Skip to content

Commit 29b9644

Browse files
committed
Release v0.2.4
1 parent aa0d7c9 commit 29b9644

3 files changed

Lines changed: 27 additions & 3 deletions

File tree

CHANGELOG.md

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,31 @@ All notable changes to this project will be documented in this file.
44

55
This project aims to follow [Semantic Versioning](https://semver.org/). Breaking changes include incompatible changes to command names, required arguments, JSON output contracts, structured error envelopes, stable exit codes, or safety behavior such as `--force` requirements.
66

7-
## [Unreleased]
7+
## [0.2.4] - 2026-06-15
8+
9+
### Security
10+
11+
- Closed a prototype-pollution gap: profile names matching reserved `Object.prototype` keys (`__proto__`, `prototype`, `constructor`) are now rejected by `safeProfileName` with the `invalid_profile` error code and `Usage` exit code.
12+
- Routed all dynamic-key reads, writes, and deletes on the credentials, profiles, and config maps through centralized wrappers (`src/core/profiles-map.ts`, `src/core/safe-io.ts`) so user-controlled keys can no longer reach the prototype chain.
13+
- Replaced the regex-based principal parser in `assertWindowsOwnerOnly` with a linear scan (`extractIcaclsPrincipal`) and swapped the `:(` anchor check for `indexOf(":(")` to drop a `safe-regex` complexity warning.
14+
- Force-patched `esbuild` to `>=0.28.1` via `pnpm-workspace.yaml` `overrides` to close the open Deno RCE and Windows dev-server file-read advisories across all transitive consumers (`vitest`, `tsx`, etc.).
15+
- Moved the build-script allowlist from `package.json`'s `pnpm.onlyBuiltDependencies` to `pnpm-workspace.yaml`'s `allowBuilds` (with `strictDepBuilds: false`); `esbuild` and `lefthook` are still allowed to run install-time build scripts, but the list is now explicit at the workspace level rather than per-package.
16+
- New `.github/workflows/security.yml` (reusable workflow, also called by `release.yml`): `npm audit --omit=dev --audit-level=high` on production deps; `betterleaks` 1.5.0 (SARIF uploaded to Code Scanning) on every push to `main`, on PRs that touch `src/**`, `package.json`, `pnpm-lock.yaml`, or `.github/workflows/**`, and on a weekly schedule; `shellcheck` on `*.sh`; and `actionlint` + `zizmor` (high severity, medium confidence) on `.github/workflows/`. Replaces the old `gitleaks` step in `ci.yml`.
17+
- New `.github/workflows/codeql.yml`: CodeQL JavaScript/TypeScript analysis on push to `main`, on PRs to `main`, and weekly.
18+
- `ci.yml` now runs `pnpm audit --audit-level=high` (was `--audit-level moderate`) after build, on a Node 24 / 26 matrix.
19+
20+
### Changed
21+
22+
- Bumped the supported Node.js runtime from `>=20.11` to `>=24`. Older Node versions are no longer supported; upgrade to Node 24+ before updating.
23+
- Replaced the `tsup` build pipeline with `tsc` (NodeNext ESM). The published `dist/` layout and the `raindrop` binary entry point are unchanged.
24+
- Stack: pnpm 11.6, TypeScript 6, ESLint 10, Vitest 4, Prettier 3.8, `lefthook`, plus `eslint-plugin-security`, `safe-regex`, and `betterleaks` in the dev toolchain. A new `pnpm validate` runs lint + format:check + typecheck + test + build + audit end-to-end.
25+
- Runtime dependencies: `commander` 14 → 15, `smol-toml` 1.4 → 1.6, `zod` 4.1 → 4.4. No public CLI contract changes.
26+
27+
### Internal
28+
29+
- Extracted the OAuth login completion flow into a `completeOAuthLogin` helper in `src/cli.ts`.
30+
- Shared the `commands.yaml` parser between `codegen` and `spec-lint` via a new `scripts/lib/parse-commands-yaml.ts`.
31+
- Added a `runCli` test helper and a `globalSetup` that isolates `RAINDROP_CONFIG_DIR` per test file.
832

933
## [0.2.3] - 2026-05-10
1034

docs/commands.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
<!-- AUTO-GENERATED by scripts/codegen.ts — do not edit by hand -->
44

5-
Generated from spec/commands.yaml on 2026-06-14.
5+
Generated from spec/commands.yaml on 2026-06-15.
66

77
Command names below use the actual shell syntax. The source command IDs in `spec/commands.yaml` use dots, for example `bookmark.add` maps to `raindrop bookmark add`.
88

package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
{
22
"name": "@mocito/raindrop-cli",
3-
"version": "0.2.3",
3+
"version": "0.2.4",
44
"description": "Agent-friendly CLI for Raindrop.io",
55
"type": "module",
66
"repository": {

0 commit comments

Comments
 (0)