ldy26098
/
BMAD-METHOD
mirror of https://github.com/bmad-code-org/BMAD-METHOD.git
1
0
Fork 0
Code Packages Projects Releases Wiki Activity
BMAD-METHOD/tools
History
Brian Madison fb57c81176 fix(installer): address third-round PR #2353 review comments 
(J) Prototype pollution guard (CodeRabbit major).
`--set __proto__.x=1` previously mutated Object.prototype because
`overrides.__proto__` returned Object.prototype on a plain object,
and assigning `[key]=value` polluted every plain object in the process.
Verified the attack reproduces on f1c9e12 and is now blocked: parser
rejects __proto__/prototype/constructor segments, and the maps are
Object.create(null) for defense-in-depth.

(I) Non-zero exit when --list-options <module>'s yaml is unparseable
(CodeRabbit major). formatOptionsList tracks moduleScopedFailure and
returns ok:false in that case; install.js exits 1.

(F) Dynamic defaults can now see --set sibling values (Augment medium).
buildQuestion's function default falls back to
`this.collectedConfig[mod][otherKey]`, but overrides were only in
`allAnswers` (local) at default-evaluation time. Pre-write override
raw values to collectedConfig before the prompt batch so the
fallback resolves. Post-prompt template processing overwrites with
the rendered version.

(E) applyOverridesAfterSeeding no longer bypasses carry-forward when
the schema can't be loaded (Augment low). Restructured: schema-load
is now best-effort; without schema, declaredKeys is an empty Set, so
all overrides are flagged as "unknown" and carry-forward runs against
every prior key. Comment now matches behavior.

(G) Flag placeholder --set <spec> instead of <module.key=value>
(Augment low) — angle brackets in the placeholder were misleading;
the description spells out the spec format.

(H) README wording: "every available key" → "locally-known official
keys (built-in modules plus any external officials cached on this
machine)" (CodeRabbit minor) — accurately reflects scope.

Tests: +2 cases for prototype-pollution rejection. Total 343 passing.
 		2026-04-28 11:42:07 -05:00
..
docs feat(installer): expand to 42 platforms with shared target_dir coordination (#2313) 2026-04-25 21:14:00 -05:00
installer fix(installer): address third-round PR #2353 review comments 2026-04-28 11:42:07 -05:00
build-docs.mjs fix(docs): community feedback — typo, locale 404s, llms-full (#2091) 2026-03-21 16:42:57 -06:00
fix-doc-links.js fix(docs): comprehensive documentation site review fixes (#1578) 2026-02-08 11:58:22 -06:00
format-workflow-md.js check alignment 2025-10-22 12:36:39 -05:00
javascript-conventions.md refactor(installer): restructure installer with clean separation of concerns (#2129) 2026-03-27 06:50:07 -06:00
migrate-custom-module-paths.js fix(installer): replace fs-extra with native node:fs to prevent file loss 2026-04-13 00:44:28 -05:00
skill-validator.md refactor: tighten SKILL-04 regex, broaden WF-01/WF-02, remove forbidden names 2026-03-18 08:02:01 -06:00
validate-doc-links.js feat(docs): add public roadmap and improve site navigation 2026-02-22 19:41:57 -06:00
validate-file-refs.js feat(skills): TOML-based agent and workflow customization (#2284) 2026-04-19 19:30:29 -05:00
validate-skills.js fix: address PR review findings in skill validator 2026-03-18 14:35:52 -06:00
validate-svg-changes.sh Project Cleanup of Agents Menus, BMB module removal to other repo 2026-01-19 02:04:14 -06:00