BMAD-METHOD/tools/installer/modules
Brian Madison fb57c81176 fix(installer): address third-round PR #2353 review comments
(J) Prototype pollution guard (CodeRabbit major).
`--set __proto__.x=1` previously mutated Object.prototype because
`overrides.__proto__` returned Object.prototype on a plain object,
and assigning `[key]=value` polluted every plain object in the process.
Verified the attack reproduces on f1c9e12 and is now blocked: parser
rejects __proto__/prototype/constructor segments, and the maps are
Object.create(null) for defense-in-depth.

(I) Non-zero exit when --list-options <module>'s yaml is unparseable
(CodeRabbit major). formatOptionsList tracks moduleScopedFailure and
returns ok:false in that case; install.js exits 1.

(F) Dynamic defaults can now see --set sibling values (Augment medium).
buildQuestion's function default falls back to
`this.collectedConfig[mod][otherKey]`, but overrides were only in
`allAnswers` (local) at default-evaluation time. Pre-write override
raw values to collectedConfig before the prompt batch so the
fallback resolves. Post-prompt template processing overwrites with
the rendered version.

(E) applyOverridesAfterSeeding no longer bypasses carry-forward when
the schema can't be loaded (Augment low). Restructured: schema-load
is now best-effort; without schema, declaredKeys is an empty Set, so
all overrides are flagged as "unknown" and carry-forward runs against
every prior key. Comment now matches behavior.

(G) Flag placeholder --set <spec> instead of <module.key=value>
(Augment low) — angle brackets in the placeholder were misleading;
the description spells out the spec format.

(H) README wording: "every available key" → "locally-known official
keys (built-in modules plus any external officials cached on this
machine)" (CodeRabbit minor) — accurately reflects scope.

Tests: +2 cases for prototype-pollution rejection. Total 343 passing.
2026-04-28 11:42:07 -05:00
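The guard described in (J), as an added JavaScript example that is not the project's own installer code: a naive `--set module.key=value` applier that reproduces the pollution the commit message describes, beside a hardened parser that rejects the reserved segments and keeps the override maps prototype-less with `Object.create(null)`. Function and constant names are assumptions.

```javascript
// Added example, not BMAD-METHOD's installer code; names are assumptions.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'prototype', 'constructor']);

// Naive applier (the bug): with mod === '__proto__', overrides[mod] on a plain
// object resolves to Object.prototype, so the inner assignment pollutes every
// plain object in the process.
function applyOverrideNaive(overrides, spec) {
  const eq = spec.indexOf('=');
  const [mod, key] = spec.slice(0, eq).split('.');
  const value = spec.slice(eq + 1);
  if (!overrides[mod]) overrides[mod] = {};
  overrides[mod][key] = value;
  return overrides;
}

// Hardened parser: validate the shape, reject reserved path segments, and
// return plain data for the caller to apply.
function parseSetSpec(spec) {
  const eq = spec.indexOf('=');
  if (eq <= 0) throw new Error(`--set expects module.key=value, got "${spec}"`);
  const path = spec.slice(0, eq);
  const value = spec.slice(eq + 1); // the value may itself contain '='
  const segments = path.split('.');
  if (segments.length !== 2 || segments.some((s) => s === '')) {
    throw new Error(`--set path must be module.key, got "${path}"`);
  }
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`--set rejects reserved path segment "${seg}"`);
    }
  }
  return { mod: segments[0], key: segments[1], value };
}

// Prototype-less maps: even if a reserved name slipped past the parser,
// there is no Object.prototype on the chain to reach (defense-in-depth).
function newOverrides() {
  return Object.create(null);
}

function applyOverride(overrides, spec) {
  const { mod, key, value } = parseSetSpec(spec);
  if (overrides[mod] === undefined) overrides[mod] = Object.create(null);
  overrides[mod][key] = value;
  return overrides;
}
```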
channel-plan.js feat(installer): channel-based version resolution + interactive channel management (#2305) 2026-04-24 08:20:30 -05:00
channel-resolver.js feat(installer): channel-based version resolution + interactive channel management (#2305) 2026-04-24 08:20:30 -05:00
community-manager.js fix(installer): route community installs through PluginResolver when marketplace.json ships (#2331) 2026-04-26 22:50:47 -05:00
custom-module-manager.js fix: use full update path when --custom-source is passed with --yes (#2336) 2026-04-27 20:49:21 -05:00
external-manager.js feat(installer): channel-based version resolution + interactive channel management (#2305) 2026-04-24 08:20:30 -05:00
official-modules.js fix(installer): address third-round PR #2353 review comments 2026-04-28 11:42:07 -05:00
plugin-resolver.js fix(installer): replace fs-extra with native node:fs to prevent file loss 2026-04-13 00:44:28 -05:00
registry-client.js feat(installer): use GitHub API as primary fetch with raw CDN fallback (#2248) 2026-04-18 08:53:23 -07:00
registry-fallback.yaml feat(installer): channel-based version resolution + interactive channel management (#2305) 2026-04-24 08:20:30 -05:00
version-resolver.js fix: bmad tea instal version (#2298) 2026-04-22 11:03:20 -05:00