@yemi33/minions 0.1.1548 → 0.1.1550

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,5 +1,14 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.1.1550 (2026-04-24)
4
+
5
+ ### Fixes
6
+ - escape </script> literal in utils.js (closes #1746) (#1751)
7
+
8
+ ### Other
9
+ - test(engine): add unit tests for isWorktreeRetryableError, removeStaleIndexLock, _maxTurnsForType, buildProjectContext, normalizeAc (#1752)
10
+ - test(timeout): add unit tests for checkIdleThreshold, checkSteering, checkTimeouts (#1748)
11
+
3
12
  ## 0.1.1548 (2026-04-23)
4
13
 
5
14
  ### Other
@@ -98,9 +98,15 @@ function toggleModalPin() {
98
98
 
99
99
  // Canonical HTML-escape helper (SEC-03). Use this in all new code and for any user-controlled
100
100
  // field that reaches `.innerHTML` / a template literal. Escapes the 6 HTML metacharacters
101
- // (& < > " ' /) — the `/` escape closes the `</script>` break-out path that a 5-char escape
101
+ // (& < > " ' /) — the `/` escape closes the `<\/script>` break-out path that a 5-char escape
102
102
  // leaves open. Returns '' for null/undefined so missing fields never render the literal strings
103
103
  // "null"/"undefined". Idempotent for non-metacharacter input (double-escaping only expands `&`).
104
+ // NOTE: the `<\/script>` spelling above is deliberate. dashboard.js inlines every module in
105
+ // dashboard/js/ into a single inline <script> block; a raw closing-script-tag literal in any
106
+ // comment or string closes that block early and spills the rest as document text (issue #1746).
107
+ // The HTML5 tokenizer's script-data end-tag match is byte-level and ignores JS comment/string
108
+ // boundaries, so the only safe way to reference the token in-source is to break the match —
109
+ // `<` followed by `\/` works because after `<` only `/` (not `\`) triggers end-tag-open state.
104
110
  function escapeHtml(str) {
105
111
  if (str === null || str === undefined) return '';
106
112
  return String(str)
package/engine.js CHANGED
@@ -3759,6 +3759,8 @@ module.exports = {
3759
3759
  // Shared helpers (used by lifecycle.js and tests)
3760
3760
  reconcileItemsWithPrs, detectDependencyCycles,
3761
3761
  parseConflictFiles, pruneAncestorDeps, preflightMergeSimulation, // exported for testing
3762
+ isWorktreeRetryableError, removeStaleIndexLock, // exported for testing
3763
+ _maxTurnsForType, buildProjectContext, normalizeAc, // exported for testing
3762
3764
 
3763
3765
  // Playbooks
3764
3766
  renderPlaybook, validatePlaybookVars, PLAYBOOK_REQUIRED_VARS, buildWorkItemDispatchVars,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@yemi33/minions",
3
- "version": "0.1.1548",
3
+ "version": "0.1.1550",
4
4
  "description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
5
5
  "bin": {
6
6
  "minions": "bin/minions.js"