Daily Deep Review — 2026-05-05
Last commit: 2026-04-12 (23 days stale)
New commits since last review: 0
CI status: Nightly ❌ (cargo fmt still failing on font_handlers.rs/icon_handlers.rs — #238)
Open PRs (8 total)
Nothing can merge while CI on main is red (#238); per-PR check status:
| PR | Description | Status |
|---|---|---|
| #232 | cargo minor-patch (9 updates) | ✅ checks pass |
| #233 | sha2 0.10→0.11 | ❌ blocked |
| #234 | resvg 0.44→0.47 | ❌ blocked |
| #216 | npm minor-patch (10 updates) | ✅ checks pass |
| #215 | Rust 1.95 Docker image | ✅ checks pass |
| #214 | action-gh-release v3 | ✅ checks pass |
| #173 | Server file import (feat) | ❌ merge conflicts |
| #65 | tower-sessions 0.15.0 | ❌ long-standing |
Key Observations
Recommended Priority
🔴 Fix #238 (ci: cargo fmt fails on font_handlers.rs and icon_handlers.rs, rustfmt line-length enforcement). This unblocks every other PR.
🟡 Merge #232 (cargo-minor-patch group, 9 updates) and #216 (npm-minor-patch group, 10 updates): dependency updates whose checks already pass.
🟡 Review #233 (sha2 0.10.9 → 0.11.0): major version bump, breaking API changes possible.
🟡 Review #234 (resvg 0.44.0 → 0.47.0): major version bump, may change SVG icon handling.
Tracked Issues Summary (30+ open)
CI:
- #238 ci: cargo fmt fails on font_handlers.rs and icon_handlers.rs (rustfmt line-length enforcement)
- #225 fix: Cargo.lock missing num-rational package entry causing cargo audit failure
- #223 fix: main branch CI broken — cargo fmt and biome check failures since 2026-04-12
Security:
- #237 security: SVG icon served inline enables stored XSS
- #218 [Security] SVG upload: potential XXE (XML External Entity) attack vector
- #219 [Security] DefaultBodyLimit::disable() globally disables the request body size limit
- #240 security: 4 npm vulnerabilities — Vite path traversal, picomatch ReDoS, postcss XSS, proto pollution
Code quality:
- #244 code-quality: db.rs grown to 1763 lines — connection management, migrations, and utilities should be split into modules
- #241 code-quality: import.rs grown to 1584 lines — OGC_FID workaround logic should be extracted
- #230 code-quality: App.jsx grown to 2111 lines (was 612) — needs splitting
- #229 code-quality: workspace_handlers.rs at 1259 lines — needs module split
- #227 code-quality: handlers.rs grown to 1626 lines (was 882) — needs splitting
Docs:
- #243 docs: behaviors.md missing icon API and several endpoint documentation
- #231 docs: behaviors.md missing API for tile zoom update (PATCH /api/files/:id/zoom)
- #228 docs: behaviors.md missing Icon Upload/Management API (ICON-001~003)
- #212 docs: Major documentation gaps in behaviors.md — workspace, PostGIS, settings, and file-level APIs undocumented
Tests:
- #236 test: no automated tests for icon upload/management handlers
This is an automated daily review by @evan-zhang11.