From c333c2289e57bf040b32846f18d669e3f8edad9b Mon Sep 17 00:00:00 2001 From: bradautomates Date: Sat, 9 May 2026 08:41:59 +1000 Subject: [PATCH] Release v0.1.3 - #2: harden subprocess argv against option injection - #4: read/write config files as UTF-8 on Windows Co-Authored-By: Claude Opus 4.7 (1M context) --- .claude-plugin/plugin.json | 2 +- CHANGELOG.md | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json index b815f76..7d99d9f 100644 --- a/.claude-plugin/plugin.json +++ b/.claude-plugin/plugin.json @@ -1,6 +1,6 @@ { "name": "watch", - "version": "0.1.2", + "version": "0.1.3", "description": "Let Claude watch a video. Downloads with yt-dlp, extracts auto-scaled frames with ffmpeg, pulls captions or falls back to Whisper, and hands frames + transcript to Claude so it can answer questions about the video.", "author": { "name": "Bradley Bonanno" diff --git a/CHANGELOG.md b/CHANGELOG.md index 091e063..6ad03c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,15 @@ All notable changes to `/watch` are documented here. +## [0.1.3] — 2026-05-09 + +### Fixed +- Windows: `video.info.json` is read as UTF-8 (#4). Previously `Path.read_text()` defaulted to cp1252 on Windows and crashed on yt-dlp's UTF-8 output, silently dropping Title/Uploader from the report. Same fix applied to `.env` reads/writes in `whisper.py` and `setup.py`. +- `download.py` now logs info.json parse failures to stderr instead of swallowing them. + +### Security +- Hardened subprocess argv against option injection (#2): inserted `--` before the URL in the yt-dlp argv, and tightened `is_url` to reject `-`-prefixed sources and require a non-empty netloc. Resolved video/audio paths to absolute via `Path.resolve()` before passing to `ffmpeg`/`ffprobe`, so a relative path starting with `-` can't be misinterpreted as a flag. + ## [0.1.2] — 2026-04-24 ### Fixed