PR #398 #1192
codeql
on: dynamic
Matrix: analyze
Annotations
3 warnings
Analyze (python)
Starting April 2026, the CodeQL Action will skip computing file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses.
To opt out of this change, create a custom repository property with the name `github-codeql-file-coverage-on-prs` and the type "True/false", then set this property to `true` in the repository's settings.
Duplicate JSON-RPC request IDs permanently inflate in-flight counter and block idle shutdown:
src/server/request-lifecycle.ts#L49
In the wrapped `onmessage` handler, every incoming JSON-RPC request triggers `observer.onRequestStarted?.()` unconditionally, but the request id is added to a `Set`, which silently dedupes repeats. If a client (buggy or malicious) reuses a request id, `onRequestStarted` is invoked twice while the matching response only triggers `onRequestCompleted` once (because `pendingRequestIds.delete(id)` returns false the second time). The `inFlightRequestCount` in the idle controller therefore drifts upward and never returns to zero, defeating the idle-timeout shutdown that this PR introduces.
Synchronous throw from downstream onmessage leaves request marked as in-flight forever:
src/server/request-lifecycle.ts#L49
The wrapped `onmessage` adds the request id to `pendingRequestIds` and notifies `onRequestStarted` before invoking `downstreamOnMessage(message, extra)`. If the downstream handler throws synchronously (or the SDK never produces a response for any reason, e.g., a handler crash), no corresponding response will pass through `transport.send`, so `onRequestCompleted` is never called. The idle controller's `inFlightRequestCount` stays elevated and idle shutdown can never trigger.
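Both annotations above point at the same wrapper, so here is one added example (not code from this PR or from `src/server/request-lifecycle.ts`) that models the wrapped `onmessage`/`send` pair and the idle counter as the annotations describe them. `wrapNaive` reproduces both defects: a reused request id increments the counter twice but decrements once, and a synchronous throw from the downstream handler leaves the id pending forever. `wrapHardened` counts a request only when its id is genuinely new and releases the slot when the downstream handler throws. All identifiers in the block (`IdleController`, `wrapNaive`, `wrapHardened`, `simulate`, the `Wrap` signature) are assumptions made for this illustration, not the project's own names.

```typescript
// Added example, not code from the PR or the project. Every name here is an
// assumption for illustration; the message shape is plain JSON-RPC 2.0.
type JsonRpcId = string | number;

interface JsonRpcMessage {
  jsonrpc: "2.0";
  id?: JsonRpcId;
  method?: string;
  result?: unknown;
}

interface LifecycleObserver {
  onRequestStarted?: () => void;
  onRequestCompleted?: () => void;
}

interface Wrapped {
  onmessage(message: JsonRpcMessage): void;
  send(message: JsonRpcMessage): void;
}

type Wrap = (
  downstream: (message: JsonRpcMessage) => void,
  rawSend: (message: JsonRpcMessage) => void,
  observer: LifecycleObserver,
) => Wrapped;

// Idle controller as the annotations describe it: shutdown only at zero.
class IdleController implements LifecycleObserver {
  inFlightRequestCount = 0;
  onRequestStarted = (): void => { this.inFlightRequestCount++; };
  onRequestCompleted = (): void => { this.inFlightRequestCount--; };
  canShutDown(): boolean { return this.inFlightRequestCount === 0; }
}

// A request has an id and a method; a response has an id and no method.
// Notifications (no id) are never tracked by either wrapper.
function isRequest(m: JsonRpcMessage): m is JsonRpcMessage & { id: JsonRpcId; method: string } {
  return m.id !== undefined && m.method !== undefined;
}
function isResponse(m: JsonRpcMessage): m is JsonRpcMessage & { id: JsonRpcId } {
  return m.id !== undefined && m.method === undefined;
}

// Defective wrapper: onRequestStarted fires even when the Set already held the
// id, and a synchronous throw downstream leaves the id pending with no response.
const wrapNaive: Wrap = (downstream, rawSend, observer) => {
  const pendingRequestIds = new Set<JsonRpcId>();
  return {
    onmessage(message) {
      if (isRequest(message)) {
        pendingRequestIds.add(message.id);   // silently a no-op on a duplicate id
        observer.onRequestStarted?.();       // but this still increments
      }
      downstream(message);                   // a throw here means no response ever
    },
    send(message) {
      if (isResponse(message) && pendingRequestIds.delete(message.id)) {
        observer.onRequestCompleted?.();     // delete() is false for the duplicate
      }
      rawSend(message);
    },
  };
};

// Hardened wrapper: count a request only when its id is new, and undo the
// start if the downstream handler throws before any response can be sent.
const wrapHardened: Wrap = (downstream, rawSend, observer) => {
  const pendingRequestIds = new Set<JsonRpcId>();
  const complete = (id: JsonRpcId): void => {
    if (pendingRequestIds.delete(id)) observer.onRequestCompleted?.();
  };
  return {
    onmessage(message) {
      if (!isRequest(message)) { downstream(message); return; }
      const { id } = message;
      const isNew = !pendingRequestIds.has(id);
      if (isNew) { pendingRequestIds.add(id); observer.onRequestStarted?.(); }
      // A duplicate id is still delivered but never counted twice; rejecting
      // it with an error response instead would be an equally valid policy.
      try {
        downstream(message);
      } catch (err) {
        if (isNew) complete(id);             // no response will follow
        throw err;
      }
    },
    send(message) {
      if (isResponse(message)) complete(message.id);
      rawSend(message);
    },
  };
};

// Drive a wrapper through both scenarios. The downstream handler defers its
// replies (as an async SDK would) so the duplicate arrives while the first copy
// is still pending; method "boom" throws synchronously instead of replying.
function simulate(wrap: Wrap): { afterDuplicate: number; afterThrow: number; canShutDown: boolean } {
  const ctl = new IdleController();
  const wire: JsonRpcMessage[] = [];          // constructed stand-in for the socket
  const queued: JsonRpcMessage[] = [];
  let api!: Wrapped;
  const downstream = (m: JsonRpcMessage): void => {
    if (m.method === "boom") throw new Error("handler crashed");
    queued.push(m);
  };
  api = wrap(downstream, (m) => { wire.push(m); }, ctl);
  const respondAll = (): void => {
    for (const req of queued.splice(0)) api.send({ jsonrpc: "2.0", id: req.id, result: "pong" });
  };
  // Scenario 1: the client reuses id 1 before the first request is answered.
  api.onmessage({ jsonrpc: "2.0", id: 1, method: "ping" });
  api.onmessage({ jsonrpc: "2.0", id: 1, method: "ping" });
  respondAll();
  const afterDuplicate = ctl.inFlightRequestCount;
  // Scenario 2: the handler throws synchronously; no response is ever sent.
  try { api.onmessage({ jsonrpc: "2.0", id: 2, method: "boom" }); } catch { /* caller logs it */ }
  const afterThrow = ctl.inFlightRequestCount;
  return { afterDuplicate, afterThrow, canShutDown: ctl.canShutDown() };
}
```

With the naive wrapper `simulate` ends at an in-flight count of 2 and `canShutDown()` is false; with the hardened one both scenarios return the counter to 0. Note the caveat the second annotation raises that the try/catch does not cover: a handler that neither responds nor throws (for example, a rejected promise the SDK swallows) still pins the counter, so a production idle controller would also want a per-request deadline or a periodic reconciliation of `pendingRequestIds` against the SDK's own view of open requests.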