helm-env-delta 1.14.0 → 1.14.1

package/README.md

@@ -64,7 +64,9 @@ HelmEnvDelta (`hed`) automates environment synchronization for GitOps workflows
 
 🛡️ **Safety First** - Pre-execution summary, first-run tips, improved error messages with helpful examples.
 
-⚡ **High Performance** - 45-60% faster than alternatives with intelligent caching and parallel processing.
+⚡ **High Performance** - Intelligent caching and parallel processing. Formatting rules, compiled regexes, and array normalization are all cached for fast repeated runs.
+
+🔐 **Security Hardened** - Regex inputs (stop rules, transforms, pattern files) are validated against ReDoS (catastrophic backtracking). Fixed values are validated against prototype pollution attacks.
 
 🔔 **Auto Updates** - Notifies when newer versions are available (skips in CI/CD).
 
@@ -523,7 +525,7 @@ fixedValues:
 
 **Supported filter operators:** `=` (equals), `^=` (startsWith), `$=` (endsWith), `*=` (contains) - updates ALL matching items
 
-**Value types:** String, number, boolean, null, object, array
+**Value types:** String, number, boolean, null, object, array (objects with `__proto__`, `constructor`, or `prototype` keys are rejected)
 
 **Behavior:**
 
@@ -678,6 +680,8 @@ stopRules:
 
 **Override:** Use `--force` to bypass stop rules when needed.
 
+**Regex safety:** All `regex` patterns (inline and from files) are validated against catastrophic backtracking (ReDoS). Patterns with nested quantifiers on groups (e.g., `(a+)+`) are rejected at config load time.
+
 **Visibility:** Stop rule violations appear in console output, JSON reports, and HTML reports (dry-run mode only, as a collapsible table in the header area).
 
 ---

package/dist/config/configFile.d.ts

@@ -82,7 +82,7 @@ declare const keySortRuleSchema: z.ZodObject<{
 }, z.core.$strip>;
 declare const fixedValueRuleSchema: z.ZodObject<{
     path: z.ZodString;
-    value: z.ZodUnknown;
+    value: z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodNull, z.ZodArray<z.ZodUnknown>, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
 }, z.core.$strip>;
 declare const transformRuleSchema: z.ZodObject<{
     find: z.ZodString;
@@ -173,7 +173,7 @@ declare const baseConfigSchema: z.ZodObject<{
     }, z.core.$strict>], "type">>>>;
     fixedValues: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodObject<{
         path: z.ZodString;
-        value: z.ZodUnknown;
+        value: z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodNull, z.ZodArray<z.ZodUnknown>, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
     }, z.core.$strip>>>>;
 }, z.core.$strip>;
 declare const finalConfigSchema: z.ZodObject<{
@@ -227,7 +227,7 @@ declare const finalConfigSchema: z.ZodObject<{
     }, z.core.$strict>], "type">>>>;
     fixedValues: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodObject<{
         path: z.ZodString;
-        value: z.ZodUnknown;
+        value: z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodNull, z.ZodArray<z.ZodUnknown>, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
     }, z.core.$strip>>>>;
     include: z.ZodDefault<z.ZodArray<z.ZodString>>;
     exclude: z.ZodDefault<z.ZodArray<z.ZodString>>;
@@ -302,7 +302,7 @@ declare const formatOnlyConfigSchema: z.ZodObject<{
     }, z.core.$strict>], "type">>>>;
     fixedValues: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodObject<{
         path: z.ZodString;
-        value: z.ZodUnknown;
+        value: z.ZodUnion<readonly [z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodNull, z.ZodArray<z.ZodUnknown>, z.ZodRecord<z.ZodString, z.ZodUnknown>]>;
     }, z.core.$strip>>>>;
     include: z.ZodDefault<z.ZodArray<z.ZodString>>;
     exclude: z.ZodDefault<z.ZodArray<z.ZodString>>;

