fix: variable sites shared across concurrent requests#2736
Conversation
Signed-off-by: Boris <boris.kole@outlook.com>
There was a problem hiding this comment.
Sorry @boriskole, you have reached your weekly rate limit of 500000 diff characters.
Please try again later or upgrade to continue using Sourcery
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR adjusts multisite-related state in schedulecreatedate.jsp to be request-scoped (instead of JSP declaration fields) and cleans up HTML/JSP formatting in the schedule grid.
Changes:
- Move
sites/bMultisitesfrom JSP declaration (<%! ... %>) to request-time scriptlet variables (<% ... %>). - Minor whitespace/line formatting change around the
bgcolortable cell rendering.
There was a problem hiding this comment.
Code Review
This pull request refactors schedulecreatedate.jsp by moving the sites list and bMultisites flag declarations from the JSP declaration block to the scriptlet block, preventing shared state across requests. The review feedback suggests initializing sites to an empty list instead of null to avoid potential NullPointerExceptions when multisites are disabled.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
📝 WalkthroughWalkthroughJSP instance fields ChangesMultisite Variable Scope Refactoring
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related issues
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
✨ Simplify code
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Signed-off-by: Boris <boris.kole@outlook.com>
| %> | ||
| <% | ||
|
|
||
| List<Site> sites = Collections.emptyList(); |
Signed-off-by: Boris <boris.kole@outlook.com>
|
@coderabbitai review |
@Ben-Heerema I have started the AI code review. It will take a few minutes to complete. |
|
@coderabbitai review please? |
|
@boriskole awesome work! Idk why coderabbit isn't working so I won't request yingbull until I get that sorted but everything else is checking out! Thanks for your help :) Note: I think sonar is failing due to missing secrets (token) so that is expected. |
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
@yingbull this PR looks good. |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp:37
getSiteHTML(...)builds an HTML snippet usingSite.bgColorandSite.shortNamewithout any validation/encoding. Since these values come from the database/config (and are ultimately user-controlled via admin UI), this can enable CSS injection via the style attribute and XSS via the rendered text. This file already uses encoding elsewhere; it should apply the same hardening here (similar toscheduleflipview.jsp).
private String getSiteHTML(String reason, List<Site> sites) {
if (reason == null || reason.trim().length() == 0)
return "";
else
return "<span style='background-color:" + ApptUtil.getColorFromLocation(sites, reason) + "'>" + ApptUtil.getShortNameFromLocation(sites, reason) + "</span>";
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp (1)
42-48: 🧹 Nitpick | 🔵 Trivial | 💤 Low valueThread-safety fix is correct.
Moving
sitesfrom a JSP declaration (instance field) to a request-local scriptlet variable properly addresses the data race described in issue#2647. Initializing withCollections.emptyList()before conditional DAO population is a clean pattern.Minor style note:
java.util.Collectionsis redundant since line 62 importsjava.util.*. Could simplify toCollections.emptyList().Optional simplification
- List<Site> sites = java.util.Collections.emptyList(); + List<Site> sites = Collections.emptyList();🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp` around lines 42 - 48, The thread-safety fix moved the previously shared JSP field into a request-local variable 'sites' with initialization using java.util.Collections.emptyList() and conditional population via bMultisites = IsPropertiesOn.isMultisitesEnable() and SiteDao siteDao = (SiteDao) WebApplicationContextUtils.getWebApplicationContext(application).getBean(SiteDao.class); siteDao.getAllSites(); — simplify the style by replacing the fully-qualified java.util.Collections.emptyList() with Collections.emptyList() (since java.util.* is already imported) while keeping the same initialization and conditional logic around 'bMultisites' and 'siteDao.getAllSites()'.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp`:
- Around line 42-48: The thread-safety fix moved the previously shared JSP field
into a request-local variable 'sites' with initialization using
java.util.Collections.emptyList() and conditional population via bMultisites =
IsPropertiesOn.isMultisitesEnable() and SiteDao siteDao = (SiteDao)
WebApplicationContextUtils.getWebApplicationContext(application).getBean(SiteDao.class);
siteDao.getAllSites(); — simplify the style by replacing the fully-qualified
java.util.Collections.emptyList() with Collections.emptyList() (since
java.util.* is already imported) while keeping the same initialization and
conditional logic around 'bMultisites' and 'siteDao.getAllSites()'.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8205cf71-ea39-4949-87e3-8e2bb237ad04
📒 Files selected for processing (1)
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📜 Review details
🧰 Additional context used
📓 Path-based instructions (9)
**/*.{jsp,java}
📄 CodeRabbit inference engine (.github/copilot-instructions.md)
Use OWASP Encoder for ALL user input output: in JSP use
${e:forHtml(value)}with taglib<%@ taglib uri="owasp.encoder.jakarta" prefix="e" %>, in Java useEncode.forHtml(value), with context-specific variants (forHtmlAttribute,forJavaScript,forCssString,forUri,forUriComponent)Use OWASP Encoder null-safe CARLOS wrappers for all user input encoding:
<carlos:encode>tag,${carlos:forXxx()}EL functions, orSafeEncode.forXxx()Java methods. DO NOT use<e:forXxx>,${e:forXxx()}, orEncode.forXxx()directly in new code.
