Merge branch 'taewoo' of https://github.com/whs-authz-authn-project/caido-plugin-test into taewoo

.gitignore

@@ -1,224 +1,3 @@
-# Created by https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux
+node_modules
-# Edit at https://www.toptal.com/developers/gitignore?templates=node,macos,windows,linux
 
-### Linux ###
+/dist
-*~
-
-# temporary files which can be created if a process still has a handle open of a deleted file
-.fuse_hidden*
-
-# KDE directory preferences
-.directory
-
-# Linux trash folder which might appear on any partition or disk
-.Trash-*
-
-# .nfs files are created when an open file is removed but is still being accessed
-.nfs*
-
-### macOS ###
-# General
-.DS_Store
-.AppleDouble
-.LSOverride
-
-# Icon must end with two \r
-Icon
-
-
-# Thumbnails
-._*
-
-# Files that might appear in the root of a volume
-.DocumentRevisions-V100
-.fseventsd
-.Spotlight-V100
-.TemporaryItems
-.Trashes
-.VolumeIcon.icns
-.com.apple.timemachine.donotpresent
-
-# Directories potentially created on remote AFP share
-.AppleDB
-.AppleDesktop
-Network Trash Folder
-Temporary Items
-.apdisk
-
-### macOS Patch ###
-# iCloud generated files
-*.icloud
-
-### Node ###
-# Logs
-logs
-*.log
-npm-debug.log*
-yarn-debug.log*
-yarn-error.log*
-lerna-debug.log*
-.pnpm-debug.log*
-
-# Diagnostic reports (https://nodejs.org/api/report.html)
-report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
-
-# Runtime data
-pids
-*.pid
-*.seed
-*.pid.lock
-
-# Directory for instrumented libs generated by jscoverage/JSCover
-lib-cov
-
-# Coverage directory used by tools like istanbul
-coverage
-*.lcov
-
-# nyc test coverage
-.nyc_output
-
-# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
-.grunt
-
-# Bower dependency directory (https://bower.io/)
-bower_components
-
-# node-waf configuration
-.lock-wscript
-
-# Compiled binary addons (https://nodejs.org/api/addons.html)
-build/Release
-
-# Dependency directories
-node_modules/
-jspm_packages/
-
-# Snowpack dependency directory (https://snowpack.dev/)
-web_modules/
-
-# TypeScript cache
-*.tsbuildinfo
-
-# Optional npm cache directory
-.npm
-
-# Optional eslint cache
-.eslintcache
-
-# Optional stylelint cache
-.stylelintcache
-
-# Microbundle cache
-.rpt2_cache/
-.rts2_cache_cjs/
-.rts2_cache_es/
-.rts2_cache_umd/
-
-# Optional REPL history
-.node_repl_history
-
-# Output of 'npm pack'
-*.tgz
-
-# Yarn Integrity file
-.yarn-integrity
-
-# dotenv environment variable files
-.env
-.env.development.local
-.env.test.local
-.env.production.local
-.env.local
-
-# parcel-bundler cache (https://parceljs.org/)
-.cache
-.parcel-cache
-
-# Next.js build output
-.next
-out
-
-# Nuxt.js build / generate output
-.nuxt
-dist
-
-# Gatsby files
-.cache/
-# Comment in the public line in if your project uses Gatsby and not Next.js
-# https://nextjs.org/blog/next-9-1#public-directory-support
-# public
-
-# vuepress build output
-.vuepress/dist
-
-# vuepress v2.x temp and cache directory
-.temp
-
-# Docusaurus cache and generated files
-.docusaurus
-
-# Serverless directories
-.serverless/
-
-# FuseBox cache
-.fusebox/
-
-# DynamoDB Local files
-.dynamodb/
-
-# TernJS port file
-.tern-port
-
-# Stores VSCode versions used for testing VSCode extensions
-.vscode-test
-
-# yarn v2
-.yarn/cache
-.yarn/unplugged
-.yarn/build-state.yml
-.yarn/install-state.gz
-.pnp.*
-
-### Node Patch ###
-# Serverless Webpack directories
-.webpack/
-
-# Optional stylelint cache
-
-# SvelteKit build / generate output
-.svelte-kit
-
-### Windows ###
-# Windows thumbnail cache files
-Thumbs.db
-Thumbs.db:encryptable
-ehthumbs.db
-ehthumbs_vista.db
-
-# Dump file
-*.stackdump
-
-# Folder config file
-[Dd]esktop.ini
-
-# Recycle Bin used on file shares
-$RECYCLE.BIN/
-
-# Windows Installer files
-*.cab
-*.msi
-*.msix
-*.msm
-*.msp
-
-# Windows shortcuts
-*.lnk
-
-#!dist/
-dist/*
-packages/frontend/dist
-packages/backend/dist
-#!dist/*.zip
-
-# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 [Author]
+Copyright (c) 2024 [caterpii]
 
 Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 

caido.config.ts

@@ -1,18 +1,24 @@
-import { defineConfig } from "@caido-community/dev";
+import { defineConfig } from '@caido-community/dev';
 
 export default defineConfig({
-  id: "caido-oauth",
+  id: "oauth-vuln-detector",
-  name: "Caido OAuth",
+  name: "OAuth Vuln Detector",
-  description: "Plugin for OAuth",
+  description: "Detects OAuth misconfiguration.",
-  version: "0.0.0",
+  version: "0.0.1",
   author: {
-    name: "WHS Safe Us Team",
+    name: "caterpii",
+    email: "dlaha171@gmail.com",
+    url: "https://github.com/katerpii"
   },
   plugins: [
     {
       kind: "backend",
-      id: "backend",
+      id: "oauth-backend",
       root: "packages/backend",
     },
   ],
-});
+  watch: {
+    port: 8081, 
+  },
+}
+);

package.json

@@ -1,5 +1,5 @@
 {
-  "name": "caido-oauth",
+  "name": "caido-oauth-plugin",
   "version": "0.0.0",
   "private": true,
   "scripts": {
@@ -9,7 +9,7 @@
   },
   "devDependencies": {
     "@caido-community/dev": "^0.1.3",
-    "@caido/sdk-backend": "^0.48.1",
+    "@caido/sdk-backend": "^0.46.0",
     "typescript": "5.5.4"
   }
 }

