Skip to content

v0.9.74 -- Security Hardening

Choose a tag to compare

@yasserstudio yasserstudio released this 15 May 20:56

What's Changed

Security audit and hardening release. 16 findings addressed across the full stack.

  • Plugins are now verified before loading -- untrusted plugins can no longer execute code during discovery
  • Resumable uploads validate the session URI origin to prevent server-side request forgery
  • All API path parameters are URL-encoded to prevent path injection
  • Sensitive values (purchase tokens, proxy credentials, service account paths) are redacted from all error output, diagnostic commands, and webhook payloads
  • --dry-run now respected by image upload and image delete
  • Vitals gate checks crash/ANR thresholds before increasing rollout, not after
  • CSV review exports are hardened against spreadsheet formula injection
  • AI changelog generation is hardened against prompt injection via commit messages
  • Rate limiter race condition under concurrent requests fixed
  • deepsec scanning added to CI pipeline
  • Dependency install scripts restricted to turbo and esbuild only
  • Lockfile integrity verification on install
  • GitHub Actions template scopes secrets to individual steps

Install/Upgrade

```
npm install -g @gpc-cli/cli
```

Full Changelog: v0.9.73...v0.9.74