
Fix: unguarded js method and trusted publishing npm#29

Merged
mahimairaja merged 4 commits into main from fix/unguarded-js-method on Feb 22, 2026

Conversation

mahimairaja (Contributor) commented Feb 21, 2026

Summary by CodeRabbit

Release Notes

  • Documentation

    • Added Node version requirement (>= 20.19.0) for local JavaScript development
  • Bug Fixes

    • Improved error handling for file system operations to gracefully handle read failures

@mahimairaja mahimairaja self-assigned this Feb 21, 2026
@mahimairaja mahimairaja added the bug Something isn't working label Feb 21, 2026
coderabbitai bot commented Feb 21, 2026

No actionable comments were generated in the recent review. 🎉

Walkthrough

Added error handling to JavaScript file system operations in the detector and report modules to gracefully handle failures. Modified CI workflows to remove push-based triggers and adjusted path filters. Updated JavaScript README to document Node version requirement.

Changes

CI/CD Workflow Updates (.github/workflows/publish-js.yml, .github/workflows/js.yml, .github/workflows/python.yml): Removed NODE_AUTH_TOKEN env variable from npm publish. Removed push triggers from js.yml and python.yml; expanded python.yml pull_request paths to include additional workflow files.

JS Package Error Handling (packages/js/src/detector.ts, packages/js/src/report.ts): Added try/catch blocks around file system operations (lstatSync, statSync, directory reads) to handle failures gracefully, returning defaults or empty arrays on errors.

JS Documentation (packages/js/README.md): Added development note documenting Node version requirement >= 20.19.0 for local JS development.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Whiskers twitch with joy so bright,
Errors caught both left and right!
CI workflows trimmed with care,
Node requirements declared fair.
Graceful fails, no crashes here—
Robustness is crystal clear!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately describes the main changes: fixing unguarded JavaScript methods (with error handling in detector.ts and report.ts) and implementing trusted publishing for npm (removing NODE_AUTH_TOKEN env variable).


mahimairaja (Contributor, Author) commented:

@coderabbitai review

coderabbitai bot commented Feb 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/js/src/detector.ts (1)

129-131: ⚠️ Potential issue | 🟡 Minor

Unguarded fs.statSync — inconsistent with the rest of the hardening in this PR.

fs.existsSync → fs.statSync is a TOCTOU: if package.json is removed (or a permission changes) between the two calls, statSync will throw and crash detectEnvironment — exactly the scenario the new try/catch on line 107 is meant to prevent for nodeModulesPath.

🛡️ Proposed fix
-  if (fs.existsSync(packageJsonPath)) {
-    const pkgStat = fs.statSync(packageJsonPath);
-    isOutdated = pkgStat.mtime.getTime() > modified.getTime();
-  }
+  try {
+    const pkgStat = fs.statSync(packageJsonPath);
+    isOutdated = pkgStat.mtime.getTime() > modified.getTime();
+  } catch {
+    // package.json unavailable or removed — leave isOutdated as false
+  }
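Review bot: the bare `catch {` at the end of the suggested block swallows every failure of `statSync`, not only an absent `package.json`; an EIO or EMFILE error would be silently reported as `isOutdated = false`. Bind the error and treat only "file not there" codes (`ENOENT`, `ENOTDIR`, and the permission codes) as the default case, rethrowing or at least logging anything else, so the hardening does not hide real filesystem faults.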
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/js/src/detector.ts` around lines 129 - 131, The call to fs.statSync
for packageJsonPath is unguarded and can throw on TOCTOU races; update
detectEnvironment to wrap the stat call in a try/catch (similar to the
nodeModulesPath handling) around const pkgStat = fs.statSync(packageJsonPath)
and the subsequent isOutdated assignment so a thrown error is caught and handled
(e.g., leave isOutdated false or log/debug and continue) rather than letting
detectEnvironment crash; reference packageJsonPath, pkgStat, isOutdated, and
detectEnvironment when making the change.
🧹 Nitpick comments (1)
packages/js/src/detector.ts (1)

122-123: ?? null is dead code on stat.birthtime / stat.mtime.

fs.Stats.birthtime and fs.Stats.mtime are always Date objects — they are never undefined or null, so the nullish-coalescing fallback can never trigger. On filesystems that don't track creation time, Node.js sets birthtime to the epoch (1970-01-01) rather than null.

♻️ Suggested cleanup
-  const created = stat.birthtime ?? null;
-  const modified = stat.mtime ?? null;
+  const created = stat.birthtime;
+  const modified = stat.mtime;
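Review bot: dropping `?? null` narrows `created` and `modified` from `Date | null` to `Date`, so check the declared return type of `detectEnvironment` and any consumer that compares these fields against `null`. As the comment above notes, on filesystems without creation-time support `birthtime` is the epoch rather than `null`, so a consumer that treats `created` as a meaningful timestamp still needs to handle that sentinel; the cleanup removes dead code but not that edge case.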
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/js/src/detector.ts` around lines 122 - 123, The nullish-coalescing
fallbacks are unnecessary because fs.Stats.birthtime and fs.Stats.mtime are
always Date objects; update the code that assigns created and modified (the
const created = stat.birthtime ?? null; and const modified = stat.mtime ?? null;
in detector.ts) to directly use stat.birthtime and stat.mtime (remove the "??
null") so the values remain Date instances and avoid dead code.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/js/package.json`:
- Around line 35-37: The package.json currently sets "engines" -> "node":
">=20.19.0", which is a semver-breaking floor that will reject Node 18/19 users;
either revert to a wider range (e.g., >=18 || >=20.19.0 or >=18.0.0) if you
intend to keep supporting Node 18/19, or if the Node 20.19.0-only requirement is
intentional, bump the package "version" and add an explicit note in the
changelog documenting the breaking change and rationale; locate the "engines"
entry and update it, and update the package.json "version" and the project
changelog accordingly (reference keys: "engines", "node": ">=20.19.0",
"version", and the changelog file).


@mahimairaja mahimairaja merged commit a486b44 into main Feb 22, 2026
3 checks passed
