confluence-cli 1.33.0 → 1.33.1

package/bin/index.js

@@ -12,7 +12,7 @@
 
 // Make sure we're using a supported Node.js version
 const nodeVersion = process.version;
-const requiredVersion = '14.0.0';
+const requiredVersion = '18.0.0';
 
 if (!nodeVersion.startsWith('v') || 
     parseInt(nodeVersion.slice(1).split('.')[0]) < parseInt(requiredVersion.split('.')[0])) {

package/lib/confluence-client.js

@@ -996,6 +996,12 @@ class ConfluenceClient {
       throw new Error('Unable to determine download URL for attachment');
     }
 
+    // Refuse to send credentials to an unexpected origin. The download URL is
+    // derived from a server-supplied _links.download value, so a tampered or
+    // misconfigured response could otherwise exfiltrate the bearer/basic token,
+    // including via an http:// downgrade against an https-configured client.
+    this.assertSameOrigin(downloadUrl);
+
     // Download directly using axios with the same auth headers
     const downloadRequestConfig = {
       responseType: options.responseType || 'stream',
@@ -1780,6 +1786,45 @@ class ConfluenceClient {
     return `${this.protocol}://${this.domain}${normalized}`;
   }
 
+  configuredOrigin() {
+    if (!this.domain) {
+      return null;
+    }
+    try {
+      return new URL(`${this.protocol}://${this.domain}`).origin;
+    } catch {
+      return null;
+    }
+  }
+
+  isSameOriginAsConfigured(url) {
+    const expected = this.configuredOrigin();
+    if (!url || !expected) {
+      return false;
+    }
+    try {
+      return new URL(url).origin === expected;
+    } catch {
+      return false;
+    }
+  }
+
+  assertSameOrigin(url) {
+    if (this.isSameOriginAsConfigured(url)) {
+      return;
+    }
+    let actualOrigin;
+    try {
+      actualOrigin = new URL(url).origin;
+    } catch {
+      actualOrigin = String(url);
+    }
+    const expectedOrigin = this.configuredOrigin() ?? `${this.protocol}://${this.domain}`;
+    throw new Error(
+      `Refusing to send credentials to "${actualOrigin}": origin does not match the configured Confluence origin "${expectedOrigin}". This may indicate a tampered or misconfigured API response, or an http downgrade against an https-configured client.`
+    );
+  }
+
   joinBaseUrl(baseUrl, path) {
     if (!baseUrl) {
       return null;

package/npm-shrinkwrap.json

@@ -1,12 +1,12 @@
 {
   "name": "confluence-cli",
-  "version": "1.33.0",
+  "version": "1.33.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "confluence-cli",
-      "version": "1.33.0",
+      "version": "1.33.1",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.15.0",
@@ -15,15 +15,14 @@
         "form-data": "^4.0.5",
         "html-to-text": "^9.0.5",
         "inquirer": "^8.2.6",
-        "markdown-it": "^14.1.0",
-        "ora": "^5.4.1"
+        "markdown-it": "^14.1.0"
       },
       "bin": {
         "confluence": "bin/index.js",
         "confluence-cli": "bin/index.js"
       },
       "engines": {
-        "node": ">=14.0.0"
+        "node": ">=18.0.0"
       }
     },
     "node_modules/@inquirer/external-editor": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "confluence-cli",
-  "version": "1.33.0",
+  "version": "1.33.1",
   "description": "A command-line interface for Atlassian Confluence with page creation and editing capabilities",
   "main": "index.js",
   "bin": {
@@ -29,8 +29,7 @@
     "form-data": "^4.0.5",
     "html-to-text": "^9.0.5",
     "inquirer": "^8.2.6",
-    "markdown-it": "^14.1.0",
-    "ora": "^5.4.1"
+    "markdown-it": "^14.1.0"
   },
   "devDependencies": {
     "@types/node": "^20.10.0",
@@ -45,7 +44,7 @@
     }
   },
   "engines": {
-    "node": ">=14.0.0"
+    "node": ">=18.0.0"
   },
   "repository": {
     "type": "git",