@mclean-capital/neura 2.1.1 → 2.1.2

package/core/version.txt

@@ -1 +1 @@
-2.1.1
+2.1.2

package/dist/commands/update.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../src/commands/update.ts"],"names":[],"mappings":"AAuCA;;;;;GAKG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CA6GnD"}
+{"version":3,"file":"update.d.ts","sourceRoot":"","sources":["../../src/commands/update.ts"],"names":[],"mappings":"AAqDA;;;;;GAKG;AACH,wBAAsB,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC,CA+GnD"}

package/dist/commands/update.js

@@ -1,5 +1,5 @@
 import chalk from 'chalk';
-import { spawnSync } from 'child_process';
+import { execSync, spawnSync } from 'child_process';
 import { existsSync } from 'fs';
 import { join } from 'path';
 import { CLI_VERSION } from '../version.js';
@@ -22,19 +22,33 @@ const PACKAGE_NAME = '@mclean-capital/neura';
  * install layout); the caller falls back to printing a manual instruction.
  */
 function resolveFreshCliEntrypoint() {
+    // We use execSync rather than spawnSync here to avoid DEP0190. The npm
+    // CLI on Windows is `npm.cmd` (a shell-script wrapper), and spawning
+    // `.cmd`/`.bat` files on Windows requires `shell: true` (CVE-2024-27980).
+    // But `spawnSync(cmd, args, { shell: true })` is deprecated in Node 22+
+    // because the args are concatenated into the shell command string
+    // without escaping. execSync with a single pre-joined command string
+    // sidesteps both problems — and because every token in this command is
+    // a hardcoded constant, there's no injection surface.
     const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
-    const result = spawnSync(npmCmd, ['root', '-g'], {
-        encoding: 'utf-8',
-        shell: process.platform === 'win32',
-    });
-    if (result.status !== 0 || !result.stdout)
-        return null;
-    const globalRoot = result.stdout.trim();
-    if (!globalRoot)
+    try {
+        const stdout = execSync(`${npmCmd} root -g`, {
+            encoding: 'utf-8',
+            stdio: ['ignore', 'pipe', 'ignore'],
+        });
+        const globalRoot = stdout.trim();
+        if (!globalRoot)
+            return null;
+        // npm packages with scopes live at <root>/@scope/name/
+        const candidate = join(globalRoot, PACKAGE_NAME, 'dist', 'index.js');
+        return existsSync(candidate) ? candidate : null;
+    }
+    catch {
+        // `npm` not on PATH, `npm root -g` exited non-zero, or the candidate
+        // path isn't where we expected — caller falls back to manual
+        // instructions.
         return null;
-    // npm packages with scopes live at <root>/@scope/name/
-    const candidate = join(globalRoot, PACKAGE_NAME, 'dist', 'index.js');
-    return existsSync(candidate) ? candidate : null;
+    }
 }
 /**
  * Update Neura by reinstalling the npm package and restarting the core service.
@@ -77,13 +91,17 @@ export async function updateCommand() {
     // want to run `npm install -g` and re-register the service below. Both
     // operations are idempotent and fast when nothing actually changes.
     const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
-    console.log(chalk.dim(`  Running: ${npmCmd} install -g ${PACKAGE_NAME}@latest`));
+    const installCmd = `${npmCmd} install -g ${PACKAGE_NAME}@latest`;
+    console.log(chalk.dim(`  Running: ${installCmd}`));
     console.log();
-    const result = spawnSync(npmCmd, ['install', '-g', `${PACKAGE_NAME}@latest`], {
-        stdio: 'inherit',
-        shell: process.platform === 'win32',
-    });
-    if (result.status !== 0) {
+    // Same DEP0190 reasoning as `resolveFreshCliEntrypoint` above: use
+    // execSync with a single pre-joined command string rather than
+    // `spawnSync(cmd, args, { shell: true })`. All three tokens in this
+    // string are hardcoded constants — no injection surface.
+    try {
+        execSync(installCmd, { stdio: 'inherit' });
+    }
+    catch {
         console.log();
         console.log(chalk.red('  ✗ npm install failed. Check your network connection and try running the\n' +
             '    command above manually.'));

