
chore: COD-28 harden dependencies and public assets#106

Merged: Ark0N merged 3 commits into Ark0N:master from aakhter:cod-28-security-public-assets on Jun 8, 2026

Conversation

@aakhter (Contributor) commented Jun 8, 2026

Summary

  • updates security-sensitive dependency ranges and lockfiles to patched versions
  • adds dependency security regression tests
  • adds a public asset checker and removes literal NUL placeholders from app.js

Verification

  • npm test -- test/dependency-security.test.ts test/frontend-public-tooling.test.ts
  • npm run check:public-assets
  • npm run check:lockfile
  • npm audit --audit-level=moderate
  • (packages/xterm-zerolag-input) npm audit --audit-level=moderate

Jira: COD-28

aakhter and others added 3 commits June 8, 2026 09:56
The PR adds an extended format:check / check-public-assets prettier pass
over src/web/public, but the hand-written public JS modules (and the
ported gesture bundle) have never been prettier-enforced and would turn
the new check red on master. Rather than reformat the entire frontend
(~2k lines of churn) inside a dependency-hardening PR, add those legacy
files + src/web/public/gesture/ to .prettierignore — matching the
author's existing pattern (app.js, styles.css, mobile.css, index.html).

The security-relevant checks are unaffected: check-public-assets.mjs
still validates NUL bytes and runs `node --check` on EVERY public .js
file regardless of .prettierignore.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Ark0N Ark0N merged commit 6bf69a8 into Ark0N:master Jun 8, 2026
1 check passed
Ark0N added a commit that referenced this pull request Jun 8, 2026
…policy

Release 0.9.0 covering the merged security/reliability PRs (#106 deps/
supply-chain, #107 auth/network, #108 test stability, #110 tmux cwd) plus:

- Network policy: a non-loopback bind without CODEMAN_PASSWORD now STARTS
  with a loud warning (3 ways to secure) instead of refusing to start.
  Loopback stays the safe default. --allow-unauthenticated-network just
  acknowledges (terser note). (src/web/server.ts start())
- Post-install security note explaining the loopback default + safe exposure.
- New docs/security-architecture.md documenting the full model (binding,
  auth pipeline, tunnel req.ip caveat, file-serving, supply-chain, isolation,
  recommended setups). CLAUDE.md Security section + gotcha updated.
- Updated auth-security test: asserts warn-and-start (not throw).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
