Summary Fixes defeating less's when content fits on one screen. Why this matters is a popular less configuration. Today, this works for directly but breaks under . Reproducer from #3738: less doesn't auto-quit even though the file fits, forcing the user to press q. Root cause: with , bat passes (chop long lines) to less. When less also receives (either from bat's own quit-if-one-screen path or from ), the / combination keeps less from auto-quitting on one-screen content. The patch skips whenever is in play, so less can quit as expected. Tradeoff to be aware of: when contains , long lines will now wrap in less instead of being chopped. If preserving matters more than auto-quit in that case, the approach can be reworked. Testing New integration tests in install a mock that captures the arguments it receives, and assert the exact flags bat passes per wrapping mode: with and without quit-if-one-screen, plus regression coverage for and . Fixes #3738
Summary Address high severity security finding in . Vulnerability Description: This Dependabot configuration does not set a cooldown period. Newly published packages can be malicious or unstable. Add a block with to each entry under to wait 7 days before proposing updates to newly published package versions. Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown Evidence Scanner confirmation: semgrep rule matched this pattern as package_managers.dependabot.dependabot-missing-cooldown.dependabot-missing-cooldown. Production code: This file is in the production codebase, not test-only code. Changes Verification [x] Build passes [x] Scanner re-scan confirms fix [x] LLM code review passed Security Invariant Property: The security boundary is maintained under adversarial input Regression test This test guards against regressions — it's useful independent of the code change above. This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation. Automated security fix by OrbisAI Security
Problem When contains (a common personal config), running opens a separate pager session per theme, making theme names invisible and the output entirely unusable. Root cause The branch in had no guard for , so the pager ran unconditionally. Fix Check flag before applying . Override to when listing themes, consistent with the existing guard already present in the branch (line 306). Testing Manual: set and run — all themes now display correctly in a single pass. Fixes #1618
This adds an alias for and enforces more strict sanitation. is currently the only option to handle untrusted data, but the name is confusing and does not fully reflect what the code does and it is also incomplete for the purpose of sanitation. This PR adds an alternative to the option named it extends the filtered characters to cover all relevant sequences that could spoof content or trigger terminal commands. Specifically the added changes are: Parse 8-bit C1 introducers and DCS/SOS/PM/APC bodies (the #3725 fix). Substitute bare CR with U+FFFD () (line-overwrite forgery). Substitute SO/SI with U+FFFD () (charset-shift forgery). Substitute non-introducer 8-bit C1 controls with U+FFFD () (RI is a cursor-up overwrite vector). Substitute the remaining C0 controls and DEL (BEL, BS, VT, CAN, SUB, …) with U+FFFD (). Substitute Unicode bidi and zero-width formatting characters (U+200B–U+200D, U+202A–U+202E, U+2066–U+2069, U+FEFF) with U+FFFD () (content-spoofing / Trojan-Source vector). CRLF, FF, tab, newline pass through unchanged. -mode plain-text carve-out preserved. Loop-through cat-mode preserved.
Repository: sharkdp/bat. Description: A cat(1) clone with wings. Stars: 59559, Forks: 1578. Primary language: Rust. License: Apache-2.0. Topics: cli, command-line, git, hacktoberfest, rust, syntax-highlighting, terminal, tool. Open PRs: 69, open issues: 321. Last activity: 2d ago. Top contributors: sharkdp, keith-hall, dependabot[bot], Enselic, eth-p, dependabot-preview[bot], cyqsimon, auto-merge-dependabot-prs[bot], einfachIrgendwer0815, mohamed-abdelnour and others.