test: add a bunch of tests

[MarshallOfSound]

At one point this module had really good test coverage, then we added a bunch of stuff to it 😆 These are mostly claude generated test cases but I've gone through them and they all seem like in/out samples

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​vitest/​coverage-v8@​3.0.5
	markdown-it@​14.1.1 ⏵ 14.1.0		-1

View full report

[dsanders11]

This needs some work before we should land it.

First and foremost it fails type checking, see #158 which enforces type checking going forward.

I've left a handful of inline comments, but overall I think these tests can be cleaned up a decent amount. Using assert from vitest would remove the need for a lot of the type assertions and null-coalescing operators (e.g. assert(result.innerTypes?.length === 1) instead of expect(result.innerTypes).toHaveLength(1)).

Some of these tests have expect calls inside conditional branches, which is a code smell. I'm guessing that was Claude trying to make the code pass type checking, but it can lead to those expect calls never running and the tests passing if something subtle changes. Those can be refactored using assert to both pass type checking and not be in a conditional branch that could get skipped.

[MarshallOfSound]

Some of these tests have expect calls inside conditional branches, which is a code smell. I'm guessing that was Claude trying to make the code pass type checking, but it can lead to those expect calls never running and the tests passing if something subtle changes. Those can be refactored using assert to both pass type checking and not be in a conditional branch that could get skipped.

This is a good call out that I missed 🙇 I updated all these to use type assertions instead as these are frequently code patterns of "assert foo -> assert foo.bar" where typescript doesn't understand vitests "expect" syntax is actually a typecheck.

Things looking a bit better now and typecheck now passing

[dsanders11]

Looking better, but see inline comments about replacing the type assertions with type inference via assert(...).

[dsanders11]

Suggested change

	const appModule = result.find((m) => m.name === 'app');
	expect(appModule).toBeDefined();
	expect(appModule?.type).toBe('Module');
	// Just check that process information is present
	expect((appModule as ModuleDocumentationContainer).process).toBeDefined();
	expect((appModule as ModuleDocumentationContainer).process.main).toBe(true);
	expect(appModule?.description).toContain('Control your application');
	const module = appModule as ModuleDocumentationContainer;
	expect(module.events).toHaveLength(1);
	expect(module.events[0].name).toBe('ready');
	expect(module.methods).toHaveLength(1);
	expect(module.methods[0].name).toBe('quit');
	expect(module.properties).toHaveLength(1);
	expect(module.properties[0].name).toBe('name');
	const appModule = result.find((m) => m.name === 'app');
	assert(appModule?.type === 'Module');
	// Just check that process information is present
	expect(appModule.process).toBeDefined();
	expect(appModule.process.main).toBe(true);
	expect(appModule.description).toContain('Control your application');
	expect(appModule.events).toHaveLength(1);
	expect(appModule.events[0].name).toBe('ready');
	expect(appModule.methods).toHaveLength(1);
	expect(appModule.methods[0].name).toBe('quit');
	expect(appModule.properties).toHaveLength(1);
	expect(appModule.properties[0].name).toBe('name');

The type assertions can be removed by using assert from vitest and letting tsc infer types. The line assert(appModule?.type === 'Module') will automatically infer ModuleDocumentationContainer for the following lines and we don't need to use type assertions.

[dsanders11]

Suggested change

	const menuClass = result.find((c) => c.name === 'Menu');
	expect(menuClass).toBeDefined();
	const cls = menuClass as ClassDocumentationContainer;
	expect(cls.staticMethods).toHaveLength(1);
	expect(cls.staticMethods[0].name).toBe('buildFromTemplate');
	expect(cls.staticMethods[0].returns).toBeDefined();
	expect(cls.staticProperties).toHaveLength(1);
	expect(cls.staticProperties[0].name).toBe('applicationMenu');
	const menuClass = result.find((c) => c.name === 'Menu');
	assert(menuClass?.type === 'Class');
	expect(menuClass.staticMethods).toHaveLength(1);
	expect(menuClass.staticMethods[0].name).toBe('buildFromTemplate');
	expect(menuClass.staticMethods[0].returns).toBeDefined();
	expect(menuClass.staticProperties).toHaveLength(1);
	expect(menuClass.staticProperties[0].name).toBe('applicationMenu');

Same as above, just another example of the assert removing the need for a type assertion.

[MarshallOfSound]

Does assert have a useful error message? Sorry the reason I've not used assert in the past is because the error is normally. "Expected true to be false" which isn't helpful

[dsanders11]

assert takes a second optional argument for message, so you can easily set a more useful error message. Just tested, without one set, if the assert fails you get a somewhat ugly object dump, but in both cases, Vitest shows you the exact line which failed, so you can see the condition easily. Passing a message does make for a nicer experience, so let's do that. 👍

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		High CVE: npm minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments CVE: GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (HIGH) Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.3 Patched version: 9.0.7 From: ? → npm/vitest@4.0.18 → npm/@vitest/coverage-v8@3.0.5 → npm/minimatch@9.0.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions CVE: GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions (HIGH) Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.4 Patched version: 9.0.7 From: ? → npm/vitest@4.0.18 → npm/@vitest/coverage-v8@3.0.5 → npm/minimatch@9.0.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern CVE: GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (HIGH) Affected versions: >= 10.0.0 < 10.2.1; >= 9.0.0 < 9.0.6; >= 8.0.0 < 8.0.5; >= 7.0.0 < 7.4.7; >= 6.0.0 < 6.2.1; >= 5.0.0 < 5.1.7; >= 4.0.0 < 4.2.4; < 3.1.3 Patched version: 9.0.6 From: ? → npm/vitest@4.0.18 → npm/@vitest/coverage-v8@3.0.5 → npm/minimatch@9.0.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Deprecated by its maintainer: npm tar Reason: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me From: ? → npm/vitest@4.0.18 → npm/tar@7.5.2 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report