packages/backend/dist/index.js

@@ -0,0 +1,190 @@
+// packages/backend/src/controller/PKCECheck.ts
+import { RequestSpec } from "caido:utils";
+var PKCECheck = class {
+  async test(sdk, req) {
+    const method = req.getMethod();
+    if (method !== "GET") {
+      sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping.");
+      return false;
+    }
+    const query = req.getQuery();
+    const searchParams = new URLSearchParams(query);
+    const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
+    if (!requiredKeys.every((key) => searchParams.has(key))) {
+      sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
+      return false;
+    }
+    const url = req.getUrl();
+    const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token");
+    const methodVal = searchParams.get("code_challenge_method");
+    const challengeVal = searchParams.get("code_challenge");
+    if (!methodVal || !challengeVal) {
+      sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping.");
+      await sdk.findings.create({
+        title: isOpenID ? "[WARN] OpenID Flow PKCE Parameters Missing" : "[WARN] OAuth2 Flow PKCE Parameters Missing",
+        description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`,
+        request: req,
+        reporter: "PKCE Checker"
+      });
+      return false;
+    }
+    if (methodVal === "plain") {
+      sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping.");
+      await sdk.findings.create({
+        title: isOpenID ? "[WARN] OpenID Flow PKCE Method is 'plain'" : "[WARN] OAuth2 Flow PKCE Method is 'plain'",
+        description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`,
+        request: req,
+        reporter: "PKCE Checker"
+      });
+      return false;
+    }
+    searchParams.delete("code_challenge");
+    searchParams.delete("code_challenge_method");
+    const downgradedQuery = searchParams.toString();
+    const scheme = req.getUrl().startsWith("https") ? "https" : "http";
+    const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
+    sdk.console.log(`${req.getHost()} Original URL: ` + url);
+    sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl);
+    try {
+      const spec = new RequestSpec(downgradedUrl);
+      spec.setBody(req.getBody());
+      for (const [key, value] of Object.entries(req.getHeaders())) {
+        if (Array.isArray(value)) {
+          spec.setHeader(key, value.join(", "));
+        } else {
+          spec.setHeader(key, value);
+        }
+      }
+      spec.setHost(req.getHost());
+      spec.setMethod(req.getMethod());
+      spec.setPath(req.getPath());
+      spec.setQuery(downgradedQuery);
+      spec.setTls(req.getTls());
+      spec.setPort(req.getPort());
+      let sendDowngradedRequest = await sdk.requests.send(spec);
+      if (sendDowngradedRequest.response) {
+        let domain = spec.getHost();
+        let port = spec.getPort();
+        let path2 = spec.getPath();
+        let query2 = spec.getQuery();
+        let id = sendDowngradedRequest.response.getId();
+        let code = sendDowngradedRequest.response.getCode();
+        sdk.console.log(`REQ ${id}: ${domain}:${port}${path2}${query2} received a status code of ${code}`);
+      }
+      if (sendDowngradedRequest.response?.getCode() === 302) {
+        await sdk.findings.create({
+          title: isOpenID ? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability" : "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability",
+          description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`,
+          request: req,
+          reporter: "PKCE Checker"
+        });
+      }
+    } catch (err) {
+      sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`);
+    }
+    sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected.");
+    return false;
+  }
+};
+
+// packages/backend/src/controller/redirectUriCheck.ts
+import { promises as fs } from "fs";
+import * as path from "path";
+import os from "os";
+var redirectUriCheck = class {
+  requestMap = /* @__PURE__ */ new Map();
+  //   constructor(private sdk: SDK<any>) {}
+  async onRequest(sdk, req) {
+    try {
+      const urlString = req.getUrl();
+      const url = new URL(urlString);
+      sdk.console.log(`[OAuthPlugin] Intercepted request: ${urlString}`);
+      if (!url.pathname.includes("/authorize") && !url.pathname.includes("/auth")) return;
+      const params = new URLSearchParams(url.search);
+      const redirectUri = params.get("redirect_uri");
+      if (!redirectUri) return;
+      const reqId = req.getId();
+      this.requestMap.set(reqId, redirectUri);
+      const clientId = params.get("client_id") ?? "(missing)";
+      const responseType = params.get("response_type") ?? "(missing)";
+      const isScan = params.has("scan");
+      if (isScan) return;
+      const output = {
+        original_url: urlString,
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        response_type: responseType
+      };
+      try {
+        const filePath = path.join(os.tmpdir(), "oauth-fuzz-input.json");
+        await fs.writeFile(filePath, JSON.stringify(output, null, 2));
+      } catch (err) {
+        await sdk.findings.create({
+          title: "[fs] Write Failed",
+          description: `Could not write to file: ${err}`,
+          request: req,
+          reporter: "oauth-open-redirect-detector"
+        });
+      }
+      await sdk.findings.create({
+        title: "[ ] OAuth2 Authorization Request Collected",
+        description: `client_id: ${clientId}
+redirect_uri: ${redirectUri}
+response_type: ${responseType}`,
+        request: req,
+        reporter: "oauth-open-redirect-detector"
+      });
+    } catch (err) {
+      sdk.console.error(`Error in onRequest: ${err}`);
+    }
+  }
+  async onResponse(sdk, req, resp) {
+    try {
+      const reqId = req.getId();
+      const url = new URL(req.getUrl());
+      const status = resp.getCode();
+      const location = resp.getHeader("location")?.[0];
+      const params = new URLSearchParams(url.search);
+      const isScan = params.has("scan");
+      if (!isScan) {
+        this.requestMap.delete(reqId);
+        return;
+      }
+      if (status >= 300 && status < 400 && location) {
+        const redirectUri = this.requestMap.get(reqId) ?? "(unknown)";
+        await sdk.findings.create({
+          title: "[+] Redirect URI Misconfiguration Detected",
+          description: `Status: ${status}
+Location: ${location}
+Request URL: ${url.href}
+Redirect URI: ${redirectUri}`,
+          request: req,
+          reporter: "oauth-open-redirect-detector"
+        });
+      }
+      this.requestMap.delete(reqId);
+    } catch (err) {
+      sdk.console.error(`Error in onResponse: ${err}`);
+    }
+  }
+};
+
+// packages/backend/src/index.ts
+var pkceCheckController = new PKCECheck();
+var redirectUriCheckController = new redirectUriCheck();
+function init(sdk) {
+  sdk.events.onInterceptRequest(
+    async (sdk2, req) => {
+      await redirectUriCheckController.onRequest(sdk2, req);
+    }
+  );
+  sdk.events.onInterceptResponse(
+    async (sdk2, req, resp) => {
+      await pkceCheckController.test(sdk2, req);
+      await redirectUriCheckController.onResponse(sdk2, req, resp);
+    }
+  );
+}
+export {
+  init
+};

packages/backend/package.json

@@ -6,8 +6,5 @@
   "scripts": {
     "typecheck": "tsc --noEmit",
     "build": "vite build"
-  },
-  "devDependencies": {
-    "@caido/sdk-backend": "^0.46.0"
   }
 }

packages/backend/pnpm-lock.yaml

@@ -0,0 +1,35 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+importers:
+
+  .:
+    devDependencies:
+      '@caido/sdk-backend':
+        specifier: ^0.46.0
+        version: 0.46.0
+
+packages:
+
+  '@caido/quickjs-types@0.17.2':
+    resolution: {integrity: sha512-5kcucGORMNEbcdU91yKLYZG/TFDqsO6XmCZ1TnU6V48E61mmqrJg6kjrfOFP1WOugDm+ZcGd/Su3p3XkFXfaPg==}
+
+  '@caido/sdk-backend@0.46.0':
+    resolution: {integrity: sha512-peUKW/4Nrw9WVxIahc+6KrVtxA7vsbpuJqOoBxudxq7tQJ+cV9IEqzvYoFFo8KlnrTkeUQUJvd0W4WsM3HgxEg==}
+
+  '@caido/sdk-shared@0.1.1':
+    resolution: {integrity: sha512-JAV5ajUqxZdXYPTmDEvIKBZon8I5uHq44ATj0Nj3BVpllRDUGY9kcBd+PXMD50+3lv1CvhR3/f6q24T0+4aVJQ==}
+
+snapshots:
+
+  '@caido/quickjs-types@0.17.2': {}
+
+  '@caido/sdk-backend@0.46.0':
+    dependencies:
+      '@caido/quickjs-types': 0.17.2
+      '@caido/sdk-shared': 0.1.1
+
+  '@caido/sdk-shared@0.1.1': {}

