spawn/packages/cli/src
A 0c4dc613b2
fix(security): sanitize control characters in prompt file error messages (#3141)
Reject file paths containing ASCII control characters (ANSI escape
sequences, null bytes, etc.) in validatePromptFilePath() to prevent
terminal injection. Also strip control chars in handlePromptFileError()
as defense-in-depth for error paths before validation.

Fixes #3138

Agent: security-auditor

Co-authored-by: B <6723574+louisgv@users.noreply.github.com>
Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-04-01 20:38:43 +07:00
__tests__ fix(security): sanitize control characters in prompt file error messages (#3141) 2026-04-01 20:38:43 +07:00
aws fix(security): expand $HOME before path validation in downloadFile (#3080) 2026-03-30 19:56:05 +00:00
commands feat: add --beta sandbox for Docker-based local agent sandboxing (#3127) 2026-03-31 17:00:49 -07:00
digitalocean fix(zeroclaw): remove broken zeroclaw agent (repo 404) (#3107) 2026-03-30 15:35:40 -07:00
gcp fix(security): expand $HOME before path validation in downloadFile (#3080) 2026-03-30 19:56:05 +00:00
hetzner fix(security): expand $HOME before path validation in downloadFile (#3080) 2026-03-30 19:56:05 +00:00
local fix(security): validate paths and agent names to prevent traversal/injection (#3139) 2026-04-01 11:28:03 +00:00
shared fix(security): validate script templates before base64 encoding (#3132) 2026-04-01 10:15:20 +07:00
sprite fix(security): expand $HOME before path validation in downloadFile (#3080) 2026-03-30 19:56:05 +00:00
flags.ts fix(cli): add --flat to KNOWN_FLAGS so spawn list --flat works (#3137) 2026-04-01 16:33:45 +07:00
guidance-data.ts refactor: remove dead exports only used within their own files (#2431) 2026-03-10 08:51:15 -04:00
history.ts feat: recursive spawn (--beta recursive) (#2978) 2026-03-25 10:42:09 -07:00
index.ts fix(security): sanitize control characters in prompt file error messages (#3141) 2026-04-01 20:38:43 +07:00
manifest.ts fix: temporarily disable Cursor CLI agent (#3055) 2026-03-27 02:08:04 -07:00
picker.ts refactor: remove dead exported types from picker.ts and spawn-config.ts (#2553) 2026-03-12 21:43:05 -04:00
security.ts fix(security): sanitize control characters in prompt file error messages (#3141) 2026-04-01 20:38:43 +07:00
unicode-detect.ts feat: Bun workspace monorepo — packages/cli + packages/shared (#1853) 2026-02-23 22:07:05 -08:00
update-check.ts fix(update-check): redirect install script stdout to stderr in --output json mode (#2919) 2026-03-24 03:18:50 +07:00