You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: resolve CodeQL high-severity findings and harden CI (#966)
* chore: gitignore CLAUDE.md (local agent notes)
* fix: escape all backslashes in the venv activate path preview
String.prototype.replace with a string pattern only replaces the first
match, so a Windows activate path with multiple separators was left
partially unescaped in the command preview. Use a global regex.
Fixes a CodeQL incomplete-string-escaping finding (CWE-116).
* fix: stop logging the server environment in clear text
The launch debug log stringified execOptions, which embeds the full
process environment (and any user-set server env vars), writing secrets
to the log file. Log only cwd, shell, and the env var count.
Fixes a CodeQL clear-text-logging finding (CWE-312).
* fix: drop check-then-act before recursive mkdir in workspace save
existsSync followed by mkdirSync is a TOCTOU pattern; mkdirSync with
recursive: true is already idempotent, so the guard was both racy and
redundant. Call it directly.
Fixes a CodeQL file-system-race finding (CWE-367).
* ci: add least-privilege permissions to workflows
None of the release workflows declared GITHUB_TOKEN permissions, so they
ran with the repository default. Scope each to what it needs: release
workflows get contents: write (plus pull-requests: write for the release
PR), winget and the publish workflow default to contents: read.
Fixes CodeQL missing-workflow-permissions findings.
* ci: pin workflow actions to commit SHAs
Tags are mutable; a moved tag on any of these actions (several are
third-party and handle release/signing secrets) could inject code into
CI. Pin every action to a full-length commit SHA with the version in a
trailing comment so Dependabot's github-actions config keeps them current.
Fixes CodeQL unpinned-tag findings.
* ci: drop unused GITHUB_TOKEN write scopes on release workflows
The release PR and pre-release steps authenticate with secrets.JLAB_APP_TOKEN,
not the default GITHUB_TOKEN, and no step uses GITHUB_TOKEN for writes. Reduce
both workflows to contents: read for true least-privilege.
Addresses Copilot review feedback on #966.
* Update repo name from vedantmgoyal2009 to vedantmgoyal9
---------
Co-authored-by: Michał Krassowski <5832902+krassowski@users.noreply.github.com>
0 commit comments