Go back
astro-minimax v0.9.2: Security Hardening & Architecture Split

astro-minimax v0.9.2: Security Hardening & Architecture Split

astro-minimax v0.9.2: Full-package security audit fixes, component and module splitting, single-source configuration, notification timeouts, and code quality improvements.

Souloss 2 min 248 words Release
#release #changelog #security #refactoring

astro-minimax v0.9.2 focuses on security hardening and architectural improvements. Following a parallel deep audit of all four packages, we fixed XSS/path traversal vulnerabilities, completed two rounds of component splitting, and consolidated configuration constants to a single source of truth.

Security Fixes

URL Protocol Validation (Critical)

Model-generated Markdown links in AI chat and URLs in notification templates now pass through a protocol allowlist (only http/https/mailto), preventing javascript: XSS attack vectors.

Mermaid Security Hardening

MermaidBlock securityLevel changed from 'loose' to 'strict', preventing malicious Mermaid syntax from executing scripts via SVG injection.

PostsContainer HTML Escaping

Client-side rendered post cards now escape title, description, category, and tag values, eliminating stored XSS risk.

CLI Path Traversal Protection

The extensions validate command now validates that file paths don’t escape the extensions directory, preventing ../ path traversal.

Notification Log Redaction

Webhook logs no longer output full URLs (which may contain ?token= credentials), showing only origin + pathname.

Architecture Improvements

Component Splitting — AI Package

FileLinesExtracted Modules
ChatPanel.tsx1020→580RichText.tsx, MessageBubble.tsx, ChatInput.tsx, ReasoningBlock.tsx
CodeBlock.tsx785→256MermaidBlock.tsx, MarkmapBlock.tsx, VizShared.tsx

Module Splitting — CLI Package

ai.ts (1167 lines) split into 6 focused modules: index (122 lines), types, run-tool, profile, facts, extensions.

Single-Source Configuration

Eliminated 8 duplicated configuration constants, all consolidated into constants.ts: timeouts, search parameters, cache TTL, and CLI version.

Reliability Improvements

Architecture Progress

PhaseCompletion
Phase 1 (Initial Audit)19/21 (90%)
Phase 2 (Deep Audit)18/25 (72%)
Total37/46 (80%)
> cd ..
astro-minimax v0.9.2: Security Hardening & Architecture Split
https://demo-astro-minimax.souloss.cn/en/posts/astro-minimax-0.9.2/
Author: Souloss Published: License: CC BY-NC-SA 4.0
Buy me a cup of coffee ☕
Previous Post
@astro-minimax/ai Module Technical Architecture Deep Dive
Next Post
astro-minimax v0.9.1: AI Tool Calling & Action System

Related Posts

astro-minimax v0.9.3: Runtime Alignment, Accessibility & Data Refresh

astro-minimax v0.9.3: Workspace runtime alignment, refreshed AI knowledge/profile assets, a rewritten browser smoke harness, accessibility improvements for chat and settings, and synced release documentation.

astro-minimax v0.9.1: AI Tool Calling & Action System

astro-minimax v0.9.1: AI tool calling and a client-side action runtime, paragraph-level RAG with RRF hybrid retrieval, ChatPanel and CodeBlock improvements, plus build and typing fixes.

Security Hardening Guide

Learn about astro-minimax security measures: URL sanitization, XSS prevention, Mermaid strict mode, CLI path traversal protection, webhook log redaction, and CORS configuration.

评论区

文明评论,共建和谐社区