@codewithdan/zingit 0.16.0 → 0.16.1

package/CHANGELOG.md

@@ -0,0 +1,26 @@
+# Changelog
+
+All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+
+### [0.16.1](https://github.com/danwahlin/zingit/compare/v0.16.0...v0.16.1) (2026-01-29)
+
+
+### Features
+
+* integrate standard-version for versioning and changelog management ([69c9f4e](https://github.com/danwahlin/zingit/commit/69c9f4ee5a025d845c4ea6bfb9185c8cee306a2f))
+
+## [0.16.0](https://github.com/danwahlin/zingit/compare/v0.15.0...v0.16.0) (2026-01-28)
+
+### Bug Fixes
+
+* **security**: Fix command injection vulnerability in git operations ([server/src/services/git-manager.ts](server/src/services/git-manager.ts))
+  * Replaced `execAsync` with `execFileAsync` using array arguments to prevent shell injection
+  * Affected commands: git diff, git reset --hard
+* **security**: Fix XSS vulnerability in agent response rendering ([client/src/components/agent-response-panel.ts](client/src/components/agent-response-panel.ts))
+  * Implemented safe Lit templating instead of `.innerHTML`
+  * All user content is now automatically HTML-escaped by Lit's template system
+  * Markdown formatting (bold, italic, code) preserved while preventing script injection
+
+### Features
+
+* Add 'prompts' keyword to package.json for improved discoverability

package/client/dist/zingit-client.js

@@ -1442,7 +1442,7 @@
             <div class="spinner"></div>
             <div>Waiting for response${A}...</div>
           </div>
-        `}return $`<div class="text-block" style="color: #6b7280;">Add annotations or type a message below to get started.</div>`}return this._parseContent(this.content).map(A=>"code"===A.type?$`<div class="code-block">${A.content}</div>`:this._renderTextAsSteps(A.content))}_renderTextAsSteps(A){const e=A.split(/(?<=\.)\s+(?=[A-Z][a-z])|(?=\n##\s)/).map(A=>A.trim()).filter(A=>A.length>0);return 0===e.length?$``:e.map(A=>{const e=this._classifyStep(A),t=this._parseMarkdown(A);return $`<div class="action-step ${e}" .innerHTML=${t}></div>`})}_parseMarkdown(A){return A.replace(/\*\*(.+?)\*\*/g,"<strong>$1</strong>").replace(/(?<!\*)\*(?!\*)(.+?)(?<!\*)\*(?!\*)/g,"<em>$1</em>").replace(/`([^`]+)`/g,'<code style="background: rgba(59, 130, 246, 0.15); padding: 2px 6px; border-radius: 3px; font-family: monospace;">$1</code>').replace(/\n/g,"<br>")}_classifyStep(A){const e=A.toLowerCase();return e.startsWith("let me check")||e.startsWith("let me look")||e.startsWith("let me run")||e.startsWith("let me also")||e.startsWith("looking at")||e.startsWith("checking")?"check":e.startsWith("added")||e.startsWith("updated")||e.startsWith("created")||e.startsWith("removed")||e.startsWith("fixed")||e.startsWith("changed")?"result":e.startsWith("i don't see")||e.startsWith("i can see")||e.startsWith("there's no")||e.startsWith("there is no")||e.startsWith("the ")||e.startsWith("it's possible")||e.startsWith("perhaps")||e.startsWith("however")?"observation":""}_stopPropagation(A){A.stopPropagation()}_handleClose(A){A.preventDefault(),A.stopPropagation(),this.dispatchEvent(new CustomEvent("close",{bubbles:!0,composed:!0}))}_handleStop(A){A.preventDefault(),A.stopPropagation(),this.dispatchEvent(new CustomEvent("stop",{bubbles:!0,composed:!0}))}_handleRefresh(){window.location.reload()}_handleInputChange(A){this.followUpMessage=A.target.value}_handleInputKeydown(A){"Enter"!==A.key||A.shiftKey||(A.preventDefault(),this._handleSendFollowUp())}_handleSendFollowUp(){this.followUpMessage.trim()&&!this.processing&&(this.dispatchEvent(new CustomEvent("followup",{bubbles:!0,composed:!0,detail:{message:this.followUpMessage}})),this.followUpMessage="")}};$a.styles=o`
+        `}return $`<div class="text-block" style="color: #6b7280;">Add annotations or type a message below to get started.</div>`}return this._parseContent(this.content).map(A=>"code"===A.type?$`<div class="code-block">${A.content}</div>`:this._renderTextAsSteps(A.content))}_renderTextAsSteps(A){const e=A.split(/(?<=\.)\s+(?=[A-Z][a-z])|(?=\n##\s)/).map(A=>A.trim()).filter(A=>A.length>0);return 0===e.length?$``:e.map(A=>{const e=this._classifyStep(A);return $`<div class="action-step ${e}">${this._parseMarkdownToTemplate(A)}</div>`})}_parseMarkdownToTemplate(A){const e=[];let t=0;const n=/(\*\*(.+?)\*\*)|(?<!\*)\*(?!\*)(.+?)(?<!\*)\*(?!\*)|`([^`]+)`/g;let s;for(;null!==(s=n.exec(A));)s.index>t&&e.push(this._textWithLineBreaks(A.slice(t,s.index))),s[2]?e.push($`<strong>${s[2]}</strong>`):s[3]?e.push($`<em>${s[3]}</em>`):s[4]&&e.push($`<code style="background: rgba(59, 130, 246, 0.15); padding: 2px 6px; border-radius: 3px; font-family: monospace;">${s[4]}</code>`),t=s.index+s[0].length;return t<A.length&&e.push(this._textWithLineBreaks(A.slice(t))),e}_textWithLineBreaks(A){const e=A.split("\n"),t=[];return e.forEach((A,n)=>{t.push(A),n<e.length-1&&t.push($`<br>`)}),t}_classifyStep(A){const e=A.toLowerCase();return e.startsWith("let me check")||e.startsWith("let me look")||e.startsWith("let me run")||e.startsWith("let me also")||e.startsWith("looking at")||e.startsWith("checking")?"check":e.startsWith("added")||e.startsWith("updated")||e.startsWith("created")||e.startsWith("removed")||e.startsWith("fixed")||e.startsWith("changed")?"result":e.startsWith("i don't see")||e.startsWith("i can see")||e.startsWith("there's no")||e.startsWith("there is no")||e.startsWith("the ")||e.startsWith("it's possible")||e.startsWith("perhaps")||e.startsWith("however")?"observation":""}_stopPropagation(A){A.stopPropagation()}_handleClose(A){A.preventDefault(),A.stopPropagation(),this.dispatchEvent(new CustomEvent("close",{bubbles:!0,composed:!0}))}_handleStop(A){A.preventDefault(),A.stopPropagation(),this.dispatchEvent(new CustomEvent("stop",{bubbles:!0,composed:!0}))}_handleRefresh(){window.location.reload()}_handleInputChange(A){this.followUpMessage=A.target.value}_handleInputKeydown(A){"Enter"!==A.key||A.shiftKey||(A.preventDefault(),this._handleSendFollowUp())}_handleSendFollowUp(){this.followUpMessage.trim()&&!this.processing&&(this.dispatchEvent(new CustomEvent("followup",{bubbles:!0,composed:!0,detail:{message:this.followUpMessage}})),this.followUpMessage="")}};$a.styles=o`
     :host {
       display: block;
       font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@codewithdan/zingit",
-  "version": "0.16.0",
+  "version": "0.16.1",
   "description": "AI-powered UI annotation tool - point, annotate, and let AI fix it",
   "type": "module",
   "engines": {
@@ -15,6 +15,7 @@
     "client/dist",
     "README.md",
     "AGENTS.md",
+    "CHANGELOG.md",
     "LICENSE"
   ],
   "main": "client/dist/zingit-client.js",
@@ -29,7 +30,7 @@
     "test": "cd client && npm run test",
     "test:watch": "cd client && npm run test:watch",
     "test:ui": "cd client && npm run test:ui",
-    "release": "npm version minor && npm run build && npm publish --access public"
+    "release": "standard-version && npm run build && npm publish --access public"
   },
   "keywords": [
     "ui",
@@ -69,6 +70,7 @@
     "@types/ws": "^8.18.1",
     "concurrently": "^9.1.2",
     "gh-pages": "^6.3.0",
+    "standard-version": "^9.5.0",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3"
   }

