oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

Making outbound network requests by default is very surprising behavior #3737

Closed mbyio closed 1 month ago

mbyio commented 1 month ago

Describe the bug

I was testing out megalinter on a project for the first time. I got it running correctly in GitHub Actions... and then when "lychee" ran, I was shocked to see it making what look like real HTTP requests to any links it finds in the codebase.

I think it misinterpreted the contents of some integration tests, which use recorded HTTP sessions with some private APIs. Fortunately, the APIs do require authentication, and the keys aren't stored in the codebase, so all the requests failed with 403.

This is shocking default behavior for a linter. Typically a linter is only checking your code, maybe downloading a few extra dependencies to help it check. It is not typical for a linter to make HTTP requests like this.

I really think this is a mistake that could cause big problems for some people. What if they are logged into a VPN, run MegaLinter locally, and it makes requests to some internal service? Even if the requests are blocked due to missing credentials, if there are a lot of links then it could slam the service with requests, or it could trigger rate limiting.

To Reproduce

Steps to reproduce the behavior:

  1. Use the default settings (except for setting the env vars VALIDATE_ALL_CODEBASE=true and APPLY_FIXES=all)
  2. Run mega linter
  3. See your life flash before your eyes when it makes requests to internal APIs

Expected behavior

Don't follow external links, or ask the user before following them, or warn the user that the link checker is "opt in".

nvuillam commented 1 month ago

hi @mbyio ,

Don't be shocked for so little, it's bad for your heart :)

Checking URLs is indeed the default behavior of the lychee linter.

If you want to skip some checks, you can:

Lychee doc in MegaLinter: https://megalinter.io/latest/descriptors/spell_lychee/
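For readers who land on this issue looking for the concrete settings, the following `.mega-linter.yml` is an added example written for this page; it is not from the issue, the linked documentation, or the MegaLinter repository. It relies on two MegaLinter configuration variables (`DISABLE_LINTERS` and the per-linter `SPELL_LYCHEE_ARGUMENTS` / `SPELL_LYCHEE_FILTER_REGEX_EXCLUDE`) and on lychee's own CLI flags (`--offline`, `--exclude-private`, `--exclude-loopback`, `--exclude-link-local`, `--exclude`); the fixture paths and the internal hostname pattern are assumptions for illustration.

```yaml
# .mega-linter.yml  (added example, not the project's own configuration)

# Weak default: lychee is enabled and, as the issue describes, will issue a
# real HTTP request for every URL it finds in the checked sources.
#
# Option A: do not run the link checker at all.
DISABLE_LINTERS:
  - SPELL_LYCHEE

# Option B: keep lychee in the run but forbid network access entirely.
# `--offline` makes lychee check only local file links and block all
# network requests (lychee flag; SPELL_LYCHEE_ARGUMENTS is MegaLinter's
# per-linter extra-arguments variable).
# SPELL_LYCHEE_ARGUMENTS: "--offline"

# Option C: still validate public links, but never touch internal hosts and
# skip files that contain recorded HTTP sessions (paths are assumed here).
# --exclude-private/--exclude-loopback/--exclude-link-local drop URLs whose
# host is a private, loopback or link-local IP literal; hostnames that only
# resolve to internal addresses are not caught by that and need an explicit
# --exclude regex.
# SPELL_LYCHEE_ARGUMENTS: >-
#   --exclude-private --exclude-loopback --exclude-link-local
#   --exclude '^https?://[^/]*\.internal\.example$'
# SPELL_LYCHEE_FILTER_REGEX_EXCLUDE: "(tests/fixtures/|cassettes/)"
```

Pick exactly one option and uncomment it; Option A is the safe choice when running MegaLinter from a machine on a VPN for the first time, since it guarantees no request leaves the runner regardless of what the sources contain.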