Skip to content

chore(skillopt-sleep): report review findings on vendored engine to upstream microsoft/SkillOpt #248

Description

@amondnet

Context

PR #247 synced the vendored skillopt_sleep engine to upstream v0.2.0. Gemini Code Assist raised 9 findings on the vendored files, which we declined to patch locally (vendored code is read-only here — fixes belong upstream, see plugins/skillopt-sleep/README.md).

Findings to report upstream (microsoft/SkillOpt)

  • [HIGH/security] scheduler.py _runner_cmd: shell command assembled without shlex.quote escaping — command injection risk / breakage on paths with spaces (feat(skillopt-sleep): sync vendored engine to upstream v0.2.0 #247 (comment))
  • [HIGH] backend.py CliBackend: self._tokens / self._cache mutated from ThreadPoolExecutor threads without a lock (r3522428847), same for CopilotCliBackend (r3522428850), AzureOpenAIBackend (r3522428852), AzureResponsesBackend (r3522428855)
  • [MEDIUM] backend.py: last_call_error not set on Azure backend failures (r3522428858, r3522428860)
  • [MEDIUM] harvest_codex.py: per-file parse exceptions abort the whole harvest (r3522428863)
  • [MEDIUM] tasks_file.py: list-form tasks file never gets reviewed: true, blocking real-backend runs (r3522428866)

Codacy additionally flagged bandit/flake8-level issues in the same files (see PR #247 Codacy comment); vendored paths are now excluded via .codacy.yml.

Action

Metadata

Metadata

Assignees

No one assigned

    Labels

    type:choreMaintenance, build, dependencies

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions