
release: v0.5.8 — custom math evaluator, strict mode, dependency cleanup #85

Merged: VariableThe merged 4 commits into main from refactor/replace-expr-eval on Jun 29, 2026


@VariableThe VariableThe commented Jun 29, 2026

Owner

Release v0.5.8

Features & Highlights

  • Safer Math Evaluation: Replaced expr-eval (unpatched high-severity vulnerability) with a custom recursive-descent arithmetic evaluator. Zero dependencies, 2KB, supports all existing math and variable features.
  • TypeScript Strict Mode: Enabled strict: true across the entire codebase — catches null/type issues at compile time with zero new errors.
  • API Type Safety: Made the onEvent helper generic instead of using any, so event payloads are properly typed end-to-end.
  • CI Coverage Guardrails: Added minimum coverage thresholds (stmts 65%, branches 50%, funcs 55%, lines 65%) to vitest config.

Chores & Cleanup

  • Removed 4 unused dependencies (@tauri-apps/plugin-fs, @tauri-apps/plugin-shell, @emnapi/core, @emnapi/runtime).

Version Bumps & Docs

  • Bumped version to 0.5.8 across frontend and Tauri backend.
  • Added release note notes/New Features in v0.5.8.md.
  • Updated CHANGELOG.md and AUDIT_LOG.md.

Summary by CodeRabbit

  • New Features

    • Added a safer built-in arithmetic evaluator, improving expression handling across the app.
    • Enabled stricter type checking and added minimum test coverage targets.
  • Bug Fixes

    • Improved event payload typing for more reliable data handling.
    • Removed several unused packages, reducing app weight and maintenance overhead.
  • Chores

    • Updated the app version to 0.5.8 across project files.

- Replace expr-eval with custom arithmetic evaluator (fixes high-severity vulnerability)
- Enable TypeScript strict mode
- Remove unused dependencies (plugin-fs, plugin-shell, @emnapi)
- Fix any type in onEvent helper with proper generics
- Add coverage thresholds to vitest config

coderabbitai Bot commented Jun 29, 2026

Contributor


Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 950c1669-60d1-4747-9781-5cab3e4070a8

📥 Commits

Reviewing files that changed from the base of the PR and between 94dc0c5 and ed06c32.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • AUDIT_LOG.md
  • package.json
  • src/lib/evaluator.test.ts
  • src/lib/evaluator.ts
📝 Walkthrough

Walkthrough

Version 0.5.8 replaces the expr-eval dependency with a new custom recursive-descent arithmetic evaluator (src/lib/evaluator.ts). The evaluator is integrated into MathEvaluator.ts, VariableScope.ts, and useVariables.ts. TypeScript strict mode is enabled, onEvent gains generic payload typing, unused dependencies are removed, Vitest coverage thresholds are added, and version fields are bumped across manifests.

Changes

v0.5.8: Custom Evaluator, Strict Mode, Dependency Cleanup

| Layer / File(s) | Summary |
|---|---|
| Custom evaluator core and tests (src/lib/evaluator.ts, src/lib/evaluator.test.ts) | New recursive-descent parser with ParseError, tokenizer, and precedence-aware infix/unary/primary evaluation. evaluate(expression, scope) is the public API. Tests cover arithmetic, variables, and all error paths. |
| Replace expr-eval at call sites (src/lib/editor/MathEvaluator.ts, src/lib/editor/VariableScope.ts, src/hooks/useVariables.ts) | Imports of expr-eval Parser/Values replaced with the local evaluate helper at all evaluation call sites in the math and variable-scope update flows. |
| TypeScript strict mode and onEvent typing (tsconfig.app.json, src/api.ts) | compilerOptions.strict set to true; onEvent converted to onEvent<T> with listen<T> eliminating the any payload type and the associated eslint suppression. |
| Dependency removal and coverage thresholds (package.json, vite.config.ts) | Removes expr-eval, @tauri-apps/plugin-fs, @tauri-apps/plugin-shell, @emnapi/core, @emnapi/runtime; bumps version to 0.5.8; adds Vitest test.coverage.thresholds. |
| Version bumps and release docs (src-tauri/Cargo.toml, src-tauri/tauri.conf.json, CHANGELOG.md, AUDIT_LOG.md, notes/New Features in v0.5.8.md) | Version field bumped to 0.5.8 in Cargo and Tauri config. CHANGELOG, AUDIT_LOG, and release notes document all v0.5.8 changes including the security remediation for expr-eval. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • VariableThe/PaperCache#9: Modifies the same variable expression evaluation path in src/hooks/useVariables.ts, previously switching to lazy-loaded mathjs.
  • VariableThe/PaperCache#77: Modifies src/api.ts at the same onEvent helper, introducing the centralized subscription pattern that this PR now tightens with generic typing.

Poem

🐇 No more expr-eval in my warren today,
I carved my own parser from scratch, hip-hooray!
With tokens and precedence stacked in a tree,
TypeScript strict mode watches over me.
Old deps removed, the burrow feels light—
v0.5.8 hops proudly into the night! 🌙

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately captures the main release changes: custom evaluator, strict mode, and dependency cleanup. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🧹 Nitpick comments (1)
AUDIT_LOG.md (1)

12-12: 📐 Maintainability & Code Quality | 🔵 Trivial

Clarify dependency removal claim.

The statement that @tauri-apps/plugin-fs and @tauri-apps/plugin-shell are "not in Cargo.toml" is technically true but misleading — these are npm packages, not Rust crates, so they would never appear in Cargo.toml. Consider rephrasing to clarify they were removed from package.json and were unused in the JS/TS codebase.

-2. **Unused Dependency Removal**: Removed `@tauri-apps/plugin-fs`, `@tauri-apps/plugin-shell` (not in Cargo.toml), and `@emnapi/core`, `@emnapi/runtime` (not imported anywhere).
+2. **Unused Dependency Removal**: Removed `@tauri-apps/plugin-fs`, `@tauri-apps/plugin-shell`, and `@emnapi/core`, `@emnapi/runtime` from `package.json` (none were imported in the JS/TS codebase).
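Review bot: The `+` line extends the "not imported" rationale to all four packages, whereas the `-` line made that claim only for `@emnapi/core` and `@emnapi/runtime`; for the two `@tauri-apps` plugins the only stated reason was the Cargo.toml remark that is being dropped. Before adopting this wording, confirm with an import search that `@tauri-apps/plugin-fs` and `@tauri-apps/plugin-shell` are unreferenced in the JS/TS sources, so the audit log records a checked fact. The list punctuation "A, B, and C, D" is also ambiguous; a plain four-item list would read more clearly.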
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@AUDIT_LOG.md` at line 12, The dependency removal note is misleading because
it references Cargo.toml for npm packages; update the “Unused Dependency
Removal” entry in AUDIT_LOG.md to clearly state that `@tauri-apps/plugin-fs` and
`@tauri-apps/plugin-shell` were removed from package.json and were unused in the
JS/TS codebase, while keeping `@emnapi/core` and `@emnapi/runtime` described as
unused imports. Use the existing “Unused Dependency Removal” bullet to locate
and reword the claim without implying Rust crate metadata.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/evaluator.ts`:
- Around line 37-43: The numeric token handling in parseExpression/related
evaluator logic is too permissive and allows partial parses to be treated as
valid numbers. Tighten the NUMBER parsing path so only fully valid numeric
literals are emitted or converted, and reject malformed inputs like 1..2 instead
of falling back to parseFloat behavior. Update the affected evaluator flow and
any downstream conversion points used by VariableScope and useVariables so
invalid expressions remain strings/invalid rather than being coerced into a
number.
- Around line 154-170: Update the expression parsing in evaluator.ts so
exponentiation is right-associative and binds tighter than unary signs. The
current factor() loop and unary() ordering in the parser cause 2^3^2 and -2^2 to
be parsed incorrectly; refactor the parsing flow so power is parsed recursively
(right-associative) before unary operators are applied. Use the existing
factor(), unary(), and primary() methods as the main touchpoints, and add
regression tests covering both 2^3^2 and -2^2.

---

Nitpick comments:
In `@AUDIT_LOG.md`:
- Line 12: The dependency removal note is misleading because it references
Cargo.toml for npm packages; update the “Unused Dependency Removal” entry in
AUDIT_LOG.md to clearly state that `@tauri-apps/plugin-fs` and
`@tauri-apps/plugin-shell` were removed from package.json and were unused in the
JS/TS codebase, while keeping `@emnapi/core` and `@emnapi/runtime` described as
unused imports. Use the existing “Unused Dependency Removal” bullet to locate
and reword the claim without implying Rust crate metadata.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9c342086-43e4-4431-b747-b9c30610e6a6

📥 Commits

Reviewing files that changed from the base of the PR and between 646acb1 and 94dc0c5.

⛔ Files ignored due to path filters (2)
  • package-lock.json is excluded by !**/package-lock.json
  • src-tauri/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (14)
  • AUDIT_LOG.md
  • CHANGELOG.md
  • notes/New Features in v0.5.8.md
  • package.json
  • src-tauri/Cargo.toml
  • src-tauri/tauri.conf.json
  • src/api.ts
  • src/hooks/useVariables.ts
  • src/lib/editor/MathEvaluator.ts
  • src/lib/editor/VariableScope.ts
  • src/lib/evaluator.test.ts
  • src/lib/evaluator.ts
  • tsconfig.app.json
  • vite.config.ts

Comment thread src/lib/evaluator.ts
Comment thread src/lib/evaluator.ts Outdated
@VariableThe VariableThe merged commit 848285c into main Jun 29, 2026
4 checks passed
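
The two behaviours the inline review comments ask of the evaluator (numeric literals accepted only when complete, and `^` parsed right-associatively and binding tighter than a unary sign) are sketched below as an added example. This is not the project's src/lib/evaluator.ts: the grammar, tokenizer regex and error messages are assumptions, and only the names `evaluate(expression, scope)` and `ParseError` are taken from the walkthrough.

```typescript
class ParseError extends Error {}

// NUMBER must be a complete literal: "1..2" throws rather than truncating like parseFloat("1..2") === 1.
function tokenize(src: string): string[] {
  const re = /^\s*(?:\d+(?:\.\d+)?|\.\d+|[A-Za-z_]\w*|[-+*\/^()])/;
  const out: string[] = [];
  for (let rest = src.trim(); rest.length > 0; ) {
    const m = re.exec(rest);
    if (!m) throw new ParseError(`unexpected input: ${rest}`);
    out.push(m[0].trim());
    rest = rest.slice(m[0].length);
  }
  return out;
}
function evaluate(expression: string, scope: Record<string, number> = {}): number {
  const toks = tokenize(expression);
  let i = 0;
  const eat = (t: string): boolean => { if (toks[i] !== t) return false; i++; return true; };
  function expr(): number {    // expr := term (('+'|'-') term)*
    let v = term();
    while (toks[i] === "+" || toks[i] === "-") v = toks[i++] === "+" ? v + term() : v - term();
    return v;
  }
  function term(): number {    // term := unary (('*'|'/') unary)*
    let v = unary();
    while (toks[i] === "*" || toks[i] === "/") v = toks[i++] === "*" ? v * unary() : v / unary();
    return v;
  }
  function unary(): number {   // sign is applied after '^', so -2^2 = -(2^2)
    return eat("-") ? -unary() : eat("+") ? unary() : power();
  }
  function power(): number {   // exponent recurses, so 2^3^2 = 2^(3^2)
    const base = primary();
    return eat("^") ? Math.pow(base, unary()) : base;
  }
  function primary(): number { // variables: own properties only, so "constructor" is rejected
    const t = toks[i++] || "";
    if (t === "(") {
      const v = expr();
      if (!eat(")")) throw new ParseError("expected )");
      return v;
    }
    if (/^[\d.]/.test(t)) return Number(t);
    if (/^[A-Za-z_]/.test(t) && Object.prototype.hasOwnProperty.call(scope, t)) return scope[t];
    throw new ParseError(`unexpected token: ${t}`);
  }
  const result = expr();
  if (i < toks.length) throw new ParseError(`trailing token: ${toks[i]}`);
  return result;
}
```

Because the tokenizer never emits a partial number and the parser rejects leftover tokens, malformed input such as `1.2.3` fails as a whole instead of being coerced to `1.2`.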