skillscokac 1.5.0 → 1.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/LICENSE +7 -12
  2. package/README.md +66 -0
  3. package/package.json +1 -1
package/LICENSE CHANGED
@@ -1,15 +1,10 @@
1
- ISC License
1
+ The MIT License (MIT)
2
2
 
3
3
  Copyright (c) 2025 코드깎는노인 <monogatree@gmail.com>
4
4
 
5
- Permission to use, copy, modify, and/or distribute this software for any
6
- purpose with or without fee is hereby granted, provided that the above
7
- copyright notice and this permission notice appear in all copies.
8
-
9
- THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10
- WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11
- MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12
- ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13
- WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14
- ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15
- OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
6
+
7
+ The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
8
+
9
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
10
+
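Review bot: The license text is swapped from ISC to MIT in a patch-level bump (1.5.0 → 1.5.2) while the copyright line is left unchanged, and nothing in this diff records the change: the README's new badge still reads `License: ISC`, the README's `## License` section still says `ISC`, and the `package.json` hunk below touches only `"version"`, so the `"license"` field is not shown as updated. A license change should be called out in the changelog and the `"license"` field, badge and README section should all agree with the LICENSE file; consumers who audit dependencies by SPDX identifier will otherwise see conflicting metadata for the same published version.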
package/README.md CHANGED
@@ -2,6 +2,9 @@
2
2
 
3
3
  CLI tool to install and manage Claude Code skills from [skills.cokac.com](https://skills.cokac.com)
4
4
 
5
+ [![npm version](https://img.shields.io/npm/v/skillscokac.svg)](https://www.npmjs.com/package/skillscokac)
6
+ [![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)](https://opensource.org/licenses/ISC)
7
+
5
8
  ## Installation
6
9
 
7
10
  No installation required! Use `npx` to run the CLI directly:
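Review bot: The added badge `[![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)](https://opensource.org/licenses/ISC)` contradicts the LICENSE file replaced in this same release, which now carries the MIT text; either keep ISC and revert the LICENSE hunk, or change the badge label and link to MIT. The npm version badge is fine as long as the package name `skillscokac` matches `package.json`, which it does in the hunk below.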
@@ -363,6 +366,69 @@ npm publish
363
366
  - **boxen** - Terminal UI boxes for skill listings
364
367
  - **yaml** - YAML frontmatter parsing from SKILL.md
365
368
 
369
+ ## Security
370
+
371
+ Version 1.5.0 introduces comprehensive security enhancements to protect against various attack vectors:
372
+
373
+ ### Security Features
374
+
375
+ **YAML Parsing Protection**
376
+ - Automatic YAML frontmatter preprocessing with special character handling
377
+ - Protection against YAML bombs (Billion Laughs attack)
378
+ - Frontmatter size limits (10KB max)
379
+ - Alias expansion limits (max 10 aliases)
380
+ - Strict YAML parsing with unique key validation
381
+
382
+ **Zip Bomb Protection**
383
+ - Compression ratio validation (max 100:1 ratio)
384
+ - Individual file size limits (10MB max)
385
+ - Total package size limits (100MB max)
386
+ - Early detection of suspicious compression patterns
387
+
388
+ **Path Traversal Protection**
389
+ - ZIP entry name validation
390
+ - Absolute path rejection
391
+ - Path traversal attempt detection (`..` sequences)
392
+ - Null byte filename protection
393
+
394
+ **Input Validation**
395
+ - Collection ID validation (alphanumeric with hyphens/underscores only)
396
+ - Skill name validation from API responses
397
+ - Network request validation (content-type, redirect limits)
398
+ - ReDoS (Regular Expression Denial of Service) protection
399
+
400
+ **File Content Validation**
401
+ - SKILL.md size validation before and after reading
402
+ - UTF-8 encoding validation
403
+ - Maximum line length limits (2000 chars)
404
+ - Maximum line count limits (1000 lines)
405
+
406
+ ### Reporting Security Issues
407
+
408
+ If you discover a security vulnerability, please email: monogatree@gmail.com
409
+
410
+ ## Changelog
411
+
412
+ ### v1.5.0 (2026-01-05)
413
+
414
+ **Security Enhancements:**
415
+ - Added comprehensive YAML bomb protection with alias limits
416
+ - Implemented ZIP bomb detection with compression ratio checks
417
+ - Enhanced path traversal protection for ZIP entries
418
+ - Added ReDoS (Regular Expression Denial of Service) protection
419
+ - Implemented strict input validation for collection IDs and skill names
420
+ - Added file content size validation
421
+ - Enhanced network request validation with content-type checks
422
+
423
+ **Improvements:**
424
+ - Automatic YAML frontmatter preprocessing for special characters
425
+ - Better error messages for invalid inputs
426
+ - Improved handling of malformed SKILL.md files
427
+
428
+ ### v1.4.3 and earlier
429
+
430
+ Previous versions available on [npm](https://www.npmjs.com/package/skillscokac).
431
+
366
432
  ## License
367
433
 
368
434
  ISC
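Review bot: The new `## Changelog` has an entry for v1.5.0 (2026-01-05) and then jumps to "v1.4.3 and earlier", so the 1.5.1 and 1.5.2 releases this diff actually ships are undocumented; add entries for them (even if only "documentation and license updates"), since this diff touches no source files (only LICENSE, README.md and package.json per the file list), and a reader cannot otherwise tell whether the listed security behaviours changed. Two smaller points in the same hunk: the `## Security` section states concrete limits (10KB frontmatter, 10 aliases, 100:1 compression ratio, 10MB/100MB size caps, 2000-char lines, 1000 lines) that are not verifiable from anything in this diff, so consider linking each to the validating function or its test so the claims stay in sync with the code; and the unchanged `## License` section still says `ISC` directly after this hunk, which conflicts with the MIT text now in LICENSE.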
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "skillscokac",
3
- "version": "1.5.0",
3
+ "version": "1.5.2",
4
4
  "description": "CLI tool to install and manage Claude Code skills from skills.cokac.com",
5
5
  "main": "bin/skillscokac.js",
6
6
  "bin": {
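Review bot: Only `"version"` changes here (1.5.0 → 1.5.2), but this release replaces LICENSE with the MIT text, so the `"license"` field of package.json, which sits outside this hunk's six lines of context, must be checked and updated in the same commit or npm will publish an SPDX identifier that disagrees with the LICENSE file. Skipping a version (no 1.5.1 in this diff) is harmless in itself, but combined with the missing changelog entries it makes it harder for downstream users to confirm what 1.5.1 and 1.5.2 contained; a short note in the README changelog would close that gap.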