cloudflare / vinext

* fix: close security gaps in init.ts shell exec and app-dev-server external proxy Gap 1 (GHSA-w7vc-6jjg-498h): migrate init.ts from execSync to execFileSync with argument array, matching the pattern already applied in deploy.ts and cli.ts. Inputs are hardcoded package names so practical risk is near zero, but this eliminates the last instance of the flagged pattern. Gap 2 (GHSA-pf96-3m7r-pv3j): harden the inline __proxyExternalRequest in the generated RSC entry (app-dev-server.ts) to strip Cookie, Authorization, x-api-key, proxy-authorization, and all x-middleware-* headers before forwarding to external rewrite targets. Also adds a 30-second AbortSignal.timeout. This brings the dev-server code path into parity with the already-fixed proxyExternalRequest in config-matchers.ts. Also fixes a missed GSP redirect path in dev-server.ts where backslash normalization was not applied (GHSA-79rw-r8hc-qg8v — the GSSP path was already committed). Includes an integration test that verifies credential stripping end-to-end via a mock HTTP server and a conditional external rewrite in next.config.ts. * fix: unify isExternalUrl to detect all URL schemes and protocol-relative URLs All four copies of isExternalUrl (config-matchers.ts, router.ts, navigation.ts, app-dev-server.ts inline) now use the same RFC 3986 scheme regex: /^[a-z][a-z0-9+.-]*:/i.test(url) || url.startsWith('//') Previously: - config-matchers.ts and app-dev-server.ts only checked http:// and https:// (missing // protocol-relative) - router.ts and navigation.ts checked http://, https://, and // but missed exotic schemes (data:, javascript:, blob:, ftp:, etc.) Now all copies are consistent and detect any URL scheme per RFC 3986 plus protocol-relative URLs. Adds test cases for exotic schemes, protocol-relative, hash-only, and bare string inputs. * fix: add shell: true to execFileSync for Windows .cmd file compat On Windows, package managers (pnpm, npm, yarn) are .cmd batch files. execFileSync without shell: true cannot execute them. Adding shell: true lets the OS shell resolve .cmd files while still using the argument array form for safer argument passing.