git-watchtower 2.3.19 → 2.3.20

  1. package/package.json +1 -1
  2. package/src/ui/ansi.js +8 -1
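--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "git-watchtower",
- "version": "2.3.19",
+ "version": "2.3.20",
  "description": "Terminal-based Git branch monitor with activity sparklines and optional dev server with live reload",
  "main": "bin/git-watchtower.js",
  "bin": {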
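--- a/package/src/ui/ansi.js
+++ b/package/src/ui/ansi.js
@@ -296,8 +296,15 @@ const NON_SGR_CSI_RE = /\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x6c\x6e-\x7e]/g;
 
  // Match OSC sequences: ESC ] ... terminator (BEL or ESC \). These set
  // terminal title, hyperlinks, etc. — all undesirable in untrusted input.
+ // The trailing `|$` alternation also matches an UNTERMINATED OSC tail
+ // (`\x1b]0;evil-text` with no \x07 / \x1b\\ before EOF). Without it,
+ // the literal payload survived sanitisation as visible text — ESC_RE
+ // stripped the leading `\x1b]` since `]` is in the `\\-_` range, but
+ // "0;evil-text" remained. Per ECMA-48, an unterminated OSC at EOF is
+ // effectively an open control string, so dropping it entirely is the
+ // safe default.
  // eslint-disable-next-line no-control-regex
- const OSC_RE = /\x1b\][\s\S]*?(?:\x07|\x1b\\)/g;
+ const OSC_RE = /\x1b\][\s\S]*?(?:\x07|\x1b\\|$)/g;
 
  // Match other 2-byte ESC sequences (Fe codes 0x40-0x5F) excluding CSI ([)
  // and OSC (]) which are handled separately above.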
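Review bot: The `$` fallback on the new OSC_RE closes the unterminated-OSC gap, but the sibling string introducers — DCS `\x1bP`, SOS `\x1bX`, PM `\x1b^`, APC `\x1b_` — use the same ST terminator and, going by the comment on the last two lines of the hunk, are still handled by the 2-byte ESC_RE (whose definition lies outside this hunk), so a string such as `\x1bPq…payload…\x1b\\` presumably loses only its two-byte prefix and the payload stays visible, the very symptom this commit fixes for OSC. One line would extend the fix to the whole family, `const OSC_RE = /\x1b[\]PX^_][\s\S]*?(?:\x07|\x1b\\|$)/g;`, with the comment above it reworded to say "control strings (OSC, DCS, SOS, PM, APC)"; BEL terminates only OSC in xterm, but stopping early on a BEL inside one of the other kinds can at worst leave trailing text, never a live control string, as long as the trailing `\x1b\\` is still removed by ESC_RE. Separately, `$` without the `m` flag anchors to end-of-input, so if the caller sanitises a stream chunk by chunk (not visible here) an OSC split across a chunk boundary has its second half delivered as plain text; the comment should state that the sanitiser assumes it sees a complete string, e.g. `// NOTE: `$` assumes whole-message input; a control string split across chunks is not re-joined.`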