CrabPascal
The v2.8 Hotfix Story: Security and Stability | História dos hotfixes v2.8

Bilingual post (English and Portuguese)


English {#english}

The v2.8 Hotfix Story: Security and Stability

Series — Part 2: Previous: Mapping the Delphi Bible to CrabPascal (056-delphi-bible-analysis). Release notes: releases/release-v2-8-3-hotfix-critico, releases/release-v2-8-4-hotfix-seguranca.

Before sprint governance and Mintlify audits, CrabPascal shipped v2.8.x — a turbulent week that fixed eight parser/runtime blockers and exposed a credential leak in the VS Code extension pipeline. This post tells that story transparently: what broke, what we fixed, and why it still matters for contributors in 2026.

v2.8.3 — When executables finally stayed open

The VS Code extension promised native builds. Reality: generated .exe files opened and closed instantly. Loops using ReadLn spun forever because input was simulated. Enums, multi-field declarations, constructors in implementation sections, and inherited — all parser failures blocking real projects.

v2.8.3 (October 27, 2025) addressed eight critical bugs:

| Area | Symptom | Fix |
| --- | --- | --- |
| Enums inline | Expected type, found LeftParen | parse_enum_type() |
| Multi-fields | Expected Colon, found Comma | Multi-name field parsing |
| Constructors | Expected End, found Constructor | Implementation section tokens |
| Inherited | Statement parse failure | inherited; support |
| Grouping parens | Double advance skipped `and` | Remove redundant advance() |
| While loops | Double advance on `do` | Same class of bug |
| ReadLn | Infinite loops | Real stdin read |
| Executable lifetime | Immediate exit | Runtime entry fix |
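The "double advance" rows in the table describe one bug class: a parser routine that calls advance() after a helper has already consumed the closing token, so the next real token (the `and` after a parenthesised group, the `do` after a while condition) is silently eaten. The toy recursive-descent parser below is an added example with a hypothetical grammar (identifiers, `and`, parentheses); it is not CrabPascal's parser and the names are mine. The `redundant_advance` flag reproduces the faulty behaviour beside the fixed one, and shows why the bug hid: when `)` is the last token, the extra advance is a harmless no-op.

```python
"""Toy recursive-descent parser that reproduces the 'double advance' class of
bug from the v2.8.3 table. Added example with a hypothetical grammar
(identifiers, `and`, parentheses); it is not CrabPascal's parser."""
from dataclasses import dataclass


@dataclass
class Token:
    kind: str   # Ident, And, LeftParen, RightParen, EOF
    text: str


KEYWORDS = {"and": "And"}


def tokenize(src: str) -> list[Token]:
    """Split source into tokens; unknown characters are a syntax error."""
    tokens: list[Token] = []
    i = 0
    while i < len(src):
        c = src[i]
        if c.isspace():
            i += 1
        elif c == "(":
            tokens.append(Token("LeftParen", c))
            i += 1
        elif c == ")":
            tokens.append(Token("RightParen", c))
            i += 1
        elif c.isalpha():
            j = i
            while j < len(src) and src[j].isalnum():
                j += 1
            word = src[i:j]
            tokens.append(Token(KEYWORDS.get(word.lower(), "Ident"), word))
            i = j
        else:
            raise SyntaxError(f"unexpected character {c!r}")
    tokens.append(Token("EOF", ""))
    return tokens


class Parser:
    def __init__(self, src: str, redundant_advance: bool = False):
        self.tokens = tokenize(src)
        self.pos = 0
        # True reproduces the pre-v2.8.3 behaviour described in the table.
        self.redundant_advance = redundant_advance

    def peek(self) -> Token:
        return self.tokens[self.pos]

    def advance(self) -> Token:
        tok = self.tokens[self.pos]
        if tok.kind != "EOF":
            self.pos += 1
        return tok

    def expect(self, kind: str) -> Token:
        tok = self.peek()
        if tok.kind != kind:
            raise SyntaxError(f"Expected {kind}, found {tok.kind}")
        return self.advance()   # expect() consumes the matched token

    def parse_expression(self):
        # expression := primary ('and' primary)*
        left = self.parse_primary()
        while self.peek().kind == "And":
            self.advance()
            left = ("and", left, self.parse_primary())
        return left

    def parse_primary(self):
        tok = self.peek()
        if tok.kind == "Ident":
            self.advance()
            return tok.text
        if tok.kind == "LeftParen":
            self.advance()
            inner = self.parse_expression()
            self.expect("RightParen")
            if self.redundant_advance:
                # BUG: ')' is already consumed, so this eats the *next* token,
                # e.g. the 'and' in '(a) and b'. Harmless when ')' ends the
                # input, which is why simple tests never caught it.
                self.advance()
            return inner
        raise SyntaxError(f"Expected expression, found {tok.kind}")

    def parse_program(self):
        tree = self.parse_expression()
        self.expect("EOF")
        return tree


def describe(src: str, redundant_advance: bool = False):
    """Return the parse tree, or the error text, so both outcomes compare easily."""
    try:
        return Parser(src, redundant_advance).parse_program()
    except SyntaxError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for src in ["(a) and b", "(a)", "a and (b and c)"]:
        print(f"{src!r:20} fixed={describe(src)!r}  buggy={describe(src, True)!r}")
```

Note that the buggy parser does not fail at the `and`; it fails later with a misleading "Expected EOF, found Ident", which is the same shape as the symptoms listed in the table and is why these bugs are best pinned with a regression fixture for each grouping construct rather than found by reading the error text.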

This was the first truly usable extension build for many Windows users — a stability milestone predating the 2026 sprint wave.

v2.8.4–v2.8.6 — Security hotfix chain

Publishing v2.8.3 triggered the VS Code Marketplace secret scanner. An Azure DevOps Personal Access Token appeared in vscode-extension/SEGURANCA_TOKEN.md line 48 — bundled inside the .vsix.

Risk: Anyone with the token could publish malicious extension versions under our publisher identity.

Timeline

  • v2.8.3 — Token exposed in documentation shipped with package
  • v2.8.4 — Token redacted; .env* files still packaged incorrectly
  • v2.8.5 — Real token accidentally placed in .env.example (user error during rotation)
  • v2.8.6 — Definitive fix: .vscodeignore excludes secrets; token revoked and rotated

Marketplace rejection message (paraphrased):

Your package contains secrets...
'…DO1XJv' is an apparent Azure DevOps PAT
in extension/SEGURANCA_TOKEN.md (Line 48)

Lessons learned (still enforced)

  1. Never commit tokens — even in "internal" markdown. Use placeholders and secret stores.
  2. .vscodeignore is a security boundary — audit what enters the .vsix as you would any production artifact.
  3. Automated scanners help — Marketplace blocked a bad publish before wide distribution.
  4. Document hotfixes — Mintlify release pages preserve context when git history is noisy.

These lessons feed Rafael's CI/docs audit (TD-DOCS, release governance) and the squad's release checklist.

Relationship to 2026 sprints

v2.8.x predates the v2.9.9+ sprint releases but explains the parser hardening debt that Bruno closed in Sprint 11 (v2.19.0). Many v2.8.3 fixes were point patches; the sprints systematized them with fixtures and reviews.

Security practices from v2.8.6 carry forward: the extension publishing docs now assume token rotation, ignore rules, and no PATs in the tree.

For users on old extension versions

If you still run a pre-v2.8.6 VS Code extension:

  1. Update to the current marketplace build
  2. Revoke any tokens you may have copied from old docs
  3. Prefer the crab-pascal CLI from the project releases for reproducible builds

For contributors shipping extensions

Before vsce package:

# Verify no secrets in package contents
vsce ls | Select-String -Pattern "env|token|SEGURANCA"

Cross-check usage/guia-publicacao-vscode-marketplace for current workflow.
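One caveat on the `vsce ls` filter above: it only sees file names, so it catches a stray `.env.example` or `SEGURANCA_TOKEN.md` but not a token sitting inside an innocent-looking README. The script below is an added example, not CrabPascal project code, that audits the built `.vsix` (a plain zip archive) by both name and content, which is the "audit what enters .vsix like production artifacts" lesson turned into a gate you can run before `vsce publish`. Assumptions: the forbidden-name patterns mirror the intent of the v2.8.6 `.vscodeignore` rather than its actual contents, and the PAT heuristic is just a long run of letters and digits; the sample archive and its token are constructed inline.

```python
"""Audit a packaged VS Code extension (.vsix is a zip archive) for leaked
secrets before `vsce publish`. Added example, not CrabPascal project code.
Assumptions: the forbidden-name patterns mirror the intent of the v2.8.6
.vscodeignore (not its actual contents), and the PAT heuristic is simply a
long run of letters and digits. The sample archive is constructed inline."""
import fnmatch
import io
import re
import zipfile

# File names that must never ship in a .vsix (assumption, matched on basename).
FORBIDDEN_NAMES = (".env", ".env.*", "*TOKEN*.md", "*.pem", "*.key")

# Heuristic for Azure DevOps PAT-like strings: 52+ letters/digits in a row.
# (Assumption; adjust the length and alphabet to the token types your org uses.)
PAT_LIKE = re.compile(r"\b[A-Za-z0-9]{52,}\b")


def is_forbidden_name(path: str) -> bool:
    """True when the entry's basename matches a pattern that must be ignored."""
    name = path.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatchcase(name, pat) for pat in FORBIDDEN_NAMES)


def scan_vsix(data: bytes) -> list[tuple[str, str]]:
    """Return (path, reason) findings for every suspicious archive entry."""
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_forbidden_name(info.filename):
                findings.append((info.filename, "forbidden file name"))
            # Binary entries decode with errors ignored; a PAT is ASCII anyway.
            text = zf.read(info).decode("utf-8", errors="ignore")
            for match in PAT_LIKE.finditer(text):
                # Log only a redacted tail so the audit output cannot leak the token.
                tail = match.group(0)[-6:]
                findings.append((info.filename, f"PAT-like string ending in ...{tail}"))
    return findings


def vsix_is_clean(data: bytes) -> bool:
    """Gate for CI: True only when no finding was produced."""
    return not scan_vsix(data)


def build_sample_vsix() -> bytes:
    """Constructed sample: a clean manifest, a doc with a fake token, a stray .env."""
    fake_pat = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6"  # 52 chars, made up
    files = {
        "extension/package.json": '{"name": "crab-pascal-demo", "version": "0.0.0"}',
        "extension/SEGURANCA_TOKEN.md": f"Publishing token: {fake_pat}\n",
        "extension/.env.example": "VSCE_PAT=<replace-me>\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Usage: python audit_vsix.py extension.vsix  (no argument scans the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_vsix()
    for path, reason in scan_vsix(data):
        print(f"{path}: {reason}")
    sys.exit(0 if vsix_is_clean(data) else 1)
```

Run it on the output of `vsce package` and make a non-zero exit fail the publish job; the constructed sample yields three findings (two forbidden names and one token-like string), and the redacted tail in the report mirrors the Marketplace's own "…DO1XJv" style so the audit log never reproduces the secret it found.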

Why blog about old hotfixes?

Transparency builds trust. Delphi developers evaluating CrabPascal ask: "Will this team hide production issues?" v2.8 shows we ship fixes fast and document failures — including embarrassing leaks.

The 2026 audit series continues that honesty at compiler depth; v2.8 is the shipping and security chapter.

Next: From Delphi Developer to CrabPascal (058-delphi-dev-migration-guide).


Portuguese {#portugus}

The v2.8 Hotfix Story

Series — Part 2: Previous: Mapping the Delphi Bible to CrabPascal (056-delphi-bible-analysis). Release notes: releases/release-v2-8-3-hotfix-critico, releases/release-v2-8-4-hotfix-seguranca.

Before sprint governance and Mintlify audits, CrabPascal shipped v2.8.x — a turbulent week that fixed eight parser/runtime blockers and exposed a credential leak in the VS Code extension pipeline. This post tells that story transparently: what broke, what we fixed, and why it still matters for contributors in 2026.

v2.8.3 — When executables finally stayed open

The VS Code extension promised native builds. Reality: generated .exe files opened and closed immediately. Loops with ReadLn ran forever because input was simulated. Enums, multi-field declarations, constructors in the implementation section, and inherited — parser failures blocking real projects.

v2.8.3 (October 27, 2025) addressed eight critical bugs:

| Area | Symptom | Fix |
| --- | --- | --- |
| Enums inline | Expected type, found LeftParen | parse_enum_type() |
| Multi-fields | Expected Colon, found Comma | Multi-name parsing |
| Constructors | Expected End, found Constructor | Tokens in the implementation section |
| Inherited | Statement parse failure | Support for inherited; |
| Grouping parentheses | Double advance skipped `and` | Remove redundant advance() |
| While loops | Double advance on `do` | Same class of bug |
| ReadLn | Infinite loops | Real stdin read |
| Executable lifetime | Immediate exit | Runtime entry fix |

It was the first truly usable extension build for many Windows users — a stability milestone that predates the 2026 sprint wave.

v2.8.4–v2.8.6 — Security hotfix chain

Publishing v2.8.3 triggered the VS Code Marketplace secret scanner. An Azure DevOps Personal Access Token appeared in vscode-extension/SEGURANCA_TOKEN.md line 48 — packaged inside the .vsix.

Risk: anyone with the token could publish malicious versions of the extension under our publisher identity.

Timeline

  • v2.8.3 — Token exposed in documentation shipped with the package
  • v2.8.4 — Token redacted; .env* files still packaged incorrectly
  • v2.8.5 — Real token accidentally placed in .env.example (human error during rotation)
  • v2.8.6 — Definitive fix: .vscodeignore excludes secrets; token revoked and rotated

Marketplace rejection message (paraphrased):

Your package contains secrets...
'…DO1XJv' is an apparent Azure DevOps PAT
in extension/SEGURANCA_TOKEN.md (Line 48)

Lessons learned (still enforced)

  1. Never commit tokens — even in "internal" markdown. Use placeholders and secret stores.
  2. .vscodeignore is a security boundary — audit what goes into the .vsix as a production artifact.
  3. Automated scanners help — the Marketplace blocked a bad publish before wide distribution.
  4. Document hotfixes — Mintlify release pages preserve context when git history is noisy.

These lessons feed Rafael's CI/docs audit (TD-DOCS, release governance) and the squad's release checklist.

Relationship to 2026 sprints

v2.8.x predates the v2.9.9+ sprint releases but explains the parser hardening debt that Bruno closed in Sprint 11 (v2.19.0). Many v2.8.3 fixes were point patches; the sprints systematized them with fixtures and reviews.

Security practices from v2.8.6 carry forward: the extension publishing docs assume token rotation, ignore rules, and zero PATs in the tree.

For users on old extension versions

If you still run a pre-v2.8.6 VS Code extension:

  1. Update to the current marketplace build
  2. Revoke any tokens you may have copied from old docs
  3. Prefer the crab-pascal CLI from the project releases for reproducible builds

For contributors publishing the extension

Before vsce package:

# Check that no secrets are in the package contents
vsce ls | Select-String -Pattern "env|token|SEGURANCA"

Check usage/guia-publicacao-vscode-marketplace for the current workflow.

Why blog about old hotfixes?

Transparency builds trust. Delphi developers evaluating CrabPascal ask: "Does this team hide production issues?" v2.8 shows that we ship fixes fast and document failures — including embarrassing leaks.

The 2026 audit series continues that honesty at compiler depth; v2.8 is the shipping and security chapter.

Next: From Delphi Developer to CrabPascal (058-delphi-dev-migration-guide).


Published on dev.to/@crabpascal · Code in CrabPascal
