npm - @evomap/evolver - Versions diffs - 1.69.0 → 1.69.3 - Mend

@evomap/evolver 1.69.0 → 1.69.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/index.js +24 -3
package/package.json +1 -1
package/src/evolve.js +1 -1
package/src/gep/.integrity +0 -0
package/src/gep/a2aProtocol.js +1 -1
package/src/gep/candidateEval.js +1 -1
package/src/gep/candidates.js +1 -1
package/src/gep/contentHash.js +1 -1
package/src/gep/crypto.js +1 -1
package/src/gep/curriculum.js +1 -1
package/src/gep/deviceId.js +1 -1
package/src/gep/envFingerprint.js +1 -1
package/src/gep/explore.js +1 -1
package/src/gep/hubReview.js +1 -1
package/src/gep/hubSearch.js +1 -1
package/src/gep/hubVerify.js +1 -1
package/src/gep/integrityCheck.js +1 -1
package/src/gep/learningSignals.js +1 -1
package/src/gep/memoryGraph.js +1 -1
package/src/gep/memoryGraphAdapter.js +1 -1
package/src/gep/mutation.js +1 -1
package/src/gep/narrativeMemory.js +1 -1
package/src/gep/personality.js +1 -1
package/src/gep/policyCheck.js +1 -1
package/src/gep/prompt.js +1 -1
package/src/gep/reflection.js +1 -1
package/src/gep/selector.js +1 -1
package/src/gep/shield.js +1 -1
package/src/gep/signals.js +13 -11
package/src/gep/skillDistiller.js +1 -1
package/src/gep/solidify.js +1 -1
package/src/gep/strategy.js +1 -1
package/src/proxy/mailbox/store.js +32 -3

package/index.js CHANGED Viewed

@@ -787,9 +787,30 @@ async function main() {
       const data = await resp.json();
       const outFlag = args.find(a => typeof a === 'string' && a.startsWith('--out='));
       const safeId = String(data.skill_id || skillId).replace(/[^a-zA-Z0-9_\-\.]/g, '_');
-      const outDir = outFlag
-        ? outFlag.slice('--out='.length)
-        : path.join('.', 'skills', safeId);
+      let outDir;
+      if (outFlag) {
+        const rawOut = outFlag.slice('--out='.length);
+        if (!rawOut || rawOut.trim() === '') {
+          console.error('[fetch] --out= value cannot be empty');
+          process.exit(1);
+        }
+        const resolvedOut = path.resolve(process.cwd(), rawOut);
+        const cwd = path.resolve(process.cwd());
+        const rel = path.relative(cwd, resolvedOut);
+        // Reject paths that escape the current working directory or are
+        // absolute on a different volume/root. This prevents --out=../../etc
+        // from writing outside the project tree.
+        if (rel.startsWith('..') || path.isAbsolute(rel)) {
+          console.error('[fetch] --out= must resolve to a path inside the current working directory');
+          console.error('  Provided:  ' + rawOut);
+          console.error('  Resolved:  ' + resolvedOut);
+          console.error('  Workdir:   ' + cwd);
+          process.exit(1);
+        }
+        outDir = resolvedOut;
+      } else {
+        outDir = path.join('.', 'skills', safeId);
+      }
       if (!fs.existsSync(outDir)) fs.mkdirSync(outDir, { recursive: true });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@evomap/evolver",
-  "version": "1.69.0",
+  "version": "1.69.3",
   "description": "A GEP-powered self-evolution engine for AI agents. Features automated log analysis and Genome Evolution Protocol (GEP) for auditable, reusable evolution assets.",
   "main": "index.js",
   "bin": {