Lexus2016/claude-code-studio v5.22.1 — Security & Bug Fixes

Security Fixes

  • Path traversal in attachments — sanitize filenames with path.basename() to prevent directory escape when saving uploaded attachments
  • XSS via javascript: URLs — filter javascript: protocol in markdown link renderer
  • Selector injection — use CSS.escape() for dynamic agent IDs in querySelector calls
  • SQL interpolation — parametrize SESSION_TTL_DAYS in cleanOldSessions() query

Bug Fixes

  • Orphan subprocess on session delete — abort running Claude subprocess before deleting session (single and bulk delete)
  • Orphan subprocess on task delete — abort running worker and kill by PID before deleting task
  • Unbounded memory (chat buffers) — cap per-session chat buffer at 2MB with sliding window eviction
  • Unbounded memory (message queue) — cap queue at 20 messages per tab; reject with error when full
  • Infinite loop in scheduler — guard scheduleNextRun with 10,000-iteration cap for stale recurring tasks
  • Typing indicator leak — add 30-minute safety timer to auto-stop Telegram typing interval on subprocess crash
  • WebSocket crash in finally block — wrap ws.send() in try/catch in processChat cleanup path
  • Password minlength mismatch — sync auth.html input validation to 8 characters (matches auth.js server-side check)
  • Buffer overflow in CLI — add console warning when CLI output buffer exceeds limit

i18n Improvements

  • Server-side i18n — new SERVER_I18N system for session/task default titles with getUserLang() config reader
  • Language-agnostic defaults — SQL DEFAULT values changed from hardcoded Ukrainian to English; runtime defaults follow user language preference
  • Smart title detection — DEFAULT_SESSION_TITLES Set replaces single-string comparison for detecting untitled sessions across all languages
  • 14 new translation keys — added to all 3 languages (uk/en/ru): chain progress statuses, MCP environment section, notification dismiss, Kanban dispatch, custom skills, remote file browser, drag handles, Telegram toasts
  • ~15 hardcoded strings replaced — UI strings now use t() function for proper localization
  • Variable shadowing fix — renamed t to tk in chain progress card renderer to avoid shadowing the global t() translation function
  • Dynamic bulk bar labels — updateHistBulkBar() now called on language switch

Files Changed

  • server.js (+96/-30) — security fixes, subprocess abort, i18n system, buffer caps
  • public/index.html (+51/-22) — XSS filter, CSS.escape, 14 new i18n keys, t() replacements
  • public/auth.html (+2/-2) — password minlength sync
  • claude-cli.js (+1/-1) — buffer overflow warning
  • package.json — version bump to 5.22.1

Installation

```bash
npx github:Lexus2016/claude-code-studio
```

Full Changelog: v5.22.0...v5.22.1