v0.1.18 — security hardening

@bart-turczynski bart-turczynski released this 29 May 21:43
· 88 commits to main since this release

Security hardening for the status-line engine and installer.

Security

  • Strip terminal control bytes (ESC/BEL/DEL, C0/C1) from status-line text, so escape sequences in model.display_name, session_name, or effort.level can't reach the terminal.
  • Reject __proto__/constructor/prototype as session_id keys.
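
The two checks above, sketched as an added example (not the project's own code). The field names come from these notes; the function names, the state shape, and the sample input are assumptions.

```javascript
// Added illustration; helper names are hypothetical, not the project's API.

// C0 controls (0x00-0x1F, which includes BEL 0x07 and ESC 0x1B),
// DEL (0x7F), and C1 controls (0x80-0x9F, which includes CSI 0x9B).
const CONTROL_CHARS = /[\u0000-\u001f\u007f-\u009f]/g;

// Remove control characters so no escape sequence survives in the output.
// The printable remainder of a sequence (e.g. "[2J") is inert text.
function stripControl(value) {
  return String(value ?? '').replace(CONTROL_CHARS, '');
}

// Keys that would reach Object.prototype when used on a plain object.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeSessionId(id) {
  return typeof id === 'string' && id.length > 0 && !FORBIDDEN_KEYS.has(id);
}

// Store per-session state only under a safe key; report whether it was stored.
function recordSession(state, sessionId, entry) {
  if (!isSafeSessionId(sessionId)) return false;
  state[sessionId] = { ...entry, ts: Date.now() };
  return true;
}

// Build the status line from untrusted fields, sanitizing each one.
function renderStatusLine(input) {
  return [
    stripControl(input.model?.display_name),
    stripControl(input.session_name),
    stripControl(input.effort?.level),
  ].filter(Boolean).join(' | ');
}

// Constructed sample input: OSC title change, CSI clear-screen, C1 CSI colour.
const sample = {
  session_id: '__proto__',
  model: { display_name: 'Model\x1b]0;title\x07X' },
  session_name: 'dev\x1b[2J',
  effort: { level: 'high\u009b31m' },
};

const state = {};
console.log(JSON.stringify(renderStatusLine(sample)));
console.log(recordSession(state, sample.session_id, { seen: true }));
```
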

Fixed

  • Atomic writes to settings.json and the state file (temp + rename), so an interrupted write can't truncate user config.
  • Quote the node binary path in the plugin auto-update command.

Changed

  • Cap the session-state map at 50 entries (LRU by timestamp).

See CHANGELOG for details. Published to npm via OIDC trusted publishing.