v1.7.2

@github-actions github-actions released this 31 May 11:21
· 7 commits to main since this release

pollen v1.7.2

Three fixes spanning v1.7.0 and v1.7.1. The first two are
v1.7.0 defects exposed by a follow-up audit; the third is
a regression v1.7.1 introduced when it added Ctrl+P as the
Settings binding.

The OAuth DC status renderer evaluated its switch in the
wrong order. The static token != nil case came first,
which meant a re-fetch on a Device Code panel that already
held a hydrated token left the stale "Bearer …" preview on
screen for the entire flow. The new IdP-issued user_code
was hidden behind the old token, so the user couldn't
transcribe it on the second device, the Poll loop ran for
30 minutes returning authorization_pending, and the only
visible signal of failure was a 4-second toast at the very
end. A failed re-fetch had a parallel issue: the error
sat behind the stale token until the user pressed d to
forget it. The cases are now ordered the same way CC and
AC have always ordered theirs — transient state first
(polling with or without user_code), then error, then the
static Bearer preview.

The Settings overlay's float validator accepted "NaN".
strconv.ParseFloat parses "NaN" successfully into
math.NaN(), and IEEE 754 says NaN comparisons return
false against everything — so the f <= min || f >= max
range check let NaN slip past. The Response panel ratio
field then carried NaN into View's layout math
(width × ratio), and the column counts for the rest of
the session were undefined. (Saving to disk was prevented
by encoding/json, which refuses to marshal NaN, so the
on-disk file was unharmed.) The validator now rejects
NaN and ±Inf explicitly via math.IsNaN and math.IsInf
before the range check.
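
The NaN bypass described above, reproduced as an added example (not pollen's own code): the function names and the 0..1 bounds are assumptions, and only the f <= min || f >= max check and the math.IsNaN / math.IsInf fix come from these notes.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"strconv"
)

// validateNaive mirrors the range check quoted in the release notes:
// reject when f <= min || f >= max. Hypothetical name.
func validateNaive(s string, min, max float64) (float64, error) {
	f, err := strconv.ParseFloat(s, 64)
	if err != nil {
		return 0, err
	}
	if f <= min || f >= max { // both comparisons are false for NaN
		return 0, errors.New("out of range")
	}
	return f, nil
}

// validateStrict rejects non-finite values before the range check.
func validateStrict(s string, min, max float64) (float64, error) {
	f, err := strconv.ParseFloat(s, 64)
	if err != nil {
		return 0, err
	}
	if math.IsNaN(f) || math.IsInf(f, 0) {
		return 0, errors.New("not a finite number")
	}
	if f <= min || f >= max {
		return 0, errors.New("out of range")
	}
	return f, nil
}

func main() {
	// Constructed inputs; bounds 0..1 are assumed for a ratio field.
	for _, in := range []string{"0.4", "NaN", "nan", "+Inf", "-Inf", "1.5"} {
		_, e1 := validateNaive(in, 0, 1)
		_, e2 := validateStrict(in, 0, 1)
		fmt.Printf("%-5s naive=%v strict=%v\n", in, e1, e2)
	}
	_, err := json.Marshal(math.NaN()) // encoding/json refuses NaN
	fmt.Println("json.Marshal(NaN):", err)
}
```

With finite bounds the range check already catches ±Inf; only NaN passes the naive version, and strconv.ParseFloat matches it case-insensitively, so "nan" passes too.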

The Ctrl+P binding v1.7.1 added for the Settings overlay
silently broke two bubbles default bindings:
bubbles/textarea binds Ctrl+P to LinePrevious (move
cursor up one line, used in the Body editor) and
bubbles/textinput binds it to PrevSuggestion (cycle
backwards through autocompletions, used in Headers).
handleKey evaluated the Settings case before delegating
to the focused panel, so Ctrl+P never reached the
underlying widgets. Emacs-trained users editing a
multi-line body lost their cursor-up shortcut, and
Headers users lost suggestion cycling. The Settings
binding now carries the same isTextEditingFocus guard
that the u undo shortcut has used since the v1.6 era —
inside a focused textinput or textarea, Ctrl+P falls
through to the widget; from any other focus, Ctrl+P
still opens Settings.

Fixed:

  • renderOAuthDCStatus case order matches CC / AC: polling
    beats stale token, error beats stale token. The user_code
    is shown during re-fetch
  • Settings float validator rejects NaN, +Inf, and -Inf
    before the range check
  • Ctrl+P (and Ctrl+, alias) Settings binding guarded by
    isTextEditingFocus so bubbles textarea LinePrevious and
    textinput PrevSuggestion defaults work again

Notes:

  • v1.x SemVer-frozen surface unchanged. The Settings
    binding's reach is narrowed (no longer fires inside text
    editing), not extended
  • A real-but-lower-priority data race remains in
    applySettings: it writes plain (non-atomic) httpx package
    vars that the Send Cmd goroutine reads from httpx.Do.
    Production occurrences are rare and effects are limited
    to torn reads of primitive types. A Snapshot pattern or
    atomic primitives in httpx is reserved for a future
    release; CI's -race doesn't catch it because no test
    exercises a parallel Send + Settings edit

See CHANGELOG.md for the full list.