fix(deps): patch basic-ftp advisory
@@ -42,6 +42,7 @@ Docs: https://docs.openclaw.ai
|
||||
- Browser/security: re-run blocked-destination safety checks after interaction-driven main-frame navigations from click, evaluate, hook-triggered click, and batched action flows, so browser interactions cannot bypass the SSRF quarantine when they land on forbidden URLs. (#63226) Thanks @eleqtrizit.
|
||||
- Security/dotenv: expand workspace `.env` filtering to block runtime-control variables like gateway routing, ClawHub endpoints/tokens, browser executable overrides, and skip/disable control families, so untrusted repositories cannot steer OpenClaw runtime behavior through repo-local dotenv files. (#62660) Thanks @eleqtrizit.
|
||||
- Browser/security: block browser-control module override and skip-server env vars from untrusted workspace `.env` files, and reject unsafe URL-style browser control override specifiers before lazy loading, so repo-local dotenv state cannot steer browser control module loading. (#62663) Thanks @eleqtrizit.
|
||||
- Security/dependency audit: force `basic-ftp` to `5.2.1` to pick up the CRLF command-injection fix from GHSA-chqc-8p9q-pq6q.
|
||||
- Security/dependency audit: bump Hono to `4.12.12` and `@hono/node-server` to `1.19.13` in production resolution paths.
|
||||
|
||||
## 2026.4.8
|
||||
|
||||
@@ -1427,6 +1427,7 @@
|
||||
"fast-xml-parser": "5.5.7",
|
||||
"request": "npm:@cypress/request@3.0.10",
|
||||
"request-promise": "npm:@cypress/request-promise@5.0.0",
|
||||
"basic-ftp": "5.2.1",
|
||||
"file-type": "22.0.0",
|
||||
"form-data": "2.5.4",
|
||||
"minimatch": "10.2.4",
|
||||
|
||||
11
pnpm-lock.yaml
generated
@@ -13,6 +13,7 @@ overrides:
|
||||
fast-xml-parser: 5.5.7
|
||||
request: npm:@cypress/request@3.0.10
|
||||
request-promise: npm:@cypress/request-promise@5.0.0
|
||||
basic-ftp: 5.2.1
|
||||
file-type: 22.0.0
|
||||
form-data: 2.5.4
|
||||
minimatch: 10.2.4
|
||||
@@ -4339,8 +4340,8 @@ packages:
|
||||
base64-js@1.5.1:
|
||||
resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}
|
||||
|
||||
basic-ftp@5.2.0:
|
||||
resolution: {integrity: sha512-VoMINM2rqJwJgfdHq6RiUudKt2BV+FY5ZFezP/ypmwayk68+NzzAQy4XXLlqsGD4MCzq3DrmNFD/uUmBJuGoXw==}
|
||||
basic-ftp@5.2.1:
|
||||
resolution: {integrity: sha512-0yaL8JdxTknKDILitVpfYfV2Ob6yb3udX/hK97M7I3jOeznBNxQPtVvTUtnhUkyHlxFWyr5Lvknmgzoc7jf+1Q==}
|
||||
engines: {node: '>=10.0.0'}
|
||||
|
||||
bidi-js@1.0.3:
|
||||
@@ -10883,7 +10884,7 @@ snapshots:
|
||||
|
||||
base64-js@1.5.1: {}
|
||||
|
||||
basic-ftp@5.2.0: {}
|
||||
basic-ftp@5.2.1: {}
|
||||
|
||||
bidi-js@1.0.3:
|
||||
dependencies:
|
||||
@@ -11635,7 +11636,7 @@ snapshots:
|
||||
|
||||
get-uri@6.0.5:
|
||||
dependencies:
|
||||
basic-ftp: 5.2.0
|
||||
basic-ftp: 5.2.1
|
||||
data-uri-to-buffer: 6.0.2
|
||||
debug: 4.4.3
|
||||
transitivePeerDependencies:
|
||||
@@ -11643,7 +11644,7 @@ snapshots:
|
||||
|
||||
get-uri@8.0.0:
|
||||
dependencies:
|
||||
basic-ftp: 5.2.0
|
||||
basic-ftp: 5.2.1
|
||||
data-uri-to-buffer: 8.0.0
|
||||
debug: 4.4.3
|
||||
transitivePeerDependencies:
|
||||
|
||||
@@ -8,6 +8,7 @@ minimumReleaseAge: 2880
|
||||
|
||||
minimumReleaseAgeExclude:
|
||||
- "acpx"
|
||||
- "basic-ftp"
|
||||
- "hono"
|
||||
- "openclaw"
|
||||
- "@buape/carbon"
|
||||
|
||||
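Review bot: The new `- "basic-ftp"` entry under `minimumReleaseAgeExclude` carries no comment saying why it is there or when it can be removed, so the exemption from the `minimumReleaseAge: 2880` cooldown outlives this advisory fix and applies to every later basic-ftp release as well. The exact `5.2.1` override and the lockfile integrity hash elsewhere in this commit constrain what resolves today, but the cooldown is the control that delays adoption of a freshly published, possibly compromised version, and this entry turns it off for the package by name. I would add a comment above the entry, for example `# temporary: 5.2.1 (GHSA-chqc-8p9q-pq6q fix) is newer than minimumReleaseAge; remove once it has aged past the window`, and drop the entry in a follow-up once the release is old enough. The list may continue past the visible context, so whether the neighbouring exclusions are documented elsewhere cannot be confirmed from this hunk.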