package/dist/config/configFile.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.isConfigValidationError = exports.ConfigValidationError = exports.parseConfig = exports.parseFormatOnlyConfig = exports.parseFinalConfig = exports.parseBaseConfig = void 0;
 const node_path_1 = __importDefault(require("node:path"));
 const zod_1 = require("zod");
+const regexSafety_1 = require("../utils/regexSafety");
 const ZodError_1 = require("./ZodError");
 const semverMajorUpgradeRuleSchema = zod_1.z.object({
     type: zod_1.z.literal('semverMajorUpgrade'),
@@ -47,6 +48,10 @@ const regexRuleSchema = zod_1.z
 }, {
     message: 'Invalid regular expression pattern',
     path: ['regex']
+})
+    .refine((data) => (0, regexSafety_1.isSafeRegex)(data.regex), {
+    message: 'Potentially unsafe regex pattern (may cause catastrophic backtracking / ReDoS)',
+    path: ['regex']
 });
 const regexFileRuleSchema = zod_1.z.object({
     type: zod_1.z.literal('regexFile'),
@@ -80,9 +85,25 @@ const arraySortRuleSchema = zod_1.z.object({
     order: zod_1.z.enum(['asc', 'desc']).default('asc')
 });
 const keySortRuleSchema = zod_1.z.object({ path: zod_1.z.string().min(1) });
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
+const hasDangerousKeys = (value) => {
+    if (value === null || typeof value !== 'object')
+        return false;
+    if (Array.isArray(value))
+        return value.some((item) => hasDangerousKeys(item));
+    for (const key of Object.keys(value))
+        if (DANGEROUS_KEYS.has(key) || hasDangerousKeys(value[key]))
+            return true;
+    return false;
+};
+const safeFixedValue = zod_1.z
+    .union([zod_1.z.string(), zod_1.z.number(), zod_1.z.boolean(), zod_1.z.null(), zod_1.z.array(zod_1.z.unknown()), zod_1.z.record(zod_1.z.string(), zod_1.z.unknown())])
+    .refine((value) => !hasDangerousKeys(value), {
+    message: 'Value must not contain prototype-polluting keys (__proto__, constructor, prototype)'
+});
 const fixedValueRuleSchema = zod_1.z.object({
     path: zod_1.z.string().min(1).describe('JSONPath to the value to set'),
-    value: zod_1.z.unknown().describe('The constant value to set (any type: string, number, boolean, null, object, array)')
+    value: safeFixedValue.describe('The constant value to set (any type: string, number, boolean, null, object, array)')
 });
 const transformRuleSchema = zod_1.z
     .object({
@@ -100,6 +121,10 @@ const transformRuleSchema = zod_1.z
 }, {
     message: 'Invalid regular expression pattern',
     path: ['find']
+})
+    .refine((data) => (0, regexSafety_1.isSafeRegex)(data.find), {
+    message: 'Potentially unsafe regex pattern (may cause catastrophic backtracking / ReDoS)',
+    path: ['find']
 });
 const transformRulesSchema = zod_1.z
     .object({

package/dist/pipeline/fileDiff.d.ts

@@ -1,4 +1,4 @@
-import { Config, FixedValueConfig, TransformConfig } from '../config';
+import { Config, FixedValueConfig, FixedValueRule, TransformConfig } from '../config';
 import { FileMap } from './fileLoader';
 export interface FileDiffResult {
     addedFiles: AddedFile[];
@@ -16,6 +16,7 @@ export interface ChangedFile {
     rawParsedSource: unknown;
     rawParsedDest: unknown;
     skipPaths: string[];
+    fixedValueRules: FixedValueRule[];
     normalizedSource?: unknown;
     normalizedDest?: unknown;
     parsedSource?: unknown;

package/dist/pipeline/fileDiff.js

@@ -117,10 +117,33 @@ const applySkipPaths = (data, skipPaths) => {
         return data;
     if (skipPaths.length === 0)
         return data;
-    const cloned = structuredClone(data);
+    const affectedKeys = new Set();
+    let needsFullClone = false;
+    for (const skipPath of skipPaths) {
+        const parts = (0, jsonPath_1.parseJsonPath)(skipPath);
+        if (parts.length === 0)
+            continue;
+        const firstPart = parts[0];
+        if (firstPart === '*' || ((0, jsonPath_1.isFilterSegment)(firstPart) && Array.isArray(data))) {
+            needsFullClone = true;
+            break;
+        }
+        affectedKeys.add(firstPart);
+    }
+    if (needsFullClone) {
+        const cloned = structuredClone(data);
+        for (const path of skipPaths)
+            deleteJsonPath(cloned, path);
+        return cloned;
+    }
+    const object = data;
+    const result = { ...object };
+    for (const key of affectedKeys)
+        if (key in result)
+            result[key] = structuredClone(result[key]);
     for (const path of skipPaths)
-        deleteJsonPath(cloned, path);
-    return cloned;
+        deleteJsonPath(result, path);
+    return result;
 };
 const getSkipPathsForFile = (filePath, skipPath) => {
     if (!skipPath)
@@ -193,6 +216,7 @@ const processYamlFile = (options) => {
         rawParsedSource: sourceFiltered,
         rawParsedDest: destinationFiltered,
         skipPaths: pathsToSkip,
+        fixedValueRules,
         normalizedSource,
         normalizedDest: normalizedDestination,
         parsedSource: sourceParsed,
@@ -237,7 +261,8 @@ const processChangedFiles = (sourceFiles, destinationFiles, skipPath, transforms
                 processedDestContent: destinationContent,
                 rawParsedSource: sourceContent,
                 rawParsedDest: destinationContent,
-                skipPaths: []
+                skipPaths: [],
+                fixedValueRules: []
             });
     }
     return { changedFiles, unchangedFiles };

