You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
PR #247 synced the vendored skillopt_sleep engine to upstream v0.2.0. Gemini Code Assist raised 9 findings on the vendored files, which we declined to patch locally (vendored code is read-only here — fixes belong upstream, see plugins/skillopt-sleep/README.md).
[HIGH] backend.py CliBackend: self._tokens / self._cache mutated from ThreadPoolExecutor threads without a lock (r3522428847), same for CopilotCliBackend (r3522428850), AzureOpenAIBackend (r3522428852), AzureResponsesBackend (r3522428855)
[MEDIUM] backend.py: last_call_error not set on Azure backend failures (r3522428858, r3522428860)
[MEDIUM] harvest_codex.py: per-file parse exceptions abort the whole harvest (r3522428863)
Codacy additionally flagged bandit/flake8-level issues in the same files (see PR #247 Codacy comment); vendored paths are now excluded via .codacy.yml.
Context
PR #247 synced the vendored
skillopt_sleepengine to upstream v0.2.0. Gemini Code Assist raised 9 findings on the vendored files, which we declined to patch locally (vendored code is read-only here — fixes belong upstream, seeplugins/skillopt-sleep/README.md).Findings to report upstream (microsoft/SkillOpt)
scheduler.py_runner_cmd: shell command assembled withoutshlex.quoteescaping — command injection risk / breakage on paths with spaces (feat(skillopt-sleep): sync vendored engine to upstream v0.2.0 #247 (comment))backend.pyCliBackend:self._tokens/self._cachemutated from ThreadPoolExecutor threads without a lock (r3522428847), same for CopilotCliBackend (r3522428850), AzureOpenAIBackend (r3522428852), AzureResponsesBackend (r3522428855)backend.py:last_call_errornot set on Azure backend failures (r3522428858, r3522428860)harvest_codex.py: per-file parse exceptions abort the whole harvest (r3522428863)tasks_file.py: list-form tasks file never getsreviewed: true, blocking real-backend runs (r3522428866)Codacy additionally flagged bandit/flake8-level issues in the same files (see PR #247 Codacy comment); vendored paths are now excluded via
.codacy.yml.Action
sync-upstream.shrun, verify whether upstream addressed them