npm - seo-intel - Versions diffs - 1.4.7 → 1.4.9 - Mend

seo-intel 1.4.7 → 1.4.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,25 @@
 # Changelog
+## 1.4.9 (2026-04-10)
+### Security
+- Fixed arbitrary file write via `--out` query param in dashboard terminal API — write paths now server-controlled only
+- Fixed path traversal in froggo config loader — project names validated to `[a-z0-9_-]`
+- Added project name validation to export and terminal API endpoints
+### URL Normalization
+- Pages are now normalized before storage: fragments stripped (`/#pricing` → `/`), `index.html` collapsed
+- Internal link targets also normalized for consistent orphan/link analysis
+- Re-crawl to clean up existing fragment duplicates in your database
+## 1.4.8 (2026-04-10)
+### Export: own site only, zero competitor bloat
+- ALL profile sections now filter to own site (target/owned) — no competitor pages, links, headings, or AEO scores
+- Keywords export shows gap summary only: keywords competitors use that you don't, with who uses them
+- AEO export shows only low-scoring own pages (<60) that need improvement
+- Technical export was already own-site; removed the AI pipeline exception that bypassed filtering
 ## 1.4.7 (2026-04-09)
 ### Export: profiles are actions only

package/db/db.js CHANGED Viewed

@@ -268,7 +268,19 @@ export function upsertDomain(db, { domain, project, role }) {
   `).run(domain, project, role, now, now);
 }
+function normalizePageUrl(rawUrl) {
+  try {
+    const u = new URL(rawUrl);
+    u.hash = '';                              // strip fragments (#pricing, #faq, etc.)
+    let path = u.pathname;
+    path = path.replace(/\/index\.html?$/i, '/');  // /en/index.html → /en/
+    u.pathname = path;
+    return u.toString();
+  } catch { return rawUrl; }
+}
 export function upsertPage(db, { domainId, url, statusCode, wordCount, loadMs, isIndexable, clickDepth = 0, publishedDate = null, modifiedDate = null, contentHash = null, title = null, metaDesc = null, bodyText = null }) {
+  url = normalizePageUrl(url);
   const now = Date.now();
   db.prepare(`
     INSERT INTO pages (domain_id, url, crawled_at, first_seen_at, status_code, word_count, load_ms, is_indexable, click_depth, published_date, modified_date, content_hash, title, meta_desc, body_text)
@@ -350,7 +362,7 @@ export function insertLinks(db, sourceId, links) {
   const stmt = db.prepare(`INSERT INTO links (source_id, target_url, anchor_text, is_internal) VALUES (?, ?, ?, ?)`);
   db.exec('BEGIN');
   try {
-    for (const l of links) stmt.run(sourceId, l.url, l.anchor, l.isInternal ? 1 : 0);
+    for (const l of links) stmt.run(sourceId, normalizePageUrl(l.url), l.anchor, l.isInternal ? 1 : 0);
     db.exec('COMMIT');
   } catch (e) { db.exec('ROLLBACK'); throw e; }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "seo-intel",
-  "version": "1.4.7",
+  "version": "1.4.9",
   "description": "Local Ahrefs-style SEO competitor intelligence. Crawl → SQLite → cloud analysis.",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE",

