npm - termbeam - Versions diffs - 1.22.2 → 1.22.4 - Mend

termbeam 1.22.2 → 1.22.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,19 @@
 # Changelog
+## [1.22.4] - 2026-04-26
+- perf(test): parallelize e2e suite via shared server + workers (#214) (@dorlugasigal)
+- fix(security): add inline path validation guards for CodeQL (#216) (@dorlugasigal)
+- fix(deps): update vulnerable dependencies and pin Docker image (#218) (@dorlugasigal)
+- refactor(site): clean up landing page design and optimize CI (#220) (@dorlugasigal)
+## [1.22.3] - 2026-04-26
+- fix(site): auto-detect Cloudflare Pages build target (@dorlugasigal)
+- ci(site): restore Cloudflare Pages deploy workflow (@dorlugasigal)
+- ci(site): merge GitHub Pages and Cloudflare Pages into one workflow (@dorlugasigal)
+- chore(ci): enforce 92% coverage gate (#212) (@dorlugasigal)
 ## [1.22.2] - 2026-04-26
 - fix(site): repair mobile feature card rendering (@dorlugasigal)

package/README.md CHANGED Viewed

@@ -137,6 +137,8 @@ The installer checks for [PM2](https://pm2.keymetrics.io/) (and offers to instal
 For systemd, launchd, and Windows Task Scheduler setup, see the [Running in Background docs](https://dorlugasigal.github.io/TermBeam/running-in-background/).
+> 💡 **Keep the host awake** so the service stays reachable while you're away. macOS: pair with [Amphetamine](https://apps.apple.com/app/amphetamine/id937984704) (process trigger on `node`) or wrap with `caffeinate -dims`. Windows: enable [PowerToys Awake](https://learn.microsoft.com/windows/powertoys/) and disable network adapter power saving. Linux: use `systemd-inhibit` in your unit file. See [Keeping the Host Awake](https://dorlugasigal.github.io/TermBeam/running-in-background/#keeping-the-host-awake-) for the full setup.
 ## Security
 TermBeam auto-generates a password and creates a secure tunnel by default, binding to `127.0.0.1` (localhost only). Auth uses httpOnly cookies with 24-hour expiry, login is rate-limited to 5 attempts per minute, QR codes contain single-use share tokens (5-min expiry), and security headers (X-Frame-Options, CSP, nosniff) are set on all responses.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "termbeam",
-  "version": "1.22.2",
+  "version": "1.22.4",
   "description": "Beam your terminal to any device — mobile-optimized web terminal with multi-session support",
   "main": "src/server/index.js",
   "bin": {
@@ -9,8 +9,8 @@
   "scripts": {
     "start": "node bin/termbeam.js",
     "dev": "node bin/termbeam.js --generate-password",
-    "test": "node -e \"const{execFileSync:r}=require('child_process'),{readdirSync:d,statSync:s}=require('fs'),{join:j}=require('path');function f(p){let a=[];for(const e of d(p)){const c=j(p,e);s(c).isDirectory()?a.push(...f(c)):e.endsWith('.test.js')&&!e.startsWith('e2e-')&&e!=='devtunnel-install.test.js'&&a.push(c)}return a}r(process.execPath,['--test','--test-timeout=60000',...f('test')],{stdio:'inherit'})\"",
-    "test:coverage": "c8 --exclude=src/tunnel/ --exclude=test --reporter=text --reporter=lcov --reporter=json-summary --reporter=json node -e \"const{execFileSync:r}=require('child_process'),{readdirSync:d,statSync:s}=require('fs'),{join:j}=require('path');function f(p){let a=[];for(const e of d(p)){const c=j(p,e);s(c).isDirectory()?a.push(...f(c)):e.endsWith('.test.js')&&!e.startsWith('e2e-')&&e!=='devtunnel-install.test.js'&&a.push(c)}return a}r(process.execPath,['--test','--test-timeout=60000','--test-reporter=spec','--test-reporter-destination=stdout',...f('test')],{stdio:'inherit'})\"",
+    "test": "node -e \"const{execFileSync:r}=require('child_process'),{readdirSync:d,statSync:s}=require('fs'),{join:j}=require('path');function f(p){let a=[];for(const e of d(p)){const c=j(p,e);s(c).isDirectory()?a.push(...f(c)):e.endsWith('.test.js')&&!e.startsWith('e2e-')&&e!=='devtunnel-install.test.js'&&a.push(c)}return a}r(process.execPath,['--test','--test-timeout=180000',...f('test')],{stdio:'inherit'})\"",
+    "test:coverage": "c8 --reporter=text --reporter=lcov --reporter=json-summary --reporter=json node -e \"const{execFileSync:r}=require('child_process'),{readdirSync:d,statSync:s}=require('fs'),{join:j}=require('path');function f(p){let a=[];for(const e of d(p)){const c=j(p,e);s(c).isDirectory()?a.push(...f(c)):e.endsWith('.test.js')&&!e.startsWith('e2e-')&&e!=='devtunnel-install.test.js'&&a.push(c)}return a}r(process.execPath,['--test','--test-timeout=180000','--test-reporter=spec','--test-reporter-destination=stdout',...f('test')],{stdio:'inherit'})\"",
     "prepare": "husky",
     "format": "prettier --write .",
     "lint": "node --check src/server/*.js src/cli/*.js src/tunnel/*.js src/utils/*.js bin/*.js",
@@ -84,6 +84,17 @@
   "optionalDependencies": {
     "better-sqlite3": "^12.8.0"
   },
+  "c8": {
+    "check-coverage": true,
+    "lines": 92,
+    "functions": 92,
+    "branches": 85,
+    "statements": 92,
+    "exclude": [
+      "src/tunnel/",
+      "test"
+    ]
+  },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
     "@playwright/test": "^1.58.2",

