Commit faba6be
fix: Stabilize flaky lease renewer test and patch security vulnerabilities (#1640)
* fix: Widen goroutine margin in lease renewer idempotency test
TestLeaseRenewer_StartIsIdempotent failed in nightly CI with goroutine
count 7 vs expected max 6 (initial + 2). runtime.NumGoroutine() includes
all process goroutines (GC, timers, other tests), making a tight margin
fragile on busy CI runners.
Widen from +2 to +5 to absorb runtime jitter while still detecting a
real goroutine leak (3 unguarded Start() calls would add +3).
* fix: Patch hono and express-rate-limit security vulnerabilities
- hono: Update to 4.12.7 (from 4.12.5) to fix prototype pollution via
__proto__ key in parseBody({ dot: true }) (GHSA-v8w9-8mx6-g223)
- express-rate-limit: Update to 8.3.1 (from 8.2.x) to fix IPv4-mapped
IPv6 address bypass of per-client rate limiting (GHSA-46wh-pxpv-q5gq)
* fix: Use await polling instead of widened goroutine margin
Replace the point-in-time goroutine count check with await polling,
matching the pattern already used by TestLeaseRenewer_NoGoroutineLeak
in the same file. This tolerates transient runtime jitter while keeping
the assertion tight enough (+2) to detect the target bug.
---------
Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>
1 parent 6dff3c6 commit faba6be
2 files changed
Lines changed: 20 additions & 16 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
374 | 374 | | |
375 | 375 | | |
376 | 376 | | |
377 | | - | |
378 | | - | |
379 | | - | |
380 | | - | |
381 | | - | |
382 | | - | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
| 380 | + | |
| 381 | + | |
| 382 | + | |
| 383 | + | |
| 384 | + | |
| 385 | + | |
| 386 | + | |
383 | 387 | | |
384 | 388 | | |
385 | 389 | | |