package/server.js CHANGED Viewed

@@ -596,7 +596,7 @@ async function handleRequest(req, res) {
       const format = url.searchParams.get('format') || 'json';
       const profile = url.searchParams.get('profile'); // dev | content | ai-pipeline
-      if (!project) { json(res, 400, { error: 'Missing project' }); return; }
+      if (!project || !/^[a-z0-9_-]+$/i.test(project)) { json(res, 400, { error: 'Invalid project name' }); return; }
       const { getDb } = await import('./db/db.js');
       const db = getDb(join(__dirname, 'seo-intel.db'));
@@ -758,7 +758,7 @@ async function handleRequest(req, res) {
             return p.insightTypes ? data.filter(r => p.insightTypes.includes(r._type)) : data;
           }
           case 'technical': {
-            if (!Array.isArray(data) || prof === 'ai-pipeline') return data;
+            if (!Array.isArray(data)) return data;
             // Own site only, per-page issue summary
             const own = data.filter(r => r.role === 'target' || r.role === 'owned');
             const issues = [];
@@ -830,27 +830,30 @@ async function handleRequest(req, res) {
           case 'schemas': return data; // raw only — not in any profile
           case 'aeo': {
             if (!Array.isArray(data)) return data;
-            if (prof === 'content') {
-              // Content: only low-scoring pages (needs improvement)
-              return data.filter(r => r.score < 60);
-            }
-            return data;
+            // Own site only, low-scoring pages that need work
+            const ownAeo = data.filter(r => r.role === 'target' || r.role === 'owned');
+            return ownAeo.filter(r => r.score < 60);
           }
           case 'keywords': {
             if (!Array.isArray(data)) return data;
-            if (prof === 'content') {
-              // Content: only competitor-dominated keywords (role != target/owned)
-              const byKw = {};
-              for (const r of data) { (byKw[r.keyword] ||= []).push(r); }
-              const gapKws = new Set();
-              for (const [kw, rows] of Object.entries(byKw)) {
-                const hasTarget = rows.some(r => r.role === 'target' || r.role === 'owned');
-                const hasCompetitor = rows.some(r => r.role === 'competitor');
-                if (!hasTarget && hasCompetitor) gapKws.add(kw);
-              }
-              return data.filter(r => gapKws.has(r.keyword));
+            // Only keyword gaps: competitor has it, you don't
+            const byKw = {};
+            for (const r of data) { (byKw[r.keyword] ||= []).push(r); }
+            const gapKws = new Set();
+            for (const [kw, rows] of Object.entries(byKw)) {
+              const hasTarget = rows.some(r => r.role === 'target' || r.role === 'owned');
+              const hasCompetitor = rows.some(r => r.role === 'competitor');
+              if (!hasTarget && hasCompetitor) gapKws.add(kw);
             }
-            return data;
+            // Return gap keywords with which competitors use them
+            const gaps = [];
+            for (const kw of gapKws) {
+              const rows = byKw[kw];
+              const competitors = rows.map(r => r.domain).join(', ');
+              const topFreq = Math.max(...rows.map(r => r.freq));
+              gaps.push({ keyword: kw, used_by: competitors, frequency: topFreq });
+            }
+            return gaps.sort((a, b) => b.frequency - a.frequency);
           }
           case 'watch': {
             // Keep only errors + warnings, drop notices
@@ -954,6 +957,15 @@ async function handleRequest(req, res) {
             return md;
           }
           case 'keywords': {
+            // Profile exports return gap summary; raw exports return full matrix
+            if (data[0] && data[0].used_by !== undefined) {
+              let md = header + `## Keyword Gaps (${data.length})\n\nKeywords competitors use that you don't.\n\n| Keyword | Used By | Frequency |\n|---------|---------|----------|\n`;
+              for (const r of data.slice(0, 200)) {
+                md += `| ${r.keyword} | ${r.used_by} | ${r.frequency} |\n`;
+              }
+              if (data.length > 200) md += `\n_...and ${data.length - 200} more._\n`;
+              return md;
+            }
             let md = header + '## Keyword Matrix\n\n| Keyword | Domain | Role | Location | Frequency |\n|---------|--------|------|----------|-----------|\n';
             for (const r of data.slice(0, 500)) {
               md += `| ${r.keyword} | ${r.domain} | ${r.role} | ${r.location || ''} | ${r.freq} |\n`;
@@ -1152,6 +1164,10 @@ async function handleRequest(req, res) {
     const params = url.searchParams;
     const command = params.get('command');
     const project = params.get('project') || '';
+    if (project && !/^[a-z0-9_-]+$/i.test(project)) {
+      json(res, 400, { error: 'Invalid project name' });
+      return;
+    }
     // Whitelist allowed commands
     const ALLOWED = ['crawl', 'extract', 'analyze', 'export-actions', 'competitive-actions',
@@ -1178,7 +1194,7 @@ async function handleRequest(req, res) {
     if (params.get('type')) args.push('--type', params.get('type'));
     if (params.get('limit')) args.push('--limit', params.get('limit'));
     if (params.has('raw')) args.push('--raw');
-    if (params.get('out')) args.push('--out', params.get('out'));
+    // --out is NOT passed from dashboard — write paths are server-controlled only (see auto-save below)
     // Auto-save exports from dashboard to reports/
     const EXPORT_CMDS = ['export-actions', 'suggest-usecases', 'competitive-actions'];