package/dist/commands/update.js.map

@@ -1 +1 @@
-{"version":3,"file":"update.js","sourceRoot":"","sources":["../../src/commands/update.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC1C,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAEzD,MAAM,YAAY,GAAG,uBAAuB,CAAC;AAE7C;;;;;;;;;;;;;;;GAeG;AACH,SAAS,yBAAyB;IAChC,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;IAChE,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,EAAE;QAC/C,QAAQ,EAAE,OAAO;QACjB,KAAK,EAAE,OAAO,CAAC,QAAQ,KAAK,OAAO;KACpC,CAAC,CAAC;IACH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IACvD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACxC,IAAI,CAAC,UAAU;QAAE,OAAO,IAAI,CAAC;IAC7B,uDAAuD;IACvD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;IACrE,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,cAAc,WAAW,UAAU,uBAAuB,EAAE,IAAI,SAAS,GAAG,CAAC,CAAC;IAC1F,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,gDAAgD;IAChD,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,YAAY,SAAS,EAAE;YAC3E,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;YACxD,MAAM,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,6EAA6E;IAC/E,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IACD,0EAA0E;IAC1E,0EAA0E;IAC1E,wEAAwE;IACxE,uEAAuE;IACvE,oEAAoE;IAEpE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;IAChE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,MAAM,eAAe,YAAY,SAAS,CAAC,CAAC,CAAC;IACjF,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,SAAS,EAAE,IAAI,EAAE,GAAG,YAAY,SAAS,CAAC,EAAE;QAC5E,KAAK,EAAE,SAAS;QAChB,KAAK,EAAE,OAAO,CAAC,QAAQ,KAAK,OAAO;KACpC,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,6EAA6E;YAC3E,6BAA6B,CAChC,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhD,mEAAmE;IACnE,EAAE;IACF,kEAAkE;IAClE,oEAAoE;IACpE,8DAA8D;IAC9D,EAAE;IACF,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,sEAAsE;IACtE,sEAAsE;IACtE,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,kEAAkE;IAClE,qEAAqE;IACrE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,yBAAyB,EAAE,CAAC;IAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,MAAM,CACV,kEAAkE;YAChE,gEAAgE;YAChE,uBAAuB,CAC1B,CACF,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;QAClF,KAAK,EAAE,SAAS;KACjB,CAAC,CAAC;IAEH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,MAAM,CACV,yDAAyD;YACvD,uDAAuD,CAC1D,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;AAChB,CAAC"}
+{"version":3,"file":"update.js","sourceRoot":"","sources":["../../src/commands/update.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC5C,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAEzD,MAAM,YAAY,GAAG,uBAAuB,CAAC;AAE7C;;;;;;;;;;;;;;;GAeG;AACH,SAAS,yBAAyB;IAChC,uEAAuE;IACvE,qEAAqE;IACrE,0EAA0E;IAC1E,wEAAwE;IACxE,kEAAkE;IAClE,qEAAqE;IACrE,uEAAuE;IACvE,sDAAsD;IACtD,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;IAChE,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,MAAM,UAAU,EAAE;YAC3C,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC;SACpC,CAAC,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QACjC,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAC7B,uDAAuD;QACvD,MAAM,SAAS,GAAG,IAAI,CAAC,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;QACrE,OAAO,UAAU,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;IAClD,CAAC;IAAC,MAAM,CAAC;QACP,qEAAqE;QACrE,6DAA6D;QAC7D,gBAAgB;QAChB,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa;IACjC,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;IAC5C,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,cAAc,WAAW,UAAU,uBAAuB,EAAE,IAAI,SAAS,GAAG,CAAC,CAAC;IAC1F,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,gDAAgD;IAChD,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,8BAA8B,YAAY,SAAS,EAAE;YAC3E,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;SACpC,CAAC,CAAC;QACH,IAAI,GAAG,CAAC,EAAE,EAAE,CAAC;YACX,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAC;YACxD,MAAM,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;QAChC,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,6EAA6E;IAC/E,CAAC;IAED,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,EAAE,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,IAAI,MAAM,KAAK,WAAW,EAAE,CAAC;YAC3B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC,CAAC;YACxF,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IACD,0EAA0E;IAC1E,0EAA0E;IAC1E,wEAAwE;IACxE,uEAAuE;IACvE,oEAAoE;IAEpE,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC;IAChE,MAAM,UAAU,GAAG,GAAG,MAAM,eAAe,YAAY,SAAS,CAAC;IACjE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,UAAU,EAAE,CAAC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,EAAE,CAAC;IAEd,mEAAmE;IACnE,+DAA+D;IAC/D,oEAAoE;IACpE,yDAAyD;IACzD,IAAI,CAAC;QACH,QAAQ,CAAC,UAAU,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;IAC7C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,GAAG,CACP,6EAA6E;YAC3E,6BAA6B,CAChC,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;IAEhD,mEAAmE;IACnE,EAAE;IACF,kEAAkE;IAClE,oEAAoE;IACpE,8DAA8D;IAC9D,EAAE;IACF,wEAAwE;IACxE,wEAAwE;IACxE,wEAAwE;IACxE,sEAAsE;IACtE,sEAAsE;IACtE,iDAAiD;IACjD,EAAE;IACF,wEAAwE;IACxE,kEAAkE;IAClE,qEAAqE;IACrE,sEAAsE;IACtE,uEAAuE;IACvE,qEAAqE;IACrE,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC,CAAC;IAC1E,MAAM,UAAU,GAAG,yBAAyB,EAAE,CAAC;IAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,MAAM,CACV,kEAAkE;YAChE,gEAAgE;YAChE,uBAAuB,CAC1B,CACF,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,aAAa,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE;QAClF,KAAK,EAAE,SAAS;KACjB,CAAC,CAAC;IAEH,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO,CAAC,GAAG,EAAE,CAAC;QACd,OAAO,CAAC,GAAG,CACT,KAAK,CAAC,MAAM,CACV,yDAAyD;YACvD,uDAAuD,CAC1D,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,CAAC;AAChB,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mclean-capital/neura",
-  "version": "2.1.1",
+  "version": "2.1.2",
   "description": "Neura — CLI for installing and managing the Neura AI assistant core service. Includes text chat and voice listen clients.",
   "keywords": [
     "neura",