
[Review] Daily Deep Review — 2026-04-28: Repo stale 16 days, CI blocking all PRs, 3 new dependency PRs #235

@evan-zhang11

Daily Repository Deep Review — 2026-04-28

Summary

The repository has been stale for 16 days (last commit: 9f95d3d on 2026-04-12). Main branch CI is broken (verify check failing), and all 8 open PRs are blocked by systematic cargo fmt and frontend_unit failures that appear to originate from the main branch itself.

CI Status — Main Branch

  • verify: ❌ failure
  • Release jobs: skipped (expected for non-tag pushes)

Open PRs (8 total)

| PR | Title | CI status | Notes |
|---|---|---|---|
| #234 | bump resvg 0.44→0.47 | fmt❌ frontend_unit❌ | New (Apr 27). Semver-incompatible bump (pre-1.0 crate, minor version change); review API changes carefully |
| #233 | bump sha2 0.10→0.11 | fmt❌ frontend_unit❌ | New (Apr 27). Semver-incompatible bump (pre-1.0 crate, minor version change); breaking changes likely |
| #232 | bump 9 cargo minor/patch | fmt❌ tests❌ e2e❌ postgis_integration❌ | New (Apr 27). Multiple deps including axum 0.8.8→0.8.9 |
| #216 | bump 10 npm minor/patch | fmt❌ frontend_unit❌ | Open since Apr 12 |
| #215 | bump Rust 1.94→1.95 in Docker | fmt❌ frontend_unit❌ | Open since Apr 13 |
| #214 | bump action-gh-release 2→3 | fmt❌ frontend_unit❌ | Open since Apr 13 |
| #173 | feat: server file import | draft | Open since Mar; has merge conflicts |
| #65 | bump tower-sessions 0.14→0.15 | long-standing | Tracked in #68 |

Key Findings

1. Systematic CI Blockage (Critical)

Every open PR with a recent CI run fails cargo fmt and frontend_unit. This is not PR-specific; it is a main branch issue.

  • cargo fmt failure: Likely caused by unformatted code merged in PR feat(icons): add PNG/SVG icon upload and management #201 or earlier. A single cargo fmt commit on main would clear the fmt check on every open PR (the frontend_unit failure needs its own fix).
  • frontend_unit failure: Needs investigation — may be a test environment issue or a regression.

Recommendation: Fix main branch CI first (run cargo fmt, fix frontend tests), then re-run all PR CI.

2. Major Dependency Bumps Need Careful Review

3. PR #232 Has Most Failures

PR #232 (9 cargo minor/patch bumps) fails five checks: backend_fmt, backend_tests, frontend_unit, frontend_e2e and backend_postgis_integration. The fmt and frontend_unit failures are shared with every other PR, but the backend test and PostGIS integration failures are specific to this PR and suggest real breakage from the dependency changes.

4. Code Review of Recent Changes (commits since last review)

icon_handlers.rs (new, 460 lines) — Code quality review:

  • ✅ Path traversal protection using canonicalize + starts_with check
  • ✅ Parameterized SQL queries throughout
  • ✅ File size limit enforcement
  • ✅ Proper cleanup on upload failure (remove_dir_all)
  • ⚠️ SVG upload → resvg::usvg::Tree::from_data — XXE risk tracked in [Security] SVG upload: potential XXE (XML External Entity) attack vector #218
  • ⚠️ read_image_dimensions runs in spawn_blocking — good, but a parse error is collapsed into (None, None) for the dimensions with no error returned to the caller or the user, so icons whose dimensions cannot be read are silently accepted and stored.

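The two icon_handlers.rs points above (the canonicalize + starts_with path check, and the dimension read that degrades to (None, None)) in working form, as an added example that is not the project's code. It assumes a PNG-only upload and reads width/height straight from the IHDR chunk; the names IconError, lexical_only_check, safe_icon_path, png_dimensions, validate_icon and sample_png_header are hypothetical, and the 24-byte PNG header it feeds itself is constructed for the example, not a real file.

```rust
// Added example, not code from icon_handlers.rs or the project: a hardened
// pre-write check for an icon upload. It confines the destination path to the
// icon directory (canonicalize + starts_with, plus the lexical check a target
// that does not exist yet needs) and turns an unparseable PNG header into a
// hard error instead of (None, None). All names here are hypothetical.
use std::fs;
use std::io;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum IconError {
    BadFileName,       // '..', '/', nested path, or empty name
    OutsideIconDir,    // resolved path escaped the icon directory
    TooLarge,          // over the configured size limit
    UnsupportedFormat, // not a PNG, or too short to carry an IHDR chunk
    BadDimensions,     // IHDR present but width or height is zero
    Io(String),
}

impl From<io::Error> for IconError {
    fn from(e: io::Error) -> Self { IconError::Io(e.to_string()) }
}

/// The pitfall the canonicalize step exists to avoid (do not use this):
/// Path::starts_with compares components lexically, so "base/../x.png"
/// still "starts with" base and a traversal name passes.
pub fn lexical_only_check(base: &Path, file_name: &str) -> bool {
    base.join(file_name).starts_with(base)
}

/// Resolve `file_name` under `base`, refusing anything that could escape it.
/// fs::canonicalize fails on a path that does not exist yet, so the upload
/// target itself cannot be canonicalized; instead the name is limited to one
/// normal component and the existing base directory is canonicalized before
/// the starts_with check.
pub fn safe_icon_path(base: &Path, file_name: &str) -> Result<PathBuf, IconError> {
    let name = Path::new(file_name);
    let mut comps = name.components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(_)), None) => {}
        _ => return Err(IconError::BadFileName),
    }
    let canon_base = fs::canonicalize(base)?;
    let target = canon_base.join(name);
    if !target.starts_with(&canon_base) {
        return Err(IconError::OutsideIconDir);
    }
    Ok(target)
}

const PNG_SIG: [u8; 8] = [0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A];

/// Width and height from the PNG IHDR chunk. Malformed input is an error
/// the handler can report to the client, never a silent (None, None).
pub fn png_dimensions(bytes: &[u8]) -> Result<(u32, u32), IconError> {
    // signature (8) + chunk length (4, always 13 for IHDR) + "IHDR" (4) + width (4) + height (4)
    if bytes.len() < 24 || bytes[..8] != PNG_SIG || bytes[8..12] != [0, 0, 0, 13] || &bytes[12..16] != b"IHDR" {
        return Err(IconError::UnsupportedFormat);
    }
    let be = |s: &[u8]| u32::from_be_bytes([s[0], s[1], s[2], s[3]]);
    let (w, h) = (be(&bytes[16..20]), be(&bytes[20..24]));
    if w == 0 || h == 0 {
        return Err(IconError::BadDimensions);
    }
    Ok((w, h))
}

/// Everything that must hold before the upload touches disk: size limit,
/// path confinement, and parseable dimensions.
pub fn validate_icon(base: &Path, file_name: &str, bytes: &[u8], max_bytes: usize) -> Result<(PathBuf, (u32, u32)), IconError> {
    if bytes.len() > max_bytes {
        return Err(IconError::TooLarge);
    }
    let path = safe_icon_path(base, file_name)?;
    let dims = png_dimensions(bytes)?;
    Ok((path, dims))
}

/// Constructed sample input: the 24-byte PNG signature + IHDR prefix, enough
/// for png_dimensions but not a complete image file.
pub fn sample_png_header(w: u32, h: u32) -> Vec<u8> {
    let mut v = PNG_SIG.to_vec();
    v.extend_from_slice(&13u32.to_be_bytes());
    v.extend_from_slice(b"IHDR");
    v.extend_from_slice(&w.to_be_bytes());
    v.extend_from_slice(&h.to_be_bytes());
    v
}

fn main() {
    let base = std::env::temp_dir().join(format!("icons-example-{}", std::process::id()));
    fs::create_dir_all(&base).unwrap();
    let png = sample_png_header(64, 64);
    println!("{:?}", validate_icon(&base, "logo.png", &png, 1 << 20));
    println!("{:?}", validate_icon(&base, "../../etc/passwd", &png, 1 << 20));
    println!("{:?}", validate_icon(&base, "logo.png", b"<svg/>", 1 << 20));
    println!("naive check accepts traversal: {}", lexical_only_check(&base, "../x.png"));
    fs::remove_dir_all(&base).ok();
}
```

Two things the example makes concrete: Path::starts_with alone is a lexical test and accepts "../x.png", which is why the base must be canonicalized and the name restricted before the check; and a dimension reader that returns Result forces the handler to decide what to do with a bad image, where a (None, None) tuple lets it through unnoticed. The same error-not-None rule would apply to whatever the SVG branch returns from usvg.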
storage.rs (new, 36 lines) — Clean utility module, no issues.

import.rs (+1212 lines) — now 1585 lines total.

5. No New Security Vulnerabilities Found

Reviewed new code in icon_handlers.rs, storage.rs, and import.rs additions. Existing issues (#194, #206, #218, #219) cover known concerns. No new SQL injection vectors found.

Action Items

  1. Fix main branch CI — highest priority, blocks everything

  2. Review PR chore(deps): bump sha2 from 0.10.9 to 0.11.0 #233 (sha2 major bump) — check breaking changes before merge

  3. Review PR chore(deps): bump resvg from 0.44.0 to 0.47.0 #234 (three minor releases on a pre-1.0 crate, so potentially breaking): verify icon dimension parsing still works

  4. Consider closing or updating stale issues — 47 open issues, many may be outdated

No New Issues to Create

All findings are already tracked in existing issues (#223, #217, #218, #219, etc.). This review confirms existing issue accuracy.


This review was generated by the daily automated deep review cron job.
