- Full repository audit across auth, request pipeline, account rotation, storage, and dependency supply chain.
- Severity focus: Critical, High, Medium.
- Remediation PR policy: fix-in-place for findings above threshold.
- Baseline: `npm audit` reported 4 vulnerabilities (3 high, 1 moderate), including direct `hono` exposure plus transitive `rollup`, `minimatch`, and `ajv`.
- Remediation: ran `npm audit fix`, updated the lockfile graph, and verified that `npm audit` reports zero vulnerabilities.
- OAuth redirect URI used `localhost` while the callback listener binds to `127.0.0.1`.
- On environments where `localhost` resolves to a non-IPv4 loopback address, this can cause callback failures.
- Remediation: aligned the redirect URI to `http://127.0.0.1:1455/auth/callback`.
- Hybrid account selection and current-account fast path did not enforce token availability.
- This could select accounts that are locally token-depleted and trigger avoidable request failures.
- Remediation:
- enforce token availability during current-account reuse and hybrid eligibility filtering;
- continue account traversal when local token consumption fails to avoid premature loop exit.
- OAuth callback server loaded `oauth-success.html` synchronously at module import with no fallback.
- If that asset was missing in a runtime package edge case, plugin startup could fail before the auth flow executed.
- Remediation:
- add resilient loader with warning telemetry;
- serve a built-in minimal success page when file load fails.
- enforce the `waitForCode(state)` contract by checking the captured callback state before returning a code.
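The callback-handling fixes above, as an added illustration rather than the audited plugin's own code: a loopback callback parser that releases the authorization code only when the returned `state` matches the one issued for this login attempt, plus a success-page loader that falls back to a built-in page when the asset cannot be read. The names `parseCallback`, `loadSuccessPage`, `FALLBACK_SUCCESS_PAGE` and the injected `readFile` function are assumptions; the redirect URI is the one from the audit.

```javascript
// Added example, not the project's code. Redirect URI uses the loopback IP
// (not "localhost") so it matches what the listener actually binds to.
const REDIRECT_URI = "http://127.0.0.1:1455/auth/callback";

// Built-in minimal page served when oauth-success.html cannot be loaded.
const FALLBACK_SUCCESS_PAGE =
  "<!doctype html><title>Signed in</title><p>Authentication complete. You may close this window.</p>";

// readFile is injected (e.g. (p) => fs.readFileSync(p, "utf8")) so the loader
// can be exercised without touching the filesystem. The result reports whether
// the fallback was used so the caller can emit warning telemetry.
function loadSuccessPage(readFile, path = "oauth-success.html") {
  try {
    const html = readFile(path);
    if (typeof html === "string" && html.length > 0) return { html, fallback: false };
  } catch (_err) {
    // asset missing or unreadable in this runtime package; fall through
  }
  return { html: FALLBACK_SUCCESS_PAGE, fallback: true };
}

// Inspect one callback request. The code is returned only when the path is the
// registered callback path and the state equals the expected value.
function parseCallback(expectedState, requestUrl) {
  const url = new URL(requestUrl, REDIRECT_URI);
  if (url.pathname !== new URL(REDIRECT_URI).pathname) return { ok: false, reason: "wrong_path" };
  const providerError = url.searchParams.get("error");
  if (providerError) return { ok: false, reason: providerError };
  const state = url.searchParams.get("state");
  const code = url.searchParams.get("code");
  if (!state || state !== expectedState) return { ok: false, reason: "state_mismatch" };
  if (!code) return { ok: false, reason: "missing_code" };
  return { ok: true, code };
}

// waitForCode(state): the promise settles only after a callback whose state
// matched; `handle` is what the HTTP server invokes with each request URL.
function waitForCode(expectedState) {
  let resolve;
  const codePromise = new Promise((r) => { resolve = r; });
  const handle = (requestUrl) => {
    const result = parseCallback(expectedState, requestUrl);
    if (result.ok) resolve(result.code);
    return result;
  };
  return { codePromise, handle };
}
```

A mismatched or absent `state` never resolves the promise, so a stray or forged request to the listener cannot hand a code to the waiting login flow.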
- `npm run lint`: pass
- `npm run typecheck`: pass
- `npm test`: pass
- `npm audit`: reports zero vulnerabilities
- This audit focused on root-cause correctness and supply-chain risk reduction, while preserving existing plugin APIs and storage format compatibility.