@lh8ppl/claude-memory-kit 0.4.1 → 0.4.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/bin/cmk-guard-memory.mjs
CHANGED
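--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@lh8ppl/claude-memory-kit",
-"version": "0.4.
+"version": "0.4.2",
 "description": "cmk — the CLI for claude-memory-kit. Per-project, in-repo memory system for Claude Code.",
 "type": "module",
 "bin": {
@@ -33,7 +33,7 @@
 "dependencies": {
 "@lh8ppl/cmk-canonicalize": "0.1.0",
 "@modelcontextprotocol/sdk": "^1.29.0",
-"better-sqlite3": "^12.
+"better-sqlite3": "^12.11.1",
 "chokidar": "^5.0.0",
 "commander": "^15.0.0",
 "js-yaml": "^4.2.0",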
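--- a/package/src/config-core.mjs
+++ b/package/src/config-core.mjs
@@ -96,7 +96,21 @@ function coerce(raw) {
 return raw;
 }
 
-
+// Exported for a direct unit test: this guard holds a security invariant
+// (prototype-pollution resistance) and is analyzed by CodeQL in isolation, so
+// it's tested at its own boundary, not only through configSet.
+export function setDeep(obj, dottedKey, value) {
+// Defense-in-depth: refuse prototype-polluting segments INSIDE the walker
+// itself, not only at the public entry points (configGet/Set/ShowOrigin all
+// pre-check via hasForbiddenSegment). A self-guarding utility stays safe even
+// if a future caller forgets the guard — and it closes the CodeQL
+// js/prototype-pollution-utility finding. Reuses the same helper as the entry
+// points so the forbidden-segment set can't drift.
+if (hasForbiddenSegment(dottedKey)) {
+throw new Error(
+`setDeep: forbidden key segment (${[...FORBIDDEN_KEYS].join('/')}) — prototype-pollution guard`,
+);
+}
 const parts = dottedKey.split('.');
 let cur = obj;
 for (let i = 0; i < parts.length - 1; i++) {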
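Review bot: The guard added at the top of setDeep rejects forbidden segments by name, but the walker that follows (`let cur = obj; for (...)`) continues outside the hunk, and unless its loop body restricts descent to own properties, a non-forbidden segment that names an inherited member (such as `toString`) would still walk into a shared `Object.prototype` value and the final assignment would land on that shared object rather than on `obj`. If the loop descends with something like `cur = cur[part]` whenever a value exists, consider guarding with `if (!Object.hasOwn(cur, part) || typeof cur[part] !== 'object' || cur[part] === null) cur[part] = {};` before descending — I cannot confirm from the hunk whether it already does. The new check also relies on hasForbiddenSegment splitting the key on `.` exactly as `dottedKey.split('.')` does two lines later, and neither that helper nor FORBIDDEN_KEYS is visible here, so the two should be kept in lockstep. Since setDeep is now an exported symbol, a JSDoc block above it naming `obj`, `dottedKey` and `value` and stating `@throws {Error} when any dot-separated segment of dottedKey is in FORBIDDEN_KEYS` would document the contract that the new unit test and the CodeQL query depend on. The single removed line (old line 99) renders as blank on this page; from the surrounding context it was probably the previous non-exported signature, but the rendering does not show its text.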