
v0.9.3 — Security pass

@TheLeePriest TheLeePriest released this 03 Jun 13:45

Addresses every actionable finding from the v0.9.2 security + privacy review. All 723 tests pass; tsc + biome clean.

Findings closed

  • H1 javascript: URLs in <a href> — new safeHref helper at all 9 emission sites.
  • H2 Trusted-HTML XSS via prompt injection — wizard build-time allowlist on spotlight + tip code fields.
  • M1 Regex-DoS — wizard stress-tests every product regex pre-flight.
  • M2 Markdown link scheme in mdToHtml — covered by H1.
  • M3 Build-time SSRF — fetch-feeds.ts rejects loopback / link-local / RFC1918.
  • L1 escHtml backtick — added; digest mdToHtml restores before parsing.
  • L2 Digest filename slug — digest-save.md rejects .., /, \\, null bytes.
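
For readers who want to see what the H1/M2, M3 and L2 mitigations above amount to in code, here is an added illustration. It is not the project's own code and does not reproduce its `safeHref` or `fetch-feeds.ts`; the function names `safeHref`, `isSafeFetchUrl` and `safeSlug`, the allowlists and the length limit are assumptions for this example. The scheme check leans on the WHATWG `URL` class so that it sees the same normalised scheme a browser would, and the SSRF guard checks literal addresses after the parser has canonicalised forms such as a decimal or hex IPv4 host.

```typescript
// Added illustration for the H1/M2, M3 and L2 items of this release.
// Not the project's code: safeHref, isSafeFetchUrl and safeSlug are assumed names.

// ---- H1 / M2: link scheme allowlist ----------------------------------------
const ALLOWED_LINK_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Returns the href unchanged if it is relative or uses an allowlisted scheme,
// otherwise null so the caller can drop the link. Parsing with URL mirrors the
// browser: leading whitespace, embedded tabs/newlines and mixed-case scheme
// names are normalised before the comparison, so "  JavaScript:" is caught.
function safeHref(raw: string): string | null {
  let parsed: URL;
  try {
    parsed = new URL(raw, "https://relative.invalid/"); // base lets relative paths parse
  } catch {
    return null;
  }
  return ALLOWED_LINK_SCHEMES.has(parsed.protocol) ? raw : null;
}

// ---- M3: build-time SSRF guard ---------------------------------------------
// Dotted quad -> 32-bit integer, or null if the host is not a plain dotted quad.
function ipv4ToInt(host: string): number | null {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip lies inside base/bits.
function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === (((ipv4ToInt(base) as number) & mask) >>> 0);
}

const BLOCKED_V4: Array<[string, number]> = [
  ["127.0.0.0", 8], // loopback
  ["169.254.0.0", 16], // link-local (cloud metadata endpoints sit here)
  ["10.0.0.0", 8], // RFC1918
  ["172.16.0.0", 12], // RFC1918
  ["192.168.0.0", 16], // RFC1918
  ["0.0.0.0", 8], // "this network"; 0.0.0.0 reaches the local host on Linux
];

function isBlockedIpv4(ip: number): boolean {
  return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// IPv6 literal as URL serialises it: lower-case hex, leading zeros dropped, no brackets.
function isBlockedIpv6(h: string): boolean {
  if (h === "::1" || h === "::") return true; // loopback, unspecified
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true; // fe80::/10 link-local
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true; // fc00::/7 unique local
  const mapped = h.match(/^::ffff:(.+)$/); // IPv4-mapped: judge the embedded v4
  if (mapped && mapped[1] !== undefined) {
    const tail = mapped[1];
    let v4 = ipv4ToInt(tail);
    if (v4 === null) {
      const groups = tail.split(":");
      if (groups.length !== 2) return true; // unparseable: fail closed
      v4 = ((parseInt(groups[0] as string, 16) << 16) | parseInt(groups[1] as string, 16)) >>> 0;
    }
    return isBlockedIpv4(v4);
  }
  return false;
}

// Only http(s) feeds, and never a literal loopback / link-local / RFC1918 host.
// The parser canonicalises "2130706433" or "0x7f.1" to "127.0.0.1" first.
// A DNS name that resolves to a private address is not caught here; that needs
// a check on the resolved address inside the fetch layer.
function isSafeFetchUrl(raw: string): boolean {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (host.startsWith("[") && host.endsWith("]")) return !isBlockedIpv6(host.slice(1, -1));
  const v4 = ipv4ToInt(host);
  if (v4 !== null) return !isBlockedIpv4(v4);
  return true; // ordinary DNS name: allowed here, re-check after resolution
}

// ---- L2: digest filename slug ----------------------------------------------
// Reject the explicit bad substrings from the L2 item, then require a tight
// allowlist so the slug can only ever name a file in the intended directory.
function safeSlug(name: string): string | null {
  if (name.length === 0 || name.length > 100) return null; // length cap is an assumption
  for (const bad of ["..", "/", "\\", "\0"]) {
    if (name.includes(bad)) return null;
  }
  return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(name) ? name : null;
}
```

`safeHref` returns the original string rather than `parsed.href` so that relative links survive untouched; `isSafeFetchUrl` deliberately lets plain DNS names through, because the address-space decision for those can only be made once the resolver has answered.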

Dependencies

  • vitest 2.1.4 → 4.1.8. Clears all 5 npm audit advisories (4 moderate + 1 critical). All dev-tooling vulns — never shipped in the .plugin.

Deferred to v0.10

  • Tokenised structure for spotlight code (deeper H2).
  • safe-regex2 static analysis (deeper M1).
  • README paragraph on localStorage storage (informational I1).

See PR #13 for the full diff.