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
**/*.jsp
📄 CodeRabbit inference engine (.github/instructions/jsp-security.instructions.md)
**/*.jsp: Every JSP file MUST include OWASP Encoder output encoding for ALL user data
Add required taglib with URIowasp.encoder.jakarta(Jakarta EE) to every new JSP file:<%@ taglib uri="owasp.encoder.jakarta" prefix="e" %>
Use${e:forHtml(value)}for HTML body output encoding, NOT<c:out>orfn:escapeXml()
Use${e:forHtmlAttribute(value)}for HTML attribute encoding
Use${e:forJavaScript(value)}for JavaScript string encoding
Use${e:forJavaScriptAttribute(value)}for JavaScript in HTML attribute encoding
Use${e:forCssString(value)}for CSS string encoding
Use${e:forUri(value)}for URL path encoding
Use${e:forUriComponent(value)}for URL parameter encoding
CSRF tokens are auto-injected by CSRFGuard 4.5. Do NOT add manual CSRF hidden inputs to JSP files
Avoid using<c:out value="${...}" />in new JSP code; use${e:forHtml(...)}instead
Avoid usingfn:escapeXml()in new JSP code; use${e:forHtml(...)}instead
NEVER output user data without encoding in JSP files; avoid raw${variable}without OWASP Encoder functions
**/*.jsp: Add comprehensive JSP comment blocks after copyright headers documenting purpose, features, parameters, and@sincefor all JSP page templates
AJAX JSPs that read CSRF-TOKEN viadocument.querySelector('input[name="CSRF-TOKEN"]')must either contain at least one<form action="<real URL>" method="post">OR include the canonical bootstrap fragment<%@ include file="/WEB-INF/jspf/csrf-token.jspf" %>
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
{README.md,docs/**/*.md,src/main/webapp/**/*.jsp,src/main/webapp/**/*.html}
📄 CodeRabbit inference engine (GEMINI.md)
Refer to this system as 'CARLOS EMR' or 'CARLOS' in all user-facing content (UI, documentation, README files, issue templates, workflows)
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
{src/main/webapp/**/*.jsp,src/main/java/io/github/carlos_emr/carlos/*/web/**Action.java}
📄 CodeRabbit inference engine (GEMINI.md)
Use OWASP Encoder for ALL user inputs:
Encode.forHtml()for Java code, or${e:forHtml()}EL function for JSP (prefer EL functions in JSP)
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
src/main/webapp/**/*.jsp
📄 CodeRabbit inference engine (GEMINI.md)
src/main/webapp/**/*.jsp: Include JSP taglib declaration<%@ taglib uri="owasp.encoder.jakarta" prefix="e" %>once per JSP that uses EL encoding functions
Use context-appropriate OWASP encoding: HTML body${e:forHtml()}, HTML attribute${e:forHtmlAttribute()}, JavaScript${e:forJavaScript()}, CSS${e:forCssString()}, URL${e:forUri()}or${e:forUriComponent()}
Add comprehensive JSP comment blocks after copyright headers with purpose, features, parameters, and@sincedocumentation
Prefer JSP EL encoding functions${e:...()}over scriptlets; use JSP with JSTL/EL for cleaner, context-aware encoding
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
{src/main/java/io/github/carlos_emr/carlos/**/*.java,src/main/webapp/**/*.jsp}
📄 CodeRabbit inference engine (GEMINI.md)
PHI (Patient Health Information) must NEVER be logged or exposed in error messages
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
**/*.{jsp,xml}
📄 CodeRabbit inference engine (CLAUDE.md)
JSP views for web pages must be placed under
src/main/webapp/WEB-INF/jsp/**and actions should forward to internal WEB-INF paths, not public JSP files
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
**/*
📄 CodeRabbit inference engine (CLAUDE.md)
Preserve all existing copyright headers in modified files; do not remove or change GPL version statements
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
**/*.{java,jsp,xml,js,css}
📄 CodeRabbit inference engine (CLAUDE.md)
