chore: sync quickjs-ng release v0.15.0#742
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates QuickJS-NG to version 0.15.0, implementing TC39 Explicit Resource Management and adding atob/btoa intrinsics. It resolves several bugs, including a heap-use-after-free vulnerability in array length handling and an out-of-bounds write during array expansion. The update also introduces a security policy and expands the test suite. Reviewer feedback identifies typos in the new security documentation and inconsistent indentation in a test file.
| - **The threat model matches QuickJS.** The bug must be reachable from | ||
| untrusted JavaScript source running in an otherwise trusted embedder. Bugs | ||
| that require loading untrusted bytecode, passing crafted values through the | ||
| C API, or otherwise compromiing the embedder are out of scope (see above). |
There was a problem hiding this comment.
Typo: "compromiing" should be "compromising".
| with marginal or speculative findings makes the catalog less useful for the | ||
| people who actually rely on it. | ||
|
|
||
| We **mnight** request a CVE when an issue: |
There was a problem hiding this comment.
Typo: "mnight" should be "might". Also, there is an extra space after the word.
|
|
||
| - Crashes or assertion failures that require malicious bytecode, crafted C | ||
| API input, or other embedder compromise (out of scope, see above). | ||
| - Bugs found purely by running a publicly available AI tool against the code, |
There was a problem hiding this comment.
There is a double space between "available" and "AI".
| print("PASS: got graceful error:", e.message); | ||
| } else { | ||
| throw e; // unexpected — re-throw | ||
| } |
There was a problem hiding this comment.
The indentation in this block is inconsistent (mixing 2, 6, and 8 spaces). It should consistently use 4-space increments to match the surrounding code.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #742 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 17 17
Lines 3705 3705
=========================================
Hits 3705 3705 Continue to review full report in Codecov by Sentry.
🚀 New features to boost your workflow:
|
1 participant
Sync vendored quickjs-ng sources to v0.15.0.
Release: https://github.com/quickjs-ng/quickjs/releases/tag/v0.15.0
This PR was generated automatically by the scheduled quickjs-ng release sync workflow.