From cc744f5681eafb098a1d15fd46dc6baf64db7fbd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 16 Jan 2026 11:11:23 +0000
Subject: [PATCH 1/2] Initial plan


From ae14e8764c56695b8ee8c9f3037ee44c9e4e0957 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 16 Jan 2026 11:14:13 +0000
Subject: [PATCH 2/2] Fix path traversal vulnerability in setup.ts

Co-authored-by: toolate28 <105518313+toolate28@users.noreply.github.com>
---
 scripts/setup.ts | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/scripts/setup.ts b/scripts/setup.ts
index ae2617d..716685f 100644
--- a/scripts/setup.ts
+++ b/scripts/setup.ts
@@ -15,7 +15,7 @@
 import { $ } from "bun";
 import { existsSync, rmSync } from "fs";
 import { mkdir, writeFile } from "fs/promises";
-import { join } from "path";
+import { join, resolve } from "path";
 
 const ROOT_DIR = join(import.meta.dir, "..");
 const ATOM_TRAIL_DIR = join(ROOT_DIR, ".atom-trail");
@@ -101,9 +101,11 @@ async function installDependencies(force: boolean): Promise<boolean> {
     const nodeModulesPath = join(ROOT_DIR, "node_modules");
     if (force) {
       log("step", "Force reinstalling dependencies...");
-      // Validate path before removal for safety
-      if (existsSync(nodeModulesPath) && nodeModulesPath.endsWith("node_modules")) {
-        rmSync(nodeModulesPath, { recursive: true, force: true });
+      // Validate path before removal for safety - ensure it resolves to expected location
+      const resolvedPath = resolve(nodeModulesPath);
+      const expectedPath = resolve(ROOT_DIR, "node_modules");
+      if (existsSync(resolvedPath) && resolvedPath === expectedPath) {
+        rmSync(resolvedPath, { recursive: true, force: true });
       }
       await $`cd ${ROOT_DIR} && bun install`.quiet();
     } else {