New files must use CARLOS project header as defined in
docs/copyright-header-carlos.md
Files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
🧠 Learnings (10)
📚 Learning: 2026-03-15T15:52:50.897Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 644
File: src/main/webapp/admin/updateDrugref.jsp:63-70
Timestamp: 2026-03-15T15:52:50.897Z
Learning: Guideline: For JSPs (any .jsp) that perform fetch() with POST and rely on CSRF tokens not auto-injected by CSRFGuard 4.5, insert a hidden form into the page body: <form method="post" style="display:none;"></form>. This causes CSRFGuardScriptInjectionFilter to inject the CSRF-TOKEN hidden input into that form, making the token available as document.querySelector('input[name="CSRF-TOKEN"]') for inclusion in fetch() request bodies. If getCsrfToken() returns '' as a fallback, ensure it is accompanied by a clear console.warn and that the hidden form guarantees token injection. Apply this pattern to JSPs where manual CSRF token integration is required.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-03-23T01:03:12.952Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 715
File: src/main/webapp/provider/appointmentprovideradminday.jsp:2610-2633
Timestamp: 2026-03-23T01:03:12.952Z
Learning: In this repo, avoid changing only a single caller that invokes `SearchDemographic.do` from GET to POST. If the request method for `SearchDemographic.do` needs to change, do it as one coordinated, global change across *all* JSP callers (so request semantics stay consistent) and include required CSRF token handling as part of that same migration. Do not introduce a mixed GET/POST pattern for this endpoint across the codebase.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-04-06T03:31:35.622Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1116
File: src/main/webapp/billing/CA/BC/genTAS00.jsp:181-183
Timestamp: 2026-04-06T03:31:35.622Z
Learning: When using the OWASP Java Encoder (`Encode.*`) in JSP, select the encoder based on the actual JavaScript context:
- Use `Encode.forJavaScript()` when inserting data into a JavaScript string literal (e.g., values embedded in `'...'?` or inside a `javascript:` href that contains JS code).
- Use `Encode.forJavaScriptAttribute()` only when the JavaScript appears inside an HTML event handler attribute (e.g., `onclick="..."`).
Do not flag `Encode.forJavaScript()` as incorrect merely because it contains JavaScript; only flag it if the target location is an HTML event attribute requiring `forJavaScriptAttribute()`.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-03-17T21:22:37.959Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 667
File: src/main/webapp/form/demographicMeasurementModal.jsp:242-242
Timestamp: 2026-03-17T21:22:37.959Z
Learning: In src/main/webapp/form/demographicMeasurementModal.jsp, showMeasurementDialog() builds bodyHtml from server data (this.dataField, this.measuringInstruction) and unsafely inlines a live DOM value (document.getElementById(elementId).value) into an HTML attribute context before assigning to innerHTML. This is a self-XSS/attribute-injection vector, but it has been assessed as acceptable risk given authenticated users. Do not flag as a critical XSS unless new untrusted input sources are introduced to bodyHtml. Review guidance should be: (1) Treat this as a narrow self-XSS risk, not a general XSS issue; (2) Do not escalate unless you add new untrusted inputs; (3) Document the rationale in code comments and/or review notes; (4) If future changes add untrusted sources, re-evaluate and consider sanitization, stricter encoding, or replacing innerHTML construction with safer DOM manipulation; (5) Consider a minimal CI guard that flags additions of new untrusted inputs to the bodyHtml constructio...
