@alibaba-group/open-code-review 1.1.12 → 1.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2)
  1. package/README.md +10 -0
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -275,6 +275,16 @@ ocr viewer
  ocr viewer --addr :3000
  ```
 
+ ### Viewer security
+
+ The viewer serves session JSONL contents (LLM request messages and responses) over HTTP. It enforces a Host-header allowlist on every request: loopback names (`localhost`, `127.0.0.0/8`, `::1`) and the concrete bind host are always allowed. Wildcard binds (`--addr :3000`, `--addr 0.0.0.0:3000`) and other non-loopback Hostnames must be added via the `OCR_VIEWER_ALLOWED_HOSTS` environment variable (comma-separated):
+
+ ```bash
+ OCR_VIEWER_ALLOWED_HOSTS=review.internal,ocr.lan ocr viewer --addr :3000
+ ```
+
+ This blocks DNS-rebinding attacks against the local viewer.
+
  ## Review Rules
 
  OCR resolves review rules using a four-layer priority chain. Each layer uses first-match-wins: if a file path matches a pattern, that rule is used; otherwise it falls through to the next layer.
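Review bot: the README now promises Host-header enforcement, but the only other file in this diff is package.json, so none of the enforcement code is visible between 1.1.12 and 1.1.14; confirm the check already shipped in 1.1.12 (or lives outside the published tarball) before advertising it, and name that release in the section. Two gaps in the new paragraph: state how the Host value is normalised before it is compared against the allowlist (port suffix, bracketed IPv6 such as `[::1]:3000`, case, trailing dot), since entries like `127.0.0.0/8` and `ocr.lan` read as if the port is ignored, and state what a rejected request receives (a 403 versus a dropped connection) so users can distinguish a rebinding block from a misconfigured `OCR_VIEWER_ALLOWED_HOSTS`. The closing sentence "This blocks DNS-rebinding attacks against the local viewer" also overstates the control: a Host allowlist keeps a browser on the operator's machine from being rebound to the viewer, but once `--addr :3000` is used anyone who can reach the port reads the session JSONL directly, so add a sentence that a wildcard bind still needs network-level access control or an authenticating reverse proxy in front of it, and that adding broad entries to the allowlist weakens the rebinding protection. Minor: `Hostnames` mid-sentence should be `hostnames`.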
package/package.json CHANGED
@@ -1,6 +1,6 @@
  {
  "name": "@alibaba-group/open-code-review",
- "version": "1.1.12",
+ "version": "1.1.14",
  "description": "OpenCodeReview CLI — AI-powered code review tool",
  "bin": {
  "ocr": "bin/ocr.js"
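Review bot: the version jumps from 1.1.12 straight to 1.1.14 with no CHANGELOG or release-notes file among the two files changed, so a user diffing these versions cannot tell whether 1.1.13 carried the viewer behaviour or only this README edit; add a changelog entry (or a line in the new README section) that names the first version in which the `OCR_VIEWER_ALLOWED_HOSTS` check is actually enforced, since a documented but absent security control is worse than an undocumented one.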