Highlights
Auth Bypass: 11 prior fixes. Scrutinize any change in this area.
apps/demo/src/apps/expenses/plugins/authorization.plugin.ts: most-fixed (2 issues). Treat as high-risk during review.
14 high-severity fixes in this history; regressions here are high-impact.
Recurring patterns
The bug types that recur here, drawn from past fixes, not open vulnerabilities.
Auth Bypass: Prioritizing untrusted client metadata over request context for session identification historically allowed complete authentication bypass. Future developers must strictly validate and enforce context-derived sessions over client-supplied headers.
Prototype Pollution: Parsing complex, external OpenAPI specifications and schemas frequently exposes the runtime to prototype pollution through unsafe key-path traversal of properties like constructor and __proto__. Strict key validation is required in all parsing routines.
Command Injection: Untrusted configuration structures and package installation pathways passed raw values down to child_process.spawn without strict command name allowlisting or safe escaping mechanisms.