF line ending issues
- Fix incorrect #nosec G304 annotation on os.WriteFile call in patchNpmrc (should be G306 for write operations)
- Fix test error handling: properly check errors from os.ReadFile calls in TestPatchPackageJSON, TestPatchPackageJSON_NoPackageManager, and TestPatchNpmrc_Idempotent
- Change patchPnpmDependencies to return error instead of void
- Aggregate per-repo failures with errors.Join for full visibility
- Update start.go to handle returned error and fail fast before container startup
- Fix containsAllowBuildsForEsbuild regex false-positive using single regex that verifies esbuild is nested under allowBuilds
- Align all CI jobs to use go-version-file: go.mod instead of hardcoded versions, matching codeql.yml approach
- Update stale comment to reflect pnpm-workspace.yaml approach
- Add test for error propagation when repo directory is missing
- Add false-positive guard test for regex detection
…nsion publish test-publish only records transactions without executing them on-chain, so the JSON output lacks objectChanges with published package IDs. This caused BUILDER_PACKAGE_ID to remain empty in builder-scaffold/.env, failing the e2e test assertion. Switch both localnet pubfile and extension fallback to publish to ensure actual deployment and parseable JSON output.
- Fix typos in agents frontmatter (reseaching→researching, equivilent→equivalent)
- Remove duplicate 'to to' in codebase-pattern-finder.md
- Merge esbuild into existing allowBuilds block to avoid duplicate YAML keys in pnpm-workspace.yaml (patchPnpmWorkspaceYaml). Also adds TestPatchPnpmWorkspaceYaml_MergesIntoExistingAllowBuilds
- Update pnpm_esbuild_e2e_investigation.md to reflect implemented state
Addresses review feedback on PR #28. Changes:
- replace regex-based pnpm-workspace patching with YAML-aware allowBuilds updates
- add tests for inline allowBuilds maps and false-to-true esbuild updates
- rewrite investigation doc opening into clear long-term documentation prose
- correct the handoff typo in the quoted commit message
Recover the extension package ID from the ephemeral pubfile when test-publish JSON does not include a published package change. Also seed a fresh Pub.extension.toml from the copied world pubfile so repeated localnet extension publishes remain idempotent.
Addresses PR #28 review feedback on the pnpm workspace patcher. Changes:
- validate workspace-derived pnpm-workspace.yaml paths with safePath before patching
- align #nosec comments with the actual caller validation and gosec behavior
- add a traversal-focused unit test for pnpm workspace path resolution
Address PR #28 review feedback by removing dead pnpm helpers, reverting the unrelated localnet extension publish recovery changes, and rewriting the pnpm investigation notes in clear English.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary
Security and tooling updates
- go 1.26.2 -> go 1.26.3 in `go.mod` and CI workflows
- Bump `golang.org/x/crypto` and refresh related `x/*` dependencies in `go.sum`
- Update `github/codeql-action` pins in CI
E2E fix for pnpm/esbuild
- `efctl env up` was failing inside the container with `ERR_PNPM_IGNORED_BUILDS` for `esbuild`
- pnpm v10.26+/v11 requires build-script approvals at the workspace level; the older `onlyBuiltDependencies` path was not sufficient for this containerized flow
- Patch `pnpm-workspace.yaml` in both `builder-scaffold` and `world-contracts` to set `allowBuilds.esbuild: true`
- Existing `allowBuilds:` blocks are merged instead of duplicated
- Paths are validated with `safePath` before writing `allowBuilds` maps
Repo agent metadata
- `.pi/agents/` instruction suite; update the managed agent manifests used for repo analysis and review workflows
Supporting docs and notes
- `pnpm-workspace.yaml` approach
Verification
go test ./pkg/setup/...