With the rise in supply chain attacks and OSS dependencies being used as an attack vector, Microsoft is working with our ecosystem partners, such as the Linux Foundation's OpenSSF, to enable OSS consumers to track packages back to their public sources.
We've identified that the following packages published to NPM do not report where sources can be found, typically accomplished by including a link to your GitHub repository in your `package.json` REPOSITORY field. This PR was created to add this value, ensuring future releases will include this provenance information.
Published NPM packages with repository information:
* tree-sitter-html
`buffer[i++]` is a `signed char` so this cast does not correctly handle
negative values. If a custom tag has a length greater than 128 then
`buffer[i++]` is negative and so the `(uint16_t)` cast will cast it to a large
unsigned integer. This causes an out-of-bound read when reading the tag name.
We need to cast `name_length` to a `uint8_t` first, then widen to a `uint16_t`.
We first serialize the total number of tags, then serialize each individual
tag. If we don't have enough space to serialize a particular tag we stop
serializing any remaining tags.
However, this causes an out-of-bounds read when deserializing because there are
fewer tags than expected. Just bail when there are too many tags to serialize.
`buffer` contains signed chars, so if a tag length is greater than 128 then it
is treated as a negative value when deserializing. The negative signed char is
then implicitly cast to a large unsigned integer. Explicitly cast the values to
signed chars.
Co-authored-by: Rahul Zhade <zhade3@github.com>
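The following is an added example, not code from tree-sitter-html or its contributors. It is a stand-alone C mock-up of the serialize/deserialize pair an external scanner exposes, written to show both problems the commit messages above describe: the tag-length byte being widened through a signed `char` (so a length of 128 or more, i.e. 0x80 and above, turns into a large `uint16_t`), and a serializer that writes the tag count before discovering that not every tag fits. The buffer size, the `[count][len][name]...` layout, the struct fields and every function name are assumptions made for the example; the deserializer here refuses a read that would go out of bounds instead of performing it, so the failure can be observed without undefined behaviour.

```c
/* Added example, not tree-sitter-html's own scanner code. Layout, sizes and
 * names are assumptions; BUFFER_SIZE stands in for
 * TREE_SITTER_SERIALIZATION_BUFFER_SIZE. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 1024   /* assumed serialization limit */
#define MAX_TAGS 64
#define MAX_NAME 255       /* a tag name length must fit in one byte */

typedef struct { uint8_t len; char name[MAX_NAME]; } Tag;
typedef struct { uint16_t count; Tag tags[MAX_TAGS]; } Scanner;

/* The bug: where char is signed (x86), a length byte >= 0x80 is negative and
 * (uint16_t) of a negative value is huge. The explicit (signed char) makes the
 * example behave the same on platforms where plain char is unsigned. */
static uint16_t widen_buggy(char c) { return (uint16_t)(signed char)c; }

/* The fix: reinterpret the byte as uint8_t first, then widen. */
static uint16_t widen_fixed(char c) { return (uint16_t)(uint8_t)c; }

/* Pre-fix serializer: writes the count, then stops at the first tag that does
 * not fit, so the count promises tags that were never written. */
static unsigned serialize_truncating(const Scanner *s, char *buffer) {
  unsigned i = 0;
  memcpy(buffer + i, &s->count, 2); i += 2;
  for (uint16_t t = 0; t < s->count; t++) {
    if (i + 1 + s->tags[t].len > BUFFER_SIZE) break;
    buffer[i++] = (char)s->tags[t].len;
    memcpy(buffer + i, s->tags[t].name, s->tags[t].len);
    i += s->tags[t].len;
  }
  return i;
}

/* Fixed serializer: if the whole list does not fit, serialize nothing. */
static unsigned serialize(const Scanner *s, char *buffer) {
  unsigned needed = 2;
  for (uint16_t t = 0; t < s->count; t++) needed += 1 + s->tags[t].len;
  if (needed > BUFFER_SIZE) return 0;   /* bail: too many tags to serialize */
  unsigned i = 0;
  memcpy(buffer + i, &s->count, 2); i += 2;
  for (uint16_t t = 0; t < s->count; t++) {
    buffer[i++] = (char)s->tags[t].len;
    memcpy(buffer + i, s->tags[t].name, s->tags[t].len);
    i += s->tags[t].len;
  }
  return i;
}

/* Returns false where the original code would have read out of bounds. */
static bool deserialize(Scanner *s, const char *buffer, unsigned length, bool fixed) {
  memset(s, 0, sizeof *s);
  if (length == 0) return true;          /* nothing serialized: empty scanner */
  if (length < 2) return false;
  unsigned i = 0;
  uint16_t count; memcpy(&count, buffer + i, 2); i += 2;
  if (count > MAX_TAGS) return false;
  for (uint16_t t = 0; t < count; t++) {
    if (i >= length) return false;       /* count promised more tags than written */
    uint16_t name_length = fixed ? widen_fixed(buffer[i]) : widen_buggy(buffer[i]);
    i++;
    if (name_length > MAX_NAME || i + name_length > length) return false; /* OOB read */
    s->tags[t].len = (uint8_t)name_length;
    memcpy(s->tags[t].name, buffer + i, name_length);
    i += name_length;
  }
  s->count = count;
  return true;
}

/* Constructed input: n tags, each of the same length, names 'a', 'b', ... */
static void fill(Scanner *s, unsigned n, unsigned len) {
  memset(s, 0, sizeof *s);
  s->count = (uint16_t)n;
  for (unsigned t = 0; t < n; t++) {
    s->tags[t].len = (uint8_t)len;
    memset(s->tags[t].name, 'a' + (int)(t % 26), len);
  }
}

/* 1: round trip succeeded; 0: deserializer refused an OOB read; -1: serialize bailed. */
static int roundtrip(unsigned n, unsigned len, bool fixed) {
  static char buffer[BUFFER_SIZE];
  Scanner in, out;
  fill(&in, n, len);
  unsigned written = serialize(&in, buffer);
  if (written == 0 && n > 0) return -1;
  if (!deserialize(&out, buffer, written, fixed)) return 0;
  return memcmp(&out, &in, sizeof in) == 0 ? 1 : 0;
}

/* Does output of the pre-fix serializer deserialize cleanly? */
static bool truncated_deserializes(unsigned n, unsigned len) {
  static char buffer[BUFFER_SIZE];
  Scanner in, out;
  fill(&in, n, len);
  return deserialize(&out, buffer, serialize_truncating(&in, buffer), true);
}

int main(void) {
  printf("len 200, buggy widening: %d\n", roundtrip(1, 200, false));
  printf("len 200, fixed widening: %d\n", roundtrip(1, 200, true));
  printf("8 tags of 200, fixed serializer bails: %d\n", roundtrip(8, 200, true));
  printf("8 tags of 200, truncating serializer: %d\n", truncated_deserializes(8, 200));
  return 0;
}
```

With the buggy widening, a single 200-byte tag name makes `name_length` 65480 and the deserializer refuses; with the `uint8_t` reinterpretation the same data round-trips. Eight 200-byte tags need 1610 bytes, so the fixed serializer writes nothing, whereas the truncating one writes a count of 8 followed by only five tags, which the deserializer then rejects when it runs past the end of the buffer.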