perry

v0.5.1159 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 3d Build & Package

Topics

android compile harmonyos ios llvm macos native smc typescript watchos windows

Affected surfaces

rce_ssrf

ReleasePort's take

Moderate signal

The perry v0.5.1159 release fixes a path traversal / arbitrary file write vulnerability in the `perry publish` command (GHSA-x55v-q459-68ch).

Why it matters: Addresses advisory GHSA-x55v-q459-68ch, which enables arbitrary file writes via path traversal; upgrade to v0.5.1159 immediately.

Summary

AI summary

Fixes arbitrary file write via path traversal in perry publish (GHSA-x55v-q459-68ch).

Changes in this release

Security Critical

Fixes path traversal / arbitrary file write in perry publish (GHSA-x55v-q459-68ch).

Source: llm_adapter@2026-06-11

Confidence: high

Full changelog

Security release

Fixes a path traversal / arbitrary file write in `perry publish`. GHSA-x55v-q459-68ch (CVSS 4.0 8.6, High, CWE-22).

`perry publish` trusted the build server's `ArtifactReady.artifact_name` and `download_path` verbatim when constructing the local destination path. A malicious or compromised hub could deliver a traversal payload (e.g. `../../.ssh/authorized_keys`) to write downloaded content outside the chosen output directory (arbitrary file write), and in the self-hosted-hub local-copy path could copy out arbitrary local files (arbitrary read). The primary multi-victim vector is a malicious PR that sets `[publish] server = "…"` in a repo's perry.toml; CI runs receive no confirmation prompt.

All versions through v0.5.1158 are affected. Upgrade to v0.5.1159.

  • fix(publish): sanitize server-controlled artifact path — reduce artifact_name to a bare, traversal-free filename and gate the download_path local-copy shortcut to loopback hubs (#4989)
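The two checks that bullet describes, in hardened form, as an added example written for this page. It is not perry's own code; the function names, the host-string argument and the sample inputs are assumptions.

```rust
use std::net::IpAddr;
use std::path::{Component, Path, PathBuf};

/// Reduce a hub-supplied `artifact_name` to a bare, traversal-free filename.
/// Anything with a root, a parent/current-dir component, a second path
/// component, or an embedded NUL is rejected rather than "cleaned", so a
/// payload like `../../.ssh/authorized_keys` never reaches the join below.
/// (Hypothetical helper; not perry's implementation.)
pub fn sanitize_artifact_name(raw: &str) -> Option<String> {
    if raw.is_empty() || raw.contains('\0') {
        return None;
    }
    // Treat backslashes as separators too, whatever the host OS.
    let normalized = raw.replace('\\', "/");
    let mut comps = Path::new(&normalized).components();
    match (comps.next(), comps.next()) {
        (Some(Component::Normal(n)), None) => Some(n.to_str()?.to_string()),
        _ => None,
    }
}

/// Destination inside the user-chosen output directory. Only a sanitized
/// name is ever joined, so the result cannot escape `out_dir`.
pub fn destination(out_dir: &Path, raw_name: &str) -> Option<PathBuf> {
    Some(out_dir.join(sanitize_artifact_name(raw_name)?))
}

/// Gate for the `download_path` local-copy shortcut: the hub host must be
/// loopback. Assumes the caller passes the host part of the server URL
/// (no scheme or port); "localhost" is accepted as the conventional alias.
pub fn hub_is_loopback(host: &str) -> bool {
    if host.eq_ignore_ascii_case("localhost") {
        return true;
    }
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    bare.parse::<IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
}

fn main() {
    // Constructed sample inputs mirroring the advisory's example payload.
    let out = Path::new("/tmp/perry-out");
    for name in ["app-linux-x64", "../../.ssh/authorized_keys"] {
        println!("{name:?} -> {:?}", destination(out, name));
    }
    println!("local copy allowed for hub.example.com: {}", hub_is_loopback("hub.example.com"));
}
```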

Reported by @wsparks-vc.

Security Fixes

  • GHSA-x55v-q459-68ch — Arbitrary file write via path traversal in `perry publish` (CVSS 8.6, High, CWE-22).

About perry

A native TypeScript compiler written in Rust. Compiles TypeScript directly to executables using SWC and LLVM.

Earlier breaking changes

  • v0.5.1158 `cluster` workers share a listening port using SO_REUSEPORT and IPC round-trip.
  • v0.5.1158 Streams now support BYOB readers and real `ByteLengthQueuingStrategy` accounting.
  • v0.5.1158 `Atomics.wait`, `notify`, and `waitAsync` now block and wake across agents using a shared `SharedArrayBuffer`.
  • v0.5.1158 `node:dns` and `node:dgram` perform real network I/O instead of stub behavior.
  • v0.5.1158 `AsyncLocalStorage` and `async_hooks` now propagate context across await, microtasks, timers, and `process.nextTick`.