Skip to content

chore(python): bump monty to v0.0.18#1809

Merged
chaliy merged 3 commits into
mainfrom
claude/awesome-cerf-5yLIt
May 29, 2026
Merged

chore(python): bump monty to v0.0.18#1809
chaliy merged 3 commits into
mainfrom
claude/awesome-cerf-5yLIt

Conversation

@chaliy
Copy link
Copy Markdown
Contributor

@chaliy chaliy commented May 29, 2026

What

Three related maintenance changes:

  1. Bump embedded Python (monty) to v0.0.18 — from rev 9b5f478 (0.0.17) to tag v0.0.18.
  2. Gate the ripgrep differential tests on the pinned rg version (15.1.0).
  3. Patch uuid CVE-2026-41907 in the examples lockfile.

Why

  • monty: keep the embedded Python interpreter current. v0.0.18 ships a breaking OsCall API change.
  • rg test gating: the differential tests compare byte-for-byte against the real rg binary, whose output formatting, accepted --colors specs, and built-in file types vary by release. CI pins ripgrep 15.1.0, but a mismatched local rg (e.g. distro 14.x) produced confusing byte-mismatch failures unrelated to any bashkit bug.
  • uuid: Dependabot alert GHSA-w5hq-g745-h8pq (medium) — uuid@10.0.0 (transitive via @langchain/langgraph) has a missing buffer bounds check in v3/v5/v6.

How

  • monty: OsCall replaced its name-only OsFunction enum + generic args/kwargs fields with a tagged OsFunctionCall carrying typed args, accessed via take_function_call(). handle_os_call now projects it through the public to_args() and dispatches on the stable name() string — per-op VFS logic unchanged. cargo vet --locked still passes (no new exemptions needed).
  • rg test gating: differential tests skip with a clear notice when the local rg is absent or a different version, and run fully against the pinned 15.1.0 as CI does.
  • uuid: the examples package.json declared overrides under a top-level overrides key, which pnpm ignores (it reads pnpm.overrides), so the intended uuid pin never applied. Moved the overrides under the pnpm key and regenerated the lockfile — uuid now resolves to 14.0.0 (≥ 11.1.1, the patched version); no vulnerable uuid@10.0.0 remains.

Tests / verification

  • cargo test --features python -p bashkit --lib → 2365 passed (59 python tests cover the monty API adaptation: open/read/write/stat/mkdir/iterdir/rename/getenv/datetime).
  • rg differential tests verified both ways: skip cleanly with local rg 14.1.0, run + pass against rg 15.1.0.
  • cargo fmt --check, cargo clippy --all-targets -- -D warnings, cargo vet --locked: all clean.
  • Examples lockfile regenerated with pnpm install --lockfile-only; resolves cleanly, --frozen-lockfile stays in sync.

Generated by Claude Code

chaliy added 3 commits May 29, 2026 20:35
@chaliy
chore(python): bump monty to v0.0.18
faa4b6d 
Update embedded Python (monty) from rev 9b5f478 (0.0.17) to tag v0.0.18.

The OsCall API changed: the name-only OsFunction enum plus generic
args/kwargs fields were replaced by a tagged OsFunctionCall carrying typed
args, exposed on OsCall via take_function_call(). Bridge handle_os_call to
the new shape using the public to_args() projection and dispatch on the
stable name() string, keeping per-op VFS logic unchanged.
@chaliy
test(rg): gate ripgrep differential tests on pinned version
03661ae 
The rg differential tests compare byte-for-byte against the real ripgrep
binary, whose output formatting, accepted --colors specs, and built-in file
types vary across releases. CI pins ripgrep 15.1.0 (RG_VERSION), but a
mismatched local rg (e.g. distro 14.x) produced confusing byte-mismatch
failures unrelated to any bashkit bug.

Gate the differential tests on the pinned version: skip with a clear notice
when the local rg is absent or a different version, and run fully against
15.1.0 as CI does.
@chaliy
fix(examples): patch uuid CVE-2026-41907 via pnpm overrides
f28e1fe 
The examples package declared dependency overrides under a top-level
"overrides" key, which pnpm ignores (it reads "pnpm.overrides"), so the
intended uuid pin never applied and the lockfile kept the vulnerable
uuid@10.0.0 (transitive via @langchain/langgraph). Move the overrides under
the pnpm key and regenerate the lockfile so uuid resolves to 14.0.0
(>= 11.1.1, the patched version), resolving the missing-bounds-check
advisory (GHSA-w5hq-g745-h8pq).
@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 29, 2026

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 bashkit f28e1fe Commit Preview URL

Branch Preview URL		 May 29 2026, 09:22 PM

@chaliy chaliy merged commit 2a02bbb into main May 29, 2026
34 checks passed
@chaliy chaliy deleted the claude/awesome-cerf-5yLIt branch May 29, 2026 22:44
chaliy added a commit that referenced this pull request May 30, 2026
@chaliy
chore(python): bump monty to v0.0.18 (#1809)
d04b4f5 
- chore(python): bump monty to v0.0.18 (adapt to tagged OsFunctionCall API)
- test(rg): gate ripgrep differential tests on pinned version 15.1.0
- fix(examples): patch uuid CVE-2026-41907 via pnpm.overrides (uuid 14.0.0)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chaliy