package/server/dist/services/git-manager.js

@@ -145,7 +145,7 @@ export class GitManager {
         // Get list of changed files since checkpoint
         let diffStat = '';
         try {
-            const result = await execAsync(`git diff --name-status ${checkpoint.commitHash}`, {
+            const result = await execFileAsync('git', ['diff', '--name-status', checkpoint.commitHash], {
                 cwd: this.projectDir,
             });
             diffStat = result.stdout;
@@ -166,7 +166,7 @@ export class GitManager {
             let linesAdded = 0;
             let linesRemoved = 0;
             try {
-                const { stdout: numstat } = await execAsync(`git diff --numstat ${checkpoint.commitHash} -- "${filePath}"`, { cwd: this.projectDir });
+                const { stdout: numstat } = await execFileAsync('git', ['diff', '--numstat', checkpoint.commitHash, '--', filePath], { cwd: this.projectDir });
                 const parts = numstat.trim().split('\t');
                 linesAdded = parseInt(parts[0]) || 0;
                 linesRemoved = parseInt(parts[1]) || 0;
@@ -222,7 +222,7 @@ export class GitManager {
             throw new GitManagerError('Checkpoint is not in applied state', 'INVALID_CHECKPOINT_STATE');
         }
         // Reset to the checkpoint's original commit
-        await execAsync(`git reset --hard ${checkpoint.commitHash}`, { cwd: this.projectDir });
+        await execFileAsync('git', ['reset', '--hard', checkpoint.commitHash], { cwd: this.projectDir });
         // Get files that were reverted
         const filesReverted = [];
         // We could compute this but for now just return empty - the checkpoint has the info
@@ -245,7 +245,7 @@ export class GitManager {
             throw new GitManagerError(`Checkpoint not found: ${checkpointId}`, 'CHECKPOINT_NOT_FOUND');
         }
         // Reset to that commit
-        await execAsync(`git reset --hard ${checkpoint.commitHash}`, { cwd: this.projectDir });
+        await execFileAsync('git', ['reset', '--hard', checkpoint.commitHash], { cwd: this.projectDir });
         // Mark all checkpoints after this one as reverted
         const checkpointIndex = history.checkpoints.findIndex((c) => c.id === checkpointId);
         for (let i = checkpointIndex + 1; i < history.checkpoints.length; i++) {