Problem
While integrating the CLI in automation, I noticed numeric args are validated with `/^\d+$/` and then converted using `Number(...)` in `src/commands/_db.ts` and `src/commands/observation.ts`. That accepts values larger than `Number.MAX_SAFE_INTEGER` and silently rounds them.
Example:
```sh
node -e "console.log(Number('9007199254740993'))"
# -> 9007199254740992
```
`parseId("9007199254740993")` currently returns a different value than what the user passed.
Why this matters
SQLite IDs are 64-bit integers. The CLI currently lets users pass a value that cannot be represented safely in JS, which can target the wrong record in large datasets.
Affected paths
- `src/commands/_db.ts` (`parseId`)
- `src/commands/observation.ts` (`parseOptionalInt`)
- Any command using those helpers
Suggested fix
- Reject numeric strings above `Number.MAX_SAFE_INTEGER`
- Use `Number.isSafeInteger(parsed)` after parsing
- Return a clear error when the value is out of the safe range
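The current behaviour beside a hardened version of the two helpers, as an added example that is not the project's own code (the names `parseIdUnsafe`, `parseIdSafe`, `parseOptionalIntSafe` and `roundTrips` are assumptions):

```typescript
// Added example; hypothetical helper names, not the project's own code.
const DIGITS = /^\d+$/;

// Current behaviour as described above: regex check, then Number().
// Any value above 2^53 - 1 passes the regex and is silently rounded.
function parseIdUnsafe(raw: string): number {
  if (!DIGITS.test(raw)) throw new Error(`invalid id: ${JSON.stringify(raw)}`);
  return Number(raw);
}

// Hardened: same regex, then reject anything Number cannot represent exactly.
function parseIdSafe(raw: string): number {
  if (!DIGITS.test(raw)) throw new Error(`invalid id: ${JSON.stringify(raw)}`);
  const parsed = Number(raw);
  if (!Number.isSafeInteger(parsed)) {
    throw new RangeError(
      `id ${raw} exceeds Number.MAX_SAFE_INTEGER (${Number.MAX_SAFE_INTEGER})`
    );
  }
  return parsed;
}

// Optional variant: absent or empty input is allowed, present input is checked.
function parseOptionalIntSafe(raw: string | undefined): number | undefined {
  if (raw === undefined || raw === "") return undefined;
  return parseIdSafe(raw);
}

// Round-trip check: a correctly parsed id prints back as the exact input string.
function roundTrips(raw: string, parse: (s: string) => number): boolean {
  try {
    return String(parse(raw)) === raw;
  } catch {
    return false;
  }
}
```

`parseIdSafe` still accepts leading zeros (the regex does), so `roundTrips("007", parseIdSafe)` is false even though the value is exact; tighten the regex if canonical form matters.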