@hienlh/ppm 0.13.17 → 0.13.18

package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## [0.13.18] - 2026-04-25
+
+### Fixed
+- **Windows path traversal rejection**: File tree lazy-loading and zip downloads failed on Windows hosts — `assertWithinProject` hardcoded `/` separator instead of `path.sep`
+- **Upload response backslash paths**: Upload endpoint returned `input\file.jpg` on Windows instead of `input/file.jpg`, breaking frontend path matching
+
 ## [0.13.17] - 2026-04-25
 
 ### Fixed

package/assets/skills/ppm/SKILL.md

@@ -71,4 +71,4 @@ This skill covers the `ppm` CLI, its HTTP API, and its config DB. It does **not*
 - Third-party extensions (inspect via `ppm ext list`).
 - The Claude Agent SDK internals (separate skill).
 
-<!-- Generated for PPM v0.13.17 at build time. Re-run `ppm export skill --install` to refresh. -->
+<!-- Generated for PPM v0.13.18 at build time. Re-run `ppm export skill --install` to refresh. -->

package/assets/skills/ppm/references/http-api.md

@@ -201,4 +201,4 @@ _Base URL: `http://localhost:8080` (default; override via `ppm config set port <
 - `ws://<host>/ws/terminal` — PTY terminal multiplexer
 - `ws://<host>/ws/extensions` — extension host channel
 
-<!-- Generated from src/server/routes/ for PPM v0.13.17 -->
+<!-- Generated from src/server/routes/ for PPM v0.13.18 -->

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hienlh/ppm",
-  "version": "0.13.17",
+  "version": "0.13.18",
   "description": "Personal Project Manager — mobile-first web IDE with AI assistance",
   "author": "hienlh",
   "license": "MIT",

package/src/server/routes/file-download.ts

@@ -1,5 +1,5 @@
 import { Hono } from "hono";
-import { resolve, basename } from "node:path";
+import { resolve, basename, sep } from "node:path";
 import { existsSync, statSync } from "node:fs";
 import archiver from "archiver";
 import { createDownloadToken } from "../../services/download-token.service.ts";
@@ -24,7 +24,7 @@ downloadRoutes.get("/zip", async (c) => {
     if (!dirPath) return c.json(err("Missing query parameter: path"), 400);
 
     const absPath = resolve(projectPath, dirPath);
-    if (!absPath.startsWith(projectPath + "/") && absPath !== projectPath) {
+    if (!absPath.startsWith(projectPath + sep) && absPath !== projectPath) {
       return c.json(err("Access denied"), 403);
     }
     if (!existsSync(absPath)) return c.json(err("Directory not found"), 404);

package/src/server/routes/files.ts

@@ -164,7 +164,7 @@ fileRoutes.post("/upload", async (c) => {
       const absPath = resolve(absTargetDir, safeName);
       if (!absPath.startsWith(projectPath)) return c.json(err("Access denied"), 403);
       await Bun.write(absPath, file);
-      uploaded.push({ name: safeName, path: absPath.slice(projectPath.length + 1), size: file.size });
+      uploaded.push({ name: safeName, path: absPath.slice(projectPath.length + 1).split("\\").join("/"), size: file.size });
     }
 
     return c.json(ok({ uploaded }), 201);

package/src/services/file-list-index.service.ts

@@ -6,7 +6,7 @@
  */
 
 import { existsSync, readdirSync, readFileSync } from "node:fs";
-import { resolve, relative, join } from "node:path";
+import { resolve, relative, join, sep } from "node:path";
 import ignore, { type Ignore } from "ignore";
 import type { FileEntry, FileDirEntry } from "../types/project.ts";
 import { matchesGlob, resolveFilter } from "./file-filter.service.ts";
@@ -50,7 +50,7 @@ function loadGitignore(projectPath: string): Ignore {
 
 function assertWithinProject(relPath: string, projectPath: string): void {
   const abs = resolve(projectPath, relPath);
-  if (!abs.startsWith(projectPath + "/") && abs !== projectPath) {
+  if (!abs.startsWith(projectPath + sep) && abs !== projectPath) {
     throw new SecurityError("Path traversal not allowed");
   }
 }