Two issues raised by coderabbit on the latest commit:

1. Shell injection surface: execSync was building the zip command with a template literal that interpolated bundle.slug from JSON. Even with our controlled inputs, a slug with shell metacharacters would break quoting. Switched to execFileSync with an argument array (no shell) and added a strict ^[a-z0-9][a-z0-9-]*$ slug regex enforced before any FS or zip call.
2. Missing bundle directories were [SKIP]-warned but the script still printed the release command, allowing an incomplete release to ship cleanly. Now treated as fatal: any missing or invalid slug blocks the printed gh command and exits non-zero with the offending slugs listed.

| | | |
|---|---|---|
| .. | ||
| docs | ||
| installer | ||
| build-docs.mjs | ||
| bundle-web-bundles.js | ||
| fix-doc-links.js | ||
| format-workflow-md.js | ||
| javascript-conventions.md | ||
| migrate-custom-module-paths.js | ||
| skill-validator.md | ||
| validate-doc-links.js | ||
| validate-file-refs.js | ||
| validate-sidebar-order.js | ||
| validate-skills.js | ||
| validate-svg-changes.sh | ||