v1.3.4 — security hardening (XSS invariants + dep audit)
Security
- Restored the
textContent-only invariant documented in THREAT_MODEL.md §C. Two webview callsites that were using static-stringinnerHTML(the empty-state heading atmedia/main.js:186and the pin-button SVG atmedia/main.js:236) now build their DOM viacreateElement/createElementNS. Neither was an exploitable XSS — both strings were literals — but the invariant matters for static analysis and future-proofing. - Documented the markdown-preview rendering surface as new THREAT_MODEL.md §F. The preview pane introduced in 1.3.0 sends
marked.parse(body)intoinnerHTML, which is safe under the existing CSP (script-src 'nonce-X' webview.cspSource;default-src 'none';img-src webview.cspSource data:) — that CSP blocks every JavaScript sink raw markdown HTML could expose (inline<script>,on*handlers,javascript:URIs, remote<img>,<iframe>). Added an inline comment atmedia/main.js:478so future contributors don't add a sanitizer reflexively or weaken the CSP without re-evaluating §F. - Bumped
@typescript-eslint/eslint-pluginand@typescript-eslint/parserfrom ^6.0.0 to ^8.0.0. Resolves all 6 high-severitynpm auditfindings (transitive on@typescript-eslint/typescript-estree). v8 requires ESLint ≥8.57 and Node ≥18.18, both satisfied. - Hardened
.gitignorewith patterns for.env,.env.*,credentials.json,serviceAccountKey*.json,*.pem,*.key. The extension stores no credentials, so this is purely defense-in-depth against accidental check-ins of unrelated files in dev workspaces.
Notes (not changed)
The remaining 5 moderate npm audit findings (@vscode/vsce → @azure/identity → @azure/msal-node → uuid, plus ovsx) are dev-only and never ship in the VSIX. npm audit fix --force would downgrade ovsx from 0.10.11 to 0.9.4, losing features. Accepted risk.