package/dist/pipeline/fileUpdater.js

@@ -93,9 +93,21 @@ const deepMerge = (fullTarget, filteredSource, filteredTarget, currentPath = [],
             }
             result.push(sourceItem);
         }
-        for (const item of fullTargetArray)
-            if ((0, arrayMerger_1.shouldPreserveItem)(item, applicableFilters, result))
+        const resultKeySet = new Set(result
+            .filter((item) => !!item && typeof item === 'object')
+            .map((item) => JSON.stringify(applicableFilters.map((f) => item[f.filter.property]))));
+        for (const item of fullTargetArray) {
+            if (!item || typeof item !== 'object')
+                continue;
+            const { matches } = (0, arrayMerger_1.itemMatchesAnyFilter)(item, applicableFilters);
+            if (!matches)
+                continue;
+            const key = JSON.stringify(applicableFilters.map((f) => item[f.filter.property]));
+            if (!resultKeySet.has(key)) {
                 result.push(item);
+                resultKeySet.add(key);
+            }
+        }
         return result;
     }
     if (typeof filteredSource === 'object' && typeof fullTarget === 'object') {
@@ -142,7 +154,7 @@ const mergeYamlContent = (destinationContent, processedSourceContent, filteredDe
         });
     }
     try {
-        return yaml_1.default.stringify(merged);
+        return { content: yaml_1.default.stringify(merged), merged };
     }
     catch (error) {
         throw new FileUpdaterError('Failed to serialize merged YAML', {
@@ -198,15 +210,21 @@ const updateFile = async (options) => {
         logger.fileOp('update', changedFile.path, true);
         return;
     }
-    let contentToWrite = (0, fileType_1.isYamlFile)(changedFile.path)
-        ? mergeYamlContent(changedFile.destinationContent, changedFile.rawParsedSource, changedFile.rawParsedDest, changedFile.path, changedFile.skipPaths)
-        : changedFile.sourceContent;
+    let contentToWrite;
+    let mergedObject;
+    if ((0, fileType_1.isYamlFile)(changedFile.path)) {
+        const mergeResult = mergeYamlContent(changedFile.destinationContent, changedFile.rawParsedSource, changedFile.rawParsedDest, changedFile.path, changedFile.skipPaths);
+        contentToWrite = mergeResult.content;
+        mergedObject = mergeResult.merged;
+    }
+    else
+        contentToWrite = changedFile.sourceContent;
     if ((0, fileType_1.isYamlFile)(changedFile.path)) {
-        const fixedValueRules = (0, fixedValues_1.getFixedValuesForFile)(changedFile.path, config.fixedValues);
+        const fixedValueRules = changedFile.fixedValueRules ?? (0, fixedValues_1.getFixedValuesForFile)(changedFile.path, config.fixedValues);
         if (fixedValueRules.length > 0) {
-            const parsed = yaml_1.default.parse(contentToWrite);
-            (0, fixedValues_1.applyFixedValues)(parsed, fixedValueRules);
-            contentToWrite = yaml_1.default.stringify(parsed);
+            const target = mergedObject ?? yaml_1.default.parse(contentToWrite);
+            (0, fixedValues_1.applyFixedValues)(target, fixedValueRules);
+            contentToWrite = yaml_1.default.stringify(target);
         }
         const effectiveOutputFormat = skipFormat ? undefined : config.outputFormat;
         contentToWrite = (0, yamlFormatter_1.formatYaml)(contentToWrite, changedFile.path, effectiveOutputFormat);

package/dist/pipeline/yamlFormatter.js

@@ -18,7 +18,16 @@ exports.YamlFormatterError = (0, errors_1.createErrorClass)('YAML Formatter Erro
     PATTERN_MATCH_ERROR: 'File pattern matching failed'
 });
 exports.isYamlFormatterError = (0, errors_1.createErrorTypeGuard)(exports.YamlFormatterError);
+const formattingRulesCache = new WeakMap();
 const getFormattingRules = (filePath, outputFormat) => {
+    let fileMap = formattingRulesCache.get(outputFormat);
+    if (!fileMap) {
+        fileMap = new Map();
+        formattingRulesCache.set(outputFormat, fileMap);
+    }
+    const cached = fileMap.get(filePath);
+    if (cached)
+        return cached;
     const keyOrders = [];
     const keySort = [];
     const arraySort = [];
@@ -52,7 +61,9 @@ const getFormattingRules = (filePath, outputFormat) => {
         if (quoteValue)
             quoteValues.push(quoteValue);
     }
-    return { keyOrders, keySort, arraySort, quoteValues };
+    const rules = { keyOrders, keySort, arraySort, quoteValues };
+    fileMap.set(filePath, rules);
+    return rules;
 };
 const preserveMultilineStrings = (yamlDocument) => {
     if (!yamlDocument.contents)

