feat: add script to automate updating bugsnag api client #392
|
|
||
| console.log(`Downloading generated client from ${link}...`); | ||
| const zipPath = "/tmp/bugsnag-client.zip"; | ||
| execSync(`curl -s "${link}" -o ${zipPath}`); |
Check failure
Code scanning / CodeQL
Uncontrolled command line Critical
Copilot Autofix
AI about 16 hours ago
In general, the safest fix is to avoid constructing shell command strings from untrusted input and instead use child_process APIs that accept the command and its arguments as separate parameters without invoking a shell (execFileSync, spawnSync, etc.). This prevents shell metacharacters in the input from being interpreted as part of the command.
For this specific case, we should replace the execSync curl invocation with a call to execFileSync (from the same child_process module) and pass link and zipPath as separate arguments. That preserves existing behavior (still calling curl -s <link> -o <zipPath>) but no longer runs through a shell, so link is only ever treated as a single argument. Concretely, in scripts/update-bugsnag-api.ts around line 68, change:
execSync(`curl -s "${link}" -o ${zipPath}`);
to:
execFileSync("curl", ["-s", link, "-o", zipPath]);
We also need to import execFileSync from child_process alongside the existing execSync import at the top of the same file. No other logic or files need to be changed.
| @@ -1,4 +1,4 @@ | ||
| import { execSync } from "child_process"; | ||
| import { execSync, execFileSync } from "child_process"; | ||
| import * as fs from "fs"; | ||
| import * as path from "path"; | ||
| import { Node, Project, SyntaxKind } from "ts-morph"; | ||
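Review bot: The import line keeps execSync alongside execFileSync, and the context further down still shows a shell-based call at `const extractedApi = execSync(`. If that command string also interpolates a variable such as the zip path, it should get the same execFileSync treatment so the script has one shell-free way of launching processes.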
| @@ -65,7 +65,7 @@ | ||
|
|
||
| console.log(`Downloading generated client from ${link}...`); | ||
| const zipPath = "/tmp/bugsnag-client.zip"; | ||
| execSync(`curl -s "${link}" -o ${zipPath}`); | ||
| execFileSync("curl", ["-s", link, "-o", zipPath]); | ||
|
|
||
| console.log("Extracting api.ts..."); | ||
| const extractedApi = execSync( |
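Review bot: On the `execFileSync("curl", ["-s", link, "-o", zipPath])` line, link is no longer parsed by a shell but curl still receives it unchecked, so a value beginning with "-" would be read as a curl option and any scheme curl supports would be followed. Parse it with new URL(link) and require https: (ideally an expected host) before the call. Two smaller points on the same lines: -s without --fail lets an HTTP error body be written to the zip and only surface at the extract step, and the fixed /tmp/bugsnag-client.zip path is predictable on a shared machine, so a directory from fs.mkdtempSync would be safer.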
Goal
Automate the previously manual process for updating the Bugsnag API client.
Design
The Bugsnag API client (src/bugsnag/client/api/api.ts) is generated from SwaggerHub but requires significant manual post-processing (removing duplicate imports, pruning object-oriented wrappers/factories we don't use, removing unused API exports, etc.).
This PR introduces an automated Node.js script (scripts/update-bugsnag-api.ts) using ts-morph and the Swagger generator API to automate the end-to-end process.
The new workflow is simply running npm run update:bugsnag-api.
This script handles:
swagger.json directly from SmartBear's public API.
typescript-fetch client via the Swagger Generator API.
node:url imports.
ts-morph to reliably delete object-oriented API classes, factories, FPs, and generic fetch APIs that aren't necessary.
npx biome check --write --unsafe.
prek pre-commit hooks.
Changeset
scripts/update-bugsnag-api.ts to orchestrate AST manipulation and network requests.
"update:bugsnag-api" to package.json scripts.
src/bugsnag/client/api/api.ts header comments to document the new 2-step process.
api.ts which has been generated and heavily trimmed by the new script, bringing it to the latest version of the spec.
Testing
Ran npm run update:bugsnag-api which successfully generated the new code, applied all AST transformations, stripped unused exports, formatted with biome, and passed prek checks.
Ran npm run test:run and confirmed all 894 unit tests continue to pass.
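A hardened form of the download step from the autofix comment above, as an added example that is not code from this PR or the project. It goes beyond the autofix by validating the link, failing on HTTP errors and using a private temp directory; the function names and the host in ALLOWED_HOSTS are assumptions.

```typescript
import { execFileSync } from "node:child_process";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Assumption: the only host the download link should point at (placeholder).
const ALLOWED_HOSTS = new Set(["generator.example.com"]);

// Reject anything that is not an absolute https URL on an expected host.
// A value that starts with "-" fails here, so it never reaches curl as an option.
export function validateDownloadLink(link: string): URL {
  const url = new URL(link); // throws TypeError on non-URL input
  if (url.protocol !== "https:") throw new Error(`refusing non-https link: ${link}`);
  if (!ALLOWED_HOSTS.has(url.hostname)) throw new Error(`unexpected host: ${url.hostname}`);
  return url;
}

// argv for curl: one array element per argument, no shell quoting involved.
// --fail turns HTTP errors into a non-zero exit instead of saving the error body.
export function curlArgs(link: string, outFile: string): string[] {
  const url = validateDownloadLink(link);
  return ["--silent", "--show-error", "--fail", "--proto", "=https",
          "--output", outFile, "--url", url.href];
}

// Private, uniquely named directory instead of a fixed path under /tmp.
export function makeDownloadPath(): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "bugsnag-client-"));
  return path.join(dir, "client.zip");
}

// Offline stand-in for curl: a child Node process that writes back its last
// argument, showing what a program started with execFileSync receives.
export function echoThroughExecFile(arg: string): string {
  const script = "process.stdout.write(process.argv[process.argv.length - 1])";
  return execFileSync(process.execPath, ["-e", script, arg], { encoding: "utf8" });
}

// The download step itself: validated link, argv array, private output path.
export function downloadClient(link: string): string {
  const zipPath = makeDownloadPath();
  execFileSync("curl", curlArgs(link, zipPath), { stdio: "inherit" });
  return zipPath;
}
```

echoThroughExecFile runs offline and returns a link containing &, quotes, $ or ; byte for byte, which is the property the autofix relies on.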