v0.9.74 -- Security Hardening
What's Changed
Security audit and hardening release. 16 findings addressed across the full stack.
- Plugins are now verified before loading -- untrusted plugins can no longer execute code during discovery
- Resumable uploads validate the session URI origin to prevent server-side request forgery
- All API path parameters are URL-encoded to prevent path injection
- Sensitive values (purchase tokens, proxy credentials, service account paths) are redacted from all error output, diagnostic commands, and webhook payloads
--dry-runnow respected by image upload and image delete- Vitals gate checks crash/ANR thresholds before increasing rollout, not after
- CSV review exports are hardened against spreadsheet formula injection
- AI changelog generation is hardened against prompt injection via commit messages
- Rate limiter race condition under concurrent requests fixed
- deepsec scanning added to CI pipeline
- Dependency install scripts restricted to turbo and esbuild only
- Lockfile integrity verification on install
- GitHub Actions template scopes secrets to individual steps
Install/Upgrade
```
npm install -g @gpc-cli/cli
```
Full Changelog: v0.9.73...v0.9.74