Cursor Bugbot has reviewed your changes and found 2 potential issues.
| await server.listen(); | ||
| server.printUrls(); | ||
| // Keep the process alive | ||
| await new Promise(() => {}); |
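Review bot: the trailing await new Promise(() => {}) is not what keeps the process alive. Once server.listen() has resolved, the open listening socket keeps the Node event loop running by itself; the never-resolving await only stops startDevServer from ever returning to its caller. Drop that line, or return the server object so the caller can report readiness and decide when to close it.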
Never-resolving promise makes caller messages unreachable
Medium Severity
startDevServer ends with await new Promise(() => {}), which never resolves. In createCommand, await startDevServer(port) on line 15 therefore blocks forever, making the "Ready at http://localhost:..." and "Press Ctrl+C to stop" console messages on lines 17–18 completely unreachable. Users will never see feedback that the server is ready.
| const filePath = path.join(appRoot, urlPath); | ||
|
|
||
| // Prevent path traversal | ||
| if (!filePath.startsWith(appRoot)) { |
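Review bot: filePath.startsWith(appRoot) is a plain string-prefix test, so a path under a sibling directory whose name begins with the same prefix (app-dist-secrets next to app-dist) passes it. Compare against appRoot + path.sep instead, allowing filePath === appRoot for the root itself, and make sure appRoot has been passed through path.resolve first so the comparison is against an absolute, normalized string rather than whatever relative form it was built from.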
Path traversal check missing trailing separator
Low Severity
The path traversal guard uses filePath.startsWith(appRoot) without appending a path separator to appRoot. A crafted URL targeting a sibling directory whose name shares the app-dist prefix (e.g., app-dist-secrets) would pass this check, since startsWith performs a pure string-prefix match. Appending path.sep to appRoot in the comparison would close this gap.
What does this PR do?
Fixed running via npx
Type of Change
Packages Affected
@mobile-reality/mdma-cli
Note
Medium Risk
Replaces the Vite-powered dev server with a custom static HTTP server, which could change routing/asset serving behavior and affect the CLI's web UI startup. Risk is limited to local development/runtime behavior (no backend data/auth changes).
Overview
Fixes running the CLI via npx by removing the Vite dev server dependency at runtime and serving the prebuilt app-dist directly from a Node http server. The new server includes basic MIME-type handling, SPA index.html fallback for unknown routes, and a simple path-traversal guard, and it opens the browser on startup. Also bumps the @mobile-reality/mdma-cli version to 0.1.2.
Written by Cursor Bugbot for commit 16938eb.