@yemi33/minions 0.1.1549 → 0.1.1550
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +5 -1
- package/dashboard/js/utils.js +7 -1
- package/engine.js +2 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,8 +1,12 @@
|
|
|
1
1
|
# Changelog
|
|
2
2
|
|
|
3
|
-
## 0.1.
|
|
3
|
+
## 0.1.1550 (2026-04-24)
|
|
4
|
+
|
|
5
|
+
### Fixes
|
|
6
|
+
- escape </script> literal in utils.js (closes #1746) (#1751)
|
|
4
7
|
|
|
5
8
|
### Other
|
|
9
|
+
- test(engine): add unit tests for isWorktreeRetryableError, removeStaleIndexLock, _maxTurnsForType, buildProjectContext, normalizeAc (#1752)
|
|
6
10
|
- test(timeout): add unit tests for checkIdleThreshold, checkSteering, checkTimeouts (#1748)
|
|
7
11
|
|
|
8
12
|
## 0.1.1548 (2026-04-23)
|
package/dashboard/js/utils.js
CHANGED
|
@@ -98,9 +98,15 @@ function toggleModalPin() {
|
|
|
98
98
|
|
|
99
99
|
// Canonical HTML-escape helper (SEC-03). Use this in all new code and for any user-controlled
|
|
100
100
|
// field that reaches `.innerHTML` / a template literal. Escapes the 6 HTML metacharacters
|
|
101
|
-
// (& < > " ' /) — the `/` escape closes the
|
|
101
|
+
// (& < > " ' /) — the `/` escape closes the `<\/script>` break-out path that a 5-char escape
|
|
102
102
|
// leaves open. Returns '' for null/undefined so missing fields never render the literal strings
|
|
103
103
|
// "null"/"undefined". Idempotent for non-metacharacter input (double-escaping only expands `&`).
|
|
104
|
+
// NOTE: the `<\/script>` spelling above is deliberate. dashboard.js inlines every module in
|
|
105
|
+
// dashboard/js/ into a single inline <script> block; a raw closing-script-tag literal in any
|
|
106
|
+
// comment or string closes that block early and spills the rest as document text (issue #1746).
|
|
107
|
+
// The HTML5 tokenizer's script-data end-tag match is byte-level and ignores JS comment/string
|
|
108
|
+
// boundaries, so the only safe way to reference the token in-source is to break the match —
|
|
109
|
+
// `<` followed by `\/` works because after `<` only `/` (not `\`) triggers end-tag-open state.
|
|
104
110
|
function escapeHtml(str) {
|
|
105
111
|
if (str === null || str === undefined) return '';
|
|
106
112
|
return String(str)
|
package/engine.js
CHANGED
|
@@ -3759,6 +3759,8 @@ module.exports = {
|
|
|
3759
3759
|
// Shared helpers (used by lifecycle.js and tests)
|
|
3760
3760
|
reconcileItemsWithPrs, detectDependencyCycles,
|
|
3761
3761
|
parseConflictFiles, pruneAncestorDeps, preflightMergeSimulation, // exported for testing
|
|
3762
|
+
isWorktreeRetryableError, removeStaleIndexLock, // exported for testing
|
|
3763
|
+
_maxTurnsForType, buildProjectContext, normalizeAc, // exported for testing
|
|
3762
3764
|
|
|
3763
3765
|
// Playbooks
|
|
3764
3766
|
renderPlaybook, validatePlaybookVars, PLAYBOOK_REQUIRED_VARS, buildWorkItemDispatchVars,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@yemi33/minions",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.1550",
|
|
4
4
|
"description": "Multi-agent AI dev team that runs from ~/.minions/ — five autonomous agents share a single engine, dashboard, and knowledge base",
|
|
5
5
|
"bin": {
|
|
6
6
|
"minions": "bin/minions.js"
|