fix: resolve double-escaping vulnerability and picomatch alerts#35
Merged
Conversation
- Single-pass regex replacer in parseDotenv() prevents double-unescape of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor
I4cTime added a commit that referenced this pull request on Mar 26, 2026:

* Add Vitest test suite and Homebrew tap automation (#30)
  - Install vitest, add test/test:ci scripts and vitest.config.ts
  - 125 tests across 17 files covering core modules, CLI, and MCP
  - Add test step to CI workflow
  - Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release
  Made-with: Cursor
* chore: bump version to v0.9.4 (#31)
  Made-with: Cursor
* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)
* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info
  - Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills, 2 agents, 5 commands, hooks.json, .mcp.json, and README
  - Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
  - Update README.md with Homebrew install option and Cursor Plugin section
  - Add Homebrew tab to web Hero and docs install commands
  - Create CursorPlugin.tsx homepage section component
  - Add Plugin nav link, update Footer version to v0.9.4
  - Add Cursor Plugin step to docs page
  - Remove beforeShellExecution hook (causes circular block with Cursor metadata)
  Made-with: Cursor
* fix: resolve picomatch audit + update changelogs for v0.9.5
  - Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
  - Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
  - Sync web changelog with v0.9.2–v0.9.5 entries
  Made-with: Cursor
* chore: bump version to v0.9.5
  Made-with: Cursor
* fix: resolve double-escaping vulnerability and picomatch alerts (#35)
  - Single-pass regex replacer in parseDotenv() prevents double-unescape of backslash sequences (CodeQL js/double-escaping alert #14)
  - Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
  - Remove stale package-lock.json + add to .gitignore (Dependabot #2)
  - Add 8 parseDotenv unit tests covering escape edge cases
  Made-with: Cursor
* chore: bump version to v0.9.6
  Made-with: Cursor
I4cTime added a commit that referenced this pull request on Mar 26, 2026:

* Add Vitest test suite and Homebrew tap automation (#30)
  - Install vitest, add test/test:ci scripts and vitest.config.ts
  - 125 tests across 17 files covering core modules, CLI, and MCP
  - Add test step to CI workflow
  - Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release
  Made-with: Cursor
* chore: bump version to v0.9.4 (#31)
  Made-with: Cursor
* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)
* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info
  - Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills, 2 agents, 5 commands, hooks.json, .mcp.json, and README
  - Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
  - Update README.md with Homebrew install option and Cursor Plugin section
  - Add Homebrew tab to web Hero and docs install commands
  - Create CursorPlugin.tsx homepage section component
  - Add Plugin nav link, update Footer version to v0.9.4
  - Add Cursor Plugin step to docs page
  - Remove beforeShellExecution hook (causes circular block with Cursor metadata)
  Made-with: Cursor
* fix: resolve picomatch audit + update changelogs for v0.9.5
  - Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
  - Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
  - Sync web changelog with v0.9.2–v0.9.5 entries
  Made-with: Cursor
* chore: bump version to v0.9.5
  Made-with: Cursor
* fix: resolve double-escaping vulnerability and picomatch alerts (#35)
  - Single-pass regex replacer in parseDotenv() prevents double-unescape of backslash sequences (CodeQL js/double-escaping alert #14)
  - Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
  - Remove stale package-lock.json + add to .gitignore (Dependabot #2)
  - Add 8 parseDotenv unit tests covering escape edge cases
  Made-with: Cursor
* chore: bump version to v0.9.6
  Made-with: Cursor
* fix: nav anchor links now route back to homepage from /docs and /changelog (#37)
  Replace plain <a> tags with Next.js <Link> for all nav items so /#hash links perform client-side navigation to / before scrolling to the target section, instead of looking for anchors on the current page.
  Made-with: Cursor
* chore: bump version to v0.9.7
  Made-with: Cursor
I4cTime added a commit that referenced this pull request on Mar 28, 2026:

* Add Vitest test suite and Homebrew tap automation (#30)
  - Install vitest, add test/test:ci scripts and vitest.config.ts
  - 125 tests across 17 files covering core modules, CLI, and MCP
  - Add test step to CI workflow
  - Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release
  Made-with: Cursor
* chore: bump version to v0.9.4 (#31)
  Made-with: Cursor
* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)
* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info
  - Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills, 2 agents, 5 commands, hooks.json, .mcp.json, and README
  - Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
  - Update README.md with Homebrew install option and Cursor Plugin section
  - Add Homebrew tab to web Hero and docs install commands
  - Create CursorPlugin.tsx homepage section component
  - Add Plugin nav link, update Footer version to v0.9.4
  - Add Cursor Plugin step to docs page
  - Remove beforeShellExecution hook (causes circular block with Cursor metadata)
  Made-with: Cursor
* fix: resolve picomatch audit + update changelogs for v0.9.5
  - Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
  - Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
  - Sync web changelog with v0.9.2–v0.9.5 entries
  Made-with: Cursor
* chore: bump version to v0.9.5
  Made-with: Cursor
* fix: resolve double-escaping vulnerability and picomatch alerts (#35)
  - Single-pass regex replacer in parseDotenv() prevents double-unescape of backslash sequences (CodeQL js/double-escaping alert #14)
  - Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
  - Remove stale package-lock.json + add to .gitignore (Dependabot #2)
  - Add 8 parseDotenv unit tests covering escape edge cases
  Made-with: Cursor
* chore: bump version to v0.9.6
  Made-with: Cursor
* fix: nav anchor links now route back to homepage from /docs and /changelog (#37)
  Replace plain <a> tags with Next.js <Link> for all nav items so /#hash links perform client-side navigation to / before scrolling to the target section, instead of looking for anchors on the current page.
  Made-with: Cursor
* chore: bump version to v0.9.7
  Made-with: Cursor
* OWASP Full Remediation — v0.9.8 Security Release (#39)
* security: OWASP full remediation for v0.9.8
  - Extract SSRF guard into shared src/core/ssrf.ts, apply to validate.ts and provision.ts
  - Fix shell injection in hooks.ts: spawn("pgrep") replaces exec("pgrep -f ...")
  - Fix dashboard XSS: escape e.action in renderAudit
  - Enforce checkKeyReadPolicy on listSecrets, exportSecrets, hasSecret, deleteSecret, getEnvelope
  - Replace Math.random with crypto.randomBytes for tunnel IDs
  - Store memory encryption key in OS keyring with legacy migration/fallback
  - Escape regex metacharacters in glob-to-regex (server.ts, hooks.ts)
  - Use word-boundary regex for exec profile denyCommands
  - Add path-to-regexp and brace-expansion pnpm overrides
  - Add CSP meta tag to web layout
  - Add SSRF test suite (12 tests) and tunnel ID uniqueness test
  - Version bump to 0.9.8, update CHANGELOG and web changelog
  Made-with: Cursor
* fix: remove brace-expansion override — incompatible with minimatch@3 API
  brace-expansion v5 breaks minimatch@3.1.5 (used by ESLint) which expects the v1.x API. This is an upstream transitive dependency that cannot be overridden without breaking the linter.
  Made-with: Cursor
I4cTime added a commit that referenced this pull request on Apr 9, 2026:

* Add Vitest test suite and Homebrew tap automation (#30)
  - Install vitest, add test/test:ci scripts and vitest.config.ts
  - 125 tests across 17 files covering core modules, CLI, and MCP
  - Add test step to CI workflow
  - Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release
  Made-with: Cursor
* chore: bump version to v0.9.4 (#31)
  Made-with: Cursor
* feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)
* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info
  - Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills, 2 agents, 5 commands, hooks.json, .mcp.json, and README
  - Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
  - Update README.md with Homebrew install option and Cursor Plugin section
  - Add Homebrew tab to web Hero and docs install commands
  - Create CursorPlugin.tsx homepage section component
  - Add Plugin nav link, update Footer version to v0.9.4
  - Add Cursor Plugin step to docs page
  - Remove beforeShellExecution hook (causes circular block with Cursor metadata)
  Made-with: Cursor
* fix: resolve picomatch audit + update changelogs for v0.9.5
  - Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
  - Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
  - Sync web changelog with v0.9.2–v0.9.5 entries
  Made-with: Cursor
* chore: bump version to v0.9.5
  Made-with: Cursor
* fix: resolve double-escaping vulnerability and picomatch alerts (#35)
  - Single-pass regex replacer in parseDotenv() prevents double-unescape of backslash sequences (CodeQL js/double-escaping alert #14)
  - Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
  - Remove stale package-lock.json + add to .gitignore (Dependabot #2)
  - Add 8 parseDotenv unit tests covering escape edge cases
  Made-with: Cursor
* chore: bump version to v0.9.6
  Made-with: Cursor
* fix: nav anchor links now route back to homepage from /docs and /changelog (#37)
  Replace plain <a> tags with Next.js <Link> for all nav items so /#hash links perform client-side navigation to / before scrolling to the target section, instead of looking for anchors on the current page.
  Made-with: Cursor
* chore: bump version to v0.9.7
  Made-with: Cursor
* OWASP Full Remediation — v0.9.8 Security Release (#39)
* security: OWASP full remediation for v0.9.8
  - Extract SSRF guard into shared src/core/ssrf.ts, apply to validate.ts and provision.ts
  - Fix shell injection in hooks.ts: spawn("pgrep") replaces exec("pgrep -f ...")
  - Fix dashboard XSS: escape e.action in renderAudit
  - Enforce checkKeyReadPolicy on listSecrets, exportSecrets, hasSecret, deleteSecret, getEnvelope
  - Replace Math.random with crypto.randomBytes for tunnel IDs
  - Store memory encryption key in OS keyring with legacy migration/fallback
  - Escape regex metacharacters in glob-to-regex (server.ts, hooks.ts)
  - Use word-boundary regex for exec profile denyCommands
  - Add path-to-regexp and brace-expansion pnpm overrides
  - Add CSP meta tag to web layout
  - Add SSRF test suite (12 tests) and tunnel ID uniqueness test
  - Version bump to 0.9.8, update CHANGELOG and web changelog
  Made-with: Cursor
* fix: remove brace-expansion override — incompatible with minimatch@3 API
  brace-expansion v5 breaks minimatch@3.1.5 (used by ESLint) which expects the v1.x API. This is an upstream transitive dependency that cannot be overridden without breaking the linter.
  Made-with: Cursor
* security: fix hono, @hono/node-server, and vite vulnerabilities (#41)
  Add pnpm overrides to resolve 9 Dependabot alerts:
  - hono >=4.12.12 (5 medium: cookie bypass, IP matching, serveStatic traversal, toSSG path traversal)
  - @hono/node-server >=1.19.13 (1 medium: serveStatic bypass)
  - vite >=8.0.5 (2 high: fs.deny bypass, WebSocket file read; 1 medium: optimized deps .map traversal)
  All are transitive dependencies (hono via @modelcontextprotocol/sdk, vite via vitest). Fresh lockfile regenerated.
  Made-with: Cursor
* chore: bump version to v0.9.9 (#42)
  Security patch release — hono, @hono/node-server, and vite pnpm overrides to resolve 9 Dependabot alerts.
  Made-with: Cursor
Security Fixes

CodeQL — js/double-escaping (High, Alert #14)
- src/core/import.ts:49-53: `.replace()` calls processed `\\` after `\n`/`\r`/`\t`, causing double-unescape on inputs like `\\n`

Dependabot — picomatch
- Removed package-lock.json (project uses pnpm) + added to .gitignore
- Added pnpm.overrides to web/package.json → picomatch 4.0.4

Tests
- 8 parseDotenv unit tests covering escape edge cases (133 total, all passing)
- pnpm audit — 0 vulnerabilities (root + web)

Made with Cursor
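The double-unescape the PR body describes, shown side by side with the single-pass fix. This is an added example, not the project's src/core/import.ts: the escape table, the minimal parseDotenv, and the sample .env text are constructed for the demonstration, and the function names are the example's own.

```typescript
// Added example (not the project's code): why chained .replace() calls
// double-unescape dotenv values, and the single-pass replacer that fixes it.
// The escape table and the minimal parseDotenv are assumptions for the demo.

// Escape sequences a double-quoted dotenv value may contain (assumed set).
const ESCAPES = new Map<string, string>([
  ["n", "\n"],
  ["r", "\r"],
  ["t", "\t"],
  ["\\", "\\"],
  ['"', '"'],
]);

// Bug shape: every .replace() rescans the output of the previous one, and
// "\\" is handled last. For the input \\n (backslash, backslash, n) the
// first call already consumes the second backslash together with the n,
// yielding backslash + newline instead of the two literal characters \n.
// Moving the "\\" call first does not help either: \\n then becomes \n on
// the first pass and a real newline on the next, so no ordering is correct.
function unescapeChained(value: string): string {
  return value
    .replace(/\\n/g, "\n")
    .replace(/\\r/g, "\r")
    .replace(/\\t/g, "\t")
    .replace(/\\\\/g, "\\");
}

// Fix: one regex, one replacer callback. Each backslash sequence in the
// input is consumed exactly once, left to right, so nothing produced by a
// replacement is ever re-interpreted. Unknown escapes are kept verbatim.
function unescapeSinglePass(value: string): string {
  return value.replace(/\\(.)/g, (match, ch: string) => ESCAPES.get(ch) ?? match);
}

// Minimal dotenv parser (assumed shape): KEY=value per line, # comments,
// double-quoted values are unescaped, single-quoted values are literal,
// unquoted values lose a trailing " # comment".
function parseDotenv(src: string): Record<string, string> {
  // Null-prototype object so a key such as __proto__ cannot pollute Object.
  const out: Record<string, string> = Object.create(null);
  for (const raw of src.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq < 1) continue;
    const key = line.slice(0, eq).replace(/^export\s+/, "").trim();
    let value = line.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = unescapeSinglePass(value.slice(1, -1));
    } else if (value.length >= 2 && value.startsWith("'") && value.endsWith("'")) {
      value = value.slice(1, -1);
    } else {
      value = value.replace(/\s+#.*$/, "");
    }
    out[key] = value;
  }
  return out;
}

// Constructed sample .env text (not from the project). Backslashes are
// doubled only because this is a TypeScript string literal; the file itself
// would read  WIN_PATH="C:\\new\\tmp"  and  LIT='raw\n'.
const SAMPLE_ENV = [
  "# constructed sample",
  'MULTI="line1\\nline2"',
  "LIT='raw\\n'",
  "PLAIN=value # trailing comment",
  'WIN_PATH="C:\\\\new\\\\tmp"',
].join("\n");

// Stand-alone demo: chained gives backslash + newline, single-pass gives
// the two literal characters backslash, n.
console.log(JSON.stringify(unescapeChained("\\\\n")));
console.log(JSON.stringify(unescapeSinglePass("\\\\n")));
console.log(parseDotenv(SAMPLE_ENV));
```

The regex `/\\(.)/g` is the whole fix: because the match always starts at a backslash and advances past the character it consumed, a backslash produced by a replacement can never be matched again, which is exactly what a sequence of independent `.replace()` calls cannot guarantee. The `WIN_PATH` line is the case that bites in practice: a Windows path with `\\n` and `\\t` in it comes out of the chained version with a newline and a tab inside the path.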