npm - cc-safe-setup - Versions diffs - 23.1.0 → 25.0.0 - Mend

cc-safe-setup 23.1.0 → 25.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +1 -1
package/examples/check-accessibility.sh +4 -0
package/examples/check-csrf-protection.sh +4 -0
package/examples/check-error-boundaries.sh +4 -0
package/examples/check-input-validation.sh +4 -0
package/examples/check-rate-limiting.sh +4 -0
package/examples/no-cleartext-storage.sh +4 -0
package/examples/no-dangerouslySetInnerHTML.sh +4 -0
package/examples/no-eval-in-template.sh +4 -0
package/examples/no-floating-promises.sh +4 -0
package/examples/no-mutation-in-reducer.sh +4 -0
package/examples/no-open-redirect.sh +4 -0
package/examples/no-path-join-user-input.sh +4 -0
package/examples/no-prototype-pollution.sh +4 -0
package/examples/no-xml-external-entity.sh +4 -0
package/examples/prefer-optional-chaining.sh +4 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -6,7 +6,7 @@
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
-8 built-in + 124 examples = **215 hooks**. 45 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 124 examples = **230 hooks**. 45 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 ```bash
 npx cc-safe-setup

package/examples/check-accessibility.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "<img[^>]+(?!alt=)" && echo "NOTE: img without alt attribute" >&2
+exit 0

package/examples/check-csrf-protection.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "<form.*method.*POST" && ! echo "$CONTENT" | grep -qE "csrf|_token|csrfmiddleware" && echo "NOTE: Form without CSRF protection" >&2
+exit 0

package/examples/check-error-boundaries.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "class.*extends.*Component|function.*\(\)" && echo "$CONTENT" | grep -q "render" && ! echo "$CONTENT" | grep -q "ErrorBoundary" && echo "NOTE: Consider adding ErrorBoundary" >&2
+exit 0

package/examples/check-input-validation.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "req\.(body|query|params)\.\w+" && ! echo "$CONTENT" | grep -qE "validate|sanitize|Joi|zod|yup" && echo "NOTE: User input without validation" >&2
+exit 0

package/examples/check-rate-limiting.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "app\.(get|post|put|delete)\(" && ! echo "$CONTENT" | grep -q "rateLimit" && echo "NOTE: API endpoint without rate limiting" >&2
+exit 0

package/examples/no-cleartext-storage.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "localStorage\.setItem.*password|sessionStorage.*token" && echo "WARNING: Storing secrets in browser storage" >&2
+exit 0

package/examples/no-dangerouslySetInnerHTML.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -q "dangerouslySetInnerHTML" && echo "WARNING: XSS risk via dangerouslySetInnerHTML" >&2
+exit 0

package/examples/no-eval-in-template.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "\$\{.*eval|new Function" && echo "WARNING: eval in template" >&2
+exit 0

package/examples/no-floating-promises.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "^\s+\w+\.\w+\(" && echo "$CONTENT" | grep -q "await\|\.then\|\.catch" || echo "$CONTENT" | grep -qE "async" && echo "NOTE: Check for unhandled promises" >&2
+exit 0

package/examples/no-mutation-in-reducer.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "(state\.\w+\s*=|\.push\(|\.splice\()" && echo "$CONTENT" | grep -q "reducer\|Reducer" && echo "WARNING: Direct state mutation in reducer" >&2
+exit 0

package/examples/no-open-redirect.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "redirect\(req\.(query|params|body)" && echo "WARNING: Open redirect risk" >&2
+exit 0

package/examples/no-path-join-user-input.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "path\.(join|resolve)\(.*req\." && echo "WARNING: Path traversal risk" >&2
+exit 0

package/examples/no-prototype-pollution.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "__proto__|Object\.assign\(\{\}," && echo "WARNING: Potential prototype pollution" >&2
+exit 0

package/examples/no-xml-external-entity.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "parseXML|xml2js|DOMParser|libxml" && echo "$CONTENT" | grep -q "ENTITY" && echo "WARNING: Possible XXE in XML parsing" >&2
+exit 0

package/examples/prefer-optional-chaining.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "\w+\s*&&\s*\w+\.\w+" && echo "NOTE: Consider optional chaining (?.) instead" >&2
+exit 0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "23.1.0",
+  "version": "25.0.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {