@checkstack/backend-api 0.15.2 → 0.15.3

package/CHANGELOG.md

@@ -1,5 +1,50 @@
 # @checkstack/backend-api
 
+## 0.15.3
+
+### Patch Changes
+
+- 1909a61: Address open CodeQL code-scanning findings:
+
+  - **`@checkstack/ui` (`LinksEditor`)**: validate URL scheme on render and on
+    add; only `http:` / `https:` URLs are accepted, defeating stored XSS via
+    `javascript:` / `data:` schemes in user-supplied hotlinks
+    (`js/xss-through-dom`).
+  - **`@checkstack/backend-api` (`markdownToPlainText`)**: decode HTML entities
+    before stripping tags, then strip tags in a loop until the output
+    stabilizes. Decoding `&` last avoids reintroducing tag delimiters
+    via `<` round-trips (`js/double-escaping`,
+    `js/incomplete-multi-character-sanitization`).
+  - **`@checkstack/backend` (`createScopedWsRegistry`)**: drop the
+    identity-replacement on the path suffix; the leading-slash invariant
+    is documented on `WebSocketRouteRegistry` (`js/identity-replacement`).
+
+- b33fb4d: Refresh `bun.lock` to clear MEDIUM-severity Trivy advisories on transitive
+  runtime dependencies. No public API change — bumping every workspace
+  package that lists `@orpc/server` as a direct dep so consumers re-resolve
+  the optional `ws` peer to the patched release on their next install.
+
+  - `ws` `8.20.0` → `8.20.1` (CVE-2026-45736). Pulled into the install tree
+    as `@orpc/server`'s optional WebSocket peer; Bun auto-installs it into
+    every backend package that depends on `@orpc/server`, so a stale 8.20.0
+    ships in the consumer's `node_modules` until the parent package
+    re-resolves.
+  - `brace-expansion` `5.0.5` → `5.0.6` (CVE-2026-45149). Pulled in only
+    through dev tooling (`minimatch@10` via `@typescript-eslint` and
+    `storybook`'s `glob@13`), so it does not ship to consumers and no
+    workspace `package.json` lists it; the lockfile bump alone clears the
+    finding for the Docker image and the local dev tree. No version bump
+    is attributed to this advisory.
+
+  The fix lives entirely in `bun.lock` — no `package.json`, `overrides`, or
+  `resolutions` change is needed because both parent ranges (`minimatch@10
+→ brace-expansion@^5.0.5`, `@orpc/server / storybook / happy-dom →
+ws@>=8.18.x`) already accept the patched releases, and `bun install`
+  keeps the resolved versions sticky after the initial `bun update`.
+
+  - @checkstack/cache-api@0.3.2
+  - @checkstack/queue-api@0.3.2
+
 ## 0.15.2
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/backend-api",
-  "version": "0.15.2",
+  "version": "0.15.3",
   "license": "Elastic-2.0",
   "type": "module",
   "main": "./src/index.ts",
@@ -10,11 +10,11 @@
     "lint:code": "eslint . --max-warnings 0"
   },
   "dependencies": {
-    "@checkstack/common": "0.9.0",
-    "@checkstack/healthcheck-common": "1.0.2",
-    "@checkstack/cache-api": "0.3.0",
-    "@checkstack/queue-api": "0.3.0",
-    "@checkstack/signal-common": "0.2.2",
+    "@checkstack/common": "0.10.0",
+    "@checkstack/healthcheck-common": "1.1.0",
+    "@checkstack/cache-api": "0.3.1",
+    "@checkstack/queue-api": "0.3.1",
+    "@checkstack/signal-common": "0.2.3",
     "@orpc/client": "^1.13.14",
     "@orpc/contract": "^1.13.14",
     "@orpc/openapi": "^1.13.2",
@@ -28,7 +28,7 @@
   "devDependencies": {
     "@types/bun": "latest",
     "@checkstack/tsconfig": "0.0.7",
-    "@checkstack/scripts": "0.3.1"
+    "@checkstack/scripts": "0.3.2"
   },
   "peerDependencies": {
     "hono": "^4.12.14",

package/src/markdown.test.ts

@@ -76,6 +76,21 @@ describe("markdownToPlainText", () => {
     const result = markdownToPlainText("A & B");
     expect(result).toBe("A & B");
   });
+
+  it("does not double-unescape < back into a tag delimiter", () => {
+    // Without ordering the &amp; decode last, `&amp;lt;` would become `<`
+    // after entity decoding, reintroducing a control character.
+    const result = markdownToPlainText("A &amp;lt; B");
+    expect(result).toBe("A &lt; B");
+  });
+
+  it("strips nested tag attempts in raw HTML", () => {
+    // marked passes raw HTML through; the tag stripper must loop until
+    // stable so nested constructs cannot leak through.
+    const result = markdownToPlainText("<<script>script>alert(1)</script>");
+    expect(result).not.toContain("<script");
+    expect(result).not.toContain("</script");
+  });
 });
 
 describe("markdownToSlackMrkdwn", () => {

package/src/markdown.ts

@@ -47,17 +47,26 @@ export function markdownToPlainText(markdown: string): string {
   // Convert to HTML first, then strip tags
   const html = markdownToHtml(markdown);
 
-  // Strip HTML tags
-  let text = html.replaceAll(/<[^>]*>/g, "");
-
-  // Decode common HTML entities
-  text = text
-    .replaceAll("&amp;", "&")
+  // Decode HTML entities FIRST so any escaped markup like `&lt;script&gt;`
+  // is exposed to the tag stripper in the next pass. `&amp;` must be
+  // decoded last; otherwise `&amp;lt;` would round-trip to `<` and
+  // reintroduce a control character (CodeQL js/double-escaping).
+  let text = html
     .replaceAll("&lt;", "<")
     .replaceAll("&gt;", ">")
     .replaceAll("&quot;", '"')
     .replaceAll("&#39;", "'")
-    .replaceAll("&nbsp;", " ");
+    .replaceAll("&nbsp;", " ")
+    .replaceAll("&amp;", "&");
+
+  // Strip HTML tags. Loop until the output stabilizes so adversarial inputs
+  // like `<scr<script>ipt>` cannot leave a residual `<script>` substring
+  // after a single pass (CodeQL js/incomplete-multi-character-sanitization).
+  let previous: string;
+  do {
+    previous = text;
+    text = text.replaceAll(/<[^>]*>/g, "");
+  } while (text !== previous);
 
   // Collapse multiple whitespace/newlines
   text = text.replaceAll(/\n\s*\n/g, "\n").trim();