npm - een-api-toolkit - Versions diffs - 0.3.78 → 0.3.79 - Mend

een-api-toolkit 0.3.78 → 0.3.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/CHANGELOG.md +31 -83
package/dist/index.cjs +2 -2
package/dist/index.cjs.map +1 -1
package/dist/index.js +554 -554
package/dist/index.js.map +1 -1
package/docs/AI-CONTEXT.md +1 -1
package/docs/ai-reference/AI-AUTH.md +1 -1
package/docs/ai-reference/AI-AUTOMATIONS.md +1 -1
package/docs/ai-reference/AI-DEVICES.md +1 -1
package/docs/ai-reference/AI-EVENT-DATA-SCHEMAS.md +1 -1
package/docs/ai-reference/AI-EVENTS.md +1 -1
package/docs/ai-reference/AI-GROUPING.md +1 -1
package/docs/ai-reference/AI-JOBS.md +1 -1
package/docs/ai-reference/AI-MEDIA.md +1 -1
package/docs/ai-reference/AI-SETUP.md +1 -1
package/docs/ai-reference/AI-USERS.md +1 -1
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -2,68 +2,10 @@
 All notable changes to this project will be documented in this file.
-## [0.3.78] - 2026-02-12
+## [0.3.79] - 2026-02-14
 ### Release Summary
-#### PR #102: Release v0.3.69: CI improvements and dependency management
-## Summary
-- Dynamic E2E test matrix discovery (auto-detects example apps with `playwright.config.ts`)
-- Added missing `vue-jobs` to CI E2E testing
-- Dependabot configuration for automated dependency updates
-- Pinned GitHub Actions to immutable commit SHAs for supply chain security
-## Commits
-- `474e9bb` ci: Dynamically discover example apps for E2E matrix
-- `ad3f318` fix: pin GitHub Actions to immutable commit SHAs
-- `cc706d8` chore: add Dependabot configuration for automated dependency updates
-- `24a385b` Merge PR #95 (workflow SHA pinning security fix)
-## Test Results
-- **Lint**: Passed (0 errors, 1 warning)
-- **Unit tests**: 619/619 passed
-- **Build**: Successful
-- **E2E tests**: 11/11 example apps passed (1 transient OAuth timeout on vue-users, passed on rerun)
-## Security Review
-Changes are CI/infrastructure only (workflow files, dependabot config). No source code changes. No security vulnerabilities.
-## Version
-`v0.3.69`
-#### PR #106: Release v0.3.70: Fix Dependabot TypeScript minor version ignore
-## Summary
-- Re-add `semver-minor` ignore for TypeScript in Dependabot config to prevent unwanted 5.8→5.9 bump PRs
-- Dependabot modifies `package.json` directly, bypassing the `~5.8.x` constraint — must be blocked at the Dependabot level
-- Addresses review feedback from PR #102 and closes Dependabot PR #104
-- Documentation updates: fix inaccuracies in CLAUDE.md and README.md, regenerate API docs
-- Remove misleading auto-merge comment, add CodeQL and SHA pinning guidance to CLAUDE.md
-## Changes
-- `.github/dependabot.yml` - Re-add semver-minor to TypeScript ignore, clarify comments
-- `.github/workflows/validate-pr.yml` - Add validation to discover-examples job
-- `.github/workflows/claude-code-review.yml` - Update SHA version comment to v1.0.48
-- `CLAUDE.md` - Fix 7 documentation inaccuracies, add SHA pinning guidance
-- `README.md` - Add vue-automations and vue-jobs to examples table
-- `docs/` - Regenerated API docs and AI reference docs
-## Test Results
-- **Lint**: Passed (0 errors, 1 warning)
-- **Unit tests**: 619/619 passed
-- **Build**: Successful
-- **E2E tests**: 11/11 example apps passed
-## Security Review
-No source code changes — infrastructure and documentation only. No security concerns.
-## Version
-v0.3.70
 #### PR #108: Release v0.3.76: Hostname validation security hardening
 ## Summary
 - **Security Fix**: Validate hostname against EEN domain allowlist to prevent token exfiltration via malicious base URL injection
@@ -91,48 +33,54 @@ v0.3.70
 🤖 Generated with [Claude Code](https://claude.com/claude-code)
-#### PR #94: Release v0.3.69: SSRF protection fix with test coverage
+#### PR #110: fix: Security hardening - hostname validation and CI/CD pipeline
 ## Summary
-- Merges security fix from PR #93 (SSRF domain validation in `initMediaSession`)
-- Fixes broken unit tests caused by the domain validation (updated test domains from `example.com` to `eagleeyenetworks.com`)
-- Adds 2 new unit tests for domain validation coverage (untrusted domain rejection, `een.cloud` acceptance)
+Release v0.3.79 - Security hardening fixes for three vulnerabilities identified in code review:
+- **Hostname validation bypass**: Added DNS hostname character regex (`/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/`) before `endsWith()` check in `isAllowedEenHostname()` to prevent bypass attacks like `evil.com/.eagleeyenetworks.com`
+- **CI/CD branch restriction**: Added `head_branch == 'production'` check to npm-publish workflow to prevent publishing from non-production branches
+- **Script injection prevention**: Moved `${{ }}` interpolation from shell `run:` blocks to `env:` blocks in test-release workflow at 3 locations
 ## Commits
-- `22aed68` Fix AUTH_BYPASS vulnerability in initMediaSession()
-- `b6d21d1` fix: Update media tests for SSRF domain validation and add coverage
+- `d4e8a06` fix: harden hostname validation and CI/CD security
+- `c870348` Update src/utils/hostname.ts
+- `5a76991` Merge pull request #109
 ## Test Results
-- **Lint**: Passed (1 warning, 0 errors)
-- **Unit tests**: 619/619 passed
-- **Build**: Successful (v0.3.69)
-- **E2E tests**: 11/11 example apps passed
-## Security Review
-The only source code change is the SSRF protection in `src/media/service.ts` which validates session URLs against allowed domains (`.eagleeyenetworks.com`, `.een.cloud`). This is a security improvement with no new vulnerabilities.
+- **Lint**: 0 errors (1 pre-existing warning)
+- **Unit tests**: 644 passed
+- **Build**: Success
+- **E2E tests**: 225 passed across all 11 example apps
+- **Security review**: No HIGH-confidence vulnerabilities found
+## Files Changed
+- `src/utils/hostname.ts` - Added hostname character validation regex
+- `src/__tests__/auth.store.test.ts` - Added 5 test cases for malicious hostname bypass
+- `.github/workflows/npm-publish.yml` - Added production branch restriction
+- `.github/workflows/test-release.yml` - Fixed script injection at 3 locations
 ## Version
-`v0.3.69`
+`0.3.79`
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
 ### Detailed Changes
 #### Bug Fixes
-- fix: Repair broken JSDoc comment in hostname.ts
-- fix: Address code review concerns for PR #108
-- fix: harden hostname/port validation and fail-secure on tampered storage
-- fix: Add falsy guard to isAllowedEenHostname for robustness
-- fix: Use console.warn for rejected hostname validation messages
-- fix: Validate hostname against EEN domain allowlist to prevent token exfiltration
-- fix: Re-add semver-minor ignore for TypeScript in Dependabot
+- fix: harden hostname validation and CI/CD security
 #### Other Changes
 - Update src/utils/hostname.ts
-- docs: Add @internal JSDoc tag to ALLOWED_DOMAINS constant
-- test: Add hostname validation tests for auth store security fix
 ### Links
 - [npm package](https://www.npmjs.com/package/een-api-toolkit)
-- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.70...v0.3.78)
+- [Full Changelog](https://github.com/klaushofrichter/een-api-toolkit/compare/v0.3.78...v0.3.79)
 ---
-*Released: 2026-02-12 20:28:23 CST*
+*Released: 2026-02-14 07:56:49 CST*