npm - cc-safe-setup - Versions diffs - 24.0.0 → 25.1.0 - Mend

cc-safe-setup 24.0.0 → 25.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md +1 -1
package/examples/check-csrf-protection.sh +4 -0
package/examples/check-error-boundaries.sh +4 -0
package/examples/check-error-message.sh +4 -0
package/examples/check-input-validation.sh +4 -0
package/examples/check-rate-limiting.sh +4 -0
package/examples/check-semantic-versioning.sh +4 -0
package/examples/no-cleartext-storage.sh +4 -0
package/examples/no-console-time.sh +4 -0
package/examples/no-dangerouslySetInnerHTML.sh +4 -0
package/examples/no-mixed-line-endings.sh +4 -0
package/examples/no-open-redirect.sh +4 -0
package/examples/no-path-join-user-input.sh +4 -0
package/examples/no-prototype-pollution.sh +4 -0
package/examples/no-todo-without-issue.sh +4 -0
package/examples/no-xml-external-entity.sh +4 -0
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -6,7 +6,7 @@
 **One command to make Claude Code safe for autonomous operation.** [日本語](docs/README.ja.md)
-8 built-in + 124 examples = **220 hooks**. 45 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
+8 built-in + 124 examples = **235 hooks**. 45 CLI commands. 561 tests. 5 languages. [**Hub**](https://yurukusa.github.io/cc-safe-setup/hub.html) · [Wizard](https://yurukusa.github.io/cc-safe-setup/wizard.html) · [Cheat Sheet](https://yurukusa.github.io/cc-safe-setup/hooks-cheatsheet.html) · [Builder](https://yurukusa.github.io/cc-safe-setup/builder.html) · [FAQ](https://yurukusa.github.io/cc-safe-setup/faq.html) · [Examples](https://yurukusa.github.io/cc-safe-setup/by-example.html) · [Matrix](https://yurukusa.github.io/cc-safe-setup/matrix.html) · [Playground](https://yurukusa.github.io/cc-hook-registry/playground.html)
 ```bash
 npx cc-safe-setup

package/examples/check-csrf-protection.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "<form.*method.*POST" && ! echo "$CONTENT" | grep -qE "csrf|_token|csrfmiddleware" && echo "NOTE: Form without CSRF protection" >&2
+exit 0

package/examples/check-error-boundaries.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "class.*extends.*Component|function.*\(\)" && echo "$CONTENT" | grep -q "render" && ! echo "$CONTENT" | grep -q "ErrorBoundary" && echo "NOTE: Consider adding ErrorBoundary" >&2
+exit 0

package/examples/check-error-message.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "throw new Error\(['\"](error|Error|something went wrong)" && echo "NOTE: Generic error message — be specific" >&2
+exit 0

package/examples/check-input-validation.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "req\.(body|query|params)\.\w+" && ! echo "$CONTENT" | grep -qE "validate|sanitize|Joi|zod|yup" && echo "NOTE: User input without validation" >&2
+exit 0

package/examples/check-rate-limiting.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "app\.(get|post|put|delete)\(" && ! echo "$CONTENT" | grep -q "rateLimit" && echo "NOTE: API endpoint without rate limiting" >&2
+exit 0

package/examples/check-semantic-versioning.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "\"version\":\s*\"[^0-9]" && echo "NOTE: Non-semver version string" >&2
+exit 0

package/examples/no-cleartext-storage.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "localStorage\.setItem.*password|sessionStorage.*token" && echo "WARNING: Storing secrets in browser storage" >&2
+exit 0

package/examples/no-console-time.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "console\.(time|timeEnd|timeLog)" && echo "NOTE: console.time left in code" >&2
+exit 0

package/examples/no-dangerouslySetInnerHTML.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -q "dangerouslySetInnerHTML" && echo "WARNING: XSS risk via dangerouslySetInnerHTML" >&2
+exit 0

package/examples/no-mixed-line-endings.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+if echo "$CONTENT" | grep -qP "\r\n" && echo "$CONTENT" | grep -qP "[^\r]\n"; then echo "NOTE: Mixed line endings (CRLF + LF)" >&2; fi
+exit 0

package/examples/no-open-redirect.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "redirect\(req\.(query|params|body)" && echo "WARNING: Open redirect risk" >&2
+exit 0

package/examples/no-path-join-user-input.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "path\.(join|resolve)\(.*req\." && echo "WARNING: Path traversal risk" >&2
+exit 0

package/examples/no-prototype-pollution.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "__proto__|Object\.assign\(\{\}," && echo "WARNING: Potential prototype pollution" >&2
+exit 0

package/examples/no-todo-without-issue.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "TODO[^(]|FIXME[^(]" && ! echo "$CONTENT" | grep -qE "TODO\(#|FIXME\(#" && echo "NOTE: TODO without issue reference" >&2
+exit 0

package/examples/no-xml-external-entity.sh ADDED Viewed

@@ -0,0 +1,4 @@
+CONTENT=$(cat | jq -r '.tool_input.new_string // .tool_input.content // empty' 2>/dev/null)
+[ -z "$CONTENT" ] && exit 0
+echo "$CONTENT" | grep -qE "parseXML|xml2js|DOMParser|libxml" && echo "$CONTENT" | grep -q "ENTITY" && echo "WARNING: Possible XXE in XML parsing" >&2
+exit 0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "cc-safe-setup",
-  "version": "24.0.0",
+  "version": "25.1.0",
   "description": "One command to make Claude Code safe. 59 hooks (8 built-in + 51 examples). 26 CLI commands: dashboard, create, audit, lint, diff, migrate, compare, generate-ci. 284 tests.",
   "main": "index.mjs",
   "bin": {