



























@@ -21,11 +21,16 @@ type PublishablePluginPackage = {
2121const REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS = new Set([
2222"@openclaw/acpx:dangerous-exec:src/codex-auth-bridge.ts",
2323"@openclaw/acpx:dangerous-exec:src/runtime-internals/mcp-proxy.mjs",
24+"@openclaw/acpx:dangerous-exec:dist/mcp-proxy.mjs",
25+"@openclaw/acpx:dangerous-exec:dist/service-<hash>.js",
2426"@openclaw/codex:dangerous-exec:src/app-server/transport-stdio.ts",
27+"@openclaw/codex:dangerous-exec:dist/client-<hash>.js",
2528"@openclaw/google-meet:dangerous-exec:src/node-host.ts",
2629"@openclaw/google-meet:dangerous-exec:src/realtime.ts",
30+"@openclaw/google-meet:dangerous-exec:dist/index.js",
2731"@openclaw/voice-call:dangerous-exec:src/tunnel.ts",
2832"@openclaw/voice-call:dangerous-exec:src/webhook/tailscale.ts",
33+"@openclaw/voice-call:dangerous-exec:dist/runtime-entry-<hash>.js",
2934]);
30353136const tempDirs: string[] = [];
@@ -72,6 +77,15 @@ function isScannerWalkedPackedPath(packedPath: string): boolean {
7277);
7378}
747980+function normalizePackedFindingPath(packedPath: string): string {
81+for (const prefix of ["client", "runtime-entry", "service"]) {
82+if (packedPath.startsWith(`dist/${prefix}-`) && packedPath.endsWith(".js")) {
83+return `dist/${prefix}-<hash>.js`;
84+}
85+}
86+return packedPath;
87+}
88+7589function stageScannerRelevantPackedFiles(
7690packageDir: string,
7791packedFiles: readonly string[],
@@ -141,7 +155,9 @@ describe("publishable plugin npm package install security scan", () => {
141155if (finding.severity !== "critical") {
142156continue;
143157}
144-const packedPath = relative(stageDir, finding.file).split(sep).join("/");
158+const packedPath = normalizePackedFindingPath(
159+relative(stageDir, finding.file).split(sep).join("/"),
160+);
145161const key = `${plugin.packageName}:${finding.ruleId}:${packedPath}`;
146162if (REVIEWED_PUBLISHABLE_CRITICAL_FINDINGS.has(key)) {
147163reviewedCriticalFindings.add(key);
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。