Tandem Browser v0.57.13
Tandem Browser v0.57.13 is the second public developer preview release.
What's new since v0.57.9
Security hardening (CodeQL-driven, 3 passes):
- XSS/ReDoS fixes in API server, shell renderer, and OAuth callback
- Path injection hardening across extension loader, chrome importer, and native messaging proxy
- Prototype pollution fix in task manager
- Modulo bias removed from password generation
- Shared security helpers in src/utils/security.ts (URL validation, path root containment, HTML escaping)
- Rate limiting added globally and on sensitive routes
- DOM-only rendering for new tab page and bookmarks (no more innerHTML with user content)
- Google Photos callback no longer reflects error text back into HTML
- Type-loop bounds added for CodeQL loop-bound findings
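As an added illustration of the "Modulo bias removed from password generation" item above, the following TypeScript is example code written for these notes, not code from the Tandem Browser repository; the alphabet and the function names are assumptions. It contrasts the biased `byte % n` mapping with rejection sampling and includes a small histogram so the bias can be measured rather than taken on faith.

```typescript
import { randomBytes } from "node:crypto";

// Hypothetical alphabet (70 characters); the project's real charset is not on the page.
export const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*";

// Biased mapping: when 256 is not a multiple of n, the low indices are hit
// one extra time across the 256 possible byte values.
export function biasedIndex(byte: number, n: number): number | null {
  return byte % n;
}

// Unbiased mapping by rejection sampling: only bytes below the largest
// multiple of n that fits in 256 are accepted; everything else is discarded.
export function unbiasedIndex(byte: number, n: number): number | null {
  const limit = 256 - (256 % n);
  return byte < limit ? byte % n : null;
}

// Generate a password of `length` characters drawn uniformly from `alphabet`
// using CSPRNG bytes and rejection sampling.
export function generatePassword(length: number, alphabet: string = ALPHABET): string {
  const n = alphabet.length;
  if (n < 2 || n > 256) throw new RangeError("alphabet must have 2..256 characters");
  const out: string[] = [];
  while (out.length < length) {
    // Draw a batch; some bytes will be rejected, so loop until full.
    const buf = randomBytes(length);
    for (let i = 0; i < buf.length && out.length < length; i++) {
      const idx = unbiasedIndex(buf[i], n);
      if (idx !== null) out.push(alphabet[idx]);
    }
  }
  return out.join("");
}

// Count how often each index is produced when every byte value 0..255 is fed
// through `pick`; a uniform picker yields identical counts for all indices.
export function biasHistogram(
  n: number,
  pick: (b: number, n: number) => number | null,
): number[] {
  const counts = new Array<number>(n).fill(0);
  for (let b = 0; b < 256; b++) {
    const idx = pick(b, n);
    if (idx !== null) counts[idx]++;
  }
  return counts;
}

// Stand-alone demo: show the histograms for the 70-character alphabet.
console.log("biased   :", biasHistogram(ALPHABET.length, biasedIndex).join(","));
console.log("unbiased :", biasHistogram(ALPHABET.length, unbiasedIndex).join(","));
console.log("password :", generatePassword(20));
```

With a 70-character alphabet, 256 mod 70 is 46, so the biased picker favours indices 0 through 45 by a factor of 4/3; the rejection sampler drops the top 46 byte values and every index is produced exactly three times per 256 draws. Throwing away roughly 18% of the random bytes is the price of uniformity, which is why the generator draws in batches.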
CI and repo hygiene:
- CodeQL scanning workflow added (runs on push, PR, and weekly schedule)
- Dependency security alerts resolved (tar, hono, yauzl)
- Lint warnings cleared across the full source tree
- Verify CI badge and CodeQL badge in README
- GitHub topics, homepage, and PR template added
Status
- primary platform: macOS
- secondary platform: Linux
- local API on 127.0.0.1:8765 (Bearer auth required)
- intended for maintainers, contributors, and serious testers
- not yet a polished end-user production release
Start here
- README: https://github.com/hydro13/tandem-browser#readme
- Changelog: https://github.com/hydro13/tandem-browser/blob/main/CHANGELOG.md
- Tandem skill for OpenClaw: https://github.com/hydro13/tandem-browser/blob/main/skill/SKILL.md