v2.4.3

@openwong2kim openwong2kim released this 05 Apr 06:04
· 409 commits to main since this release

Security Hardening

  • Timing-safe token comparison: PipeServer now uses crypto.timingSafeEqual (matches DaemonPipeServer)
  • TCP port file permissions: Set 0o600 to restrict access
  • Prototype pollution defense: Added JSON.parse reviver to McpRegistrar
  • Shell injection prevention: Replaced execSync with execFileSync for PID lookups
  • CSPRNG for CDP port: Use crypto.randomInt() instead of Math.random()
  • Ref parameter sanitization: Validate ref params against ^[a-zA-Z0-9_-]+$ before CSS selector insertion
  • Reproducible release builds: Changed npm install to npm ci in release workflow
  • Lockfile sync: Aligned package-lock.json version with package.json

Full Changelog: v2.4.2...v2.4.3