Skip to content

Improve Source Compatibility Suite#4428

Merged
turbolent merged 4 commits into
masterfrom
bastian/improve-compat
Feb 10, 2026
Merged

Improve Source Compatibility Suite#4428
turbolent merged 4 commits into
masterfrom
bastian/improve-compat

Conversation

@turbolent

@turbolent turbolent commented Feb 4, 2026
edited
Loading

Copy link
Copy Markdown
Member

Description

  • Targeted PR against master branch
  • Linked to Github issue with discussion and accepted design OR link to spec that describes this work
  • Code follows the standards mentioned here
  • Updated relevant documentation
  • Re-reviewed Files changed in the Github PR explorer
  • Added appropriate labels

@turbolent turbolent self-assigned this Feb 4, 2026
@github-actions

github-actions Bot commented Feb 4, 2026
edited
Loading

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
  • ⚠️ 1 packages with OpenSSF Scorecard issues.
See the Details below.

OpenSSF Scorecard

PackageVersionScoreDetails
pip/click 8.3.1 🟢 6.3
Details
CheckScoreReason
Maintained🟢 1030 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 5Found 7/13 approved changesets -- score normalized to 5
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Pinned-Dependencies🟢 8dependency not pinned by hash detected -- score normalized to 8
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Vulnerabilities🟢 46 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
Signed-Releases🟢 42 out of the last 5 releases have a total of 2 signed artifacts.
Branch-Protection🟢 3branch protection is not maximal on development and all release branches
Security-Policy🟢 9security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/colorama 0.4.6 🟢 4.4
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review🟢 4Found 6/13 approved changesets -- score normalized to 4
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Vulnerabilities🟢 100 existing vulnerabilities detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/coloredlogs 15.0.1 ⚠️ 2.8
Details
CheckScoreReason
Packaging⚠️ -1packaging workflow not detected
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Token-Permissions⚠️ -1No tokens found
Code-Review⚠️ 0Found 1/27 approved changesets -- score normalized to 0
Dangerous-Workflow⚠️ -1no workflows found
Binary-Artifacts🟢 10no binaries found in the repo
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/dacite 1.9.2 🟢 4.1
Details
CheckScoreReason
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Code-Review🟢 3Found 5/14 approved changesets -- score normalized to 3
Binary-Artifacts🟢 10no binaries found in the repo
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Vulnerabilities🟢 100 existing vulnerabilities detected
Security-Policy⚠️ 0security policy file not detected
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Packaging🟢 10packaging workflow detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
pip/humanfriendly 10.0 UnknownUnknown
pip/pyreadline3 3.5.4 UnknownUnknown
pip/pyyaml 6.0.3 🟢 5.4
Details
CheckScoreReason
Security-Policy🟢 10security policy file detected
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Code-Review⚠️ 2Found 6/30 approved changesets -- score normalized to 2
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Maintained⚠️ 00 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
Binary-Artifacts🟢 10no binaries found in the repo
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing🟢 10project is fuzzed
License🟢 10license file detected
Vulnerabilities🟢 100 existing vulnerabilities detected
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0

Scanned Files

  • compat/uv.lock

@github-actions

github-actions Bot commented Feb 5, 2026
edited
Loading

Copy link
Copy Markdown

Benchstat comparison

  • Base branch: onflow:master
  • Base commit: e9c99db
Results

old.txtnew.txt
time/opdelta
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
ContractFunctionInvocation-4430µs ± 0%433µs ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
Emit-44.67ms ± 0%4.72ms ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
ExportType/composite_type-4263ns ± 0%273ns ± 0%~(p=1.000 n=1+1)
ExportType/simple_type-479.2ns ± 0%77.8ns ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
ImperativeFib-423.6µs ± 0%23.2µs ± 0%~(p=1.000 n=1+1)
InterpretRecursionFib-42.27ms ± 0%2.24ms ± 0%~(p=1.000 n=1+1)
NewInterpreter/new_interpreter-4838ns ± 0%851ns ± 0%~(p=1.000 n=1+1)
NewInterpreter/new_sub-interpreter-4335ns ± 0%327ns ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
RuntimeFungibleTokenTransferInterpreter-4635µs ± 0%656µs ± 0%~(p=1.000 n=1+1)
RuntimeFungibleTokenTransferVM-4723µs ± 0%714µs ± 0%~(p=1.000 n=1+1)
RuntimeResourceDictionaryValues-42.77ms ± 0%2.79ms ± 0%~(p=1.000 n=1+1)
RuntimeResourceTracking-411.9ms ± 0%12.1ms ± 0%~(p=1.000 n=1+1)
RuntimeScriptNoop-415.5µs ± 0%15.0µs ± 0%~(p=1.000 n=1+1)
RuntimeVMInvokeContractImperativeFib-441.2µs ± 0%40.6µs ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
ValueIsSubtypeOfSemaType-461.6ns ± 0%62.6ns ± 0%~(p=1.000 n=1+1)
 
