Skip to content

[spark-compete] tolerate malformed package scripts#1423

Open
Aeyod7 wants to merge 1 commit into
vibeforge1111:masterfrom
Aeyod7:spark-fresh-bughunt-20260607
Open

[spark-compete] tolerate malformed package scripts#1423
Aeyod7 wants to merge 1 commit into
vibeforge1111:masterfrom
Aeyod7:spark-fresh-bughunt-20260607

Conversation

@Aeyod7

@Aeyod7 Aeyod7 commented Jun 7, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Spark Compete Packet

{
  "schema": "spark-compete.packet.v1",
  "event": "submit",
  "submission_mode": "pr_review",
  "submission_target_url": "https://github.com/vibeforge1111/spark-cli/pull/1423",
  "team": "ARC DEBUG TEAM",
  "members": [
    "Aeyod7",
    "Shady-web",
    "AlgofootPrint"
  ],
  "author": "Aeyod7",
  "target_repo": "vibeforge1111/spark-cli",
  "issue": "Malformed npm package scripts could crash direct_node_package_script_argv with ValueError instead of failing closed.",
  "evidence": [
    "Before patch: direct_node_package_script_argv('npm run dev', package root with scripts.dev = 'node \"unterminated') raised ValueError: No closing quotation.",
    "After patch: the same malformed package script returns None instead of throwing.",
    "Focused tests passed: 3 passed in 0.09s.",
    "Full CLI test file passed: 664 passed, 1 skipped, 160 subtests passed in 14.20s.",
    "compileall and git diff --check both passed."
  ],
  "proposed_fix": "Catch ValueError alongside SystemExit in direct_node_package_script_argv when parsing package scripts and return None for malformed scripts; add regression coverage.",
  "pr": {
    "url": "https://github.com/vibeforge1111/spark-cli/pull/1423",
    "title": "[spark-compete] tolerate malformed package scripts",
    "branch": "Aeyod7:spark-fresh-bughunt-20260607"
  },
  "review_claim": "pr_review"
}

actual_behavior

A malformed package.json npm script with an unterminated quote could crash the package-script fast path:

{"scripts": {"dev": "node \"unterminated"}}

Calling direct_node_package_script_argv("npm run dev", root) raised:

ValueError: No closing quotation

expected_behavior

Malformed package scripts should fail closed and return None, matching the surrounding fallback behavior for missing package files, invalid JSON, absent scripts, empty scripts, and command-splitting failures. Spark CLI startup/runtime handling should not crash just because a local npm script is malformed.

repro_steps

  1. Create a temporary package root with package.json containing {"scripts": {"dev": "node \\"unterminated"}}.
  2. Call direct_node_package_script_argv("npm run dev", root).
  3. Before this patch, the helper raised ValueError: No closing quotation.
  4. After this patch, the helper returns None.

before_after_proof

  • Before proof: targeted repro raised ValueError: No closing quotation from direct_node_package_script_argv.
  • After proof: the same targeted repro printed None.
  • Changed behavior is covered by SparkCliTests::test_direct_node_package_script_argv_returns_none_for_malformed_package_script.

tests_or_smoke

PYTHONPATH=src python3 -m pytest tests/test_cli.py::SparkCliTests::test_direct_node_package_script_argv_returns_none_for_malformed_package_script tests/test_cli.py::SparkCliTests::test_direct_node_package_script_argv_resolves_vite_without_cmd_wrapper tests/test_cli.py::SparkCliTests::test_direct_node_package_script_argv_resolves_ts_node_without_cmd_wrapper -q
# 3 passed in 0.09s

PYTHONPATH=src python3 -m pytest tests/test_cli.py -q
# 664 passed, 1 skipped, 160 subtests passed in 14.20s

PYTHONPATH=src python3 -m compileall -q src tests
# passed

git diff --check
# passed

duplicate_notes

Checked this as a focused malformed package.json npm-script crash in direct_node_package_script_argv. No clear existing PR was found for this exact package-script ValueError path. Related malformed runtime command quote lanes were treated as weaker / possibly duplicate and were not included here.

risk_notes

Small CLI-owned defensive parsing fix. It only broadens the existing failure handling around package-script command splitting from SystemExit to SystemExit or ValueError, returning None so the caller can use normal fallback behavior. No secrets, credentials, installer publication, or external network behavior changed.

review_claim

pr_review

Contributor Checklist

  • This PR is one focused fix, not a stack of unrelated fixes.
  • The packet above is complete and valid JSON.
  • Repro, before/after proof, tests, duplicate notes, and risk notes are included.
  • No secrets, tokens, private logs, PDFs, archives, binaries, or unknown downloads are included.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Aeyod7