Harden security across publishing, auth, and input validation#24

Merged: theoephraim merged 3 commits into main from fix/security-hardening on Apr 21, 2026

Conversation

@theoephraim

Member

Summary

  • Git token auth: Use ephemeral git -c http.extraheader instead of rewriting the remote URL — prevents token persistence in .git/config if the process crashes mid-push (relevant for self-hosted runners)
  • Custom command gating: Add allowCustomCommands root config option so per-package publishCommand/buildCommand/checkPublished in package.json must be explicitly allowed by the root config. Commands in .bumpy/_config.json packages are always trusted.
  • Input validation: Validate package names (reject shell/HTML metacharacters) and bump types (major|minor|patch|none) during bump file parsing
  • Tarball path parsing: Use --json flag for npm/pnpm pack to get deterministic tarball filenames instead of fragile regex parsing
  • Changelog formatter path traversal: Resolve symlinks with realpathSync and use path.relative() check instead of string prefix matching
  • Force-push safeguard: Refuse to force-push if the target branch is main, master, or the current HEAD branch

Test plan

  • Verify bumpy ci release still pushes version PR branch correctly with BUMPY_GH_TOKEN
  • Verify bumpy publish works with npm and pnpm pack --json output
  • Test that a package.json with publishCommand throws without allowCustomCommands in root config
  • Test that allowCustomCommands: true and glob patterns allow the commands through
  • Verify bump files with invalid package names or bump types are skipped with warnings
  • Test custom changelog formatter loading with relative paths

🤖 Generated with Claude Code
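The first and last summary bullets (ephemeral token auth, force-push safeguard) as an added TypeScript example; this is not bumpy's own code. It departs from the PR in one respect: instead of passing -c http.extraheader=... on argv, where the token is readable by any local user through ps or /proc/<pid>/cmdline, it hands git the same one-shot config through GIT_CONFIG_COUNT/GIT_CONFIG_KEY_0/GIT_CONFIG_VALUE_0 (git 2.31 or later), which git treats exactly like -c and, like -c, never writes to .git/config. The function names, the x-access-token basic-auth form, the --force-with-lease choice and the remote/branch names are assumptions.

```typescript
// Added example; not bumpy's own code. Plans a push whose credential lives only
// in the process environment for the duration of one git invocation, and
// applies the force-push guard from the PR summary. Assumptions: GitHub-style
// "x-access-token:<token>" basic auth, git >= 2.31 (GIT_CONFIG_* support), and
// illustrative remote/branch names.
import { spawnSync } from 'node:child_process';

const PROTECTED_BRANCHES: ReadonlySet<string> = new Set(['main', 'master']);

export interface PushPlan {
  args: string[];               // argv for git; never contains the token
  env: Record<string, string>;  // one-shot config, equivalent to `git -c ...`
}

// Refuse to force-push to main/master or to the branch that is checked out.
export function assertForcePushAllowed(target: string, currentHead: string, force: boolean): void {
  if (!force) return;
  if (PROTECTED_BRANCHES.has(target)) {
    throw new Error(`refusing to force-push protected branch "${target}"`);
  }
  if (target === currentHead) {
    throw new Error(`refusing to force-push the checked-out branch "${target}"`);
  }
}

export function buildPushPlan(opts: {
  token: string;
  remote: string;
  branch: string;       // target branch on the remote
  currentHead: string;  // output of `git rev-parse --abbrev-ref HEAD`
  force?: boolean;
  baseUrl?: string;     // scope the header to one host so it is not sent elsewhere
}): PushPlan {
  const { token, remote, branch, currentHead, force = false, baseUrl = 'https://github.com/' } = opts;
  assertForcePushAllowed(branch, currentHead, force);

  const basic = Buffer.from(`x-access-token:${token}`).toString('base64');
  // GIT_CONFIG_COUNT/KEY_n/VALUE_n are read by git exactly like `-c key=value`,
  // but do not show up in the process command line and never touch .git/config.
  const env: Record<string, string> = {
    GIT_CONFIG_COUNT: '1',
    GIT_CONFIG_KEY_0: `http.${baseUrl}.extraheader`,
    GIT_CONFIG_VALUE_0: `AUTHORIZATION: basic ${basic}`,
  };
  // --force-with-lease rather than --force: still fails if the remote ref moved
  // under us, which is the usual "crashed mid-push, retried" situation.
  const args = ['push', ...(force ? ['--force-with-lease'] : []), remote, `HEAD:refs/heads/${branch}`];
  return { args, env };
}

// Runs the plan. No shell is involved (argv array), so nothing is re-parsed.
export function runPush(plan: PushPlan, cwd: string): number {
  const res = spawnSync('git', plan.args, { cwd, env: { ...process.env, ...plan.env }, stdio: 'inherit' });
  return res.status ?? 1;
}
```

The environment is merged into the child's environment only for that one spawn; a crash between "set" and "unset" leaves nothing behind because there is no persistent state to begin with, which is the property the PR is after for self-hosted runners.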

theoephraim and others added 2 commits on April 21, 2026 at 00:25
- Use ephemeral git -c http.extraheader for token auth instead of rewriting remote URL (prevents token persistence in .git/config on crash)
- Add allowCustomCommands root config to gate per-package shell commands from package.json
- Validate package names and bump types in bump file parsing
- Use --json for npm/pnpm pack output to prevent tarball path injection
- Fix changelog formatter path traversal check to resolve symlinks
- Add force-push safeguard to reject pushes to main/master branches

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove unused log import in config.ts and use Unicode escapes for
control character regex in bump-file.ts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
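The changelog-formatter bullet, as an added example that is not bumpy's code: the prefix-only check beside the realpathSync plus path.relative form, both run against a constructed directory tree containing a prefix-sharing sibling directory and a symlink that points outside the root. The .bumpy root, the file names and the function names are assumptions.

```typescript
// Added example; not bumpy's own code. Shows why a string-prefix containment
// check is not a containment check, and the realpath + path.relative form that
// is. Assumed: the formatter root is the project's .bumpy directory and the
// requested path comes from user-controlled config.
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// "Before": prefix matching. Two holes: a sibling directory whose name starts
// with the root's name, and a symlink inside the root pointing outside it.
export function isInsidePrefixOnly(root: string, candidate: string): boolean {
  return path.resolve(candidate).startsWith(path.resolve(root));
}

// "After", part 1: containment of two canonical paths. The relative path must
// not climb out ("..", "../x") and must stay on the same drive (Windows).
export function isInside(rootReal: string, candidateReal: string): boolean {
  const rel = path.relative(rootReal, candidateReal);
  return rel !== '..' && !rel.startsWith(`..${path.sep}`) && !path.isAbsolute(rel);
}

// "After", part 2: canonicalise both ends with realpathSync so symlinks are
// followed before the comparison, then insist on a regular file strictly below root.
export function resolveFormatterPath(root: string, requested: string): string {
  const rootReal = fs.realpathSync(root);
  let real: string;
  try {
    real = fs.realpathSync(path.resolve(rootReal, requested));
  } catch {
    throw new Error(`changelog formatter not found: ${requested}`);
  }
  if (real === rootReal || !isInside(rootReal, real)) {
    throw new Error(`changelog formatter path escapes ${root}: ${requested}`);
  }
  if (!fs.statSync(real).isFile()) {
    throw new Error(`changelog formatter is not a file: ${requested}`);
  }
  return real;
}

// Constructed fixture: <tmp>/.bumpy/formatter.js (legitimate), a sibling
// <tmp>/.bumpy-evil/steal.js that shares the ".bumpy" prefix, and a symlink
// .bumpy/link.js -> ../.bumpy-evil/steal.js.
export function buildFixture(): { root: string; outside: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'bumpy-traversal-'));
  const root = path.join(base, '.bumpy');
  const outside = path.join(base, '.bumpy-evil');
  fs.mkdirSync(root);
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(root, 'formatter.js'), 'module.exports = () => "ok";\n');
  fs.writeFileSync(path.join(outside, 'steal.js'), '// not part of the project\n');
  fs.symlinkSync(path.join('..', '.bumpy-evil', 'steal.js'), path.join(root, 'link.js'));
  return { root, outside };
}
```

Note the remaining window: realpathSync resolves the link at check time, and whoever can write inside the root can re-point it before the formatter is loaded. If that matters in your threat model, load the module from the already-resolved absolute path returned here rather than from the original string, so at least the check and the use agree on the same target.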
@bumpy-bot

bumpy-bot commented Apr 21, 2026

Collaborator

The changes in this PR will be included in the next version bump.

Patch releases

  • @varlock/bumpy 0.0.2 → 0.0.3

Bump files in this PR

This comment is maintained by bumpy.
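The "Input validation" and "Tarball path parsing" bullets of the PR summary, as one added example (not bumpy's code): an allowlist validator for package names and bump types, the fragile regex-over-stdout extraction beside the --json form, and a basename check on the filename that comes back. The npm shape (an array of results) is what current npm prints; the pnpm shape (a single object) is an assumption to verify against the pnpm version you ship. The function names and the sample stdout are constructed.

```typescript
// Added example; not bumpy's own code. Allowlist validation for identifiers that
// later reach a shell or the filesystem, and tarball-name extraction from
// `npm pack --json` / `pnpm pack --json`. Assumption: npm prints an array of
// result objects, pnpm a single object; both carry name/version/filename.
import * as path from 'node:path';

export type BumpType = 'major' | 'minor' | 'patch' | 'none';
const BUMP_TYPES: ReadonlySet<string> = new Set(['major', 'minor', 'patch', 'none']);

// npm naming rules as an allowlist (deliberately stricter than npm's own: no
// leading "-", no "~" or "*"): optional @scope/, lowercase URL-safe chars,
// no leading dot, at most 214 characters. Shell metacharacters, HTML, path
// separators and ".." segments are rejected by construction, not by a denylist.
const PACKAGE_NAME = /^(@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/;

export function isValidPackageName(name: string): boolean {
  return name.length <= 214 && PACKAGE_NAME.test(name);
}

// Returns undefined for anything outside the four known values so the caller
// can warn and skip the bump file rather than guess.
export function parseBumpType(raw: string): BumpType | undefined {
  const v = raw.trim();
  return BUMP_TYPES.has(v) ? (v as BumpType) : undefined;
}

// Fragile "before": the first .tgz-looking token anywhere on stdout. Anything a
// prepack script prints that ends in .tgz wins over the real filename.
export function tarballByRegex(stdout: string): string | undefined {
  return stdout.match(/(\S+\.tgz)/)?.[1];
}

export interface PackResult { name: string; version: string; filename: string }

// Hardened "after": parse the JSON document, accept either shape, then require
// the filename to be a plain basename and name/version to match package.json.
export function tarballFromPackJson(stdout: string, expected: { name: string; version: string }): PackResult {
  let doc: unknown;
  try { doc = JSON.parse(stdout); } catch { throw new Error('pack --json produced no parseable JSON'); }
  const entry = Array.isArray(doc) ? doc[0] : doc;  // npm: array, pnpm: object
  if (!entry || typeof entry !== 'object') throw new Error('pack --json: unexpected shape');
  const { name, version, filename } = entry as Record<string, unknown>;
  if (typeof name !== 'string' || typeof version !== 'string' || typeof filename !== 'string') {
    throw new Error('pack --json: missing name/version/filename');
  }
  if (name !== expected.name || version !== expected.version) {
    throw new Error(`pack --json: got ${name}@${version}, expected ${expected.name}@${expected.version}`);
  }
  // A tarball name is a basename; anything with a directory part or odd
  // characters is refused instead of being joined onto the working directory.
  if (filename !== path.basename(filename) || !/^[A-Za-z0-9][A-Za-z0-9._-]*\.tgz$/.test(filename)) {
    throw new Error(`pack --json: refusing suspicious tarball name ${JSON.stringify(filename)}`);
  }
  return { name, version, filename };
}
```

If anything other than the JSON document lands on stdout, JSON.parse fails loudly here; that is the intended behaviour, and the fix belongs in whatever is writing to stdout, not in falling back to a regex.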

@theoephraim theoephraim merged commit 99aad22 into main Apr 21, 2026
2 checks passed

2 participants