A da07fd4031 fix(security): prevent command injection in sprite uploadFile (#2889) ... Replace shell string interpolation with array-based exec arguments in uploadFileSprite. Previously, remotePath and tempRemote were interpolated into a bash -c string (`mkdir -p $(dirname '${normalizedRemote}') && mv '${tempRemote}' '${normalizedRemote}'`), which is inherently unsafe even with regex validation. Now uses two separate sprite exec calls with paths passed as discrete array arguments after `--`, and computes dirname in TypeScript using node:path/posix instead of shell command substitution. Also fixes the mockBunSpawn test helper to return fresh ReadableStream instances per call, preventing "ReadableStream already used" errors. Fixes #2880 Agent: security-auditor Co-authored-by: B <6723574+louisgv@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>		2026-03-22 18:51:51 -07:00
..
cli	fix(security): prevent command injection in sprite uploadFile (#2889)	2026-03-22 18:51:51 -07:00
shared	feat: enforce CI coverage thresholds + colocate billing guidance (#2811)	2026-03-19 22:52:45 -07:00