v1.5.19
Patch Changes
-
#1115
92bd86cThanks @RhysSullivan! - Google media downloads (Drive file contents, exports, and other binary
endpoints) are now returned as binary responses instead of being decoded as
text, so files come back intact. Emit them withemit(result.data). -
#1115
92bd86cThanks @RhysSullivan! - The CLI now validates that a URL ishttp/httpsbefore handing it to the
operating system's browser opener, and on Windows opens it via
rundll32 url.dll,FileProtocolHandlerinstead ofcmd /c start. This removes a
path where a crafted URL could be interpreted as a shell command.executor loginand the "open in browser" prompts behave the same for normal URLs. -
#1115
92bd86cThanks @RhysSullivan! - Hardened the hosted egress guard. Outbound requests from OAuth token exchanges,
MCP transports, and GraphQL/Google/Microsoft discovery now all route through the
guard, and the guard resolves DNS before connecting so a hostname that points at
a private or loopback address is blocked rather than only literal private IPs.
This tightens SSRF protection for hosted and cloud execution. -
Updated dependencies []:
- @executor-js/sdk@1.5.19
- @executor-js/runtime-quickjs@1.5.19
- @executor-js/local@1.4.4
- @executor-js/api@1.4.39