npm - een-api-toolkit - Versions diffs - 0.3.70 → 0.3.79 - Mend

een-api-toolkit 0.3.70 → 0.3.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +51 -49
package/dist/index.cjs +3 -3
package/dist/index.cjs.map +1 -1
package/dist/index.js +917 -889
package/dist/index.js.map +1 -1
package/docs/AI-CONTEXT.md +1 -1
package/docs/ai-reference/AI-AUTH.md +1 -1
package/docs/ai-reference/AI-AUTOMATIONS.md +1 -1
package/docs/ai-reference/AI-DEVICES.md +1 -1
package/docs/ai-reference/AI-EVENT-DATA-SCHEMAS.md +1 -1
package/docs/ai-reference/AI-EVENTS.md +1 -1
package/docs/ai-reference/AI-GROUPING.md +1 -1
package/docs/ai-reference/AI-JOBS.md +1 -1
package/docs/ai-reference/AI-MEDIA.md +1 -1
package/docs/ai-reference/AI-SETUP.md +1 -1
package/docs/ai-reference/AI-USERS.md +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,83 +2,85 @@
 All notable changes to this project will be documented in this file.
-## [0.3.70] - 2026-02-10
+## [0.3.79] - 2026-02-14
 ### Release Summary
-#### PR #102: Release v0.3.69: CI improvements and dependency management
+#### PR #108: Release v0.3.76: Hostname validation security hardening
 ## Summary
-- Dynamic E2E test matrix discovery (auto-detects example apps with `playwright.config.ts`)
-- Added missing `vue-jobs` to CI E2E testing
-- Dependabot configuration for automated dependency updates
-- Pinned GitHub Actions to immutable commit SHAs for supply chain security
+- **Security Fix**: Validate hostname against EEN domain allowlist to prevent token exfiltration via malicious base URL injection
+- **Hardening**: Fail-secure on tampered storage - clears all auth data when poisoned hostname/port detected
+- **Validation**: Port validation (1-65535 range), protocol bypass prevention, subdomain spoofing protection
+- **Tests**: Comprehensive hostname validation test suite for auth store (46 new tests)
+- **Robustness**: Added `isAllowedEenHostname` utility with falsy guard, console.warn for rejected hostnames, `@internal` JSDoc tag on `ALLOWED_DOMAINS`
 ## Commits
-- `474e9bb` ci: Dynamically discover example apps for E2E matrix
-- `ad3f318` fix: pin GitHub Actions to immutable commit SHAs
-- `cc706d8` chore: add Dependabot configuration for automated dependency updates
-- `24a385b` Merge PR #95 (workflow SHA pinning security fix)
+- fix: Validate hostname against EEN domain allowlist to prevent token exfiltration
+- test: Add hostname validation tests for auth store security fix
+- docs: Add @internal JSDoc tag to ALLOWED_DOMAINS constant
+- fix: Use console.warn for rejected hostname validation messages
+- fix: Add falsy guard to isAllowedEenHostname for robustness
+- fix: harden hostname/port validation and fail-secure on tampered storage
 ## Test Results
-- **Lint**: Passed (0 errors, 1 warning)
-- **Unit tests**: 619/619 passed
-- **Build**: Successful
-- **E2E tests**: 11/11 example apps passed (1 transient OAuth timeout on vue-users, passed on rerun)
-## Security Review
-Changes are CI/infrastructure only (workflow files, dependabot config). No source code changes. No security vulnerabilities.
