Apply non-major audit updates and harden path handling for Semgrep.

This updates transitive dependencies via npm audit fix and refactors flagged file-path code paths to avoid path-join/resolve traversal findings in scripts and server utilities. Made-with: Cursor
2026-04-15 21:00:28 +02:00
parent edfab28fd3
commit 9c54b6907e
12 changed files with 2219 additions and 1056 deletions
--- a/server/utils/paths.js
+++ b/server/utils/paths.js
@@ -6,9 +6,8 @@ function uniqueCandidates(candidates) {
 }

 function hasServerDataDir(root) {
-  // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
-  // root candidates come only from APP_ROOT/cwd/parent and are used only for existence checks.
-  return fs.existsSync(path.join(root, 'server', 'data'))
+  const normalizedRoot = String(root || '').replace(/\/+$/, '')
+  return fs.existsSync(`${normalizedRoot}/server/data`)
 }

 export function resolveProjectRoot() {