Conversation
- CWE-915: Adds protection against prototype pollution in config.setKey() by blocking __proto__, constructor and prototype
- CWE-471: Implements defensive copying in state.ts using structuredClone() for getAll(), get() and update()
- CWE-400: Adds maxDepth=10 and maxFiles=500 limits to listIncFilesRecursive() to prevent excessive resource consumption
- CWE-79: Sanitizes the title attribute in the webview with escapeAttr() to prevent XSS
- Updates vulnerable dependencies (lodash, jws, qs, undici, brace-expansion) via npm audit fix
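The CWE-915 item above, illustrated with an added example that is not the project's own config.setKey() (the page does not show that code; the names setKeyUnsafe, setKey and demonstrate are hypothetical). It places a dotted-path setter without the guard next to one with it. The forbidden-segment check runs on every segment, not only the first, because "a.__proto__.x" climbs to Object.prototype just as "__proto__.x" does, and the hardened version additionally descends only through own properties and creates prototype-less containers so there is no chain to climb at all:

```typescript
// Added example (not the project's code): a dotted-path config setter with the
// CWE-915 guard the PR describes. setKeyUnsafe, setKey and demonstrate are
// hypothetical names chosen here; the real config.setKey() is not shown.

type Dict = Record<string, unknown>;

// Segments that let a caller step from a plain object onto Object.prototype.
const FORBIDDEN_SEGMENTS = new Set(["__proto__", "constructor", "prototype"]);

// Unguarded setter: walks or creates each intermediate object by name.
// For "__proto__.polluted", cur["__proto__"] is Object.prototype, so the final
// assignment lands on every object in the process.
export function setKeyUnsafe(target: Dict, path: string, value: unknown): void {
  const parts = path.split(".");
  let cur: any = target;
  for (let i = 0; i < parts.length - 1; i++) {
    if (cur[parts[i]] == null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
}

// Hardened setter: reject forbidden or empty segments anywhere in the path,
// descend only through own properties, and create prototype-less containers.
export function setKey(target: Dict, path: string, value: unknown): void {
  const parts = path.split(".");
  for (const p of parts) {
    if (p === "" || FORBIDDEN_SEGMENTS.has(p)) {
      throw new Error(`setKey: refusing unsafe key segment "${p}" in "${path}"`);
    }
  }
  let cur: Dict = target;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    // hasOwnProperty avoids reading inherited properties such as `toString`.
    let next = Object.prototype.hasOwnProperty.call(cur, k) ? cur[k] : undefined;
    if (next === null || typeof next !== "object") {
      next = Object.create(null) as Dict; // no prototype chain to climb
      cur[k] = next;
    }
    cur = next as Dict;
  }
  cur[parts[parts.length - 1]] = value;
}

// Drives both setters with a constructed attacker-controlled path and returns
// what happened, so the difference can be checked rather than just printed.
export function demonstrate(attackerPath = "__proto__.polluted"): {
  unsafePolluted: boolean;
  safeRejected: boolean;
  safeValue: unknown;
  cleanAfter: boolean;
} {
  const cfg: Dict = {};
  setKeyUnsafe(cfg, attackerPath, "owned"); // constructed attacker input
  const unsafePolluted = ({} as any).polluted === "owned"; // a fresh object now carries it
  delete (Object.prototype as any).polluted; // undo the global damage

  let safeRejected = false;
  try {
    setKey(cfg, attackerPath, "owned");
  } catch {
    safeRejected = true;
  }

  const cfg2: Dict = {};
  setKey(cfg2, "editor.fontSize", 14); // an ordinary nested key still works
  const safeValue = (cfg2.editor as Dict).fontSize;

  return {
    unsafePolluted,
    safeRejected,
    safeValue,
    cleanAfter: ({} as any).polluted === undefined,
  };
}
```

demonstrate() accepts the attacker path as a parameter so the "constructor.prototype.x" route, which reaches Object.prototype through the Object function rather than directly, can be exercised with the same code.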
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: dc1d738a38
| export async function listIncFilesRecursive(root: string, maxDepth = 10, maxFiles = 500): Promise<string[]> { | ||
| const out: string[] = []; | ||
| async function walk(dir: string) { | ||
| async function walk(dir: string, depth: number) { | ||
| if (depth > maxDepth || out.length >= maxFiles) return; |
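Review bot: the maxFiles guard on `if (depth > maxDepth || out.length >= maxFiles) return;` is only evaluated when walk() is entered, so a single directory holding more entries than the remaining budget can push well past maxFiles before the next recursive call re-checks; the per-entry loop (not shown in this hunk) should also test `out.length >= maxFiles` before each push. Truncation is also silent: when either cap trips, walk() simply returns and the caller gets a shorter array indistinguishable from a complete scan. Consider returning `{ files, truncated }` or emitting a warning when a cap is hit so callers such as the Includes tree can surface it. Finally, verify that the recursive call now passes `depth + 1`; the hunk shows the new `depth: number` parameter but not the call site, and without it depth never grows and maxDepth has no effect.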
Preserve full include scan by default
The new defaults in listIncFilesRecursive cap traversal to maxDepth = 10 and maxFiles = 500, and the Includes tree still calls it with no overrides (src/vscode/includeTree.ts, listIncFilesRecursive(root)), so larger or deeply nested include layouts now get silently truncated. In those workspaces, .inc files beyond the cap disappear from the tree and their natives are no longer discoverable, which is a functional regression rather than a performance-only change because there is no warning or fallback path.