alloc/opdelta
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
ContractFunctionInvocation-4152kB ± 0%153kB ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
Emit-41.50MB ± 0%1.50MB ± 0%~(p=1.000 n=1+1)
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
ExportType/composite_type-4120B ± 0%120B ± 0%~(all equal)
ExportType/simple_type-40.00B 0.00B ~(all equal)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
ImperativeFib-48.30kB ± 0%8.30kB ± 0%~(all equal)
InterpretRecursionFib-41.19MB ± 0%1.19MB ± 0%~(p=1.000 n=1+1)
NewInterpreter/new_interpreter-4976B ± 0%976B ± 0%~(all equal)
NewInterpreter/new_sub-interpreter-4232B ± 0%232B ± 0%~(all equal)
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
RuntimeFungibleTokenTransferInterpreter-4170kB ± 0%171kB ± 0%~(p=1.000 n=1+1)
RuntimeFungibleTokenTransferVM-4192kB ± 0%192kB ± 0%~(p=1.000 n=1+1)
RuntimeResourceDictionaryValues-41.77MB ± 0%1.76MB ± 0%~(p=1.000 n=1+1)
RuntimeResourceTracking-48.59MB ± 0%8.58MB ± 0%~(p=1.000 n=1+1)
RuntimeScriptNoop-48.06kB ± 0%8.06kB ± 0%~(p=1.000 n=1+1)
RuntimeVMInvokeContractImperativeFib-413.3kB ± 0%13.3kB ± 0%~(all equal)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
ValueIsSubtypeOfSemaType-432.0B ± 0%32.0B ± 0%~(all equal)
 
allocs/opdelta
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
ContractFunctionInvocation-42.47k ± 0%2.47k ± 0%~(all equal)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
Emit-440.0k ± 0%40.0k ± 0%~(all equal)
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
ExportType/composite_type-43.00 ± 0%3.00 ± 0%~(all equal)
ExportType/simple_type-40.00 0.00 ~(all equal)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
ImperativeFib-4176 ± 0%176 ± 0%~(all equal)
InterpretRecursionFib-417.7k ± 0%17.7k ± 0%~(all equal)
NewInterpreter/new_interpreter-415.0 ± 0%15.0 ± 0%~(all equal)
NewInterpreter/new_sub-interpreter-44.00 ± 0%4.00 ± 0%~(all equal)
pkg:github.com/onflow/cadence/runtime goos:linux goarch:amd64
RuntimeFungibleTokenTransferInterpreter-43.27k ± 0%3.27k ± 0%~(all equal)
RuntimeFungibleTokenTransferVM-43.72k ± 0%3.72k ± 0%~(all equal)
RuntimeResourceDictionaryValues-436.7k ± 0%36.7k ± 0%~(p=1.000 n=1+1)
RuntimeResourceTracking-4144k ± 0%144k ± 0%~(p=1.000 n=1+1)
RuntimeScriptNoop-4114 ± 0%114 ± 0%~(all equal)
RuntimeVMInvokeContractImperativeFib-4424 ± 0%424 ± 0%~(all equal)
pkg:github.com/onflow/cadence/interpreter goos:linux goarch:amd64
ValueIsSubtypeOfSemaType-41.00 ± 0%1.00 ± 0%~(all equal)
 

@turbolent turbolent merged commit 3d3a08b into master Feb 10, 2026
17 checks passed
@turbolent turbolent deleted the bastian/improve-compat branch February 10, 2026 17:49
@BrewTestBot BrewTestBot mentioned this pull request Mar 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SupunS SupunS SupunS approved these changes

@RZhang05 RZhang05 Awaiting requested review from RZhang05

Assignees

@turbolent turbolent

Labels

Improvement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@turbolent @SupunS