Summary
Audit identified security vulnerabilities, broken tooling, and type safety issues that need to be resolved.
Issues
Security
- Command injection in
browser.ts — exec() with unsanitized URL input allows arbitrary shell command execution
- Credential file permissions —
credentials.json created with default 0644 permissions, readable by all users on shared systems
Type Safety
- 5 TypeScript type errors —
pnpm typecheck fails (unsafe casts, missing paused status in union type, incompatible markedTerminal type)
Tooling
- Biome 2.x config broken —
biome.json uses deprecated v1.x keys (organizeImports, files.ignore), linter cannot run
- Lint auto-fixes — template literals, import sorting, unused imports
Reliability
- Infinite polling in contents command — async job handler has no timeout, can hang forever
- Hardcoded User-Agent —
valyu-cli/1.0.0 hardcoded in 4 places instead of using VERSION constant
Summary
Audit identified security vulnerabilities, broken tooling, and type safety issues that need to be resolved.
Issues
Security
browser.ts—exec()with unsanitized URL input allows arbitrary shell command executioncredentials.jsoncreated with default 0644 permissions, readable by all users on shared systemsType Safety
pnpm typecheckfails (unsafe casts, missingpausedstatus in union type, incompatiblemarkedTerminaltype)Tooling
biome.jsonuses deprecated v1.x keys (organizeImports,files.ignore), linter cannot runReliability
valyu-cli/1.0.0hardcoded in 4 places instead of usingVERSIONconstant