package/src/cli/resume.js CHANGED Viewed

@@ -6,15 +6,22 @@ const log = require('../utils/logger');
 const { createTerminalClient } = require('./client');
 const { bold, dim, red, yellow, choose, createRL, ask } = require('./prompts');
-const CONFIG_DIR = process.env.TERMBEAM_CONFIG_DIR || path.join(os.homedir(), '.termbeam');
-const CONNECTION_FILE = path.join(CONFIG_DIR, 'connection.json');
+// Resolve config paths at call time so that tests (and other code paths) which
+// set TERMBEAM_CONFIG_DIR after this module is first required still take effect.
+function getConfigDir() {
+  return process.env.TERMBEAM_CONFIG_DIR || path.join(os.homedir(), '.termbeam');
+}
+function getConnectionFile() {
+  return path.join(getConfigDir(), 'connection.json');
+}
 // ── Connection config ────────────────────────────────────────────────────────
 function readConnectionConfig() {
   log.debug('Reading connection config');
   try {
-    return JSON.parse(fs.readFileSync(CONNECTION_FILE, 'utf8'));
+    return JSON.parse(fs.readFileSync(getConnectionFile(), 'utf8'));
   } catch {
     return null;
   }
@@ -22,14 +29,15 @@ function readConnectionConfig() {
 function writeConnectionConfig({ port, host, password }) {
   log.debug('Writing connection config');
-  fs.mkdirSync(CONFIG_DIR, { recursive: true });
-  fs.writeFileSync(CONNECTION_FILE, JSON.stringify({ port, host, password }, null, 2) + '\n', {
+  const connectionFile = getConnectionFile();
+  fs.mkdirSync(getConfigDir(), { recursive: true });
+  fs.writeFileSync(connectionFile, JSON.stringify({ port, host, password }, null, 2) + '\n', {
     mode: 0o600,
   });
   // Ensure restrictive permissions even if the file already existed
   if (process.platform !== 'win32') {
     try {
-      fs.chmodSync(CONNECTION_FILE, 0o600);
+      fs.chmodSync(connectionFile, 0o600);
     } catch {
       /* best-effort */
     }
@@ -39,7 +47,7 @@ function writeConnectionConfig({ port, host, password }) {
 function removeConnectionConfig() {
   log.debug('Removing connection config');
   try {
-    fs.unlinkSync(CONNECTION_FILE);
+    fs.unlinkSync(getConnectionFile());
   } catch {
     /* ignore */
   }
@@ -402,6 +410,12 @@ module.exports = {
   readConnectionConfig,
   printResumeHelp,
   parseDetachKey,
-  CONFIG_DIR,
-  CONNECTION_FILE,
+  // Lazy getters so tests reading these after setting TERMBEAM_CONFIG_DIR see
+  // the current value, not the value at module load time.
+  get CONFIG_DIR() {
+    return getConfigDir();
+  },
+  get CONNECTION_FILE() {
+    return getConnectionFile();
+  },
 };

