github momenbasel/PureMac v2.1.0
8 hours ago

v2.1.0

Universal binary (Intel + Apple Silicon).

Security hardening

Five reported vulnerabilities closed - all exploitable with a prior same-UID foothold, no admin/root required.

  • Allow-list bypass via hasPrefix without trailing separator (#47) - sibling paths like /tmpfoo/victim.secret could pass the whole-subtree check for /tmp. Fixed with a separator-anchored prefix match in CleaningEngine.isSafeToDelete and OrphanSafetyPolicy.isSafeCandidate.
  • Zero-click cache deletion via HOMEBREW_CACHE + pre-seeded ScheduleConfig (#48). scanBrewCache now strips HOMEBREW_* from the child env and validates brew --cache output against a known-roots allow-list. Downloads, Documents, and Desktop removed from the whole-subtree allow-list (still deletable as per-file large-file items). SchedulerService.init discards a stale nextRunDate; AppState.init gates scheduler.start() on OnboardingComplete.
  • TOCTOU between symlink check and removeItem (#49). CleaningEngine.cleanItems now deletes through the resolved URL and re-resolves + re-verifies the resolved path immediately before the unlink.
  • App-uninstaller short-name bomb + unchecked removeItem (#50). Minimum 5-char token length enforced on app-name / path-component / letters-only / bundle-last-two / base-bundle / stripped-name / company / team-ID matches. Bundle-ID condition matching is now anchored (==, hasPrefix(cond + "."), or hasSuffix("." + cond)) instead of an unanchored contains - stops com.evil.jetbrainsapp from hijacking the jetbrains rule. AppState.removeSelectedFiles and OrphanSafetyPolicy refuse any high-risk home dotpath.
  • Removing Claude.ai webapp deleted ~/.claude (#51). Locations.appSearch.paths no longer includes bare $HOME, so top-level home dotfiles are not scanned as app artifacts. A new highRiskHomeDotPaths list in Conditions.swift (~/.claude, ~/.ssh, ~/.aws, ~/.kube, ~/.docker, ~/.gnupg, ~/.config, cloud/CLI-tool configs, shell histories) is unconditionally skipped by the scanner and the uninstaller selection guard.
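
The sibling-path bypass from #47, as an added example (not PureMac's own code): a plain hasPrefix check next to a component-anchored one, run over constructed sample paths. The function names and sample paths are hypothetical, and comparing whole path components goes slightly beyond the trailing-separator fix the notes describe.

```swift
import Foundation

/// Vulnerable form: raw string prefix, so "/tmpfoo/..." matches the root "/tmp".
func isInsideNaive(_ path: String, root: String) -> Bool {
    return path.hasPrefix(root)
}

/// Splits an absolute path into components, dropping "." and empty parts.
/// Returns nil for relative paths and for any ".." component: the check is
/// purely lexical, so traversal is rejected rather than collapsed.
func pathComponents(_ path: String) -> [String]? {
    guard path.hasPrefix("/") else { return nil }
    var parts: [String] = []
    for part in path.split(separator: "/", omittingEmptySubsequences: true) {
        switch part {
        case ".": continue
        case "..": return nil
        default: parts.append(String(part))
        }
    }
    return parts
}

/// Hardened form: the candidate must sit strictly below the root and share
/// every one of the root's components. Equivalent to hasPrefix(root + "/")
/// on a normalized path, but also tolerant of "//", "/./" and trailing slashes.
/// Symlinks are not resolved here; feed this the already-resolved path.
func isInsideAnchored(_ path: String, root: String) -> Bool {
    guard let p = pathComponents(path),
          let r = pathComponents(root),
          !r.isEmpty else { return false }   // never treat "/" as a deletable root
    return p.count > r.count && p.starts(with: r)
}

// Constructed sample paths; "/tmp" is the allow-listed root named in the notes.
let samples = [
    "/tmp/cache/blob.bin",         // genuinely under /tmp
    "/tmpfoo/victim.secret",       // sibling path from the release notes
    "/tmp",                        // the root itself
    "/tmp//./cache/x",             // redundant separators
    "/tmp/../Users/me/notes.txt",  // traversal out of the root
]
for s in samples {
    print(s,
          "naive:", isInsideNaive(s, root: "/tmp"),
          "anchored:", isInsideAnchored(s, root: "/tmp"))
}
```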

UI fixes

  • Home page lost after redirecting to side tabs (#69). Smart Scan is now pinned to a dedicated Home section at the top of the sidebar, so it is always reachable.
  • Installed Apps sort not working (#59). Application and Size columns are sortable via KeyPathComparator.
  • Sidebar expands indefinitely in Installed Apps (#60). Left pane of the internal HSplitView capped at maxWidth: 600.
  • About-box version mismatch (#44, #46, #57, #64). Info.plist now uses $(MARKETING_VERSION) / $(CURRENT_PROJECT_VERSION) macros instead of hardcoded 1.0.1/3. The shipped bundle now reports 2.1.0 (5).

Other landed work

  • Data-race fix in AppPathFinder.shouldSkipItem (#67)
  • CLI dispatch only enters CLI mode for known commands - Xcode's -NSDocumentRevisionsDebugMode and LaunchServices -psn_<pid> no longer hijack launch (#68)
  • New Docker Cache cleaning category (#36, closes #1)
  • Spanish (es) localization + multilingual README (#65)

Install

brew tap momenbasel/tap
brew install --cask puremac

Or download PureMac-2.1.0.dmg below.
