agentsmesh 0.19.0 → 0.19.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +59 -0
- package/dist/canonical.js +5 -1
- package/dist/canonical.js.map +1 -1
- package/dist/cli.js +135 -135
- package/dist/engine.js +20 -1
- package/dist/engine.js.map +1 -1
- package/dist/index.js +20 -1
- package/dist/index.js.map +1 -1
- package/dist/targets.js.map +1 -1
- package/package.json +1 -1
package/dist/engine.js
CHANGED
|
@@ -20018,10 +20018,12 @@ async function loadConfig(configPath) {
|
|
|
20018
20018
|
}
|
|
20019
20019
|
return result.data;
|
|
20020
20020
|
}
|
|
20021
|
+
var PROTOTYPE_POLLUTION_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
|
|
20021
20022
|
function deepMergeObjects(base, overrides2) {
|
|
20022
20023
|
const result = { ...base };
|
|
20023
20024
|
for (const [k, v] of Object.entries(overrides2)) {
|
|
20024
20025
|
if (v === null || v === void 0) continue;
|
|
20026
|
+
if (PROTOTYPE_POLLUTION_KEYS.has(k)) continue;
|
|
20025
20027
|
const baseVal = result[k];
|
|
20026
20028
|
if (typeof v === "object" && !Array.isArray(v) && v !== null && typeof baseVal === "object" && baseVal !== null && !Array.isArray(baseVal)) {
|
|
20027
20029
|
result[k] = deepMergeObjects(
|
|
@@ -20458,7 +20460,9 @@ function parseGitSource(source) {
|
|
|
20458
20460
|
} catch {
|
|
20459
20461
|
return null;
|
|
20460
20462
|
}
|
|
20461
|
-
|
|
20463
|
+
const allowInsecure = process.env.AGENTSMESH_ALLOW_INSECURE_GIT === "1" || process.env.AGENTSMESH_ALLOW_INSECURE_GIT === "true";
|
|
20464
|
+
const allowedProtocols = allowInsecure ? ["https:", "http:", "ssh:", "file:"] : ["https:", "ssh:", "file:"];
|
|
20465
|
+
if (!allowedProtocols.includes(parsedUrl.protocol)) {
|
|
20462
20466
|
return null;
|
|
20463
20467
|
}
|
|
20464
20468
|
return { url, ref };
|
|
@@ -22246,15 +22250,30 @@ function isLocalSource(source) {
|
|
|
22246
22250
|
// these on win32, and they must not be misinterpreted as bare npm package names.
|
|
22247
22251
|
/^[A-Za-z]:[/\\]/.test(source);
|
|
22248
22252
|
}
|
|
22253
|
+
function canonicalize(path) {
|
|
22254
|
+
try {
|
|
22255
|
+
return realpathSync(path);
|
|
22256
|
+
} catch {
|
|
22257
|
+
return path;
|
|
22258
|
+
}
|
|
22259
|
+
}
|
|
22260
|
+
function assertSourceInsideProjectRoot(resolvedPath, projectRoot) {
|
|
22261
|
+
const rootAbs = canonicalize(resolve(projectRoot));
|
|
22262
|
+
const sourceAbs = canonicalize(resolvedPath);
|
|
22263
|
+
if (sourceAbs === rootAbs || sourceAbs.startsWith(`${rootAbs}${sep}`)) return;
|
|
22264
|
+
throw new Error(`Plugin source resolves outside project root (escapes ${rootAbs}): ${sourceAbs}`);
|
|
22265
|
+
}
|
|
22249
22266
|
async function importPluginModule(entry, projectRoot) {
|
|
22250
22267
|
const { source } = entry;
|
|
22251
22268
|
let importTarget;
|
|
22252
22269
|
if (isLocalSource(source)) {
|
|
22253
22270
|
const raw = source.startsWith("file:") ? fileURLToPath(source) : source;
|
|
22254
22271
|
const resolved = resolve(projectRoot, raw);
|
|
22272
|
+
assertSourceInsideProjectRoot(resolved, projectRoot);
|
|
22255
22273
|
importTarget = pathToFileURL(resolved).href;
|
|
22256
22274
|
} else {
|
|
22257
22275
|
const resolved = resolveNpmSpecifier(source, projectRoot);
|
|
22276
|
+
assertSourceInsideProjectRoot(resolved, projectRoot);
|
|
22258
22277
|
importTarget = pathToFileURL(resolved).href;
|
|
22259
22278
|
}
|
|
22260
22279
|
const mod = await import(importTarget);
|