cimisy@2.0.1
Patch Changes
-
0698df8: Security hardening pass: fixes a TOCTOU race in the local storage adapter, closes a media-upload gap, adds login rate limiting, and enforces a minimum session-secret length.
Breaking for existing deployments — action required before upgrading:
githubSource({ sessionSecret })now throwsWEAK_SESSION_SECRETat construction time ifsessionSecretis shorter than 32 characters (or missing). This is the key that signs the admin session cookie — a short one is brute-forceable. Generate a proper one withopenssl rand -base64 32and update your deployment'sCIMISY_SESSION_SECRET(or equivalent) before upgrading, or the app will fail to start.Other fixes:
- TOCTOU race in
LocalStorageAdapter.list()(CodeQL CWE-367): replaced thestat()-then-readFile()pattern, where a file could change or disappear between the two calls, with a directreadFile()per entry that skipsENOENT/EISDIR— the same check-free idiom already used byread(). - Unvalidated
targetKeyon media upload:POST /api/cimisy/medianow 404s iftargetKeydoesn't match a declared collection or singleton, closing a gap where a writer could mint draft branches/PRs for content keys that don't exist in config. /auth/loginnow rate-limited, the same IP-keyed limiter already applied to/auth/callback.- Dev/example dependency bumps clearing ~60 Dependabot alerts (none were in the package's published runtime dependencies):
nextto^15.5.16,vitestto^3.2.6, pluspostcss/esbuild/vitepinned viapnpm.overrideswhere transitive resolution still lagged. Thenextpeer range is unchanged (>=14.0.0). The two example apps' route handlers and internal library types were updated for Next 15's Promise-based routeparams, and a couple of internal nav links were switched tonext/linkto satisfyeslint-config-next'sno-html-link-for-pagesrule.
- TOCTOU race in