From a116b95199c48cbbb7ad5f2f3d89e4931f065cc5 Mon Sep 17 00:00:00 2001
From: Simos Mikelatos
Date: Wed, 11 Mar 2026 20:24:17 +0100
Subject: [PATCH 1/3] Update .env.example

---
 .env.example | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.env.example b/.env.example
index 0a237e4..d18b97e 100755
--- a/.env.example
+++ b/.env.example
@@ -42,4 +42,4 @@ HOST=0.0.0.0
 VITE_CONTEXT_WINDOW=160000
 CONTEXT_WINDOW=160000
-# VITE_IS_PLATFORM=false
+

From b9c902b016f411a942c8707dd07d32b60bad087c Mon Sep 17 00:00:00 2001
From: simosmik
Date: Wed, 11 Mar 2026 22:04:38 +0000
Subject: [PATCH 2/3] fix(security): disable executable gray-matter frontmatter in commands

---
 server/routes/commands.js | 8 ++++----
 server/utils/commandParser.js | 4 ++--
 server/utils/frontmatter.js | 18 ++++++++++++++++++
 3 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 server/utils/frontmatter.js

diff --git a/server/routes/commands.js b/server/routes/commands.js
index 5446734..388a8f7 100644
--- a/server/routes/commands.js
+++ b/server/routes/commands.js
@@ -3,8 +3,8 @@ import { promises as fs } from 'fs';
 import path from 'path';
 import { fileURLToPath } from 'url';
 import os from 'os';
-import matter from 'gray-matter';
 import { CLAUDE_MODELS, CURSOR_MODELS, CODEX_MODELS } from '../../shared/modelConstants.js';
+import { parseFrontmatter } from '../utils/frontmatter.js';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = path.dirname(__filename);
@@ -38,7 +38,7 @@ async function scanCommandsDirectory(dir, baseDir, namespace) {
 // Parse markdown file for metadata
 try {
 const content = await fs.readFile(fullPath, 'utf8');
- const { data: frontmatter, content: commandContent } = matter(content);
+ const { data: frontmatter, content: commandContent } = parseFrontmatter(content);
 
 // Calculate relative path from baseDir for command name
 const relativePath = path.relative(baseDir, fullPath);
@@ -475,7 +475,7 @@ router.post('/load', async (req, res) => {
 
 // Read and parse the command file
 const content = await fs.readFile(commandPath, 'utf8');
- const { data: metadata, content: commandContent } = matter(content);
+ const { data: metadata, content: commandContent } = parseFrontmatter(content);
 
 res.json({
 path: commandPath,
@@ -560,7 +560,7 @@ router.post('/execute', async (req, res) => {
 }
 }
 const content = await fs.readFile(commandPath, 'utf8');
- const { data: metadata, content: commandContent } = matter(content);
+ const { data: metadata, content: commandContent } = parseFrontmatter(content);
 
 // Basic argument replacement (will be enhanced in command parser utility)
 let processedContent = commandContent;
diff --git a/server/utils/commandParser.js b/server/utils/commandParser.js
index 11af5c7..56e3f70 100644
--- a/server/utils/commandParser.js
+++ b/server/utils/commandParser.js
@@ -1,9 +1,9 @@
-import matter from 'gray-matter';
 import { promises as fs } from 'fs';
 import path from 'path';
 import { execFile } from 'child_process';
 import { promisify } from 'util';
 import { parse as parseShellCommand } from 'shell-quote';
+import { parseFrontmatter } from './frontmatter.js';
 
 const execFileAsync = promisify(execFile);
 
@@ -32,7 +32,7 @@ const BASH_COMMAND_ALLOWLIST = [
 */
 export function parseCommand(content) {
 try {
- const parsed = matter(content);
+ const parsed = parseFrontmatter(content);
 return {
 data: parsed.data || {},
 content: parsed.content || '',
diff --git a/server/utils/frontmatter.js b/server/utils/frontmatter.js
new file mode 100644
index 0000000..0a4b1eb
--- /dev/null
+++ b/server/utils/frontmatter.js
@@ -0,0 +1,18 @@
+import matter from 'gray-matter';
+
+const disabledFrontmatterEngine = () => ({});
+
+const frontmatterOptions = {
+ language: 'yaml',
+ // Disable JS/JSON frontmatter parsing to avoid executable project content.
+ // Mirrors Gatsby's mitigation for gray-matter.
+ engines: {
+ js: disabledFrontmatterEngine,
+ javascript: disabledFrontmatterEngine,
+ json: disabledFrontmatterEngine
+ }
+};
+
+export function parseFrontmatter(content) {
+ return matter(content, frontmatterOptions);
+}

From 4b1e17ea3874bc7ad10f8284da67652a580ebfcd Mon Sep 17 00:00:00 2001
From: simosmik
Date: Wed, 11 Mar 2026 22:37:28 +0000
Subject: [PATCH 3/3] chore(release): v1.25.2

---
 CHANGELOG.md | 17 +++++++++++++++++
 package-lock.json | 4 ++--
 package.json | 2 +-
 3 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6642040..4c78f59 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
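Review bot: `disabledFrontmatterEngine` turns a `---js`, `---javascript` or `---json` block into `data: {}` while, as far as gray-matter's parse path goes, the block is still stripped from `content`, so a command file that requests an executable engine loads as a valid command with empty metadata and nothing records that it was refused — at the `scanCommandsDirectory`, `/load` and `/execute` call sites in commands.js it is indistinguishable from a file with no frontmatter. Making the refusal observable is cheap: `const disabledFrontmatterEngine = () => { throw new Error('Executable frontmatter engines (js/javascript/json) are disabled'); };` lets the existing `try` blocks in `scanCommandsDirectory` and `parseCommand` treat the file as unparseable, though if the `/load` and `/execute` handlers are not inside a `try` (their hunks don't show one) a `console.warn` in the stub that still returns `{}` is the lower-risk option. `parseFrontmatter` should also carry a short JSDoc, e.g. `/** Parse markdown frontmatter with gray-matter, honouring YAML only; the js/javascript/json engines are stubbed so project files cannot execute code on load. */`. A regression test asserting that `parseFrontmatter('---js\n({})\n---\nbody').data` is `{}` (or throws, whichever is chosen) would pin the mitigation against a future gray-matter upgrade or options refactor.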
@@ -3,6 +3,23 @@ All notable changes to CloudCLI UI will be documented in this file.
+## [1.25.2](https://github.com/siteboon/claudecodeui/compare/v1.25.0...v1.25.2) (2026-03-11)
+
+### New Features
+
+* **i18n:** localize plugin settings for all languages ([#515](https://github.com/siteboon/claudecodeui/issues/515)) ([621853c](https://github.com/siteboon/claudecodeui/commit/621853cbfb4233b34cb8cc2e1ed10917ba424352))
+
+### Bug Fixes
+
+* codeql user value provided path validation ([aaa14b9](https://github.com/siteboon/claudecodeui/commit/aaa14b9fc0b9b51c4fb9d1dba40fada7cbbe0356))
+* numerous bugs ([#528](https://github.com/siteboon/claudecodeui/issues/528)) ([a77f213](https://github.com/siteboon/claudecodeui/commit/a77f213dd5d0b2538dea091ab8da6e55d2002f2f))
+* **security:** disable executable gray-matter frontmatter in commands ([b9c902b](https://github.com/siteboon/claudecodeui/commit/b9c902b016f411a942c8707dd07d32b60bad087c))
+* session reconnect catch-up, always-on input, frozen session recovery ([#524](https://github.com/siteboon/claudecodeui/issues/524)) ([4d8fb6e](https://github.com/siteboon/claudecodeui/commit/4d8fb6e30aa03d7cdb92bd62b7709422f9d08e32))
+
+### Refactoring
+
+* new settings page design and new pill component ([8ddeeb0](https://github.com/siteboon/claudecodeui/commit/8ddeeb0ce8d0642560bd3fa149236011dc6e3707))
+
 ## [1.25.0](https://github.com/siteboon/claudecodeui/compare/v1.24.0...v1.25.0) (2026-03-10)
 ### New Features
diff --git a/package-lock.json b/package-lock.json
index 5b9e460..82ad891 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@ { "name": "@siteboon/claude-code-ui", - "version": "1.25.0", + "version": "1.25.2", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@siteboon/claude-code-ui", - "version": "1.25.0", + "version": "1.25.2", "hasInstallScript": true, "license": "GPL-3.0", "dependencies": {
diff --git a/package.json b/package.json
index 4dcfc0e..aad66d0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@siteboon/claude-code-ui",
- "version": "1.25.0",
+ "version": "1.25.2",
 "description": "A web-based UI for Claude Code CLI",
 "type": "module",
 "main": "server/index.js",