hermes-agent

mirrors/hermes-agent

Fork 0

mirror of https://github.com/NousResearch/hermes-agent.git synced 2026-06-11 08:42:11 +00:00

Commit graph

Author	SHA1	Message	Date
Teknium	c0424b06af	fix(osv_check): honor npx --package/-p install target when parsing package arg (#40567 ) Salvaged from #40461; cleaned up, re-verified against main, tests added. Co-authored-by: HeLLGURD <HeLLGURD@users.noreply.github.com>	2026-06-06 18:30:39 -07:00
kshitij	2ec8d2b42f	chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937 ) Replace with for all literal-tuple membership tests. Set lookup is O(1) vs O(n) for tuple — consistent micro-optimization across the codebase. 608 instances fixed via `ruff --fix --unsafe-fixes`, 0 remaining. 133 files, +626/-626 (net zero).	2026-05-11 11:13:25 -07:00
Teknium	4494fba140	feat: OSV malware check for MCP extension packages (#5305 ) Before launching an MCP server via npx/uvx, queries the OSV (Open Source Vulnerabilities) API to check if the package has known malware advisories (MAL-* IDs). Regular CVEs are ignored — only confirmed malware is blocked. - Free, public API (Google-maintained), ~300ms per query - Runs once per MCP server launch, inside _run_stdio() before subprocess spawn - Parallel with other MCP servers (asyncio.gather already in place) - Fail-open: network errors, timeouts, unrecognized commands → allow - Parses npm (scoped @scope/pkg@version) and PyPI (name[extras]==version) Inspired by Block/goose extension malware check.	2026-04-05 12:46:07 -07:00

Author

SHA1

Message

Date

Teknium

c0424b06af

fix(osv_check): honor npx --package/-p install target when parsing package arg (#40567 )

Salvaged from #40461; cleaned up, re-verified against main, tests added.

Co-authored-by: HeLLGURD <HeLLGURD@users.noreply.github.com>

2026-06-06 18:30:39 -07:00

kshitij

2ec8d2b42f

chore: ruff auto-fix PLR6201 — tuple → set in membership tests (#23937 )

Replace  with  for all literal-tuple
membership tests. Set lookup is O(1) vs O(n) for tuple — consistent
micro-optimization across the codebase.

608 instances fixed via `ruff --fix --unsafe-fixes`, 0 remaining.
133 files, +626/-626 (net zero).

2026-05-11 11:13:25 -07:00

Teknium

4494fba140

feat: OSV malware check for MCP extension packages (#5305 )

Before launching an MCP server via npx/uvx, queries the OSV (Open Source
Vulnerabilities) API to check if the package has known malware advisories
(MAL-* IDs). Regular CVEs are ignored — only confirmed malware is blocked.

- Free, public API (Google-maintained), ~300ms per query
- Runs once per MCP server launch, inside _run_stdio() before subprocess spawn
- Parallel with other MCP servers (asyncio.gather already in place)
- Fail-open: network errors, timeouts, unrecognized commands → allow
- Parses npm (scoped @scope/pkg@version) and PyPI (name[extras]==version)

Inspired by Block/goose extension malware check.

2026-04-05 12:46:07 -07:00

3 commits