




















@@ -18,18 +18,21 @@ type PublishablePluginPackage = {
1818packageName: string;
1919};
202021-const REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
21+const REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
2222"@openclaw/acpx:dangerous-exec:src/codex-auth-bridge.ts",
2323"@openclaw/acpx:dangerous-exec:src/runtime-internals/mcp-proxy.mjs",
24-"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
25-"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
2624"@openclaw/codex:dangerous-exec:src/app-server/transport-stdio.ts",
27-"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
2825"@openclaw/google-meet:dangerous-exec:src/node-host.ts",
2926"@openclaw/google-meet:dangerous-exec:src/realtime.ts",
30-"@openclaw/google-meet:dangerous-exec:dist/index.js",
3127"@openclaw/voice-call:dangerous-exec:src/tunnel.ts",
3228"@openclaw/voice-call:dangerous-exec:src/webhook/tailscale.ts",
29+]);
30+31+const OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS = new Set([
32+"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
33+"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
34+"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
35+"@openclaw/google-meet:dangerous-exec:dist/index.js",
3336"@openclaw/voice-call:dangerous-exec:dist/runtime-entry-<hash>.js",
3437]);
3538@@ -142,9 +145,18 @@ describe("publishable plugin npm package install security scan", () => {
142145it("keeps npm-published plugin files clear of unexpected critical hits", async () => {
143146const unexpectedCriticalFindings: string[] = [];
144147const reviewedCriticalFindings = new Set<string>();
148+const expectedReviewedCriticalFindings = new Set(
149+REQUIRED_REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS,
150+);
145151146152for (const plugin of collectPublishablePluginPackages()) {
147153const packedFiles = collectNpmPackedFiles(plugin.packageDir, plugin.packageName);
154+for (const packedFile of packedFiles) {
155+const key = `${plugin.packageName}:dangerous-exec:${normalizePackedFindingPath(packedFile)}`;
156+if (OPTIONAL_REVIEWED_PUBLISHABLE_DIST_CRITICAL_FINDINGS.has(key)) {
157+expectedReviewedCriticalFindings.add(key);
158+}
159+}
148160const stageDir = stageScannerRelevantPackedFiles(plugin.packageDir, packedFiles);
149161const summary = await scanDirectoryWithSummary(stageDir, {
150162excludeTestFiles: true,
@@ -159,7 +171,7 @@ describe("publishable plugin npm package install security scan", () => {
159171relative(stageDir, finding.file).split(sep).join("/"),
160172);
161173const key = `${plugin.packageName}:${finding.ruleId}:${packedPath}`;
162-if (REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS.has(key)) {
174+if (expectedReviewedCriticalFindings.has(key)) {
163175reviewedCriticalFindings.add(key);
164176continue;
165177}
@@ -169,7 +181,7 @@ describe("publishable plugin npm package install security scan", () => {
169181170182expect(unexpectedCriticalFindings).toEqual([]);
171183expect([...reviewedCriticalFindings].toSorted()).toEqual(
172-[...REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS].toSorted(),
184+[...expectedReviewedCriticalFindings].toSorted(),
173185);
174186});
175187});
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。