Skip to content

issues Search Results · language:Edge language:Python linked:pr language:TypeScript language:TypeScript language:JavaScript

Filter by

7.9M results  (384 ms)

7.9M results

openhoo/hootifactory
[reliability][medium] Mail batch failure re-delivers already-sent siblings; keyless emails double-send; claim-then-send loses email on crash

Problem packages/queue/src/runtime.ts:169-187 processes a pg-boss batch sequentially in one handler promise — one thrown job fails the whole batch, re-delivering already-sent siblings. Jobs with a deliveryKey ...
bug
deep-review
severity:medium
  • wakemeup0
  • Opened 
    3 hours ago
  • #316

cbcoutinho/nextcloud-mcp-server
[Bug]: Updating all-day calendar events with date-only `start_datetime` / `end_datetime` serializes invalid iCalendar DATE values

Summary When updating an existing all-day calendar event through nc_calendar_update_event, passing date-only values such as 2026-06-26 for start_datetime / end_datetime can produce invalid iCalendar output ...
bug
  • silviuchingaru
  • Opened 
    3 hours ago
  • #895

openhoo/hootifactory
[reliability][medium] getBoss() caches a rejected start promise — one transient failure disables pg-boss (email) until restart

Problem packages/queue/src/index.ts:30-49 — if boss.start() / createQueue rejects, startPromise is never reset, so every subsequent enqueue/work returns the same rejected promise until process restart. ...
bug
deep-review
severity:medium
  • wakemeup0
  • Opened 
    3 hours ago
  • #315

openhoo/hootifactory
[reliability][medium] Upload-session reaper does S3 I/O inside its transaction and silently leaks staging data on delete failure

Problem packages/registry-application/src/content/upload-sessions.ts:166-193 — reapExpiredContentUploadSessions deletes S3 staging keys while holding FOR UPDATE locks on up to 100 rows (same idle-in-tx ...
bug
deep-review
severity:medium
  • wakemeup0
  • Opened 
    3 hours ago
  • #314

openhoo/hootifactory
[reliability][high] S3 PUT awaited inside open DB transactions holding advisory locks (storeBlobWithRef, upsertPackageVersionWithBlobRef)

Problem packages/registry-application/src/content/blobs.ts:285-289 and packages/versions.ts:128-135 await blobStore.put() inside db.transaction after lockDigestTx. With DATABASE_IDLE_IN_TRANSACTION_SESSION_TIMEOUT_MS ...
bug
deep-review
severity:high
  • wakemeup0
  • Opened 
    3 hours ago
  • #313

openhoo/hootifactory
[security][info] setUserActive(false) irreversibly deletes memberships and all grants — reactivation restores nothing

packages/auth/src/access-management.ts:108-133 — deactivation deletes the user s group memberships, org memberships, and all permissionGrants (including source= bootstrap system-admin grants). Reactivating ...
deep-review
severity:info
  • wakemeup0
  • Opened 
    3 hours ago
  • #312

openhoo/hootifactory
[security][info] Password policy is length-only (min 8) — consider breached-password checks

apps/api/src/routes/auth-schemas.ts:14,31 — passwords require only min(8); no complexity or breached-password check. Consider a HIBP k-anonymity check and/or a higher minimum for admin accounts. Acceptable ...
deep-review
enhancement
severity:info
  • wakemeup0
  • Opened 
    3 hours ago
  • #311

openhoo/hootifactory
[security][low] Latent XSS sink: chart.tsx injects config values into <style> via dangerouslySetInnerHTML

Problem apps/web/src/components/ui/chart.tsx:93-108 uses dangerouslySetInnerHTML to inject id and color values into a style block without sanitization. Today the config is app-defined (id from useId), ...
bug
deep-review
severity:low
  • wakemeup0
  • Opened 
    3 hours ago
  • #310

happyvertical/smrt
@happyvertical/smrt-tenancy: beforeList false-positive on array tenant filter ({tenantId:[ctx]}) — breaks permission resolution

Summary @happyvertical/smrt-core@0.28.1. Permission resolution throws a tenant-isolation violation where the expected and actual tenant IDs are identical: [tenancy] Failed to resolve permissions: TenantViolationError: ...
  • willgriffin
  • 1
  • Opened 
    3 hours ago
  • #1495

openhoo/hootifactory
[security][low] Document that SCANNER_CLI_RUNTIME=host removes all scanner sandboxing

Problem packages/scanner/src/runtime.ts:51-65 — in host mode the scanner binary runs directly on the host: no --network none, --read-only, cap-drop, mem/pids caps; only the timeout applies. A malicious ...
deep-review
documentation
severity:low
  • wakemeup0
  • Opened 
    3 hours ago
  • #309
Issue origami icon

Learn how you can use GitHub Issues to plan and track your work.

Save views for sprints, backlogs, teams, or releases. Rank, sort, and filter issues to suit the occasion. The possibilities are endless.Learn more about GitHub Issues
ProTip! Restrict your search to the title by using the in:title qualifier.
Issue origami icon

Learn how you can use GitHub Issues to plan and track your work.

Save views for sprints, backlogs, teams, or releases. Rank, sort, and filter issues to suit the occasion. The possibilities are endless.Learn more about GitHub Issues
ProTip! Restrict your search to the title by using the in:title qualifier.