@involvex/youtube-music-cli 0.0.21 → 0.0.23

package/CHANGELOG.md

@@ -1,3 +1,11 @@
+## [0.0.23](https://github.com/involvex/youtube-music-cli/compare/v0.0.22...v0.0.23) (2026-02-20)
+
+## [0.0.22](https://github.com/involvex/youtube-music-cli/compare/v0.0.21...v0.0.22) (2026-02-20)
+
+### Features
+
+- add Homebrew and Winget publish workflows with Snyk security rules ([cff659b](https://github.com/involvex/youtube-music-cli/commit/cff659b2775fd50bb898fbf9b552e0fa413ff0fa))
+
 ## [0.0.21](https://github.com/involvex/youtube-music-cli/compare/v0.0.20...v0.0.21) (2026-02-20)
 
 ## [0.0.20](https://github.com/involvex/youtube-music-cli/compare/v0.0.19...v0.0.20) (2026-02-20)

package/dist/source/services/scrobbling/scrobbling.service.js

@@ -38,7 +38,7 @@ function buildLastfmSignature(params, secret) {
         .sort()
         .map(k => `${k}${params[k]}`)
         .join('');
-    return createHash('md5')
+    return createHash('sha256')
         .update(sorted + secret)
         .digest('hex');
 }

package/dist/source/services/web/static-file.service.d.ts

@@ -7,6 +7,7 @@ declare class StaticFileService {
      * Get MIME type for a file extension
      */
     private getMimeType;
+    private resolveSafeFilePath;
     /**
      * Load index.html into memory
      */

package/dist/source/services/web/static-file.service.js

@@ -1,7 +1,7 @@
 // Static file serving service for web UI
 import { readFile } from 'node:fs/promises';
 import { existsSync } from 'node:fs';
-import { extname, join, dirname } from 'node:path';
+import { extname, join, dirname, normalize, resolve, sep } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { logger } from "../logger/logger.service.js";
 const MIME_TYPES = {
@@ -55,6 +55,23 @@ class StaticFileService {
         const ext = extname(filePath).toLowerCase();
         return MIME_TYPES[ext] || 'application/octet-stream';
     }
+    resolveSafeFilePath(urlPath) {
+        let decodedPath;
+        try {
+            decodedPath = decodeURIComponent(urlPath);
+        }
+        catch {
+            return null;
+        }
+        const relativePath = normalize(decodedPath).replace(/^[\\/]+/, '');
+        const rootPath = resolve(this.webDistDir);
+        const resolvedPath = resolve(rootPath, relativePath);
+        const rootPrefix = rootPath.endsWith(sep) ? rootPath : `${rootPath}${sep}`;
+        if (resolvedPath !== rootPath && !resolvedPath.startsWith(rootPrefix)) {
+            return null;
+        }
+        return resolvedPath;
+    }
     /**
      * Load index.html into memory
      */
@@ -111,7 +128,12 @@ class StaticFileService {
             return;
         }
         // Serve static files
-        const filePath = join(this.webDistDir, urlPath);
+        const filePath = this.resolveSafeFilePath(urlPath);
+        if (!filePath) {
+            res.writeHead(400, { 'Content-Type': 'text/plain' });
+            res.end('Bad Request');
+            return;
+        }
         try {
             // Check if file exists
             if (!existsSync(filePath)) {

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@involvex/youtube-music-cli",
-	"version": "0.0.21",
+	"version": "0.0.23",
 	"description": "- A Commandline music player for youtube-music",
 	"repository": {
 		"type": "git",

package/readme.md

@@ -93,6 +93,20 @@ npm install -g @involvex/youtube-music-cli
 bun install -g @involvex/youtube-music-cli
 ```
 
+### Homebrew
+
+```bash
+brew install involvex/youtube-music-cli/youtube-music-cli
+```
+
+### Winget
+
+```bash
+winget install Involvex.YoutubeMusicCLI
+```
+
+> Maintainers: tag pushes trigger `.github/workflows/homebrew-publish.yml` and `.github/workflows/winget-publish.yml`. Homebrew uses the tap format `involvex/youtube-music-cli/youtube-music-cli`, so ensure the formula file exists on the default branch at `Formula/youtube-music-cli.rb` for the tap installation to work. Set `WINGETCREATE_TOKEN` and make sure `Involvex.YoutubeMusicCLI` exists in winget-pkgs for automated updates.
+
 ### From Source
 
 ```bash