
Release v0.9.8 #40

Merged: I4cTime merged 13 commits into main from develop, Mar 28, 2026

Conversation

@I4cTime (Owner) commented Mar 28, 2026

Release v0.9.8 — OWASP Security Remediation

Comprehensive OWASP vulnerability remediation addressing 11 security findings from SCA, SAST, and web security scans.

Security Fixes

  • SSRF protection — shared guard in src/core/ssrf.ts applied to validate.ts and provision.ts
  • Shell injection — pgrep uses spawn() with argument array instead of exec()
  • Dashboard XSS — audit action field escaped in renderAudit
  • MCP policy bypass — all keyring read operations enforce checkKeyReadPolicy for MCP source
  • Tunnel ID crypto — CSPRNG via crypto.randomBytes() replaces Math.random()
  • Memory key hardening — AES key stored in OS keyring with legacy migration/fallback
  • Glob-to-regex escaping — metacharacters escaped in pattern conversion
  • Exec profile — word-boundary regex for denyCommands
  • Dependency override — path-to-regexp >=8.4.0
  • CSP meta tag — defense-in-depth for GitHub Pages

Version Confirmation

  • package.json: 0.9.8
  • server.json: 0.9.8

Tests

  • 150 tests pass across 19 files
  • All 4 CI checks green (build, check, CodeQL, analyze)

Squash-merge recommended.

Made with Cursor
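Two of the fixes listed in the description, escaping regex metacharacters during glob-to-regex conversion and matching exec-profile denyCommands on word boundaries, are illustrated by the following added TypeScript example. It is not code from this PR or from the I4cTime repository: the function names (escapeRegex, globToRegex, buildDenyMatcher, substringDeny), the glob dialect, the sample patterns and command lines are all assumptions made for the illustration, and the substring check is included only as an assumed weaker baseline for contrast, not as the project's previous implementation.

```typescript
// Added example, not the project's code. Names, glob dialect and sample inputs are assumptions.

/** Escape every character that has a special meaning in a JavaScript regex. */
export function escapeRegex(literal: string): string {
  return literal.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");
}

/**
 * Convert a simple glob into an anchored RegExp.
 *   "*"  -> any run of characters except "/"
 *   "**" -> any run of characters including "/"
 *   "?"  -> exactly one character except "/"
 * Everything else is a literal. With escapeLiterals=false the literal characters are
 * pasted into the regex unescaped, which is the class of bug the PR describes: a "."
 * in the glob then matches any character, "(" opens a capture group, and an
 * unbalanced "[" makes the RegExp constructor throw.
 */
export function globToRegex(glob: string, escapeLiterals = true): RegExp {
  let out = "";
  for (let i = 0; i < glob.length; i++) {
    const c = glob.charAt(i);
    if (c === "*") {
      if (glob.charAt(i + 1) === "*") {
        out += ".*";
        i++; // consume the second "*"
      } else {
        out += "[^/]*";
      }
    } else if (c === "?") {
      out += "[^/]";
    } else {
      out += escapeLiterals ? escapeRegex(c) : c;
    }
  }
  return new RegExp(`^${out}$`);
}

/**
 * Build a matcher for an exec-profile deny list. Each entry is escaped and wrapped in
 * \b word boundaries, so "rm" blocks "rm -rf x" but not "rmdir x" or "format disk".
 * Returns the deny entry that matched, or null when the command line is allowed.
 */
export function buildDenyMatcher(denyCommands: string[]): (cmdline: string) => string | null {
  const rules = denyCommands.map((cmd) => ({
    cmd,
    re: new RegExp(`\\b${escapeRegex(cmd)}\\b`),
  }));
  return (cmdline: string) => {
    const hit = rules.find((r) => r.re.test(cmdline));
    return hit ? hit.cmd : null;
  };
}

/** Assumed weaker baseline for contrast: plain substring containment, which over-blocks. */
export function substringDeny(denyCommands: string[], cmdline: string): string | null {
  const hit = denyCommands.find((cmd) => cmdline.includes(cmd));
  return hit ?? null;
}

/** Stand-alone demonstration on constructed inputs; returns the observations it prints. */
export function demo(): Record<string, boolean | string | null> {
  const deny = buildDenyMatcher(["rm", "git push --force"]);
  const result = {
    unescapedDotMatchesDash: globToRegex("*.env", false).test("secrets-env"), // true: "." is a wildcard
    escapedDotMatchesDash: globToRegex("*.env").test("secrets-env"),          // false: "." is literal
    escapedParensLiteral: globToRegex("config(1).json").test("config(1).json"), // true
    wordBoundaryRm: deny("rm -rf /tmp/x"),       // "rm"
    wordBoundaryRmdir: deny("rmdir build"),      // null: not a whole word
    substringFormat: substringDeny(["rm"], "format disk"), // "rm": false positive
  };
  console.log(JSON.stringify(result, null, 2));
  return result;
}
```

The `\b` wrapping assumes each deny entry starts and ends with a word character (letters, digits, underscore), which holds for entries such as "rm" or "git push --force"; an entry ending in punctuation would need an explicit lookahead for whitespace or end-of-line instead, since `\b` between two non-word characters never matches.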

I4cTime added 13 commits March 25, 2026 20:09
- Install vitest, add test/test:ci scripts and vitest.config.ts
- 125 tests across 17 files covering core modules, CLI, and MCP
- Add test step to CI workflow
- Create update-homebrew.yml to auto-update I4cTime/homebrew-tap on release

Made-with: Cursor

* feat: add Cursor marketplace plugin and update README/web with Homebrew + plugin info

- Create cursor-plugin/ with plugin.json manifest, 3 rules, 4 skills,
  2 agents, 5 commands, hooks.json, .mcp.json, and README
- Add .cursor-plugin/marketplace.json at repo root for monorepo discovery
- Update README.md with Homebrew install option and Cursor Plugin section
- Add Homebrew tab to web Hero and docs install commands
- Create CursorPlugin.tsx homepage section component
- Add Plugin nav link, update Footer version to v0.9.4
- Add Cursor Plugin step to docs page
- Remove beforeShellExecution hook (causes circular block with Cursor metadata)

Made-with: Cursor

* fix: resolve picomatch audit + update changelogs for v0.9.5

- Add pnpm override for picomatch >=4.0.4 (ReDoS + method injection)
- Add v0.9.5 entry to CHANGELOG.md (Cursor plugin, Homebrew docs, audit fix)
- Sync web changelog with v0.9.2–v0.9.5 entries

Made-with: Cursor

- Single-pass regex replacer in parseDotenv() prevents double-unescape
  of backslash sequences (CodeQL js/double-escaping alert #14)
- Add picomatch >=4.0.4 override to web/package.json (Dependabot #3, #5)
- Remove stale package-lock.json + add to .gitignore (Dependabot #2)
- Add 8 parseDotenv unit tests covering escape edge cases

Made-with: Cursor

…gelog (#37)

Replace plain <a> tags with Next.js <Link> for all nav items so /#hash
links perform client-side navigation to / before scrolling to the target
section, instead of looking for anchors on the current page.

Made-with: Cursor
* security: OWASP full remediation for v0.9.8

- Extract SSRF guard into shared src/core/ssrf.ts, apply to validate.ts and provision.ts
- Fix shell injection in hooks.ts: spawn("pgrep") replaces exec("pgrep -f ...")
- Fix dashboard XSS: escape e.action in renderAudit
- Enforce checkKeyReadPolicy on listSecrets, exportSecrets, hasSecret, deleteSecret, getEnvelope
- Replace Math.random with crypto.randomBytes for tunnel IDs
- Store memory encryption key in OS keyring with legacy migration/fallback
- Escape regex metacharacters in glob-to-regex (server.ts, hooks.ts)
- Use word-boundary regex for exec profile denyCommands
- Add path-to-regexp and brace-expansion pnpm overrides
- Add CSP meta tag to web layout
- Add SSRF test suite (12 tests) and tunnel ID uniqueness test
- Version bump to 0.9.8, update CHANGELOG and web changelog

Made-with: Cursor

* fix: remove brace-expansion override — incompatible with minimatch@3 API

brace-expansion v5 breaks minimatch@3.1.5 (used by ESLint) which expects
the v1.x API. This is an upstream transitive dependency that cannot be
overridden without breaking the linter.

Made-with: Cursor
@I4cTime I4cTime merged commit df1377b into main Mar 28, 2026
7 checks passed