+- **Lint**: Passed (1 warning - pre-existing)
+- **Unit Tests**: 639 passed (23 test files)
+- **Build**: Successful (ESM + CJS)
+- **E2E Tests**: All 11 example apps passed
 ## Version
-`v0.3.69`
+`0.3.76`
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
-#### PR #94: Release v0.3.69: SSRF protection fix with test coverage
+#### PR #110: fix: Security hardening - hostname validation and CI/CD pipeline
 ## Summary
-- Merges security fix from PR #93 (SSRF domain validation in `initMediaSession`)
-- Fixes broken unit tests caused by the domain validation (updated test domains from `example.com` to `eagleeyenetworks.com`)
-- Adds 2 new unit tests for domain validation coverage (untrusted domain rejection, `een.cloud` acceptance)
+Release v0.3.79 - Security hardening fixes for three vulnerabilities identified in code review:
+- **Hostname validation bypass**: Added DNS hostname character regex (`/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/`) before `endsWith()` check in `isAllowedEenHostname()` to prevent bypass attacks like `evil.com/.eagleeyenetworks.com`
+- **CI/CD branch restriction**: Added `head_branch == 'production'` check to npm-publish workflow to prevent publishing from non-production branches
+- **Script injection prevention**: Moved `${{ }}` interpolation from shell `run:` blocks to `env:` blocks in test-release workflow at 3 locations
 ## Commits
-- `22aed68` Fix AUTH_BYPASS vulnerability in initMediaSession()
-- `b6d21d1` fix: Update media tests for SSRF domain validation and add coverage
+- `d4e8a06` fix: harden hostname validation and CI/CD security
+- `c870348` Update src/utils/hostname.ts
+- `5a76991` Merge pull request #109
 ## Test Results
-- **Lint**: Passed (1 warning, 0 errors)
-- **Unit tests**: 619/619 passed
-- **Build**: Successful (v0.3.69)
-- **E2E tests**: 11/11 example apps passed
-## Security Review
-The only source code change is the SSRF protection in `src/media/service.ts` which validates session URLs against allowed domains (`.eagleeyenetworks.com`, `.een.cloud`). This is a security improvement with no new vulnerabilities.
+- **Lint**: 0 errors (1 pre-existing warning)
+- **Unit tests**: 644 passed
+- **Build**: Success
+- **E2E tests**: 225 passed across all 11 example apps
+- **Security review**: No HIGH-confidence vulnerabilities found
+## Files Changed
+- `src/utils/hostname.ts` - Added hostname character validation regex
+- `src/__tests__/auth.store.test.ts` - Added 5 test cases for malicious hostname bypass
+- `.github/workflows/npm-publish.yml` - Added production branch restriction
+- `.github/workflows/test-release.yml` - Fixed script injection at 3 locations
 ## Version
-`v0.3.69`
+`0.3.79`
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
 ### Detailed Changes
 #### Bug Fixes
-- fix: Address code review concerns for PR #102
-- fix: Revert TypeScript to ~5.8.0 and block minor bumps in Dependabot
-- fix: Revert eslint to v9 for typescript-eslint compatibility
-- fix: pin GitHub Actions to immutable commit SHAs
+- fix: harden hostname validation and CI/CD security
 #### Other Changes
-- docs: Address minor review concerns for PR #102
-- docs: Fix documentation inaccuracies and regenerate API docs
-- chore(deps): bump github/codeql-action from 3.32.2 to 4.32.2
-- chore: Ignore eslint major version bumps in Dependabot
-- chore(deps-dev): bump the npm-dependencies group with 18 updates
-- chore(deps): bump actions/upload-artifact from 4.6.2 to 6.0.0
-- chore(deps): bump anthropics/claude-code-action
-- chore(deps): bump github/codeql-action
-- chore(deps): bump actions/setup-node from 4.4.0 to 6.2.0
-- chore(deps): bump actions/checkout from 4.3.1 to 6.0.2
-- chore: add Dependabot configuration for automated dependency updates
-- ci: Dynamically discover example apps for E2E matrix
+- Update src/utils/hostname.ts
 ### Links
 - [npm package](https://www.npmjs.com/package/een-api-toolkit)
-- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.69...v0.3.70)
+- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.78...v0.3.79)
 ---
-*Released: 2026-02-10 21:07:19 CST*
+*Released: 2026-02-14 07:56:49 CST*