packages/backend/src/controller/redirectUriCheck.ts

@@ -0,0 +1,95 @@
+// oauth-plugin.ts
+import type { SDK } from "caido:plugin";
+import type { Request, Response } from "caido:utils";
+import { promises as fs } from "fs";
+import * as path from "path";
+import os from "os";
+
+export class redirectUriCheck {
+  private requestMap = new Map<string, string>();
+
+//   constructor(private sdk: SDK<any>) {}
+
+  public async onRequest(sdk: SDK, req: Request) {
+    try {
+      const urlString = req.getUrl();
+      const url = new URL(urlString);
+      sdk.console.log(`[OAuthPlugin] Intercepted request: ${urlString}`);
+
+      if (!url.pathname.includes("/authorize") && !url.pathname.includes("/auth")) return;
+
+      const params = new URLSearchParams(url.search);
+      const redirectUri = params.get("redirect_uri");
+      if (!redirectUri) return;
+
+      const reqId = req.getId();
+      this.requestMap.set(reqId, redirectUri);
+
+      const clientId = params.get("client_id") ?? "(missing)";
+      const responseType = params.get("response_type") ?? "(missing)";
+      const isScan = params.has("scan");
+      if (isScan) return;
+
+      const output = {
+        original_url: urlString,
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        response_type: responseType,
+      };
+
+      try {
+        const filePath = path.join(os.tmpdir(), "oauth-fuzz-input.json");
+        await fs.writeFile(filePath, JSON.stringify(output, null, 2));
+      } catch (err) {
+        await sdk.findings.create({
+          title: "[fs] Write Failed",
+          description: `Could not write to file: ${err}`,
+          request: req,
+          reporter: "oauth-open-redirect-detector"
+        });
+      }
+
+      await sdk.findings.create({
+        title: "[ ] OAuth2 Authorization Request Collected",
+        description: `client_id: ${clientId}\nredirect_uri: ${redirectUri}\nresponse_type: ${responseType}`,
+        request: req,
+        reporter: "oauth-open-redirect-detector"
+      });
+
+    } catch (err) {
+        sdk.console.error(`Error in onRequest: ${err}`);
+    }
+  }
+
+  public async onResponse(sdk: SDK, req: Request, resp: Response) {
+    try {
+      const reqId = req.getId();
+      const url = new URL(req.getUrl());
+      const status = resp.getCode();
+      const location = resp.getHeader("location")?.[0];
+
+      const params = new URLSearchParams(url.search);
+      const isScan = params.has("scan");
+
+      if (!isScan) {
+        this.requestMap.delete(reqId);
+        return;
+      }
+
+      if (status >= 300 && status < 400 && location) {
+        const redirectUri = this.requestMap.get(reqId) ?? "(unknown)";
+
+        await sdk.findings.create({
+          title: "[+] Redirect URI Misconfiguration Detected",
+          description: `Status: ${status}\nLocation: ${location}\nRequest URL: ${url.href}\nRedirect URI: ${redirectUri}`,
+          request: req,
+          reporter: "oauth-open-redirect-detector",
+        });
+      }
+
+      this.requestMap.delete(reqId);
+    } catch (err) {
+      sdk.console.error(`Error in onResponse: ${err}`);
+    }
+  }
+}

packages/backend/src/index.ts

@@ -1,49 +1,55 @@
 import type { SDK, DefineAPI } from "caido:plugin";
-import type { Request } from "caido:utils";
+import type { Request, Response } from "caido:utils";
-import { ImplicitGrantController } from "./controller/implictGrant";
+// import { ImplicitGrantController } from "./controller/implictGrant";
-import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
+// import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
 import { PKCECheck } from "./controller/PKCECheck";
+import { redirectUriCheck } from "./controller/redirectUriCheck";
 
 export type API = DefineAPI<{}>;
 
-const implicitGrantController = new ImplicitGrantController();
+// const implicitGrantController = new ImplicitGrantController();
-const authZCodeGrantController = new AuthZCodeGrantController();
+// const authZCodeGrantController = new AuthZCodeGrantController();
 const pkceCheckController = new PKCECheck();
-
+const redirectUriCheckController = new redirectUriCheck();
-// function matchSSORequest(req: Request): boolean {
-//   const raw = req.getRaw().toString();
-
-//   // 조건 3: Raw request에 SAMLRequest 또는 SAMLResponse 포함
-//   if (raw.includes("SAMLRequest=") || raw.includes("SAMLResponse=")) {
-//     return true;
-//   }
-
-//   return false;
-// }
-
-// function matchAccessTokenResponse(resp: Response): boolean {
-//   const raw = resp.getRaw().toString();
-
-//   const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw);
-//   return !!match;
-// }
 
 export function init(sdk: SDK<API>) {
-  sdk.events.onInterceptRequest(async (sdk, req: Request) => {
+  // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
-    const result =
+  //   const result = csrfCheck.checker(req);
-      authZCodeGrantController.testReq(req) ||
-      implicitGrantController.testReq(req);
 
-    if (result) {
+  //   if (result) {
+  //     await sdk.findings.create({
+  //       title: "Possible SSO Request Detected",
+  //       description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
+  //       request: req,
+  //       reporter: "",
+  //     });
+  //   }
+  // });
+  sdk.events.onInterceptRequest(
+    async(sdk: SDK<DefineAPI<{}>, {}>, req: Request) => {
+      await redirectUriCheckController.onRequest(sdk, req);
+    }
+  ); 
+
+  sdk.events.onInterceptResponse(
+    async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
       await pkceCheckController.test(sdk, req);
+      await redirectUriCheckController.onResponse(sdk, req, resp);
 
-      await sdk.findings.create({
+      // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
-        title: "Possible SSO Request Detected",
+      //   const result =
-        description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
+      //     authZCodeGrantController.testReq(req) ||
-        request: req,
+      //     implicitGrantController.testReq(req);
-        reporter: "",
-      });
-    }
 
-  });
+      //   if (result) {
+      //     await pkceCheckController.test(sdk, req);
+
+      //     await sdk.findings.create({
+      //       title: "Possible SSO Request Detected",
+      //       description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
+      //       request: req,
+      //       reporter: "",
+      //     });
+    }
+  );
 }

packages/backend/tsconfig.json

@@ -2,6 +2,7 @@
   "extends": "../../tsconfig.json",
   "compilerOptions": {
     "types": ["@caido/sdk-backend"],
+    "lib": ["ESNext", "DOM"]
   },
   "include": ["./src/**/*.ts"]
 }

pnpm-lock.yaml

@@ -10,21 +10,20 @@ importers:
     devDependencies:
       '@caido-community/dev':
         specifier: ^0.1.3
-        version: 0.1.5(postcss@8.5.3)(typescript@5.5.4)
+        version: 0.1.6(postcss@8.5.3)(typescript@5.5.4)
+      '@caido/sdk-backend':
+        specifier: ^0.46.0
+        version: 0.46.0
       typescript:
         specifier: 5.5.4
         version: 5.5.4
 
-  packages/backend:
+  packages/backend: {}
-    devDependencies:
-      '@caido/sdk-backend':
-        specifier: ^0.46.0
-        version: 0.46.0
 
 packages:
 
-  '@caido-community/dev@0.1.5':
+  '@caido-community/dev@0.1.6':
-    resolution: {integrity: sha512-mM+komusTlKNViTlAR055KS9pQJk+jKzbFlUb+MKaFuopMG6qS93z6PSz/08uc7u7/i+U7YiiQvaa7c1IXvl6Q==}
+    resolution: {integrity: sha512-WAWmPdEahh4e24sO4crt+nvqZryhKsy4yP5QYGoyUKqEYVAct5S/lI9fHdoIRQPJDSds3ayB6jgMKAlifd8BAg==}
     engines: {node: '>=20', pnpm: '>=9'}
     hasBin: true
 
@@ -598,8 +597,8 @@ packages:
   jackspeak@3.4.3:
     resolution: {integrity: sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==}
 
-  jackspeak@4.1.0:
+  jackspeak@4.1.1:
-    resolution: {integrity: sha512-9DDdhb5j6cpeitCbvLO7n7J4IxnbM6hoF6O1g4HQ5TfhvvKN8ywDM7668ZhMHRqVmxqhps/F6syWK2KcPxYlkw==}
+    resolution: {integrity: sha512-zptv57P3GpL+O0I7VdMJNBZCu+BPHVQUk55Ft8/QCJjTVxrnJHuVuX/0Bl2A6/+2oyR/ZMEuFKwmzqqZ/U5nPQ==}
     engines: {node: 20 || >=22}
 
   jiti@2.4.2:
@@ -1056,7 +1055,7 @@ packages:
 
 snapshots:
 
-  '@caido-community/dev@0.1.5(postcss@8.5.3)(typescript@5.5.4)':
+  '@caido-community/dev@0.1.6(postcss@8.5.3)(typescript@5.5.4)':
     dependencies:
       '@caido/plugin-manifest': 0.3.0
       chalk: 5.4.1
@@ -1533,7 +1532,7 @@ snapshots:
   glob@11.0.1:
     dependencies:
       foreground-child: 3.3.1
-      jackspeak: 4.1.0
+      jackspeak: 4.1.1
       minimatch: 10.0.1
       minipass: 7.1.2
       package-json-from-dist: 1.0.1
@@ -1579,7 +1578,7 @@ snapshots:
     optionalDependencies:
       '@pkgjs/parseargs': 0.11.0
 
-  jackspeak@4.1.0:
+  jackspeak@4.1.1:
     dependencies:
       '@isaacs/cliui': 8.0.2