npm - llm-cli-gateway - Versions diffs - 1.5.32 → 1.5.34 - Mend

llm-cli-gateway 1.5.32 → 1.5.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,19 @@
 All notable changes to the llm-cli-gateway project.
+## [1.5.34] - 2026-05-25
+### Security
+- Pin the development Redis client fixture back to `ioredis@5.9.2` and reject the Socket-flagged `ioredis@5.10.1` / `@ioredis/commands@1.5.1` lockfile pair in the release security audit. The runtime Redis integration remains an optional peer dependency.
+## [1.5.33] - 2026-05-25
+### Security
+- Stop using `better-sqlite3`'s dynamic `db.pragma(source)` helper in production code. SQLite setup now uses fixed literal `PRAGMA` statements through `db.exec(...)`, and the release security audit fails future production `.pragma()` calls.
+- Document the bounded `better-sqlite3/lib/methods/pragma.js` scanner alert in README and `socket.yml`, including the local mitigation and release audit gate.
 ## [1.5.32] - 2026-05-25
 ### Changed

package/README.md CHANGED Viewed

@@ -1018,6 +1018,7 @@ If you're vetting `llm-cli-gateway` through [Socket](https://socket.dev/npm/pack
 | **Network access** | `src/http-transport.ts` opens an HTTP MCP transport when started via `npm run start:http`. `src/endpoint-exposure.ts` issues a HEAD probe to verify configured public/tunnel URLs. | The transport binds to `127.0.0.1` by default and requires `LLM_GATEWAY_AUTH_TOKEN` to be set. The default stdio MCP entry point (`npm start`) opens no sockets. |
 | **Shell access** | `src/executor.ts` uses `child_process.spawn(cmd, args, …)` to invoke the underlying LLM CLIs. | `spawn` is called with an argument array and **never** `shell: true`, so there is no shell interpolation path for caller input. The command name is restricted to an allow-list of known CLI binaries (`claude`, `codex`, `gemini`, `grok`, `vibe`). |
 | **Uses eval** | None in our source. Transitive: `@modelcontextprotocol/sdk` → `ajv@8` uses `new Function(...)` in `ajv/dist/compile/index.js` to compile JSON Schema validators. | This is ajv's standard codegen path. Only known schemas (defined in our source and the MCP SDK) flow into it; no caller-supplied data ever reaches the compiled function body. |
+| **better-sqlite3 PRAGMA helper** | Transitive: `better-sqlite3/lib/methods/pragma.js` interpolates its caller-provided `source` into a `PRAGMA ${source}` statement. | We do not call `db.pragma()` from production source. Internal SQLite setup uses fixed literal `db.exec("PRAGMA ...")` statements, and `npm run security:audit` fails the release if production code reintroduces `.pragma()` calls. |
 | **Dependency ownership** | A handful of small transitive packages (e.g. `bindings` via `better-sqlite3`, `media-typer` via `@modelcontextprotocol/sdk`) trip Socket's "unstable ownership" or "obfuscated code" heuristics. | These are pinned, well-known micro-deps in the Node ecosystem with no known issues. We pin direct override versions of `content-type` and `type-is` in `package.json#overrides`. Our previous direct dependency on `toml@3.0.0` (also single-maintainer, last released 2020) was replaced with the actively-maintained `smol-toml` to reduce inherited risk. |
 See [`socket.yml`](./socket.yml) for the same context in machine-readable form.

package/dist/flight-recorder.js CHANGED Viewed

@@ -76,8 +76,8 @@ export class FlightRecorder {
             mkdirSync(directory, { recursive: true });
         }
         this.db = new BetterSqlite3(dbPath);
-        this.db.pragma("journal_mode = WAL");
-        this.db.pragma("foreign_keys = ON");
+        this.db.exec("PRAGMA journal_mode = WAL");
+        this.db.exec("PRAGMA foreign_keys = ON");
         this.db.exec(`
       CREATE TABLE IF NOT EXISTS _migrations (
         version INTEGER PRIMARY KEY,

package/dist/job-store.js CHANGED Viewed

@@ -84,8 +84,8 @@ export class SqliteJobStore {
             mkdirSync(directory, { recursive: true });
         }
         this.db = new BetterSqlite3(dbPath);
-        this.db.pragma("journal_mode = WAL");
-        this.db.pragma("synchronous = NORMAL");
+        this.db.exec("PRAGMA journal_mode = WAL");
+        this.db.exec("PRAGMA synchronous = NORMAL");
         this.db.exec(`
       CREATE TABLE IF NOT EXISTS jobs (
         id TEXT PRIMARY KEY,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "llm-cli-gateway",
-  "version": "1.5.32",
+  "version": "1.5.34",
   "mcpName": "io.github.verivus-oss/llm-cli-gateway",
   "description": "MCP server providing unified access to Claude Code, Codex, Gemini, Grok, and Mistral Vibe CLIs with session management, retry logic, async job orchestration, durable job results, and cross-LLM validation.",
   "license": "MIT",
@@ -109,7 +109,7 @@
     "@vitest/coverage-v8": "^4.1.2",
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^9.0.0",
-    "ioredis": "^5.4.1",
+    "ioredis": "5.9.2",
     "pg": "^8.12.0",
     "prettier": "^3.0.0",
     "typescript": "^5.0.0",

package/socket.yml CHANGED Viewed

@@ -26,6 +26,13 @@ version: 2
 #     which compiles JSON Schema validators using `new Function(...)`.
 #     This is ajv's standard codegen path; no caller-supplied data flows
 #     into the compiled function body.
+#
+#   better-sqlite3 PRAGMA helper
+#     Socket may flag better-sqlite3/lib/methods/pragma.js because it
+#     constructs PRAGMA SQL from its caller-provided `source` string. The
+#     gateway does not call db.pragma() from production code; SQLite setup
+#     uses fixed literal db.exec("PRAGMA ...") statements, and the release
+#     security audit fails future production `.pragma()` calls.
 issueRules:
   # Defaults from Socket. Listed explicitly so future contributors see what