🚀 Release: beta → master

[rajashish147]

🚀 Automated Release PR

This PR contains all changes from beta to master.

---

📦 Latest Changes

• fix(ci): infra guard regex + exclude verify-stabilization.sh
• fix(deploy): guard GITHUB_STEP_SUMMARY for set -u on VPS
• fix: ESM healthcheck + CI exec validation
• fix(docker): align HEALTHCHECK timing with liveness; robust healthcheck.js; deploy health debug

---

🧠 Notes

• Auto-managed PR
• Do not edit manually

To fix this, we should ensure that potentially user-influenced content in err cannot inject new log lines or otherwise confuse log consumers. The general approach is to sanitize any string representation of err before logging: strip \n and \r characters (and optionally other control characters) and ensure the log makes clear where user-controlled content starts.

The best minimal-change fix here is to change logErr so it does not pass the raw err object directly to console.error. Instead, we can derive a safe string representation (using String(err) or err.message and optionally err.stack), remove any newline and carriage-return characters from the message we log on a single line, and then log that single sanitized string. This keeps existing behavior (healthcheck still logs errors, still exits with the same codes) while preventing multi-line log spoofing. No external packages are needed; we can use built-in JS string methods.

Concretely, in healthcheck.js, we will replace the body of logErr (lines 20–22) with logic that:

• Converts err into a descriptive string (e.g., including name and message, and maybe a truncated/sanitized stack on a separate pass).
• Removes \r and \n from the parts that might contain attacker input.
• Logs a single, clearly delimited string via console.error.

We will not touch the rest of the file; all existing calls to logErr remain unchanged.