codeant-ai-for-open-source[bot] commented on PR #36756: URL: https://github.com/apache/superset/pull/36756#issuecomment-3673011220
## Nitpicks 🔍

🔒 **No security issues identified**

⚡ **Recommended areas for review**

- [ ] [**Missing Runtime Validation**](https://github.com/apache/superset/pull/36756/files#diff-c99ae4b2b09b756ab2189a99a9685229f9d12633fc2616c368ea869770f603bfR538-R780)
  The new flags are declared as a plain dict with many values. There is no runtime validation of key names or value types; typos or non-boolean values may silently cause incorrect behavior. Add checks to fail-fast during startup if values are invalid.
- [ ] [**Fragile DEFAULT_FEATURE_FLAGS detection**](https://github.com/apache/superset/pull/36756/files#diff-c0572d70185f0d91aea4df42841fcbb06ce801baa65cb0582833b144c01b393fR63-R67)
  The regex used to locate the DEFAULT_FEATURE_FLAGS dict is brittle: it requires an exact type annotation spelling and a particular placement of the closing brace. Variations (no type annotation, single quotes, different spacing/line breaks, nested braces or trailing comma on the same line) will cause the script to fail to locate the dict and exit. Consider a more robust approach (brace counting or AST-based extraction) to reliably find the dict contents.
- [ ] [**Fragile flag key/value parsing**](https://github.com/apache/superset/pull/36756/files#diff-c0572d70185f0d91aea4df42841fcbb06ce801baa65cb0582833b144c01b393fR99-R103)
  The flag detection regex only accepts double-quoted uppercase keys and exact True/False tokens on the same form. If keys use single quotes, lowercase, additional whitespace, inline comments, or there are trailing commas/formatting differences, flags may not be detected. Make the key/value pattern more flexible.
- [ ] [**Large Feature Flags Block**](https://github.com/apache/superset/pull/36756/files#diff-c99ae4b2b09b756ab2189a99a9685229f9d12633fc2616c368ea869770f603bfR538-R780)
  The PR adds a very large inline DEFAULT_FEATURE_FLAGS dict. This increases maintenance burden and risks drift between code and docs/feature extraction tooling. Validate any consumers that assume presence/absence of specific keys and ensure downstream code isn't broken by reordering/renaming.
- [ ] [**External Link Safety**](https://github.com/apache/superset/pull/36756/files#diff-f81fd8a91255770aa68d662a21840c2c0ee9996e2b136c74177ff7e7db841e49R26-R28)
  Anchor tags are rendered from the `flag.docs` value coming from JSON. If the value is an external URL, consider adding `target="_blank"` plus `rel="noopener noreferrer"`, and/or validate the URL scheme to avoid unsafe/relative redirects or inadvertent navigation behavior.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
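The first four review items (runtime validation, brittle dict detection, brittle key/value parsing, drift between the dict and the extraction tooling) all come down to the same fix: let Python's parser find and read `DEFAULT_FEATURE_FLAGS`, then check the result the same way at startup and in the extraction script. The following is an added example written for this page, not code from the Superset PR or the bot; `SAMPLE_CONFIG`, the function names and the UPPER_SNAKE_CASE key rule are constructed assumptions, and the sample deliberately contains the quoting, comment, trailing-comma and non-literal variations the comment says the regex trips over:

```python
"""Added example, not code from the Superset PR: find DEFAULT_FEATURE_FLAGS
with the ast module rather than a regex, and fail fast on malformed entries.
Function names, the key rule and the sample config are constructed here."""
import ast
import re

FLAGS_NAME = "DEFAULT_FEATURE_FLAGS"
KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")  # assumed naming rule for flag keys

# Constructed stand-in for a config module. It mixes the variations a
# line-oriented regex trips over: single quotes, an inline comment, a
# trailing comma, a non-literal value and a lowercase key.
SAMPLE_CONFIG = '''
import os

DEFAULT_FEATURE_FLAGS: dict[str, bool] = {
    "ENABLE_TEMPLATE_PROCESSING": False,  # inline comment
    'ALERT_REPORTS': True,
    "DASHBOARD_RBAC": bool(os.environ.get("X")),
    "nested": {"a": 1},
}

OTHER = {"UNRELATED": True}
'''


def extract_feature_flags(source: str) -> dict:
    """Return key -> value for the FLAGS_NAME dict literal in `source`.

    Literal values are evaluated with ast.literal_eval; anything else (a call,
    a name, ...) is kept as its source text so the validator can report it.
    Both `X = {...}` and `X: T = {...}` are accepted, with any quoting,
    spacing or comments, because the parser rather than a regex does the work.
    """
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.AnnAssign):
            targets = [node.target]
        elif isinstance(node, ast.Assign):
            targets = node.targets
        else:
            continue
        if not any(isinstance(t, ast.Name) and t.id == FLAGS_NAME for t in targets):
            continue
        if not isinstance(node.value, ast.Dict):
            raise ValueError(f"{FLAGS_NAME} is not a dict literal")
        flags = {}
        for key_node, value_node in zip(node.value.keys, node.value.values):
            if key_node is None:  # `**other` expansion: contents unknowable here
                raise ValueError(f"{FLAGS_NAME} uses ** expansion on line {value_node.lineno}")
            if not (isinstance(key_node, ast.Constant) and isinstance(key_node.value, str)):
                raise ValueError(f"non-string key on line {key_node.lineno}")
            try:
                flags[key_node.value] = ast.literal_eval(value_node)
            except ValueError:
                flags[key_node.value] = ast.unparse(value_node)
        return flags
    raise ValueError(f"{FLAGS_NAME} not found")


def validate_feature_flags(flags: dict) -> list:
    """Return human-readable problems; an empty list means the dict is valid.

    Works on the extracted literal and on the live dict at application startup.
    """
    problems = []
    for key, value in flags.items():
        if not isinstance(key, str) or not KEY_RE.match(key):
            problems.append(f"{key!r}: key is not UPPER_SNAKE_CASE")
        if not isinstance(value, bool):
            problems.append(f"{key!r}: value {value!r} is not True/False")
    return problems


def load_validated_flags(flags: dict) -> dict:
    """Fail-fast wrapper for startup: raise before any flag is ever read."""
    problems = validate_feature_flags(flags)
    if problems:
        raise ValueError("invalid feature flags:\n  " + "\n  ".join(problems))
    return dict(flags)


if __name__ == "__main__":
    extracted = extract_feature_flags(SAMPLE_CONFIG)
    for problem in validate_feature_flags(extracted):
        print("flag problem:", problem)
```

Running this on the sample reports three problems (the non-literal `DASHBOARD_RBAC` value, and both the name and the value of `"nested"`), while the two well-formed entries are read correctly despite the single quotes and inline comment. Using the same `validate_feature_flags` in config loading (`load_validated_flags(DEFAULT_FEATURE_FLAGS)`) and in the docs extraction script is what keeps the two from drifting.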
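For the last item, the point is that a `docs` value read from JSON decides what an anchor points at, so the value should be classified before it is rendered: only absolute `https` URLs or site-relative `/paths` are accepted, and only the external ones get `target="_blank"` with `rel="noopener noreferrer"`. The following is an added example for this page in Python (Superset renders the anchor in its frontend; the same check can sit wherever the JSON is produced or consumed), not code from the PR or the bot; `SAMPLE_FLAGS`, the function names and the allowed-scheme set are constructed assumptions:

```python
"""Added example, not code from the Superset PR: validate a `docs` link value
before it becomes an anchor, and add target/rel only for external URLs.
Names and sample data are constructed; the scheme allow-list is an assumption."""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: docs links are https or site-relative

# Constructed stand-in for the parsed feature-flag JSON.
SAMPLE_FLAGS = [
    {"name": "ALERT_REPORTS", "docs": "https://example.com/docs/flags"},
    {"name": "A", "docs": "/docs/a"},
    {"name": "B", "docs": "javascript:alert(1)"},
    {"name": "C", "docs": "//evil.example/x"},
    {"name": "D"},
]


def classify_docs_link(value) -> str:
    """Return "external" or "internal", or raise ValueError.

    Rejects javascript:/data:/mailto: and other schemes, protocol-relative
    "//host/..." values, and bare relative paths that would resolve against
    whatever page happens to render them.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("docs link must be a non-empty string")
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            raise ValueError(f"disallowed scheme or missing host: {value!r}")
        return "external"
    if value.startswith("/") and not value.startswith("//"):
        return "internal"
    raise ValueError(f"docs link must be an https URL or a /site/path: {value!r}")


def render_docs_anchor(text: str, href: str) -> str:
    """Build the anchor markup; external links get target + rel, all get escaping."""
    kind = classify_docs_link(href)
    attrs = f'href="{html.escape(href.strip(), quote=True)}"'
    if kind == "external":
        attrs += ' target="_blank" rel="noopener noreferrer"'
    return f"<a {attrs}>{html.escape(text)}</a>"


def check_docs_links(flags: list) -> dict:
    """Validate every flag's docs link in a parsed JSON list; return name -> error."""
    errors = {}
    for flag in flags:
        docs = flag.get("docs")
        if docs is None:
            continue  # a flag without a documentation link is fine
        try:
            classify_docs_link(docs)
        except ValueError as exc:
            errors[flag["name"]] = str(exc)
    return errors


if __name__ == "__main__":
    for name, error in check_docs_links(SAMPLE_FLAGS).items():
        print(f"{name}: {error}")
    print(render_docs_anchor("Docs", "https://example.com/docs/flags"))
```

Running `check_docs_links` in the extraction step, before the JSON is written, turns a bad link into a build failure rather than a rendered anchor; `render_docs_anchor` shows the per-link decision the renderer has to make.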
