chore: use the extracted stringify-package module #21

Merged: zkat merged 1 commit into npm:release-next from dpogue:stringify-package on Jul 19, 2018

dpogue commented Jul 18, 2018

stringify-package has been extracted into its own module.

Not sure if I should be committing the stringify-package folder under node_modules and adding it to bundledDependencies as well?

dpogue requested a review from a team as a code owner July 18, 2018 18:45

zkat commented Jul 18, 2018

@dpogue In order to add a dependency, you need to:

  1. npm install -B <dep> (-B bundles it)
  2. git add -A node_modules package.json package-lock.json
  3. git commit

We keep all our deps in the repo.

dpogue force-pushed the stringify-package branch from 3df0d1c to 340e34f July 18, 2018 22:34

dpogue commented Jul 18, 2018

Thanks @zkat. Updated to bundle the dependency and now all the CI tests are green :)

zkat left a comment

Nice! Thanks for taking care of that. This lgtm and I think we're gtg!

zkat changed the base branch from latest to release-next July 19, 2018 00:54
zkat merged commit a9ac871 into npm:release-next Jul 19, 2018
dpogue deleted the stringify-package branch July 19, 2018 06:37
koralle pushed a commit to koralle/npm-cli that referenced this pull request Feb 11, 2026
Jah-yee pushed a commit to Jah-yee/cli that referenced this pull request Apr 16, 2026
)

* refactor: replace manual urlencoded() with reqwest .query() builder

Remove duplicate hand-rolled urlencoded() functions from workflows.rs
and calendar.rs. All query parameters are now passed via reqwest's
.query() API, which handles percent-encoding correctly and completely.

* fix: percent-encode path parameters to prevent path traversal

Use percent_encoding::utf8_percent_encode for calendar_id, cal.id,
message_id, and file_id before interpolating into URL path segments.
Addresses code review feedback on security regression.

* fix: add shared URL safety helpers for path params

Add encode_path_segment() for single-segment IDs and
validate_resource_name() for multi-segment resource names.

encode_path_segment: percent-encodes all non-alphanumeric chars,
used for calendar IDs, file IDs, and message IDs.

validate_resource_name: rejects path traversal (..) and control
chars while preserving intentional / structure, used for Chat
space names, task list IDs, and subscription names. Returns clear
error messages for LLM callers.

* test: add AI edge case tests for URL safety helpers

Cover query/fragment injection, double-encoding, unicode, spaces,
path traversal via encoding, control chars (CR/tab), and clear
error message assertions for LLM callers.

* fix: warn on stderr when API calls fail silently

- Daily briefing calendar events fetch
- Daily briefing tasks fetch
- Daily summary calendar events fetch
- Daily summary unread email count fetch

Addresses PR review feedback about confusing silent failures,
especially for LLM callers that cannot see visual cues.

* fix: harden input validation for AI/LLM callers

- Add src/validate.rs with validate_safe_output_dir, validate_msg_format,
  and validate_safe_dir_path helpers
- Validate --output-dir against path traversal in gmail +watch and
  events +subscribe
- Validate --msg-format against allowlist in gmail +watch
- Validate --dir against path traversal in script +push
- Add clap value_parser constraint for --msg-format
- Document input validation patterns in AGENTS.md

Closes npm#23

* chore: add changesets for PR npm#21 commits

* test: add comprehensive test coverage for input validation handlers

* docs: document input validation and URL safety patterns in AGENTS.md and CONTRIBUTING.md

* fix: address PR review comments — reject ?/# in resource names, validate subscription arg, remove redundant validate_msg_format

* fix: store validated PathBuf, remove dead code, delete duplicate SubscribeConfig

Addresses review comments:
- Store validated PathBuf from validate_safe_output_dir instead of
  discarding it (output_dir is now Option<PathBuf>)
- Remove duplicate SubscribeConfig from events/mod.rs
- Delete unused validate_msg_format (clap value_parser handles this)
- Remove all #[allow(dead_code)] annotations

* fix: per-segment traversal check in validate_resource_name, fix docs

* fix: harden security validation and deduplicate logic

---------

Co-authored-by: jpoehnelt-bot <jpoehnelt-bot@users.noreply.github.com>
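
The two URL-safety helpers named in the commit message above, sketched as an added example (not code from that commit or from npm/cli). It uses only the Rust standard library instead of the percent_encoding crate, and its rejection of `%`, `.` and empty segments is an assumption of this sketch, not something the commit message states.

```rust
// Added illustration; not the referenced commit's code. Standard library only.

/// Percent-encode every byte that is not an ASCII letter or digit, so an ID
/// can only ever occupy a single URL path segment ('/', '.', '?', '#' all escape).
fn encode_path_segment(id: &str) -> String {
    let mut out = String::with_capacity(id.len());
    for b in id.bytes() {
        if b.is_ascii_alphanumeric() {
            out.push(b as char);
        } else {
            out.push_str(&format!("%{:02X}", b));
        }
    }
    out
}

/// Validate a multi-segment resource name such as "spaces/AAAA/messages/1".
/// '/' stays as intentional structure; anything that could redirect the request is rejected.
fn validate_resource_name(name: &str) -> Result<&str, String> {
    if let Some(c) = name.chars().find(|c| c.is_control()) {
        return Err(format!("resource name contains control character U+{:04X}", c as u32));
    }
    // '?' and '#' would start a query or fragment; '%' is rejected here as an
    // assumption of this sketch, to stop encoded traversal such as %2e%2e.
    if let Some(c) = name.chars().find(|&c| matches!(c, '?' | '#' | '%')) {
        return Err(format!("resource name must not contain '{}'", c));
    }
    // Per-segment check: "a..b" is a legal segment, ".." is traversal.
    // Rejecting "." and empty segments as well is an assumption of this sketch.
    for seg in name.split('/') {
        if seg.is_empty() || seg == "." || seg == ".." {
            return Err(format!("resource name has an invalid path segment {:?}", seg));
        }
    }
    Ok(name)
}

fn main() {
    // Constructed inputs, not taken from the referenced repository.
    for id in ["primary", "../../admin", "a b?x=1#frag"] {
        println!("{:<24} -> {}", id, encode_path_segment(id));
    }
    for name in ["spaces/AAAA/messages/1", "spaces/../users", "spaces/a?alt=media"] {
        println!("{:<24} -> {:?}", name, validate_resource_name(name));
    }
}
```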