mirror of
https://github.com/OpenRouterTeam/spawn.git
synced 2026-04-28 03:49:31 +00:00
15e4715555
status.ts passed server_id from history directly into Hetzner/DO API URLs without calling validateServerIdentifier(). Both delete.ts and connect.ts validate first; status.ts was the only gap. A tampered ~/.spawn/history.json could craft a server_id with path traversal characters (e.g. "../v2/account") causing the Bearer token to be sent to an unintended API endpoint (SSRF via URL path manipulation). Fix: call validateServerIdentifier() after extracting serverId, returning "unknown" gracefully on failure. Agent: code-health Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
26 lines
664 B
JSON
26 lines
664 B
JSON
{
|
|
"name": "@openrouter/spawn",
|
|
"version": "0.15.37",
|
|
"type": "module",
|
|
"bin": {
|
|
"spawn": "cli.js"
|
|
},
|
|
"scripts": {
|
|
"dev": "bun run src/index.ts",
|
|
"build": "bun build src/index.ts --outfile cli.js --target bun --minify --packages bundle",
|
|
"compile": "bun build src/index.ts --compile --outfile spawn",
|
|
"lint": "biome lint src/",
|
|
"test": "bun test",
|
|
"test:watch": "bun test --watch"
|
|
},
|
|
"dependencies": {
|
|
"@clack/prompts": "1.0.0",
|
|
"@openrouter/spawn-shared": "workspace:*",
|
|
"picocolors": "1.1.1",
|
|
"valibot": "1.2.0"
|
|
},
|
|
"devDependencies": {
|
|
"@biomejs/biome": "2.4.3",
|
|
"@types/bun": "1.3.8"
|
|
}
|
|
}
|