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-03-27T22:41:03.205Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 604
File: src/main/webapp/tickler/ticklerMain.jsp:87-88
Timestamp: 2026-03-27T22:41:03.205Z
Learning: In JSPs, it can be intentional for a Java scriptlet variable (e.g., `isDemoView` inside `<% ... %>`) and a separately named `pageContext` attribute (e.g., `pageContext.setAttribute("hasDemoView", isDemoView)`) to coexist. The scriptlet variable is used within `<% %>` code, while the `pageContext` attribute is accessed via JSTL/EL (e.g., `${hasDemoView}`). These are different namespaces—if the `pageContext` attribute is set before use, do not flag `${...}` as an unresolved/broken reference just because a similarly named scriptlet variable exists with a different name.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-03-27T23:09:08.560Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 724
File: src/main/webapp/billing/CA/BC/billingDeleteWithoutNo.jsp:148-148
Timestamp: 2026-03-27T23:09:08.560Z
Learning: In this codebase’s JSP/JS usage of `BroadcastChannel`, follow the established convention: wrap both the `new BroadcastChannel(...)` instantiation and the `postMessage(...)` call in a `try/catch` block with an empty (or comment-only) catch handler like `catch (e) { /* BroadcastChannel not supported */ }`. Do not re-run the `BroadcastChannel` logic inside the catch block. This repository’s convention does not use feature detection such as `typeof BroadcastChannel === 'undefined'` for this guard.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-03-27T23:09:13.720Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 724
File: src/main/webapp/billing/CA/CLINICAID/billingDeleteWithoutNo.jsp:77-77
Timestamp: 2026-03-27T23:09:13.720Z
Learning: When using `BroadcastChannel` in this repo, follow the established guard convention: wrap `BroadcastChannel` message posting in a `try/catch` and use an empty (or comment-only) `catch` body (e.g., `catch (e) { /* BroadcastChannel not supported */ }`). Do not use `typeof BroadcastChannel !== 'undefined'` as the primary guard; keep this pattern consistent across all JSP files in `src/main/webapp/**`—especially the JSP billing files—and for any code that posts `BroadcastChannel` messages.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-04-06T03:31:14.839Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1116
File: src/main/webapp/billing/CA/BC/support/billingfeeitem.jsp:138-143
Timestamp: 2026-04-06T03:31:14.839Z
Learning: In this repository’s JSP files, when outputting untrusted values that will be embedded inside JavaScript string literals within HTML event handler attributes (e.g., inside `onclick="..."` or any attribute whose value contains JavaScript code with values surrounded by single or double quote delimiters), prefer `Encode.forJavaScript()` as the recommended encoder for the JavaScript-string-literal context. Do not suggest replacing it with `Encode.forJavaScriptAttribute()` for these event-handler/JS-string-literal contexts; both are safe, but `forJavaScript()` is the general-purpose recommended choice for values placed in JS string literals.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-04-06T15:22:52.578Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1147
File: src/main/webapp/demographic/demographicappthistory.jsp:0-0
Timestamp: 2026-04-06T15:22:52.578Z
Learning: For JSP views under src/main/webapp, when looking up multisite attributes from a map (e.g., `siteBgColor`) keyed by a location that may have become inactive/deleted, don’t assume the key exists. Guard against null/empty results before rendering. Pattern: fetch the mapped `String[]` (e.g., `String[] sbc = siteBgColor.get(appointment.getLocation());`), derive `siteColor` and `siteLabel` with null/length checks (fall back to `""` for CSS color and to the location label when the array is missing/too short), then render with `Encode.forCssString(siteColor)` and `Encode.forHtml(siteLabel)` to avoid NPEs and incorrect output.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
📚 Learning: 2026-04-08T02:45:55.926Z
Learnt from: yingbull
Repo: carlos-emr/carlos PR: 1358
File: src/main/webapp/documentManager/showDocument.jsp:481-481
Timestamp: 2026-04-08T02:45:55.926Z
Learning: In this codebase’s JSPs (carlos-emr/carlos), it is an established convention to pass the numeric `docId` unquoted to `ForwardSelectedRows(docId + ':DOC', ...)` (i.e., relying on JS type coercion such as `123 + ":DOC"` → `"123:DOC"`). Do not flag these calls as inconsistent or fragile for missing quotes; do not “fix” by quoting only some occurrences, since that would create inconsistency. Ensure the value used for any JavaScript-context encoding is handled by adding/verifying `Encode.forJavaScriptAttribute(docId)` for `docId` where applicable before embedding it in JavaScript/HTML attributes.
