Skip to content

Pypi#13

Merged
johnpmitsch merged 2 commits into
mainfrom
pypi
Apr 21, 2026
Merged

Pypi#13
johnpmitsch merged 2 commits into
mainfrom
pypi

Conversation

@johnpmitsch

@johnpmitsch johnpmitsch commented Apr 21, 2026

Copy link
Copy Markdown
Collaborator

Note

Medium Risk
Moderate risk because it changes packaging identifiers/metadata (name, version, Python support range) and introduces a new release workflow that can publish artifacts to PyPI if misconfigured.

Overview
Adds a new manual GitHub Actions workflow (publish-pypi.yml) to publish the Python wheels and sdist from a GitHub Release tag to PyPI using twine, including a guard that verifies the expected artifact counts before upload.

Renames the Python package from sdk to quicknode-sdk, bumps the version to 0.1.0a6, raises requires-python to >=3.11, and fills out PyPI metadata (authors, keywords, classifiers, and project URLs) across pyproject.toml, crates/python/pyproject.toml, and uv.lock.

Reviewed by Cursor Bugbot for commit 16ac47f. Bugbot is set up for automated code reviews on this repo. Configure here.

@johnpmitsch johnpmitsch merged commit 2202ce4 into main Apr 21, 2026
5 checks passed

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 16ac47f. Configure here.

--dir dist
gh release download "${{ inputs.tag }}" \
--pattern 'quicknode_sdk-*.tar.gz' \
--dir dist

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Script injection via unsanitized workflow input in shell

High Severity

${{ inputs.tag }} is directly interpolated into shell run commands, which is a well-known GitHub Actions script injection vulnerability. A user with write access could supply a crafted tag value (e.g., containing "; malicious-command #) that breaks out of the double quotes and executes arbitrary commands. Since this job later runs twine upload with access to PYPI_API_TOKEN, injected code could tamper with the dist/ contents before upload, enabling a supply chain attack on PyPI. The safe fix is to pass the input via an environment variable (env: TAG: ${{ inputs.tag }}) and reference "$TAG" in the shell.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 16ac47f. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant