git-watchtower 1.10.16 → 1.10.18

package/bin/git-watchtower.js

@@ -2530,6 +2530,7 @@ function setupKeyboardInput() {
           const child = spawn('npm', ['i', '-g', 'git-watchtower'], {
             stdio: 'ignore',
             detached: false,
+            shell: process.platform === 'win32',
           });
           child.on('close', (code) => {
             store.setState({ updateInProgress: false, updateModalVisible: false, updateModalSelectedIndex: 0 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "git-watchtower",
-  "version": "1.10.16",
+  "version": "1.10.18",
   "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
   "main": "bin/git-watchtower.js",
   "bin": {

package/src/server/coordinator.js

@@ -26,6 +26,13 @@ const crypto = require('crypto');
  */
 const WATCHTOWER_DIR = path.join(os.homedir(), '.watchtower');
 
+/**
+ * Maximum IPC receive buffer size (1 MiB). Connections that exceed
+ * this without a complete newline-delimited message are dropped to
+ * prevent unbounded memory growth from malformed or malicious peers.
+ */
+const MAX_IPC_BUFFER = 1024 * 1024;
+
 /**
  * Lock file path
  */
@@ -268,6 +275,10 @@ class Coordinator {
 
     socket.on('data', (data) => {
       buffer += data.toString();
+      if (buffer.length > MAX_IPC_BUFFER) {
+        socket.destroy();
+        return;
+      }
       let newlineIdx;
       while ((newlineIdx = buffer.indexOf('\n')) !== -1) {
         const line = buffer.slice(0, newlineIdx);
@@ -413,6 +424,10 @@ class Worker {
 
       this.socket.on('data', (data) => {
         this._buffer += data.toString();
+        if (this._buffer.length > MAX_IPC_BUFFER) {
+          this.socket.destroy();
+          return;
+        }
         let idx;
         while ((idx = this._buffer.indexOf('\n')) !== -1) {
           const line = this._buffer.slice(0, idx);