Copilot/add mise and oxlint #8
base: main
Co-authored-by: danielbodnar <1790726+danielbodnar@users.noreply.github.com>
Deploying with
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ✅ Deployment successful! View logs | cloudx-sh | 65949e1 | Dec 24 2025, 01:08 AM |
Pull request overview
This pull request adds development tooling improvements and creates new template packages for a Cloudflare Workers/Sandbox SDK project.
Changes:
- Migrated from npm to bun for package management and replaced prettier/eslint with oxlint
- Added mise for tool version management with configuration in `.mise.toml`
- Created three new template packages: `template` (containers), `minimal` (sandbox), and `claude-code` (Claude Code integration)
Reviewed changes
Copilot reviewed 32 out of 41 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| package.json | Migrated scripts to use bun and oxlint instead of npm/prettier/eslint |
| package-lock.json | Updated dependencies including @cloudflare/sandbox to 0.6.7 and added oxlint |
| .mise.toml | New mise configuration defining tool versions and common tasks |
| Dockerfile | Added mise installation to container image |
| README.md, CLAUDE.md | Updated documentation to reflect bun/mise usage |
| packages/template/* | New template package for Cloudflare containers with Go backend |
| packages/minimal/* | New minimal sandbox SDK example package |
| packages/claude-code/* | New Claude Code integration example package |
Files not reviewed (1)
- packages/template/package-lock.json: Language not supported
| 1. **`/run`** - Executes Python code and returns the output | ||
| 2. **`/file`** - Creates a file, reads it back, and returns the contents |
Copilot
AI
Jan 11, 2026
The documentation refers to executing Python code in the example, but the actual implementation in src/index.ts shows shell commands using echo. The documentation should be updated to accurately reflect that the example executes shell commands, not Python code.
|
|
||
| Runs `python -c "print(2 + 2)"` and returns: |
Copilot
AI
Jan 11, 2026
The documentation states the example runs Python code, but the actual implementation uses a shell command with echo. This inconsistency should be corrected to match the actual implementation.
| @@ -0,0 +1,4 @@ | |||
| FROM docker.io/cloudflare/sandbox:0.6.7 | |||
| RUN npm install -g @anthropic-ai/claude-code | |||
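Review bot: The `FROM docker.io/cloudflare/sandbox:0.6.7` line references the base image by tag only, and a tag can be re-pointed at the registry after this change is reviewed. Consider appending the image digest (`:0.6.7@sha256:...`) so every rebuild starts from the same image content. The hunk header declares four added lines but only two are visible here, so the remaining lines are not covered by this comment.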
Copilot
AI
Jan 11, 2026
The RUN npm install -g @anthropic-ai/claude-code line pulls and executes a globally installed CLI from the npm registry without pinning a specific version or verifying integrity, creating a supply-chain risk. If the package or the npm distribution channel is compromised, a rebuild of this image would silently bake an attacker-controlled binary into the container, which would then run inside your sandbox with access to code and potentially secrets. To mitigate this, pin @anthropic-ai/claude-code to a specific, reviewed version and/or enforce integrity verification (for example via a lockfile, checksum, or signature validation) as part of the image build.
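One way to check for the pinning issue raised in the comment above, as an added example (not code from this pull request or from Copilot): a small Node.js audit that flags a `FROM` without a digest and an `npm install -g` without an exact version. The function names, the `0.0.0` version and the all-zero digest are placeholders constructed for the example.

```javascript
// Added example: audit Dockerfile text for unpinned base images and global npm installs.
// Split "name@version", keeping the leading "@" of a scoped name such as @scope/pkg.
function parseNpmSpec(spec) {
  const at = spec.lastIndexOf("@");
  if (at <= 0) return { name: spec, version: null }; // no "@", or only the scope "@"
  return { name: spec.slice(0, at), version: spec.slice(at + 1) };
}

// Only an exact x.y.z (optionally with a prerelease tag) counts as pinned;
// ranges (^1.2.3), dist-tags (latest) and a missing version do not.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function auditDockerfile(text) {
  const findings = [];
  // Join backslash continuations so a multi-line RUN is examined as one instruction.
  const lines = text.replace(/\\\r?\n/g, " ").split(/\r?\n/);
  for (const raw of lines) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const from = /^FROM\s+(?:--\S+\s+)*(\S+)/i.exec(line);
    if (from && from[1] !== "scratch" && !from[1].includes("@sha256:")) {
      findings.push({ rule: "base-image-not-digest-pinned", subject: from[1] });
    }
    if (!/^RUN\s/i.test(line)) continue;
    // Look at each shell command chained inside the RUN instruction.
    for (const cmd of line.replace(/^RUN\s+/i, "").split(/&&|;|\|\|/)) {
      const words = cmd.trim().split(/\s+/);
      if (words[0] !== "npm" || !["install", "i", "add"].includes(words[1])) continue;
      const flags = words.slice(2).filter((w) => w.startsWith("-"));
      if (!flags.includes("-g") && !flags.includes("--global")) continue;
      for (const spec of words.slice(2).filter((w) => !w.startsWith("-"))) {
        const { name, version } = parseNpmSpec(spec);
        if (!version || !EXACT_SEMVER.test(version)) {
          findings.push({ rule: "npm-global-install-unpinned", subject: name });
        }
      }
    }
  }
  return findings;
}

// The two Dockerfile lines visible in the hunk above.
const fromPr = "FROM docker.io/cloudflare/sandbox:0.6.7\n" +
  "RUN npm install -g @anthropic-ai/claude-code";
// Constructed pinned variant: the digest and the 0.0.0 version are placeholders.
const pinned = "FROM docker.io/cloudflare/sandbox:0.6.7@sha256:" + "0".repeat(64) +
  "\nRUN npm install -g \\\n  @anthropic-ai/claude-code@0.0.0";

console.log(auditDockerfile(fromPr));
console.log(auditDockerfile(pinned));
```

An exact version pins only the top-level package; its dependencies still resolve at build time, which is the gap the lockfile or checksum options in the comment address.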
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Daniel Bodnar <1790726+danielbodnar@users.noreply.github.com>
No description provided.