zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-06-26 18:11:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(security): discord bot SSRF/log-injection/DoS hardening + bump markdown-it/js-yaml

Browse Source 
- ecc-bot.mjs: validate interaction id (snowflake) and token before building the
  callback fetch URL (clears CodeQL js/request-forgery #239/#240/#241); clamp the
  remote heartbeat_interval to [1s,10m] (js/resource-exhaustion #242); strip CR/LF
  from log args (js/log-injection #246).
- Bump transitive dev deps via overrides/resolutions to patch quadratic-complexity
  DoS: markdown-it >=14.2.0 (Dependabot #45/#46), js-yaml >=4.2.0 (#42/#43).
  Both lockfiles regenerated; npm reports 0 vulnerabilities.
This commit is contained in:
Affaan Mustafa
2026-06-18 19:50:15 -04:00
parent a03d63cba0
commit 5e4f5533d7
4 changed files with 161 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files
package.json
+8
View File
@@ -374,5 +374,13 @@
"engines": {
"node": ">=18"
},
"overrides": {
"markdown-it": ">=14.2.0",
"js-yaml": ">=4.2.0"
},
"resolutions": {
"markdown-it": ">=14.2.0",
"js-yaml": ">=4.2.0"
},
"packageManager": "yarn@4.9.2+sha512.1fc009bc09d13cfd0e19efa44cbfc2b9cf6ca61482725eb35bbc5e257e093ebf4130db6dfe15d604ff4b79efd8e1e8e99b25fa7d0a6197c9f9826358d4d65c3c"
}