@codyswann/lisa 1.43.5 → 1.43.7
- package/cdk/create-only/.github/workflows/ci.yml +1 -0
- package/expo/create-only/.github/workflows/ci.yml +1 -0
- package/nestjs/create-only/.github/workflows/ci.yml +1 -0
- package/package.json +1 -1
- package/typescript/copy-contents/.husky/pre-push +29 -1
- package/typescript/copy-overwrite/.github/workflows/create-github-issue-on-failure.yml +1 -1
- package/typescript/copy-overwrite/.github/workflows/create-jira-issue-on-failure.yml +1 -1
- package/typescript/copy-overwrite/.github/workflows/create-sentry-issue-on-failure.yml +1 -1
- package/typescript/copy-overwrite/.github/workflows/quality.yml +29 -1
- package/typescript/create-only/.github/workflows/ci.yml +1 -0
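--- a/package/package.json
+++ b/package/package.json
@@ -95,7 +95,7 @@
 "axios": ">=1.13.5"
 },
 "name": "@codyswann/lisa",
-"version": "1.43.
+"version": "1.43.7",
 "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
 "main": "dist/index.js",
 "bin": {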
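--- a/package/typescript/copy-contents/.husky/pre-push
+++ b/package/typescript/copy-contents/.husky/pre-push
@@ -102,7 +102,35 @@ elif [ "$PACKAGE_MANAGER" = "bun" ]; then
 # breaking test-exclude (used by Jest coverage). No production code path is affected.
 # Risk: None - only devDependency tooling, never processes untrusted user input
 
-
+# Excluding GHSA-jmr7-xgp7-cmfj: fast-xml-parser DoS through entity expansion in DOCTYPE
+# Transitive dependency via AWS SDK (@aws-sdk/xml-builder) and snowflake-sdk
+# Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
+# Risk: Low - XML parsing of untrusted DOCTYPE content not in our code paths
+
+# Excluding GHSA-m7jm-9gc2-mpf2: fast-xml-parser entity encoding bypass via regex injection
+# Same transitive path as GHSA-jmr7-xgp7-cmfj (AWS SDK, snowflake-sdk)
+# Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
+# Risk: Low - no untrusted XML with DOCTYPE entity names processed
+
+# Excluding GHSA-r6q2-hw4h-h46w: node-tar race condition via Unicode Ligature Collisions on macOS APFS
+# Transitive via @nestjs/apollo > @apollo/gateway > make-fetch-happen > cacache > tar
+# Resolution to ^7.5.8 set in package.json but bun audit still flags intermediate ranges
+# Risk: None - tar extraction not used in production runtime
+
+# Excluding GHSA-34x7-hfp2-rc4v: node-tar arbitrary file creation via hardlink path traversal
+# Same transitive path as GHSA-r6q2-hw4h-h46w
+# Risk: None - tar extraction not used in production runtime
+
+# Excluding GHSA-83g3-92jg-28cx: node-tar arbitrary file read/write via hardlink target escape
+# Same transitive path as GHSA-r6q2-hw4h-h46w
+# Risk: None - tar extraction not used in production runtime
+
+# Excluding GHSA-3h5v-q93c-6h6q: ws DoS when handling request with many HTTP headers
+# Transitive via @nestjs/graphql, graphql-ws, openai, serverless-offline, serverless-esbuild
+# Resolution to ^8.17.1 set in package.json but bun audit still flags intermediate ranges
+# Risk: Low - WebSocket servers behind API Gateway which limits headers
+
+if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26 --ignore GHSA-jmr7-xgp7-cmfj --ignore GHSA-m7jm-9gc2-mpf2 --ignore GHSA-r6q2-hw4h-h46w --ignore GHSA-34x7-hfp2-rc4v --ignore GHSA-83g3-92jg-28cx --ignore GHSA-3h5v-q93c-6h6q; then
 echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
 exit 1
 fi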
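Review bot: The six new `--ignore` entries on the `bun audit` line are open-ended: each block justifies the exclusion by a resolution that is "set in package.json", yet nothing in the hook checks that the pin is still present, so the gate keeps passing silently if that resolution is later loosened or dropped. At minimum give each block an expiry a reviewer can act on, e.g. `# Revisit by: <YYYY-MM-DD placeholder> - re-run the audit without this --ignore once the resolved range is the only one installed`, and treat a stale date as a failing review. The identical ignore list is duplicated verbatim in the quality.yml hunk below (@@ -1034), so the two copies must be edited in lockstep; keeping the advisory IDs in one shared file that both the hook and the workflow read would remove that drift risk. The enclosing `elif [ "$PACKAGE_MANAGER" = "bun" ]` branch starts before this hunk.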
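--- a/package/typescript/copy-overwrite/.github/workflows/create-github-issue-on-failure.yml
+++ b/package/typescript/copy-overwrite/.github/workflows/create-github-issue-on-failure.yml
@@ -70,7 +70,7 @@ jobs:
 uses: actions/setup-node@v4
 with:
 node-version: ${{ inputs.node_version }}
-cache: ${{ inputs.package_manager }}
+cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
 
 - name: 🔖 Create Issue
 uses: actions/github-script@v7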
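Review bot: The new `cache:` expression needs a comment saying why bun is special-cased, because the `&& … ||` form reads like a guard against an empty input rather than a deliberate exclusion. A line such as `# actions/setup-node's cache input does not support bun, so caching is disabled for it` above the `cache:` key would make the intent clear; I am inferring that motivation from the expression itself, so confirm it matches the actual reason. The same line is changed identically in the create-jira-issue-on-failure.yml and create-sentry-issue-on-failure.yml hunks below and should carry the same comment. The enclosing step and job start before this hunk.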
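--- a/package/typescript/copy-overwrite/.github/workflows/create-jira-issue-on-failure.yml
+++ b/package/typescript/copy-overwrite/.github/workflows/create-jira-issue-on-failure.yml
@@ -90,7 +90,7 @@ jobs:
 uses: actions/setup-node@v4
 with:
 node-version: ${{ inputs.node_version }}
-cache: ${{ inputs.package_manager }}
+cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
 
 - name: 🔖 Create Jira Issue
 id: create_jira_issue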
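--- a/package/typescript/copy-overwrite/.github/workflows/create-sentry-issue-on-failure.yml
+++ b/package/typescript/copy-overwrite/.github/workflows/create-sentry-issue-on-failure.yml
@@ -90,7 +90,7 @@ jobs:
 uses: actions/setup-node@v4
 with:
 node-version: ${{ inputs.node_version }}
-cache: ${{ inputs.package_manager }}
+cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
 
 - name: 🔴 Create Sentry Issue
 id: create_sentry_issue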
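--- a/package/typescript/copy-overwrite/.github/workflows/quality.yml
+++ b/package/typescript/copy-overwrite/.github/workflows/quality.yml
@@ -1034,7 +1034,35 @@ jobs:
 # breaking test-exclude (used by Jest coverage). No production code path is affected.
 # Risk: None - only devDependency tooling, never processes untrusted user input
 
-
+# Excluding GHSA-jmr7-xgp7-cmfj: fast-xml-parser DoS through entity expansion in DOCTYPE
+# Transitive dependency via AWS SDK (@aws-sdk/xml-builder) and snowflake-sdk
+# Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
+# Risk: Low - XML parsing of untrusted DOCTYPE content not in our code paths
+
+# Excluding GHSA-m7jm-9gc2-mpf2: fast-xml-parser entity encoding bypass via regex injection
+# Same transitive path as GHSA-jmr7-xgp7-cmfj (AWS SDK, snowflake-sdk)
+# Resolution to >=5.3.6 set in package.json but bun audit still flags intermediate ranges
+# Risk: Low - no untrusted XML with DOCTYPE entity names processed
+
+# Excluding GHSA-r6q2-hw4h-h46w: node-tar race condition via Unicode Ligature Collisions on macOS APFS
+# Transitive via @nestjs/apollo > @apollo/gateway > make-fetch-happen > cacache > tar
+# Resolution to ^7.5.8 set in package.json but bun audit still flags intermediate ranges
+# Risk: None - tar extraction not used in production runtime
+
+# Excluding GHSA-34x7-hfp2-rc4v: node-tar arbitrary file creation via hardlink path traversal
+# Same transitive path as GHSA-r6q2-hw4h-h46w
+# Risk: None - tar extraction not used in production runtime
+
+# Excluding GHSA-83g3-92jg-28cx: node-tar arbitrary file read/write via hardlink target escape
+# Same transitive path as GHSA-r6q2-hw4h-h46w
+# Risk: None - tar extraction not used in production runtime
+
+# Excluding GHSA-3h5v-q93c-6h6q: ws DoS when handling request with many HTTP headers
+# Transitive via @nestjs/graphql, graphql-ws, openai, serverless-offline, serverless-esbuild
+# Resolution to ^8.17.1 set in package.json but bun audit still flags intermediate ranges
+# Risk: Low - WebSocket servers behind API Gateway which limits headers
+
+if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh --ignore GHSA-3ppc-4f35-3m26 --ignore GHSA-jmr7-xgp7-cmfj --ignore GHSA-m7jm-9gc2-mpf2 --ignore GHSA-r6q2-hw4h-h46w --ignore GHSA-34x7-hfp2-rc4v --ignore GHSA-83g3-92jg-28cx --ignore GHSA-3h5v-q93c-6h6q; then
 echo "::warning::Found high or critical vulnerabilities"
 exit 1
 fi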