Applied to files:
src/main/webapp/WEB-INF/jsp/schedule/schedulecreatedate.jsp
|
@yingbull I think this is good to go, the major bot review was an XSS/CSS concern but I made a separate ticket. |
|
Hey, do I need to make some changes or is this PR fine? |
|
@cubic-dev-ai review |
@Ben-Heerema I have started the AI code review. It will take a few minutes to complete. |
|
Tip For best results, initiate chat on the files or code changes. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Fetch the PR diff
gh pr view 2736 --repo carlos-emr/carlos --json files,body,titleLength of output: 2607 🏁 Script executed: #!/bin/bash
# Get the actual diff
gh pr diff 2736 --repo carlos-emr/carlosLength of output: 1930 🏁 Script executed: #!/bin/bash
# Check related JSP files for the same pattern
rg -n '<%!' --type=xml -g '*.jsp'Length of output: 9634 🏁 Script executed: #!/bin/bash
# Find and view the modified file plus related JSPs
fd -e jsp -i 'schedulecreatedate\|scheduleholidaysetting\|scheduleedittemplate' --exec cat {}Length of output: 400 🏁 Script executed: #!/bin/bash
# Find schedule-related JSPs and check for instance-field patterns
fd -e jsp . src/main/webapp/WEB-INF/jsp/schedule/ --exec echo {}
echo "---"
# Check scheduleholidaysetting, scheduleedittemplate and scheduledatepopup for mutable instance fields
for f in scheduleholidaysetting scheduleedittemplate scheduledatepopup scheduleflipview; do
echo "=== Searching for $f ==="
fd -e jsp -i "$f" --exec head -80 {}
doneLength of output: 16806 🏁 Script executed: #!/bin/bash
# Check scheduledatepopup.jsp for the problematic pattern
cat src/main/webapp/WEB-INF/jsp/schedule/scheduledatepopup.jsp | head -100Length of output: 4581 🏁 Script executed: #!/bin/bash
# Look at the <%! %> blocks in schedule JSPs that might have mutable instance fields
rg -n 'private\s+\w.*;\s*$|<%!\s*\w' src/main/webapp/WEB-INF/jsp/schedule/Length of output: 1266
However, while reviewing the related schedule JSPs, I found two more files with the same class of bug that should be tracked as follow-up work: 🐛
|
| File | Status |
|---|---|
schedulecreatedate.jsp |
✅ Fixed by this PR |
scheduleholidaysetting.jsp |
✅ Clean (uses scriptlets only) |
scheduleedittemplate.jsp |
✅ Clean (uses scriptlets only) |
scheduleflipview.jsp |
❌ Same bug — needs follow-up |
scheduledatepopup.jsp |
❌ Mutable instance field — needs follow-up |
Would you like me to open a GitHub issue to track the fixes needed in scheduleflipview.jsp and scheduledatepopup.jsp?
|
@coderabbitai Thanks for checking. There are already tickets for those follow-ups: #2677 covers the No new ticket needed here; this PR should stay scoped to #2647. |
|
Tip For best results, initiate chat on the files or code changes.
✏️ Learnings added
|
|
@boriskole it looks good as far as I can tell. |
Description
Moved the
sitesvariable to a scriptlet block to ensure the data is not shared across concurrent requests anymore.Related Issues
Fixes #2647
How Was This Tested?
Ran to verify
Checklist
git commit -s)Summary by cubic
Moved
sitesandbMultisitesto per-request scope inschedulecreatedate.jspto stop data leaking across concurrent requests;sitesnow defaults toCollections.emptyList(). Fixes #2647.sites/bMultisitesper request; load viaSiteDaoonly when multi-site is enabled.bgcolorattribute.Written for commit 514ce1f. Summary will update on new commits.