@lh8ppl/claude-memory-kit 0.4.1 → 0.4.2

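--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@lh8ppl/claude-memory-kit",
- "version": "0.4.1",
+ "version": "0.4.2",
  "description": "cmk — the CLI for claude-memory-kit. Per-project, in-repo memory system for Claude Code.",
  "type": "module",
  "bin": {
@@ -33,7 +33,7 @@
  "dependencies": {
  "@lh8ppl/cmk-canonicalize": "0.1.0",
  "@modelcontextprotocol/sdk": "^1.29.0",
- "better-sqlite3": "^12.10.0",
+ "better-sqlite3": "^12.11.1",
  "chokidar": "^5.0.0",
  "commander": "^15.0.0",
  "js-yaml": "^4.2.0",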
@@ -96,7 +96,21 @@ function coerce(raw) {
96
96
  return raw;
97
97
  }
98
98
 
99
- function setDeep(obj, dottedKey, value) {
99
+ // Exported for a direct unit test: this guard holds a security invariant
100
+ // (prototype-pollution resistance) and is analyzed by CodeQL in isolation, so
101
+ // it's tested at its own boundary, not only through configSet.
102
+ export function setDeep(obj, dottedKey, value) {
103
+ // Defense-in-depth: refuse prototype-polluting segments INSIDE the walker
104
+ // itself, not only at the public entry points (configGet/Set/ShowOrigin all
105
+ // pre-check via hasForbiddenSegment). A self-guarding utility stays safe even
106
+ // if a future caller forgets the guard — and it closes the CodeQL
107
+ // js/prototype-pollution-utility finding. Reuses the same helper as the entry
108
+ // points so the forbidden-segment set can't drift.
109
+ if (hasForbiddenSegment(dottedKey)) {
110
+ throw new Error(
111
+ `setDeep: forbidden key segment (${[...FORBIDDEN_KEYS].join('/')}) — prototype-pollution guard`,
112
+ );
113
+ }
100
114
  const parts = dottedKey.split('.');
101
115
  let cur = obj;
102
116
  for (let i = 0; i < parts.length - 1; i++) {
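Review bot: The new hasForbiddenSegment guard at the top of setDeep rejects the listed segments, but on its own it does not stop the walker that follows from descending through an inherited property, since a segment that is not in FORBIDDEN_KEYS can still name a property that lives on Object.prototype rather than on obj, and the loop body that does the descent starts here and continues outside the hunk. If that loop does `cur = cur[part]` after a plain truthiness or typeof check, it is presumably worth tightening it to descend only into own, plain-object values, e.g. `if (!Object.hasOwn(cur, part) || typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};` before the assignment, so the invariant the comment describes holds for every segment and not only the denylisted ones. The thrown message lists the forbidden set but not the segment that was rejected; including `dottedKey` (or the offending segment) in the message would make the failure diagnosable from logs without reproducing it. Since the guard and hasForbiddenSegment presumably both split on `.`, a one-line comment noting that the two must agree on the separator would help the next maintainer keep them from drifting.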