Warden weekly sweep #436

@github-actions

Warden Scheduled Scan Results

Run: 2026-06-22T08:04:45.242Z
Commit: 5127139

Summary

Severity Count
High 2
Medium 1
Low 3

Findings

src/utils/template-manager.ts

  • Y9G-94H process.chdir in async download causes global CWD race condition (L104-L117) · high
    Using process.chdir(tempDir) before unzip mutates the global process working directory; concurrent template downloads (or any other concurrent async operation using relative paths or process.cwd()) will race and may run in the wrong directory. Use unzip -q -d tempDir zipPath instead to scope extraction without touching the global CWD.

src/utils/xcodemake.ts

  • QXE-HDK xcodemake auto-installs an unpinned script from GitHub main with no integrity check (L62-L73) · high
    The installXcodemake function fetches xcodemake from the main branch of an external GitHub repo, writes it to a temp directory, marks it executable, and runs it — with no commit pin and no checksum verification. A compromised upstream repo would result in arbitrary code execution on the developer's machine.
    Suggested fix: Pin the download URL to a specific release tag or commit SHA, and verify the downloaded content against a known SHA-256 checksum before writing or executing it.

src/utils/renderers/event-formatting.ts

  • JEY-VDL Unescaped user-derived filename used in glob pattern (L214-L220) · medium
    A filename extracted from raw compiler output is interpolated directly into a glob pattern (**/${filePath}) without sanitizing glob metacharacters — a filename like * or [a-z].swift will match unintended files, silently resolving the wrong path.
    Suggested fix: Escape glob metacharacters in filePath before interpolating into the pattern. The glob package exports an escape helper for this purpose.
  • 8FC-B44 Module-level diagnostic path cache grows without bound (L180) · low
    The module-level resolvedDiagnosticPathCache Map is never evicted or capped, so in a long-running MCP server process it will accumulate one entry per unique (baseDir, filename) pair seen across all builds, leaking memory indefinitely.

src/mcp/tools/swift-package/swift_package_run.ts

  • Q2W-CHS resolveExecutablePath invoked unconditionally before checking executor success (L195-L200) · low
    In the background branch of createSwiftPackageRunExecutor, resolveExecutablePath is awaited immediately after the background executor(...) call and before the !result.success guard. Because resolveExecutablePath itself spawns a swift build --show-bin-path subprocess, a failed background build still triggers this extra subprocess, whose return value is then discarded by the early-return on failure. Reordering so the resolution runs only after the success check (or only when result.process?.pid is set, where executablePath is actually consumed) avoids the spurious invocation.

src/utils/xcodebuild-domain-results.ts

  • X3V-9R4 Inconsistent .ts import extension among .js-style imports (L31) · low
    Line 31 of src/utils/xcodebuild-domain-results.ts imports ./xcresult-test-failures.ts while all other imports in the file use the project's .js ESM-redirect convention. The build pipeline (tsup.config.ts) explicitly rewrites .ts imports to .js in the emitted output, so this is not a runtime failure — but it is a stylistic inconsistency that should be normalized to .js to match the rest of the file and the project convention.

Generated by Warden
