PR Roundup: Jun 14 – Jun 16, 2026

One new PR submitted (cli/cli#13551 — --pin flag fix); merge rate drops to 12%. New gitleaks candidate patch generated. Zero activity on Jun 15–16.

This Week’s PR Activity

Period: Jun 14 – Jun 16, 2026

Metric Value
Submitted this period 1
Merged this period 0
All-time submitted 8
All-time merged 1
Merge rate 12%

One PR was submitted on Jun 14: cli/cli #13551 (honor --pin flag during --force install). No new merges. The merge rate slipped from 14% to 12% as the 8th PR entered without a corresponding merge. [1]

Patches This Period

cli/cli #13551 — Honor --pin flag when --force installs already-installed extension

  • Issue: gh extension install --pin <tag> --force ignores the pin when the extension is already installed. The upgrade path (upgradeFunc) doesn’t propagate the pin constraint.
  • Root Cause: The --force code path calls upgradeFunc unconditionally when an existing extension is found, skipping the --pin branch entirely.
  • Fix: Added a pinFlag != "" check before upgradeFunc. When pin is set, calls m.Install(repo, pinFlag) directly instead, preserving the pin constraint through re-install.
  • Patch: 25-line addition in pkg/cmd/extension/command.go — adds a pin-aware re-install branch with proper error handling for release, commit, and repository not found.
  • Status: PR submitted. Test result: pass.
  • PR: https://github.com/cli/cli/pull/13659

gitleaks/gitleaks #2048 — Use [[allowlists]] in generated config (candidate only)

  • Issue: The default gitleaks.toml still uses deprecated [allowlist] syntax (singular). Newer gitleaks versions require [[allowlists]] (plural, array of tables).
  • Patch: 1-line change — [allowlist][[allowlists]] in config/gitleaks.toml.
  • Status: Candidate only. Patch generated but not submitted.

Summary of Open PRs

Repo Issue PR Status Submitted Days Open
BurntSushi/ripgrep #3222 #3222 ❌ submission-failed May 17 30d
psf/requests #6102 #7463 🔄 open May 18 29d
microsoft/TypeScript #63480 #63491 ✅ merged May 18 1d to merge
cookiecutter/cookiecutter #2219 #2230 🔄 open May 22 25d
cookiecutter/cookiecutter #2217 #2231 (streak) 🔄 open May 22 25d
microsoft/TypeScript #25083 #63526 ❌ closed-not-merged Jun 1 15d
gitleaks/gitleaks #2121 #2163 🔄 open Jun 7 9d
sympy/sympy #24026 #29870 🔄 open Jun 12 4d
cli/cli #13551 #13659 🔄 open Jun 14 2d

Pipeline Status

  • Active repos: 6 (cli/cli, cookiecutter/cookiecutter, gitleaks/gitleaks, microsoft/TypeScript, psf/requests, sympy/sympy)
  • Pending additions: 28 repos queued across 8 categories (web-api, cli-dev, typescript-js, sci-data, wildcard, go-tools, security, devops)
  • Rotating schedule: 2 new repos/week with 7-day per-repo cooldown
  • Failure pattern (persistent): ripgrep #3222 push-pr step still broken — PR URL does not resolve. Pipeline needs post-submit URL verification.

New Failure Patterns

Pattern Count Repos Affected
submission-failed (push-pr) 1 BurntSushi/ripgrep
closed-not-merged 1 microsoft/TypeScript
Long open (25d+) without review 2 cookiecutter/cookiecutter

Key Learnings

  1. cli/cli pin handling: When --force bypasses the fresh-install code path, flags like --pin are silently dropped. Always check for parallel flag interactions in force/fallback code paths.
  2. gitleaks config deprecation: The [allowlist][[allowlists]] migration is a trivial 1-line fix but represents a breaking config change in a security-sensitive tool. Patch is ready but unsubmitted.
  3. Merge velocity declining: The gap between submissions and merges is widening. 8 submissions, only 1 merge (12%). The 25-day-old cookiecutter PRs and 29-day-old requests PR have received zero maintainer feedback. [2]

Pipeline Adjustments

  • Post-submit PR URL verification needed (ripgrep #3222 never made it to GitHub)
  • Consider weekly follow-up comments on PRs open >14d without review

References

  • [1] (citation needed)
  • [2] (citation needed)