Pull request overview
This pull request upgrades Calcit from version 0.9.20 to 0.11.6, along with updating multiple dependencies and adding comprehensive LLM agent documentation. The upgrade includes changes to the build toolchain (moving to Yarn PnP), dependency management, and CI/CD configuration.
Changes:
- Core Calcit upgrade from 0.9.20 to 0.11.6 with corresponding dependency updates
- Addition of extensive LLM agent documentation (3 new markdown files totaling ~2600 lines)
- Migration to Yarn Plug'n'Play (PnP) with new loader file and .gitignore updates
- CI/CD workflow updates including Node.js and Yarn version changes
Reviewed changes
Copilot reviewed 9 out of 13 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| package.json | Upgraded @calcit/procs (0.9.20→0.11.6), dayjs (1.11.18→1.11.19), vite (7.1.11→7.3.0) |
| deps.cirru | Updated calcit-version and 9 dependencies to specific versions from "main" branches |
| compact.cirru | Auto-generated Calcit code with added :about field and :examples entries throughout |
| llms/Respo.md | New 920-line comprehensive Respo development guide for LLM agents |
| llms/Calcit.md | New 1083-line Calcit programming guide for AI agents with CLI commands |
| Agents.md | New 609-line Cumulo development guide for LLM agents |
| .pnp.loader.mjs | New 2126-line Yarn PnP ESM loader (generated) |
| .grok/settings.json | New Grok AI configuration file |
| .gitignore | Added .yarn/*.gz to ignore list |
| .gitattributes | Marked .pnp.* and llms/*.md as linguist-generated |
| .github/workflows/upload.yaml | Updated Node.js (20→24), actions/setup-node (v4→v6), removed cache config, added Corepack setup |
Files not reviewed (1)
- .pnp.loader.mjs: Language not supported
| @@ -1,9 +1,9 @@ | |||
|
|
|||
| {} (:package |app) | |||
| {} (:about "|file is generated - never edit directly; learn cr edit/tree workflows before changing") (:package |app) | |||
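Review bot: the `:about` string added at the top of compact.cirru states "file is generated - never edit directly; learn cr edit/tree workflows before changing", so the hunk `@@ -1,9 +1,9 @@` should itself be tool output rather than a hand edit. Please note in the pull request which `cr edit/tree` step regenerated compact.cirru, so reviewers can distinguish generated changes from manual ones in this file.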
The Calcit version "0.11.6" is being set in both package.json (@calcit/procs) and deps.cirru (:calcit-version). However, the compact.cirru file contains a warning message at line 2 stating the file is generated and should never be edited directly. Please verify that the compact.cirru changes were generated by the Calcit tooling and not manually edited.
| js/localStorage.setItem (:storage-key config/site) | ||
| format-cirru-edn $ [] username password |
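Review bot: `js/localStorage.setItem (:storage-key config/site)` is given `format-cirru-edn $ [] username password`, so the plaintext password is persisted under the site's storage key for the lifetime of the origin and is readable by any script that runs on the page. Keep the password out of client storage altogether: have the server issue a short-lived, revocable session token on login and store only that token, preferably in sessionStorage or an HttpOnly cookie rather than localStorage.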
The login workflow persists raw credentials to localStorage via js/localStorage.setItem with format-cirru-edn $ [] username password, which stores the username and password in cleartext in the browser. Any XSS or malicious third-party script on this origin can read these credentials and reuse them to impersonate users or pivot to other services where the same password is reused. Avoid storing passwords client‑side at all, or at minimum store only a short‑lived opaque token instead of plaintext credentials.
| @@ -1437,8 +1547,10 @@ | |||
| {} (:id op-id) (:name username) (:nickname username) | |||
| :password $ md5 password | |||
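Review bot: `:password $ md5 password` stores an unsalted MD5 digest next to `:id op-id` and `:name username`, which is not password hashing: MD5 is fast, and without a per-user salt two users with the same password produce the same digest, so a leaked user record can be reversed with precomputed tables or GPU brute force. Use a dedicated password hashing function (Argon2id or bcrypt) with a per-user salt and a tuned work factor, and record the hash scheme in the user record so any existing MD5 entries can be rehashed on the user's next successful login.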
User passwords are hashed with md5 before being stored, which is a weak and outdated algorithm designed for checksums rather than password storage. Attackers with read access to the user database or backup files can efficiently crack MD5 hashes (especially unsalted) using precomputed tables or GPUs and recover original passwords. Replace MD5 with a modern password hashing function (e.g., bcrypt, scrypt, Argon2) with per‑user salts and appropriate work factors to make offline cracking impractical.