26501daa4e
- Rustup: Download script to temp file with shebang/size validation before execution, matching mise/ollama pattern (line 1119) - SKIP_EXPORTS: Refactor from embedded shell commands to base64-encoded list decoded safely in VM, eliminating injection risk (line 478) - Playwright symlink: Validate path is executable and within expected cache directory before creating system symlinks (line 1053) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
80 lines
2.8 KiB
Markdown
80 lines
2.8 KiB
Markdown
# Changelog
|
|
|
|
All notable changes to this project will be documented in this file.
|
|
|
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
|
|
## [0.9.0] - 2025-01-25
|
|
|
|
### Security
|
|
- Fix rustup pipe-to-shell vulnerability: now downloads to temp file with validation before execution
|
|
- Fix SKIP_EXPORTS command injection risk: refactored to use base64-encoded list instead of shell command string
|
|
- Fix Playwright symlink path validation: validates executable and path prefix before creating symlinks
|
|
|
|
## [0.8.0] - 2025-01-25
|
|
|
|
### Added
|
|
- Project memory system using CLAUDE.md, CHANGELOG.md, and README.md
|
|
- Versioning rules and documentation update guidelines in CLAUDE.md
|
|
|
|
## [0.7.0] - 2025-01-25
|
|
|
|
### Added
|
|
- CHANGELOG.md with version history following Keep a Changelog format
|
|
|
|
## [0.6.0] - 2025-01-25
|
|
|
|
### Changed
|
|
- All tools now use latest versions by default instead of pinning specific versions
|
|
- PostgreSQL authentication uses scram-sha-256 for all TCP connections
|
|
- Simplified tool installation by removing version pinning constraints
|
|
|
|
### Security
|
|
- VNC passwords are never stored and must be entered each time
|
|
- Added documentation for input validation patterns and safe config loading
|
|
|
|
## [0.5.0] - 2025-01-25
|
|
|
|
### Security
|
|
- Prevents shell injection through input validation and safe parameter passing
|
|
- Replaces direct sourcing with manual config parsing to avoid code execution
|
|
- Downloads and validates install scripts before execution instead of piping
|
|
- Uses base64 encoding for secure VM parameter transmission
|
|
- Adds checksum verification for binary downloads
|
|
- Creates secure temporary directories and files with proper permissions
|
|
|
|
## [0.4.0] - 2025-01-25
|
|
|
|
### Changed
|
|
- Replaces sequential installation with parallel step execution
|
|
- Introduces real-time progress dashboard with spinner and status
|
|
- Removes color variables to improve terminal compatibility
|
|
- Restructures logging with per-step files for better debugging
|
|
|
|
### Performance
|
|
- Significantly reduces total setup time by running independent steps concurrently
|
|
|
|
## [0.3.0] - 2025-01-25
|
|
|
|
### Added
|
|
- Dual-mode operation: orchestration on macOS, provisioning on Linux
|
|
- Interactive component selection with visual menu interface
|
|
- VNC desktop access for OAuth workflows and browser-based tasks
|
|
|
|
### Security
|
|
- Secure VM creation with disabled host filesystem access
|
|
|
|
## [0.2.0] - 2025-01-25
|
|
|
|
### Added
|
|
- OrbStack development sandbox setup script
|
|
- mise version manager with Node.js, Erlang, and Elixir support
|
|
- PostgreSQL 16 with remote access configuration
|
|
- Claude Code integration with multiple plugin marketplaces
|
|
- Chromium browser and Playwright for automation tasks
|
|
|
|
## [0.1.0] - 2025-01-25
|
|
|
|
### Added
|
|
- Initial project structure
|