Full-codebase-audit 2026-05-30 outputs:
- Audit report: 09 - Audits/Full Codebase Audit - 2026-05-30.md
- 81 issue files ISSUE-055..135 (decisions + 1 skipped no-brainer).
- Scanner docs from scratch (was zero): architecture, data model, API ref, payment flow, operations runbook + repo README.
- Doc-sync updates across API reference, data models, flows, design system.
- Secret Rotation Runbook (08 - Operations) for the exposed credentials.
- Reusable workflow guide (07 - Development) + .claude/workflows/full-codebase-audit.js.

Issues remain status:open intentionally — the code fixes are uncommitted-then-committed working-tree changes per repo and aren't "resolved" until merged/deployed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| issue | title | severity | domain | labels | status | created | source |
|---|---|---|---|---|---|---|---|
| 100 | Backend: updatePurchaseRequest does findById then findByIdAndUpdate — non-atomic race | medium | Marketplace | bug, backend, concurrency | open | 2026-05-30 | Full Codebase Audit 2026-05-30 |
# Backend: updatePurchaseRequest does findById then findByIdAndUpdate — non-atomic race

- Severity: medium
- Domain: Marketplace
- Labels: bug, backend, concurrency

## Description

`PurchaseRequestService.ts:413` reads the document first (`findById`) to check allowed status transitions, then writes it (`findByIdAndUpdate`). Between the read and the write, another request can change the status, defeating the transition guard.
## Options

- Use `findOneAndUpdate` with a `status: { $in: allowedCurrentStatuses }` condition — atomic.
- Keep two queries but wrap them in a transaction.
- Leave as-is.
## Recommendation

Use a single conditional `findOneAndUpdate` to make the transition atomic and halve round-trips.
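To make the race concrete, the following is an added example (not the project's code) that drives two concurrent status transitions through a small in-memory stand-in for a Mongoose model. The model name, the `TRANSITIONS` status machine and the document contents are constructed for the demonstration; only the query shapes (`findById`, `findByIdAndUpdate`, `findOneAndUpdate` with a `$in` filter) mirror the ones named in the issue. The scheduler runs both requests' checks before either write, which is exactly the interleaving an `await` between the two queries permits.

```javascript
'use strict';

// Added example, not the audited service: an in-memory stand-in for a
// Mongoose model, just enough to show the read-then-write race and the
// atomic fix. Status machine and documents below are constructed.

// Legal next statuses from each current status (assumption for the demo).
const TRANSITIONS = {
  pending: ['approved', 'rejected'],
  approved: ['fulfilled'],
  rejected: [],
  fulfilled: [],
};

// Inverse of TRANSITIONS: the current statuses from which `next` is reachable.
function allowedCurrentStatuses(next) {
  return Object.keys(TRANSITIONS).filter((s) => TRANSITIONS[s].includes(next));
}

// Tiny subset of MongoDB filter syntax: equality and { $in: [...] }.
function matches(doc, filter) {
  return Object.entries(filter).every(([k, v]) =>
    v !== null && typeof v === 'object' && Array.isArray(v.$in)
      ? v.$in.includes(doc[k])
      : doc[k] === v
  );
}

class InMemoryModel {
  constructor(docs) {
    this.docs = new Map(docs.map((d) => [d._id, { ...d }]));
  }
  findById(id) {
    const d = this.docs.get(id);
    return d ? { ...d } : null;
  }
  // Unconditional write by id, like the audited code's second query.
  findByIdAndUpdate(id, update) {
    return this.findOneAndUpdate({ _id: id }, update);
  }
  // Filter check and write happen as one step; MongoDB guarantees this
  // per document, which is what makes the conditional update atomic.
  findOneAndUpdate(filter, update) {
    for (const d of this.docs.values()) {
      if (matches(d, filter)) {
        Object.assign(d, update.$set);
        return { ...d };
      }
    }
    return null;
  }
}

// Vulnerable pattern: guard in one query, write in another. Split into
// phases so the scheduler can interleave two requests.
function twoStepTransition(model, id, next) {
  let permitted = false;
  return {
    check() {
      const doc = model.findById(id);
      permitted = doc !== null && TRANSITIONS[doc.status].includes(next);
    },
    commit() {
      return permitted ? model.findByIdAndUpdate(id, { $set: { status: next } }) : null;
    },
  };
}

// Recommended pattern: the guard is part of the update filter, so a
// document whose status changed in between is simply not matched.
function atomicTransition(model, id, next) {
  return {
    check() {},
    commit() {
      return model.findOneAndUpdate(
        { _id: id, status: { $in: allowedCurrentStatuses(next) } },
        { $set: { status: next } }
      );
    },
  };
}

// Worst-case interleaving: both checks run before either write.
// Returns the statuses each request believes it set successfully.
function runInterleaved(a, b) {
  a.check();
  b.check();
  return [a.commit(), b.commit()].filter((d) => d !== null).map((d) => d.status);
}

function demo(makeTransition) {
  const model = new InMemoryModel([{ _id: 'pr-1', status: 'pending' }]);
  const approve = makeTransition(model, 'pr-1', 'approved');
  const reject = makeTransition(model, 'pr-1', 'rejected');
  const succeeded = runInterleaved(approve, reject);
  return { succeeded, finalStatus: model.findById('pr-1').status };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('two-step:', demo(twoStepTransition)); // both succeed, final status "rejected"
  console.log('atomic:  ', demo(atomicTransition));  // only "approved" succeeds
}
```

With the two-step pattern both requests pass the guard against the same stale read, so a request ends up both approved and rejected; with the conditional update the second request's filter no longer matches and it returns `null`, which the service can map to a conflict response. The same `null` check also covers the document-not-found case, so no separate existence query is needed.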
## Affected Files

- `backend/src/services/marketplace/PurchaseRequestService.ts:413`
## References

- Full Codebase Audit 2026-05-30 — DEC-46