I do deep commit-level analysis on actively maintained open source projects, looking for behavioral contract changes that slip past code review: silent return value mutations, exception scope widening, broken caller assumptions, wrong entity types in API calls.
When I find something real, I report it with a reproducible description and a suggested fix.
Full writeups with code: oss-findings
| Date | Repo | What | Severity | Status |
|---|---|---|---|---|
| Jun 16 | magento/magento2 | #40882: NoSuchEntityException race in InvalidSkuProcessor bulk price API | High | PR #40883 (pending) |
| Jun 5 | codeceptjs/CodeceptJS | PR #5639: --shuffle flag silently ignored after commit #5438 | High | Merged |
| Jun 14 | midjourney-api | #294: ChannelId used as ServerId in guild API | High | Open |
| Jun 14 | midjourney-api | #295: Dead code in cacheCommand(), cache never populated | Medium | Open |
| Jun 14 | bagisto/bagisto | #11338: getClientOriginalName() path traversal in RMAImageRepository (incomplete security fix) | Critical | Open |
| Jun 14 | bagisto/bagisto | #11339: v-html XSS in Shop views, product_name and datagrid columns unescaped | High | Open |
| Jun 13 | MoneyPrinterTurbo | PR #1033: CLI local source validation fix | Medium | Merged |
| Jun 10 | MoneyPrinterTurbo | #1013: Groq model unvalidated on list-fetch failure | Medium | Fixed in PR #1014 |
| Jun 4 | medusajs/medusa | Discussion #15550: Race condition in compensatePaymentIfNeededStep | High | Watching |
| Jun 4 | MoneyPrinterTurbo | #985: >= comparison risk in duration check | Medium | Community PR expected |
| Jun 4 | MoneyPrinterTurbo | #984: Qwen empty choices[] causes unhandled crash | High | Fixed in PR #994 |
| Jun 4 | Understand-Anything | Discussion: commit analysis findings | Medium | Watching |
| Repository | Language | Stars | Finding |
|---|---|---|---|
| harry0703/MoneyPrinterTurbo | Python | 22K+ | 3 bugs found, 3 fixed |
| medusajs/medusa | TypeScript | 28K+ | Race condition in async workflow step |
| erictik/midjourney-api | TypeScript | 1.8K | 2 bugs found |
| apify/crawlee-python | Python | 9K+ | Silent URL filtering behavior change |
| tox-dev/tox | Python | 4K+ | Config override namespace risk |
| gptme/gptme | Python | 4K+ | LLM routing logic analysis |
| Lum1104/Understand-Anything | Python | - | Commit analysis findings |
| acacode/swagger-typescript-api | TypeScript | 4K+ | Analyzed, no actionable findings |
| bagisto/bagisto | PHP | 9.1K+ | 2 security bugs found |
| aws/aws-sam-cli | Python | 6.7K | Analyzed, no actionable findings |
| codeceptjs/CodeceptJS | JavaScript | 10K+ | shuffle regression, PR #5639 merged |
| magento/magento2 | PHP | 14K+ | NoSuchEntityException race condition in bulk price API |
| Metric | Count |
|---|---|
| Issues Opened | 10 |
| PRs Submitted | 3 |
| PRs Merged | 4 (accepted by maintainers) |
| Discussions | 2 |
| Repos Analyzed | 12 |
| Confirmed Bugs | 6 |