2026-01-16 19:55:10 -07:00
|
|
|
{
|
|
|
|
|
"$schema": "./node_modules/oxlint/configuration_schema.json",
|
2026-01-31 16:16:13 +09:00
|
|
|
"plugins": ["unicorn", "typescript", "oxc"],
|
2026-01-16 19:55:10 -07:00
|
|
|
"categories": {
|
2026-01-31 15:58:24 +09:00
|
|
|
"correctness": "error",
|
2026-01-31 16:03:28 +09:00
|
|
|
"perf": "error",
|
2026-01-31 16:16:13 +09:00
|
|
|
"suspicious": "error"
|
2026-01-31 15:58:24 +09:00
|
|
|
},
|
|
|
|
|
"rules": {
|
2026-01-31 16:19:20 +09:00
|
|
|
"curly": "error",
|
2026-01-31 15:58:24 +09:00
|
|
|
"eslint-plugin-unicorn/prefer-array-find": "off",
|
|
|
|
|
"eslint/no-await-in-loop": "off",
|
2026-01-31 16:16:13 +09:00
|
|
|
"eslint/no-new": "off",
|
2026-02-17 08:53:59 +09:00
|
|
|
"eslint/no-shadow": "off",
|
|
|
|
|
"eslint/no-unmodified-loop-condition": "off",
|
2026-01-31 15:58:24 +09:00
|
|
|
"oxc/no-accumulating-spread": "off",
|
2026-01-31 16:16:13 +09:00
|
|
|
"oxc/no-async-endpoint-handlers": "off",
|
2026-01-31 16:03:28 +09:00
|
|
|
"oxc/no-map-spread": "off",
|
2026-02-02 15:45:05 +09:00
|
|
|
"typescript/no-explicit-any": "error",
|
2026-01-31 16:16:13 +09:00
|
|
|
"typescript/no-extraneous-class": "off",
|
|
|
|
|
"typescript/no-unsafe-type-assertion": "off",
|
2026-01-31 16:03:28 +09:00
|
|
|
"unicorn/consistent-function-scoping": "off",
|
2026-01-31 16:16:13 +09:00
|
|
|
"unicorn/require-post-message-target-origin": "off"
|
2026-01-16 20:04:34 -07:00
|
|
|
},
|
2026-01-31 21:23:23 +09:00
|
|
|
"ignorePatterns": [
|
|
|
|
|
"assets/",
|
|
|
|
|
"dist/",
|
|
|
|
|
"docs/_layouts/",
|
fix: comprehensive BlueBubbles and channel cleanup (#11093)
* feat(bluebubbles): auto-strip markdown from outbound messages (#7402)
* fix(security): add timeout to webhook body reading (#6762)
Adds 30-second timeout to readBody() in voice-call, bluebubbles, and nostr
webhook handlers. Prevents Slow-Loris DoS (CWE-400, CVSS 7.5).
Merged with existing maxBytes protection in voice-call.
* fix(security): unify Error objects and lint fixes in webhook timeouts (#6762)
* fix: prevent plugins from auto-enabling without user consent (#3961)
Changes default plugin enabled state from true to false in enablePluginEntry().
Preserves existing enabled:true values. Fixes #3932.
* fix: apply hierarchical mediaMaxMb config to all channels (#8749)
Generalizes resolveAttachmentMaxBytes() to use account → channel → global
config resolution for all channels, not just BlueBubbles. Fixes #7847.
* fix(bluebubbles): sanitize attachment filenames against header injection (#10333)
Strip ", \r, \n, and \\ from filenames after path.basename() to prevent
multipart Content-Disposition header injection (CWE-93, CVSS 5.4).
Also adds sanitization to setGroupIconBlueBubbles which had zero filename
sanitization.
* fix(lint): exclude extensions/ from Oxlint preflight check (#9313)
Extensions use PluginRuntime|null patterns that trigger
no-redundant-type-constituents because PluginRuntime resolves to any.
Excluding extensions/ from Oxlint unblocks user upgrades.
Re-applies the approach from closed PR #10087.
* fix(bluebubbles): add tempGuid to createNewChatWithMessage payload (#7745)
Non-Private-API mode (AppleScript) requires tempGuid in send payloads.
The main sendMessageBlueBubbles already had it, but createNewChatWithMessage
was missing it, causing 400 errors for new chat creation without Private API.
* fix: send stop-typing signal when run ends with NO_REPLY (#8785)
Adds onCleanup callback to the typing controller that fires when the
controller is cleaned up while typing was active (e.g., after NO_REPLY).
Channels using createTypingCallbacks automatically get stop-typing on
cleanup. This prevents the typing indicator from lingering in group chats
when the agent decides not to reply.
* fix(telegram): deduplicate skill commands in multi-agent setup (#5717)
Two fixes:
1. Skip duplicate workspace dirs when listing skill commands across agents.
Multiple agents sharing the same workspace would produce duplicate commands
with _2, _3 suffixes.
2. Clear stale commands via deleteMyCommands before registering new ones.
Commands from deleted skills now get cleaned up on restart.
* fix: add size limits to unbounded in-memory caches (#4948)
Adds max-size caps with oldest-entry eviction to prevent OOM in
long-running deployments:
- BlueBubbles serverInfoCache: 64 entries (already has TTL)
- Google Chat authCache: 32 entries
- Matrix directRoomCache: 1024 entries
- Discord presenceCache: 5000 entries per account
* fix: address review concerns (#11093)
- Chain deleteMyCommands → setMyCommands to prevent race condition (#5717)
- Rename enablePluginEntry to registerPluginEntry (now sets enabled: false)
- Add Slow-Loris timeout test for readJsonBody (#6023)
2026-02-07 05:00:55 -08:00
|
|
|
"extensions/",
|
2026-01-31 21:23:23 +09:00
|
|
|
"node_modules/",
|
|
|
|
|
"patches/",
|
2026-02-17 09:20:04 +09:00
|
|
|
"pnpm-lock.yaml",
|
2026-01-31 21:23:23 +09:00
|
|
|
"skills/",
|
2026-02-16 23:31:54 +00:00
|
|
|
"src/auto-reply/reply/export-html/template.js",
|
2026-01-31 21:23:23 +09:00
|
|
|
"src/canvas-host/a2ui/a2ui.bundle.js",
|
|
|
|
|
"Swabble/",
|
2026-02-02 15:08:47 +09:00
|
|
|
"vendor/"
|
2026-01-31 21:23:23 +09:00
|
|
|
]
|
2026-01-16 19:55:10 -07:00
|
|
|
}
|