From ab6a9ec9ff8eb0d89b408b1730b32c7ca9826659 Mon Sep 17 00:00:00 2001
From: Chevon Phillip
Date: Sat, 11 Apr 2026 00:24:17 -0400
Subject: [PATCH 1/3] fix(desktop): escape backslashes in CSS selector generation

Agent-Id: agent-ea2b5334-be90-492a-9158-0b8914ea181b
Linked-Note-Id: 50d781b8-c6a7-4259-a460-3f0edb5808db
---
 packages/cli/src/desktop/electron-app.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/cli/src/desktop/electron-app.ts b/packages/cli/src/desktop/electron-app.ts
index 8bef300..0c02024 100644
--- a/packages/cli/src/desktop/electron-app.ts
+++ b/packages/cli/src/desktop/electron-app.ts
@@ -124,10 +124,10 @@ export async function getElectronUIStructure(session: ElectronSession): Promise<
 const value = element.getAttribute(attr);
 if (!value) continue;
 if (attr === "id") return "#" + CSS.escape(value);
- return "[" + attr + "=\"" + value.replace(/"/g, '\\"') + "\"]";
+ return "[" + attr + "=\"" + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + "\"]";
 }
 if (element.tagName === "A" && element.getAttribute("href")) {
- return "a[href=\"" + element.getAttribute("href")!.replace(/"/g, '\\"') + "\"]";
+ return "a[href=\"" + element.getAttribute("href")!.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + "\"]";
 }
 return null;
 };
From 81e4a9f3f7b0c14f9549e47fa6b7cca23045aaa3 Mon Sep 17 00:00:00 2001
From: Chevon Phillip
Date: Sat, 11 Apr 2026 00:26:34 -0400
Subject: [PATCH 2/3] ci: add read-only permissions for workflow

Agent-Id: agent-e72fc79c-5dec-44ea-8df2-fbc451b0f72f
Linked-Note-Id: db021f53-d311-44da-9ef3-e72eb72884b3
---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d15f377..00474b0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,9 @@ on:
 branches:
 - main

+permissions:
+ contents: read
+
 jobs:
 lint:
 runs-on: ubuntu-latest
From e25fc11c3349cdf394949f074ecf3c35d0bb0c7e Mon Sep 17 00:00:00 2001
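Review bot: The hand-rolled escaping on both changed `return` lines (the generic attribute branch and the `a[href=...]` branch) still passes a raw newline or other control character from the attribute value straight through, and an unescaped newline terminates a CSS quoted string, so the generated selector would presumably fail to parse wherever it is consumed later. The `id` branch one line above already calls `CSS.escape`, whose output is also valid inside a quoted string, so the two lines could become `return "[" + attr + "=\"" + CSS.escape(value) + "\"]";` and `return "a[href=\"" + CSS.escape(href) + "\"]";`, with `href` read once into a local so the `!` assertion goes away. `attr` is concatenated unescaped, which is fine only if it comes from a fixed list; that list is outside the hunk. The enclosing arrow function starts above the hunk.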
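Review bot: Declaring `permissions` at the workflow level sets every scope that is not listed to `none`, so any job outside this hunk that comments on pull requests, uploads scan results or publishes artifacts would now need its own job-level `permissions` block; only the start of `lint` is visible here, so this should be confirmed against the remaining jobs. A short comment above the block would keep later edits from widening the default, for example `# Least privilege: GITHUB_TOKEN is read-only by default; grant extra scopes per job, not here`. The `jobs` map continues past the end of the hunk.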
From: Chevon Phillip Date: Sat, 11 Apr 2026 00:33:14 -0400 Subject: [PATCH 3/3] Resolve remaining Dependabot lockfile alerts in the publish branch The security-fix branch already contained the workflow permission hardening and Electron escaping fix, but the lockfile-only dependency bumps were still local. This records the remaining hono and @hono/node-server updates so the published PR fully matches the requested security scope. Constraint: Publish branch must contain all security fixes in one PR Rejected: Open the PR without the lockfile bump | would leave the dependency remediation out of the diff Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep dependency updates limited to the audited hono packages unless a fresh audit identifies additional exposure Tested: npm ci; npm audit --omit=dev; cd packages/cli && npx tsc --noEmit; cd packages/cli && npm run lint; cd packages/cli && npm test Not-tested: GitHub-hosted CI before PR creation --- package-lock.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/package-lock.json b/package-lock.json index 312bbaa..1aa2e54 100644 --- a/package-lock.json +++ b/package-lock.json @@ -729,9 +729,9 @@ "link": true }, "node_modules/@hono/node-server": { - "version": "1.19.12", - "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.12.tgz", - "integrity": "sha512-txsUW4SQ1iilgE0l9/e9VQWmELXifEFvmdA1j6WFh/aFPj99hIntrSsq/if0UWyGVkmrRPKA1wCeP+UCr1B9Uw==", + "version": "1.19.13", + "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.13.tgz", + "integrity": "sha512-TsQLe4i2gvoTtrHje625ngThGBySOgSK3Xo2XRYOdqGN1teR8+I7vchQC46uLJi8OF62YTYA3AhSpumtkhsaKQ==", "license": "MIT", "engines": { "node": ">=18.14.1" 
@@ -3589,9 +3589,9 @@ } }, "node_modules/hono": { - "version": "4.12.10", - "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.10.tgz", - "integrity": "sha512-mx/p18PLy5og9ufies2GOSUqep98Td9q4i/EF6X7yJgAiIopxqdfIO3jbqsi3jRgTgw88jMDEzVKi+V2EF+27w==", + "version": "4.12.12", + "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.12.tgz", + "integrity": "sha512-p1JfQMKaceuCbpJKAPKVqyqviZdS0eUxH9v82oWo1kb9xjQ5wA6iP3FNVAPDFlz5/p7d45lO+BpSk1tuSZMF4Q==", "license": "MIT", "engines": { "node": ">=16.9.0"