orcs-oss/orcs-code
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: remove runtime require of unverified modifiers-napi package

Browse Source 
Fixes #7. The modifiers-napi package is an Anthropic-internal native
addon, but a package with the same name exists on npm and could be a
supply chain attack vector. The build script already stubs it, but
the source code had live require() calls that would execute when
running without the bundler (e.g. bun dev, ts-node).

Replaced both functions with safe no-ops since modifier key detection
is not needed in the open-source build. Build verified passing.
This commit is contained in:
salmanrajz
2026-04-01 12:10:31 +04:00
parent 2d7aa9c841
commit cb24750cb7
1 changed files with 10 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/utils/modifiers.ts
View File

@@ -1,36 +1,22 @@
export type ModifierKey = 'shift' | 'command' | 'control' | 'option' export type ModifierKey = 'shift' | 'command' | 'control' | 'option'
let prewarmed = false
/** /**
* Pre-warm the native module by loading it in advance. * Pre-warm the native module by loading it in advance.
* Call this early to avoid delay on first use. *
* NOTE: The `modifiers-napi` package is an Anthropic-internal native addon
* that is not shipped with the open-source build. All calls are no-ops here
* to avoid supply-chain risk from unverified npm packages with the same name.
*/ */
export function prewarmModifiers(): void { export function prewarmModifiers(): void {
if (prewarmed || process.platform !== 'darwin') { // No-op in open-source build — native modifier detection is not available.
return
}
prewarmed = true
// Load module in background
try {
// eslint-disable-next-line @typescript-eslint/no-require-imports
const { prewarm } = require('modifiers-napi') as { prewarm: () => void }
prewarm()
} catch {
// Ignore errors during prewarm
}
} }
/** /**
* Check if a specific modifier key is currently pressed (synchronous). * Check if a specific modifier key is currently pressed (synchronous).
*
* Always returns false in the open-source build since the native addon
* is not available.
*/ */
export function isModifierPressed(modifier: ModifierKey): boolean { export function isModifierPressed(_modifier: ModifierKey): boolean {
if (process.platform !== 'darwin') {
return false return false
}
// Dynamic import to avoid loading native module at top level
const { isModifierPressed: nativeIsModifierPressed } =
// eslint-disable-next-line @typescript-eslint/no-require-imports
require('modifiers-napi') as { isModifierPressed: (m: string) => boolean }
return nativeIsModifierPressed(modifier)
} }