Summary
parseMeta() in packages/core/src/observer.ts used JSON.parse(raw) as Record<string, unknown> without validating the parsed type. If a data-askable attribute contains valid JSON that is not a plain object — e.g. data-askable="42", data-askable="[1,2,3]", data-askable="null" — the value would be unsafely cast to Record<string, unknown> at compile time but would be a number, array, or null at runtime.
Downstream code that calls Object.entries(meta) or accesses properties on meta would receive unexpected values, potentially causing runtime errors or incorrect context output.
Impact
If the data-askable attribute contains valid JSON that is not a plain object (a number, array, or null), focus tracking could produce malformed context objects. Severity is low because the attribute is set by application developers, not end users.
Fix
Validate the JSON.parse result: if it's not a plain object (non-null, not an array), fall back to the raw string — matching the explicit | string return type.
Fixed in: claude/create-agents-md-fqfEf
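
The unchecked cast and the validated form described above, side by side, as an added TypeScript example that is not the project's observer.ts. The function names, the sample attribute values and the try/catch fallback for invalid JSON are assumptions.

```typescript
// Added example: hypothetical names, not the project's own code.
type Meta = Record<string, unknown> | string;

// "Before" shape: the cast satisfies the compiler but checks nothing at runtime.
function parseMetaUnchecked(raw: string): Meta {
  try {
    return JSON.parse(raw) as Record<string, unknown>;
  } catch {
    return raw; // assumed: invalid JSON falls back to the raw string
  }
}

// "After" shape: only a non-null, non-array object is accepted as metadata.
function parseMetaChecked(raw: string): Meta {
  try {
    const parsed: unknown = JSON.parse(raw);
    if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
      return parsed as Record<string, unknown>;
    }
  } catch {
    // not JSON at all: fall through to the raw string
  }
  return raw;
}

// Runtime shape of a value, as downstream code would actually receive it.
function shapeOf(value: unknown): string {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value;
}

// Constructed data-askable attribute values.
const SAMPLES = ['{"id":"chart-1"}', "42", "[1,2,3]", "null", '"text"', "plain label"];

// Returns [raw, shape from the unchecked parser, shape from the checked parser].
function compare(): Array<[string, string, string]> {
  return SAMPLES.map((raw): [string, string, string] => [
    raw,
    shapeOf(parseMetaUnchecked(raw)),
    shapeOf(parseMetaChecked(raw)),
  ]);
}
```

With the checked parser every sample comes back as either a plain object or a string, so the declared return type holds at runtime; a JSON string literal such as "text" is returned with its quotes, because the fallback is the raw attribute value.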