@ipation/specbridge 1.1.0 → 1.1.1
- package/CHANGELOG.md +32 -1
- package/dist/cli.js +3 -3
- package/dist/cli.js.map +1 -1
- package/dist/index.js +3 -3
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
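--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,36 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.1] - 2026-02-01
+
+### Security
+
+#### Fixed Vulnerabilities
+
+- **🔒 Polynomial ReDoS (3 instances)** - `src/verification/verifiers/dependencies.ts`
+- Fixed unbounded regex quantifiers in `parseMaxImportDepth()`, `parseBannedDependency()`, `parseLayerRule()`
+- Changed `\s+` to bounded `\s{1,5}` to prevent catastrophic backtracking
+- Prevents denial-of-service attacks via malicious input strings
+- Resolves GitHub CodeQL alerts #7, #8, #9
+
+- **🔒 Incomplete Sanitization** - `src/integrations/github.ts`
+- Enhanced markdown escaping to cover all special characters
+- Now escapes: backslash, pipe, brackets, asterisk, underscore, backtick
+- Prevents markdown table breaking and potential injection
+- Resolves GitHub CodeQL alert #6
+
+- **🔒 Shell Command Injection (3 instances)** - `tests/integration/dogfooding.test.ts`
+- Replaced `execSync` with `execFileSync` for safer command execution
+- Uses array form for arguments to prevent shell interpretation
+- Eliminates risk of command injection in test environment
+- Resolves GitHub CodeQL alerts #3, #4, #5
+
+### Testing
+
+- ✅ All 893 tests passing
+- ✅ No functional regressions
+- ✅ Test coverage maintained at 92%+
+
 ## [1.1.0] - 2026-02-01
 
 ### 🚀 Major Feature Release
@@ -641,7 +671,8 @@ This release adopts a **pragmatic testing approach**:
 - Vitest for testing
 - tsup for building
 
-[Unreleased]: https://github.com/nouatzi/specbridge/compare/v1.1.
+[Unreleased]: https://github.com/nouatzi/specbridge/compare/v1.1.1...HEAD
+[1.1.1]: https://github.com/nouatzi/specbridge/compare/v1.1.0...v1.1.1
 [1.1.0]: https://github.com/nouatzi/specbridge/compare/v1.0.6...v1.1.0
 [1.0.0]: https://github.com/nouatzi/specbridge/compare/v0.2.1...v1.0.0
 [0.2.1]: https://github.com/nouatzi/specbridge/compare/v0.2.0...v0.2.1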
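--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -2190,17 +2190,17 @@ function tarjanScc(graph) {
 return result;
 }
 function parseMaxImportDepth(rule) {
-const m = rule.match(/maximum\s
+const m = rule.match(/maximum\s{1,5}import\s{1,5}depth\s{0,5}[:=]?\s{0,5}(\d+)/i);
 return m ? Number.parseInt(m[1], 10) : null;
 }
 function parseBannedDependency(rule) {
-const m = rule.match(/no\s
+const m = rule.match(/no\s{1,5}dependencies?\s{1,5}on\s{1,5}(?:package\s{1,5})?(.+?)(?:\.|$)/i);
 if (!m) return null;
 const value = m[1].trim();
 return value.length > 0 ? value : null;
 }
 function parseLayerRule(rule) {
-const m = rule.match(/(\w+)\s
+const m = rule.match(/(\w+)\s{1,5}layer\s{1,5}cannot\s{1,5}depend\s{1,5}on\s{1,5}(\w+)\s{1,5}layer/i);
 if (!m) return null;
 return { fromLayer: m[1].toLowerCase(), toLayer: m[2].toLowerCase() };
 }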