@discordjs/voice → prism-media → @discordjs/opus → @discordjs/node-pre-gyp
pins tar ^6.1.11. All tar <=7.5.10 are vulnerable (GHSA-34x7-hfp2-rc4v,
8qq5-rm4j-mr97, 83g3-92jg-28cx, qffp-2rhf-9h96, 9ppj-qmqm-q256,
r6q2-hw4h-h46w) with no fix available on the v6 line.
Use npm `overrides` to force tar ^7.5.15 across the dep tree. Verified:
- npm install: `found 0 vulnerabilities`
- docker build --no-cache: succeeds; @discordjs/opus prebuilt is still
extracted correctly by node-pre-gyp with tar v7
- npm run build: clean
The ts-cleaner step in the build script scans dist/ and crashes with
ENOENT if the directory doesn't exist (e.g. on a fresh clone or after
git clean). Previously README told users to 'mkdir -p dist' first,
but Dockerfile and CI didn't necessarily follow that. Prepend a small
node one-liner that mkdir's dist recursively before ts-cleaner runs,
and drop the now-redundant manual step from README.
- Logger.Timestamp now formats via Intl with timeZone Asia/Seoul, so
the timestamp is correct regardless of the container/host TZ. The
previous setHours(+9) hack assumed the system clock was UTC.
- Transcode.mp3BufferToPcmStream now attaches error/stderr handlers
to the ffmpeg child process and its streams, swallows EPIPE on
early downstream close, and force-kills on spawn error so failed
conversions can't leak processes. Log level bumped from 'quiet'
to 'error' so real ffmpeg errors surface.
- package.json homepage/bugs/repository pointed at github.com/tkrmagid/bot.ts
which doesn't reflect this repo. Repoint to the actual Gitea origin.
