[pull] main from perplexityai:main#13

Merged: pull[bot] merged 3 commits into Iovionew:main from perplexityai:main on Jun 17, 2026
@pull pull Bot commented Jun 17, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

thom-pplx and others added 3 commits June 15, 2026 15:49
- BIND_ADDRESS defaults to 127.0.0.1 (was 0.0.0.0)
- ALLOWED_ORIGINS defaults to empty (was "*")
- Add ALLOWED_HOSTS for Host header allowlisting
- Reject Origin: null unless explicitly allowlisted
- Log a warning at startup when BIND_ADDRESS=0.0.0.0 or ALLOWED_ORIGINS=*
- Rename :public scripts to :UNSAFE-public to make config visible
- Add SECURITY.md and configuration notes
- Refactor http.ts to export createHttpApp() for testability
- Add regression tests for CORS, Origin: null, and Host allowlist
…or disallowed Origin

- Startup banners (BIND_ADDRESS=0.0.0.0, ALLOWED_ORIGINS=*, listening
  banner) now write directly to stderr instead of going through the
  level-gated logger, which defaults to ERROR. Without this, the
  banners were silently dropped under default config.
- Disallowed cross-origin preflights now return 403 with a JSON-RPC
  error body instead of the default Express 500. Mirrors the 421
  emitted by the Host header check.
- Tests: 3 new banner tests (spy on console.error); existing CORS
  rejection tests upgraded to assert 403 + JSON-RPC body.
chore(http): tighten default config for HTTP transport
@pull pull Bot locked and limited conversation to collaborators Jun 17, 2026
@pull pull Bot added the ⤵️ pull label Jun 17, 2026
@pull pull Bot merged commit 7c89934 into Iovionew:main Jun 17, 2026
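
The checks listed in the commit messages above, sketched as an added example in plain JavaScript; this is not code from this pull request or from the project's http.ts. The helper names, the -32000 error code, the handling of an empty ALLOWED_HOSTS, the rule that `*` does not admit `Origin: null`, and the sample values are assumptions; only the environment variable names, the defaults and the 421/403 statuses come from the commits.

```javascript
// Added illustration; helper names are hypothetical, not the project's http.ts.
// Only the env var names, defaults and 421/403 statuses come from the commits.
const parseList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

function loadConfig(env) {
  return {
    bindAddress: env.BIND_ADDRESS || "127.0.0.1", // default was 0.0.0.0
    allowedOrigins: parseList(env.ALLOWED_ORIGINS), // default was "*"
    allowedHosts: parseList(env.ALLOWED_HOSTS).map((h) => h.toLowerCase()),
  };
}

// Banners meant for stderr directly, so a level-gated logger cannot drop them.
function startupWarnings(cfg) {
  const out = [];
  if (cfg.bindAddress === "0.0.0.0") out.push("WARNING: BIND_ADDRESS=0.0.0.0 listens on all interfaces");
  if (cfg.allowedOrigins.includes("*")) out.push("WARNING: ALLOWED_ORIGINS=* accepts any origin");
  return out;
}

// Assumption: -32000 (JSON-RPC implementation-defined range) as the error code.
function rpcError(status, message) {
  return { status, body: { jsonrpc: "2.0", error: { code: -32000, message }, id: null } };
}

// Returns null when the request may proceed, otherwise { status, body }.
function checkRequest(cfg, headers) {
  const host = String(headers.host || "").toLowerCase();
  // Assumption: an empty ALLOWED_HOSTS leaves the Host check off.
  if (cfg.allowedHosts.length > 0 && !cfg.allowedHosts.includes(host)) {
    return rpcError(421, "Host not allowed");
  }
  const origin = headers.origin;
  if (origin === undefined) return null; // no Origin header, e.g. a non-browser client
  // Assumption: "*" does not cover the opaque origin; "null" must be listed itself.
  if (origin === "null") {
    return cfg.allowedOrigins.includes("null") ? null : rpcError(403, "Origin null not allowed");
  }
  if (cfg.allowedOrigins.includes("*") || cfg.allowedOrigins.includes(origin)) return null;
  return rpcError(403, "Origin not allowed");
}

// Constructed sample: the unsafe configuration produces both banners on stderr.
startupWarnings(loadConfig({ BIND_ADDRESS: "0.0.0.0", ALLOWED_ORIGINS: "*" })).forEach((w) => console.error(w));
```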