package/src/server/routes.js CHANGED Viewed

@@ -98,23 +98,28 @@ function validateMagicBytes(buffer, contentType) {
 }
 function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotService }) {
-  const pageRateLimit = rateLimit({
-    windowMs: 1 * 60 * 1000,
-    max: 120,
-    standardHeaders: true,
-    legacyHeaders: false,
-    handler: (_req, res) =>
-      res.status(429).json({ error: 'Too many requests, please try again later.' }),
-  });
+  const noopLimit = (_req, _res, next) => next();
+  const pageRateLimit = config.disableRateLimit
+    ? noopLimit
+    : rateLimit({
+        windowMs: 1 * 60 * 1000,
+        max: 120,
+        standardHeaders: true,
+        legacyHeaders: false,
+        handler: (_req, res) =>
+          res.status(429).json({ error: 'Too many requests, please try again later.' }),
+      });
-  const apiRateLimit = rateLimit({
-    windowMs: 1 * 60 * 1000,
-    max: 120,
-    standardHeaders: true,
-    legacyHeaders: false,
-    handler: (_req, res) =>
-      res.status(429).json({ error: 'Too many requests, please try again later.' }),
-  });
+  const apiRateLimit = config.disableRateLimit
+    ? noopLimit
+    : rateLimit({
+        windowMs: 1 * 60 * 1000,
+        max: 120,
+        standardHeaders: true,
+        legacyHeaders: false,
+        handler: (_req, res) =>
+          res.status(429).json({ error: 'Too many requests, please try again later.' }),
+      });
   // Serve static files — sw.js must never be cached by the browser
   app.get('/sw.js', (_req, res, next) => {
@@ -860,7 +865,7 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotS
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
     const dir = safePath(rootDir, req.query.dir || '.');
-    if (!dir) {
+    if (!dir || (dir !== rootDir && !dir.startsWith(rootDir + path.sep))) {
       return res.status(403).json({ error: 'Path is outside session directory' });
     }
@@ -930,7 +935,7 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotS
     let startDir = rootDir;
     if (typeof req.query.path === 'string' && req.query.path.length > 0) {
       const resolved = safePath(rootDir, req.query.path);
-      if (!resolved) {
+      if (!resolved || (resolved !== rootDir && !resolved.startsWith(rootDir + path.sep))) {
         return res.status(403).json({ error: 'Path is outside session directory' });
       }
       try {
@@ -1040,7 +1045,7 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotS
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
     const filePath = safePath(rootDir, file);
-    if (!filePath) {
+    if (!filePath || (filePath !== rootDir && !filePath.startsWith(rootDir + path.sep))) {
       return res.status(403).json({ error: 'Path is outside session directory' });
     }
@@ -1074,7 +1079,7 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotS
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
     const filePath = safePath(rootDir, file);
-    if (!filePath) {
+    if (!filePath || (filePath !== rootDir && !filePath.startsWith(rootDir + path.sep))) {
       return res.status(403).json({ error: 'Path is outside session directory' });
     }
@@ -1108,7 +1113,7 @@ function setupRoutes(app, { auth, sessions, config, state, pushManager, copilotS
     const rootDir = path.resolve(sessions.getSessionCwd(req.params.id));
     const filePath = safePath(rootDir, file);
-    if (!filePath) {
+    if (!filePath || (filePath !== rootDir && !filePath.startsWith(rootDir + path.sep))) {
       return res.status(403).json({ error: 'Path is outside session directory' });
     }