https://github.com/lordofsunshine/monoforge
MonoForge helps you publish repositories, upload folders, read README files, discuss tasks and find public projects without a noisy interface.
https://github.com/lordofsunshine/monoforge
monoforge opensource-projects repository
Last synced: about 1 month ago
JSON representation
MonoForge helps you publish repositories, upload folders, read README files, discuss tasks and find public projects without a noisy interface.
- Host: GitHub
- URL: https://github.com/lordofsunshine/monoforge
- Owner: lordofsunshine
- License: agpl-3.0
- Created: 2026-05-14T15:28:53.000Z (2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-21T11:09:40.000Z (about 2 months ago)
- Last Synced: 2026-05-21T19:39:35.806Z (about 2 months ago)
- Topics: monoforge, opensource-projects, repository
- Language: TypeScript
- Homepage: https://monoforge.org
- Size: 18.2 MB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security/checklist.md
Awesome Lists containing this project
README
# MonoForge
A platform for public and private publication of open-source projects.
> [!NOTE]
> ***Not all files have been uploaded to GitHub*** due to some internal errors, so a ZIP archive with the full code has been uploaded to the repository. ( [download zip](https://github.com/lordofsunshine/monoforge/blob/main/monoforge-github-source.zip) )
A page is available on our website: https://monoforge.org/lordofsunshine/monoforge
## Security Updates
1. **Safer Markdown image handling**
Removed unsafe regex parsing for `
` tags in Markdown. Image handling now uses AST transformation with safer attribute parsing.
2. **Temporary file cleanup**
Fixed possible temporary file leaks in repository file updates and stream uploads. Temporary files are now cleaned up properly even when an error happens.
3. **Archive protection**
Added limits for ZIP archive generation, including file size rules, file count rules, and a concurrency slot to prevent heavy archive requests from overloading the service.
4. **Zstd decompression protection**
Added a byte limit during Zstd stream decompression based on the expected original size. This helps protect the service from oversized or malicious compressed files.
5. **Stronger file upload policy**
Expanded blocked secret paths and filenames, including examples like `.aws/credentials`, `.bash_history`, `.env.backup`, `*.key.txt`, and paths containing `tokens`, `secrets`, or `private`.
6. **Removed unsafe HTML rendering**
Removed `dangerouslySetInnerHTML` from the layout, repository page, preference script, and code viewer. Shiki code highlighting now renders through HAST to React instead of injecting raw HTML.