@claude-flow/cli 3.7.0-alpha.79 → 3.7.0-alpha.80

@@ -19,7 +19,7 @@
19
19
  * ./github-safe.js pr create --title "Title" --body "Complex body"
20
20
  */
21
21
 
22
- import { execSync } from 'child_process';
22
+ import { execSync, execFileSync } from 'child_process';
23
23
  import { writeFileSync, unlinkSync } from 'fs';
24
24
  import { tmpdir } from 'os';
25
25
  import { join } from 'path';
@@ -111,10 +111,12 @@ if ((command === 'issue' || command === 'pr') &&
111
111
  process.exit(0);
112
112
  }
113
113
 
114
- const ghCommand = `gh ${command} ${subcommand} ${newArgs.join(' ')}`;
115
- console.log(`Executing: ${ghCommand}`);
114
+ const ghArgv = [command, subcommand, ...newArgs];
115
+ console.log(`Executing: gh ${ghArgv.join(' ')}`);
116
116
 
117
- execSync(ghCommand, {
117
+ // Use execFileSync to avoid shell interpolation — args are passed as an
118
+ // array so shell metacharacters in tmpFile path cannot be exploited.
119
+ execFileSync('gh', ghArgv, {
118
120
  stdio: 'inherit',
119
121
  timeout: 30000,
120
122
  });
@@ -127,13 +129,13 @@ if ((command === 'issue' || command === 'pr') &&
127
129
  try { unlinkSync(tmpFile); } catch (_) { /* ignore cleanup errors */ }
128
130
  }
129
131
  } else {
130
- // No body content — execute normally (no injection risk).
132
+ // No body content — execute normally (no injection risk for args).
131
133
  if (process.env.GITHUB_SAFE_DRY_RUN === '1') {
132
134
  console.log(`[DRY-RUN] gh ${args.join(' ')}`);
133
135
  process.exit(0);
134
136
  }
135
137
  try {
136
- execSync(`gh ${args.join(' ')}`, { stdio: 'inherit' });
138
+ execFileSync('gh', args, { stdio: 'inherit' });
137
139
  } catch (error) {
138
140
  console.error('[ERROR]', error.message);
139
141
  process.exit(1);
@@ -146,7 +148,7 @@ if ((command === 'issue' || command === 'pr') &&
146
148
  process.exit(0);
147
149
  }
148
150
  try {
149
- execSync(`gh ${args.join(' ')}`, { stdio: 'inherit' });
151
+ execFileSync('gh', args, { stdio: 'inherit' });
150
152
  } catch (error) {
151
153
  console.error('[ERROR]', error.message);
152
154
  process.exit(1);
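Review bot: The comment added above `execFileSync('gh', ghArgv, {` (new lines 117–118) credits the fix only to the tmpFile path, but every element of `newArgs` (for example the `--title` value shown in the usage header) was also interpolated into the old shell string, so the comment understates what the array form protects. I would reword it to `// execFileSync hands argv straight to gh with no shell, so no element of ghArgv (not only tmpFile) is parsed for metacharacters.` The `Executing:` line at new line 115 still joins argv with spaces, which hides argument boundaries from anyone reading the log; `JSON.stringify(ghArgv)` would keep them visible. The two fall-through calls at new lines 138 and 151 run without the `timeout: 30000` used on this path, which may be deliberate for interactive subcommands but deserves a one-line comment saying so. The enclosing `if` block starts outside these hunks.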
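--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@claude-flow/cli",
- "version": "3.7.0-alpha.79",
+ "version": "3.7.0-alpha.80",
  "type": "module",
  "description": "Ruflo CLI - Enterprise AI agent orchestration with 60+ specialized agents, swarm coordination, MCP server, self-learning hooks, and vector memory for Claude Code",
  "main": "dist/src/index.js",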