Skip to content

Release v0.9.6 #36

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
I4cTime merged 8 commits into from
Mar 26, 2026
Merged

Release v0.9.6 #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
83e3521
Add Vitest test suite and Homebrew tap automation (#30)
I4cTime Mar 25, 2026
36d0bf3
chore: bump version to v0.9.4 (#31)
I4cTime Mar 25, 2026
f1ed4c3
Merge remote-tracking branch 'origin/main' into develop
I4cTime Mar 25, 2026
d740e1d
feat: Cursor marketplace plugin + Homebrew/plugin docs (#33)
I4cTime Mar 26, 2026
1d1d34f
chore: bump version to v0.9.5
I4cTime Mar 26, 2026
e430f5a
Merge remote-tracking branch 'origin/main' into develop
I4cTime Mar 26, 2026
ea3e3f4
fix: resolve double-escaping vulnerability and picomatch alerts (#35)
I4cTime Mar 26, 2026
35a3347
chore: bump version to v0.9.6
I4cTime Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ dist/
*.key
.DS_Store
*.tsbuildinfo
package-lock.json
.cursor/

# Local-only publishing checklist (not pushed to GitHub)
Expand Down
10 changes: 10 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,16 @@

All notable changes to this project will be documented in this file.

## [0.9.6] — 2026-03-26

### Security
- **Double-escaping fix** — `parseDotenv()` escape-sequence chain replaced with single-pass regex to prevent double-unescape of backslash sequences (CodeQL `js/double-escaping` alert #14, severity: high).
- **picomatch >=4.0.4 (web)** — pnpm override added to `web/package.json` resolving ReDoS (GHSA-c2c7-rcm5-vvqj) and method injection (GHSA-3v7f-55p6-f55p) in web lockfile.
- **Stale `package-lock.json` removed** — eliminated false-positive Dependabot alerts from an unused npm lockfile; added to `.gitignore`.

### Added
- **`parseDotenv` test suite** — 8 unit tests covering escape sequences, double-backslash handling, quoted values, inline comments, and edge cases (133 total tests).

## [0.9.5] — 2026-03-26

### Added
Expand Down
Loading
Loading