Closed
Closing because I think this does not work right. If I test with my local version of npm with this change included, I get the following output:

```
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
/Users/brodybits/.nvs/node/10.7.0-test1/x64/bin/cordova -> /Users/brodybits/.nvs/node/10.7.0-test1/x64/lib/node_modules/cordova/bin/cordova
+ cordova@7.1.0
added 628 packages from 792 contributors in 70.187s
found 0 vulnerabilities
```

But cordova@7.1.0 (cordova-cli@7.10.0) uses cordova-lib@7.1.0 which has known vulnerabilities in its dependencies. I continue to think that npm should check audit upon
koralle pushed a commit to koralle/npm-cli that referenced this pull request on Feb 11, 2026:

* feat: add optimize command
  Build an optimized Hono class.
* chore: add esbuild to dependencies
* feat(optimize): try to find entry files from default candidates if not specified
* refactor(optimize): sourcemap is not needed
* refactor(optimize): Assign the serialized code to a variable once, even in JavaScript
* chore: add "vitest/globals" to types in tsconfig.json
* test(optimize): add tests
* test(optimize): import vitest explicitly
* feat(optimize): changed specifications to export bundled files.
* Update README.md
* refactor(optimize): Remove unused code
* refactor(optimize): write files directly from `esbuild.build`
* Update README.md
* feat(optimize): add minify option
* feat(optimize): add stat to output
* refactor(optimize): improve output messages
* refactor(optimize): improve output messages
  Co-authored-by: Yusuke Wada <yusuke@kamawada.com>

--------

Co-authored-by: Yusuke Wada <yusuke@kamawada.com>
Jah-yee pushed a commit to Jah-yee/cli that referenced this pull request on Apr 16, 2026:

* refactor: replace manual urlencoded() with reqwest .query() builder
  Remove duplicate hand-rolled urlencoded() functions from workflows.rs and calendar.rs. All query parameters are now passed via reqwest's .query() API, which handles percent-encoding correctly and completely.
* fix: percent-encode path parameters to prevent path traversal
  Use percent_encoding::utf8_percent_encode for calendar_id, cal.id, message_id, and file_id before interpolating into URL path segments. Addresses code review feedback on security regression.
* fix: add shared URL safety helpers for path params
  Add encode_path_segment() for single-segment IDs and validate_resource_name() for multi-segment resource names. encode_path_segment: percent-encodes all non-alphanumeric chars, used for calendar IDs, file IDs, and message IDs. validate_resource_name: rejects path traversal (..) and control chars while preserving intentional / structure, used for Chat space names, task list IDs, and subscription names. Returns clear error messages for LLM callers.
* test: add AI edge case tests for URL safety helpers
  Cover query/fragment injection, double-encoding, unicode, spaces, path traversal via encoding, control chars (CR/tab), and clear error message assertions for LLM callers.
* fix: warn on stderr when API calls fail silently
  - Daily briefing calendar events fetch
  - Daily briefing tasks fetch
  - Daily summary calendar events fetch
  - Daily summary unread email count fetch
  Addresses PR review feedback about confusing silent failures, especially for LLM callers that cannot see visual cues.
* fix: harden input validation for AI/LLM callers
  - Add src/validate.rs with validate_safe_output_dir, validate_msg_format, and validate_safe_dir_path helpers
  - Validate --output-dir against path traversal in gmail +watch and events +subscribe
  - Validate --msg-format against allowlist in gmail +watch
  - Validate --dir against path traversal in script +push
  - Add clap value_parser constraint for --msg-format
  - Document input validation patterns in AGENTS.md
  Closes npm#23
* chore: add changesets for PR npm#21 commits
* test: add comprehensive test coverage for input validation handlers
* docs: document input validation and URL safety patterns in AGENTS.md and CONTRIBUTING.md
* fix: address PR review comments — reject ?/# in resource names, validate subscription arg, remove redundant validate_msg_format
* fix: store validated PathBuf, remove dead code, delete duplicate SubscribeConfig
  Addresses review comments:
  - Store validated PathBuf from validate_safe_output_dir instead of discarding it (output_dir is now Option<PathBuf>)
  - Remove duplicate SubscribeConfig from events/mod.rs
  - Delete unused validate_msg_format (clap value_parser handles this)
  - Remove all #[allow(dead_code)] annotations
* fix: per-segment traversal check in validate_resource_name, fix docs
* fix: harden security validation and deduplicate logic

--------

Co-authored-by: jpoehnelt-bot <jpoehnelt-bot@users.noreply.github.com>
I think `npm i -g` should show if there are any possible security vulnerabilities from the dependencies, if I would do `npm i -g cordova@7` for example. (In comparison: `npm i cordova@7` shows the following message at the end: `found 55 vulnerabilities (4 low, 45 moderate, 6 high)`.) These changes pass Travis CI on my fork. I wonder if this behavior should be covered more deeply?
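The summary line quoted in the description is what npm derives from the per-severity counts in its audit report, and the closing comment shows the case where `npm i -g` prints `found 0 vulnerabilities` for a package whose dependency tree is known to have findings. As an added example, not code from this PR or from npm itself, the Node script below parses the `metadata.vulnerabilities` block of `npm audit --json` output, rebuilds that summary line, and counts findings at or above a chosen severity so a CI job (or a wrapper around a global install) can fail on them instead of trusting the install-time message. The sample report is constructed to match the counts quoted above; the function names and the threshold policy are this example's own.

```javascript
// Added example (not npm's code): gate on the counts in `npm audit --json` output.
// npm 6 and npm 7+ both report per-severity totals under metadata.vulnerabilities;
// the severity names are npm's, everything else here is ours.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Constructed sample shaped like the metadata block of `npm audit --json`,
// matching the summary quoted in the PR description (4 low, 45 moderate, 6 high).
const SAMPLE_REPORT = {
  metadata: {
    vulnerabilities: { info: 0, low: 4, moderate: 45, high: 6, critical: 0 },
  },
};

// Pull the per-severity counts out of a parsed report, defaulting missing keys to 0
// so a report with no vulnerabilities block is treated as "no findings".
function countsFromReport(report) {
  const v = (report && report.metadata && report.metadata.vulnerabilities) || {};
  const counts = {};
  for (const s of SEVERITIES) counts[s] = Number(v[s]) || 0;
  return counts;
}

// Rebuild the one-line summary npm prints after an install or audit.
function summaryLine(counts) {
  const total = SEVERITIES.reduce((n, s) => n + counts[s], 0);
  if (total === 0) return "found 0 vulnerabilities";
  const parts = SEVERITIES.filter((s) => counts[s] > 0).map((s) => `${counts[s]} ${s}`);
  const noun = total === 1 ? "vulnerability" : "vulnerabilities";
  return `found ${total} ${noun} (${parts.join(", ")})`;
}

// Number of findings at or above `threshold` (inclusive); a wrapper exits non-zero when > 0.
function countAtOrAbove(counts, threshold) {
  const idx = SEVERITIES.indexOf(threshold);
  if (idx < 0) throw new Error(`unknown severity: ${threshold}`);
  return SEVERITIES.slice(idx).reduce((n, s) => n + counts[s], 0);
}

// Accept either the raw JSON text from `npm audit --json` or an already-parsed object.
function gate(reportJson, threshold = "high") {
  const report = typeof reportJson === "string" ? JSON.parse(reportJson) : reportJson;
  const counts = countsFromReport(report);
  return { counts, summary: summaryLine(counts), failing: countAtOrAbove(counts, threshold) };
}

// Stand-alone run on the constructed sample; in real use, feed it the captured
// stdout of `npm audit --json` and exit with `result.failing > 0 ? 1 : 0`.
const result = gate(SAMPLE_REPORT, "high");
console.log(result.summary);
console.log(`findings at or above high: ${result.failing}`);
```

For the `-g` case the PR is about, the report to feed this script comes from a scratch project: install the package as a regular dependency in an empty directory (`npm install --package-lock-only <pkg>` followed by `npm audit --json`), since npm's own `--audit-level` exit-code gating applies to `npm audit`, not to the global install path the closing comment shows reporting zero findings.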