package/dist/utils/regexPatternFileLoader.js

@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.loadRegexPatternsFromKeys = exports.loadRegexPatternArray = exports.isRegexPatternFileLoaderError = exports.RegexPatternFileLoaderError = void 0;
 const errors_1 = require("./errors");
+const regexSafety_1 = require("./regexSafety");
 const yamlFileLoader_1 = require("./yamlFileLoader");
 exports.RegexPatternFileLoaderError = (0, errors_1.createErrorClass)('RegexPatternFileLoaderError', {
     INVALID_FORMAT_NOT_ARRAY: 'Pattern file must contain a YAML array of regex patterns',
@@ -38,6 +39,8 @@ const validateRegexPattern = (pattern, source) => {
             cause: error
         });
     }
+    if (!(0, regexSafety_1.isSafeRegex)(pattern))
+        throw new exports.RegexPatternFileLoaderError(`Potentially unsafe regex pattern "${pattern}" ${source} — may cause catastrophic backtracking (ReDoS)`, { code: 'INVALID_REGEX' });
 };
 const loadRegexPatternArray = (filePath, configDirectory) => {
     let parsedData;

package/dist/utils/regexSafety.d.ts

@@ -0,0 +1 @@
+export declare const isSafeRegex: (pattern: string) => boolean;

package/dist/utils/regexSafety.js

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isSafeRegex = void 0;
+const isSafeRegex = (pattern) => {
+    if (/\([^()]*[*+][^()]*\)[*+{]/.test(pattern))
+        return false;
+    return true;
+};
+exports.isSafeRegex = isSafeRegex;

package/dist/utils/regexTransform.js

@@ -1,11 +1,16 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.applyRegexRulesSequentially = void 0;
+const regexCache = new Map();
 const applyRegexRulesSequentially = (value, rules, throwOnError = false) => {
     let result = value;
     for (const rule of rules)
         try {
-            const regex = new RegExp(rule.find, 'g');
+            let regex = regexCache.get(rule.find);
+            if (!regex) {
+                regex = new RegExp(rule.find, 'g');
+                regexCache.set(rule.find, regex);
+            }
             result = result.replace(regex, rule.replace);
         }
         catch (error) {

package/dist/utils/serialization.js

@@ -15,6 +15,19 @@ const serializeForDiff = (content, isYaml) => {
     });
 };
 exports.serializeForDiff = serializeForDiff;
+const deepSortKeys = (value) => {
+    if (value === null || value === undefined)
+        return value;
+    if (Array.isArray(value))
+        return value.map((item) => deepSortKeys(item));
+    if (typeof value === 'object') {
+        const sorted = {};
+        for (const key of Object.keys(value).toSorted())
+            sorted[key] = deepSortKeys(value[key]);
+        return sorted;
+    }
+    return value;
+};
 const normalizeForComparison = (value) => {
     if (value === null || value === undefined)
         return value;
@@ -25,7 +38,7 @@ const normalizeForComparison = (value) => {
         const normalized = value.map((item) => (0, exports.normalizeForComparison)(item));
         const serializedItems = normalized.map((item) => ({
             item,
-            serialized: yaml_1.default.stringify(item, { sortMapEntries: true }) ?? ''
+            serialized: JSON.stringify(deepSortKeys(item)) ?? ''
         }));
         return serializedItems.toSorted((a, b) => a.serialized.localeCompare(b.serialized)).map(({ item }) => item);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "helm-env-delta",
-  "version": "1.14.0",
+  "version": "1.14.1",
   "description": "HelmEnvDelta – environment-aware YAML delta and sync for GitOps",
   "author": "BCsabaEngine",
   "license": "ISC",
@@ -65,18 +65,18 @@
   ],
   "devDependencies": {
     "@eslint/js": "^10.0.1",
-    "@types/node": "^25.3.0",
+    "@types/node": "^25.5.0",
     "@types/picomatch": "^4.0.2",
-    "@typescript-eslint/eslint-plugin": "^8.56.1",
-    "@vitest/coverage-v8": "^4.0.18",
-    "eslint": "^10.0.2",
+    "@typescript-eslint/eslint-plugin": "^8.57.0",
+    "@vitest/coverage-v8": "^4.1.0",
+    "eslint": "^10.0.3",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-simple-import-sort": "^12.1.1",
     "eslint-plugin-unicorn": "^63.0.0",
     "prettier": "^3.8.1",
     "tsx": "^4.21.0",
     "typescript": "^5.9.3",
-    "vitest": "^4.0.18"
+    "vitest": "^4.1.0"
   },
   "dependencies": {
     "chalk": "^5.6.2",