[runtime] Fix warnings#138
Conversation
My VSCode is configured with format-on-save and uses the standard Microsoft C/C++ Extension Pack. The changes looks legit. It should probably be enforced by the CI, not sure it's worth it at this time.
Apparently the noreturn attribute is not enough to silence this warning.
but I didn't get rid of them completely (add -Wsign-conversion if you want to see them)
9ffecdd to
ea02f7c
Compare
jberdine
left a comment
There was a problem hiding this comment.
Overall LGTM. There is one change noted inline that I don't know why the warning isn't pointing to a bug. It would be good to understand that before silencing the warning.
| @@ -79,14 +79,15 @@ void sk_obstack_attach_page(char* lpage) { | |||
| } | |||
There was a problem hiding this comment.
I can't comment on the commit summary, but does "My VSCode is configured with format-on-save and uses the standard Microsoft C/C++ Extension Pack." mean that it runs clang-format, or does its own thing?
There was a problem hiding this comment.
I was too lazy to check...
Looks like it's indeed clang-format: https://code.visualstudio.com/docs/cpp/cpp-ide#_code-formatting and it's using the .clang-format file already present.
| @@ -1,8 +1,12 @@ | |||
| MEMSIZE32=1073741824 | |||
|
|
|||
| COMMONFLAGS=-Wall -Wextra -Wno-sign-conversion -Wno-sometimes-uninitialized -Wno-c2x-extensions -Wsign-compare -Wextra-semi-stmt | |||
There was a problem hiding this comment.
I would probably throw in -Wconversion too. That tends to catch a lot of useful things.
There was a problem hiding this comment.
👍
I actually did -Weverything and looked at warnings that appeared and could be worth fixing later.
|
This is great! I've wanted to do this for a long time :D. If you've got cycles and fancy it: I was also thinking of throwing in ubsan and asan for debug builds. |
Created https://intern.skiplabs.io/tasks/3bHdAtQiSR_wcnxJtJ9uX_XdsUC for it ;-) |
|
Do we have -werror somewhere? Or are these all just warnings? |
|
They are just warnings for now. werror would be good if people agree. |
Bring on the |
At least for the release profile, but I have to manually set CXXFLAGS when iterating on the compiler anyhow so adding |
Closes Dependabot alert #339 (GHSA-v6wh-96g9-6wx3 / CVE-2026-53632, medium — launch-editor NTLMv2 hash disclosure via UNC path handling on Windows). www had launch-editor@2.13.2 (vulnerable range <= 2.14.0). launch-editor is a transitive dep of webpack-dev-server (^2.6.1), so a plain `npm update launch-editor --package-lock-only` bumps it to 2.14.1 within range — no override needed. Single-package, 4-line diff. No breaking changes: 2.14.1 is the UNC-path security fix itself ("fix: reject UNC paths", #138); 2.14.0 adds package types and editor- path detection fixes (Trae casing, vscode path) — all additive. The public API (launch an editor) is unchanged. launch-editor is dev-only tooling — webpack-dev-server's click-to-open- in-editor overlay during `docusaurus start`, and the vuln is Windows/UNC-specific; it never runs in CI or the shipped static site. Closes #339. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
## Summary Closes Dependabot alert [#339](https://github.com/SkipLabs/skip/security/dependabot/339) — [GHSA-v6wh-96g9-6wx3](GHSA-v6wh-96g9-6wx3) / CVE-2026-53632 (**medium**: `launch-editor` NTLMv2 hash disclosure via UNC path handling on Windows). `www` had `launch-editor@2.13.2` (vulnerable range `<= 2.14.0`). ## Fix `launch-editor` is a transitive dep of `webpack-dev-server` (`^2.6.1`), so a plain `npm update launch-editor --package-lock-only` bumps it to **2.14.1** within range — no override needed. Single-package, 4-line diff. ## Breaking-change check Changelog 2.13.2 → 2.14.1: - **v2.14.1**: `fix: reject UNC paths` (#138) — the security fix itself — plus non-major dep bumps. - **v2.14.0**: `feat: add and improve package types` (additive), editor-path detection fixes (Trae casing, vscode path). No breaking changes; the public API (launch an editor) is unchanged. ## Verification - Fresh `npm install` → single `launch-editor@2.14.1`; no copy `<= 2.14.0`. - Diff scoped to the one package; no lockfile drift. `launch-editor` is dev-only tooling — `webpack-dev-server`'s click-to-open-in-editor overlay during `docusaurus start` — and the vuln is Windows/UNC-specific. It never runs in CI or reaches the shipped static site. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
In #135, @jberdine found that we used pointer arithmetic on
void. This could have been avoided by enabling compiler warnings. So let's do it and fix a few more oddities.I've run
as suggested by @jberdine