fix(electron): ensure valid values cross bridge #1256
0880a72 to 72dbb13
@cursor review
This might be a useful common tool?
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit 2464c85.
db7a834 to a5237e3
a5237e3 to fea3339
@cursor review
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit fea3339.
| if (typeof logFn === 'function') { | ||
| logFn.call(this.logger, message); | ||
| } | ||
| }); |
Log handler permits calling arbitrary methods on logger
Medium Severity
The log IPC handler accepts any string level from the renderer and looks up this.logger[level], calling it if typeof is 'function'. This allows invoking not just the four intended log methods (error, warn, info, debug), but any function-typed property on the logger—including inherited Object.prototype methods like constructor, toString, and hasOwnProperty, as well as internal methods of concrete logger classes (e.g., BasicLogger's static get). A whitelist check against the valid log levels would be more correct and match the test expectation that "invalid severity levels" are ignored.
Reviewed by Cursor Bugbot for commit fea3339.
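The lookup this review comment describes, next to an allowlisted dispatch, as an added example that is not code from this PR or the SDK. The function names, the logger shape, the message type check and the sample level strings are assumptions constructed for illustration.

```typescript
// Added example; every name here is an assumption, not the SDK's own code.
type LogLevel = 'error' | 'warn' | 'info' | 'debug';
type Logger = Record<LogLevel, (message: string) => void>;

const LOG_LEVELS: readonly string[] = ['error', 'warn', 'info', 'debug'];

// Type guard: only the four intended method names pass.
function isLogLevel(level: unknown): level is LogLevel {
  return typeof level === 'string' && LOG_LEVELS.indexOf(level) !== -1;
}

// Pattern the review comment describes: look up whatever name arrives.
function dispatchUnchecked(logger: Logger, level: string, message: string): boolean {
  const logFn = (logger as unknown as Record<string, unknown>)[level];
  if (typeof logFn === 'function') {
    logFn.call(logger, message);
    return true;
  }
  return false;
}

// Allowlisted form: reject anything that is not a known level with a string message.
function dispatchAllowlisted(logger: Logger, level: unknown, message: unknown): boolean {
  if (!isLogLevel(level) || typeof message !== 'string') {
    return false;
  }
  logger[level](message);
  return true;
}

// Logger whose four methods append to a caller-supplied array.
function makeLogger(sink: string[]): Logger {
  const write = (level: LogLevel) => (message: string): void => {
    sink.push(level + ': ' + message);
  };
  return { error: write('error'), warn: write('warn'), info: write('info'), debug: write('debug') };
}

// Constructed renderer input: one valid level, three inherited names, one unknown name.
const SAMPLE_LEVELS = ['warn', 'constructor', 'toString', 'hasOwnProperty', 'trace'];

// Returns the sample levels for which the given dispatcher invoked something.
function acceptedLevels(dispatch: (l: Logger, level: string, m: string) => boolean): string[] {
  const logger = makeLogger([]);
  return SAMPLE_LEVELS.filter((level) => dispatch(logger, level, 'constructed message'));
}

console.log('unchecked:', acceptedLevels(dispatchUnchecked));
console.log('allowlisted:', acceptedLevels(dispatchAllowlisted));
```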
| ); | ||
| return undefined as T; | ||
| } | ||
| } |
Returning undefined for detail methods causes downstream TypeError
Medium Severity
safeSendSync returns undefined as T on error. For variationDetail and jsonVariationDetail, the declared return type is LDEvaluationDetail / LDEvaluationDetailTyped, which have required properties value and reason. Callers (e.g., ElectronRendererClient.variationDetail) pass this through directly, so any consumer accessing .value or .reason will get a TypeError — replacing one crash with a less informative one downstream.
Reviewed by Cursor Bugbot for commit fea3339.


This PR will ensure that the values we pass through the Electron bridge are serializable by Electron. This is important because the bridge code will throw if non-serializable values are passed in.
Note
Medium Risk
Changes renderer→main IPC behavior for variation/track/JSON calls by catching sendSync serialization failures and returning undefined, which could alter downstream expectations if callers relied on throws or guaranteed return values. Adds a new log IPC channel, so miswiring could hide errors if logging is not configured.
Overview
Prevents renderer-side ipcRenderer.sendSync calls from throwing when passed non-IPC-serializable values by routing jsonVariation, jsonVariationDetail, variation, variationDetail, and track through a new safeSendSync wrapper that drops the value and returns undefined.
Adds a new synchronous IPC channel log so the renderer can emit a warn message to the main process; ElectronClient dispatches this to the configured logger when the severity matches a valid LDLogger method. Tests were updated to cover log dispatch, invalid severity handling, and the new “sendSync throws → warn + undefined” behavior.
Reviewed by Cursor Bugbot for commit fea3339. Bugbot is set up for automated code reviews on this repo.