reliability, batch transfer, and privacy#60
Merged
Conversation
added 13 commits
June 17, 2026 14:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Share more, with less friction — reliability, batch transfer, and privacy
This PR turns
easy-sharingfrom "share one file to a browser" into an all-around terminal↔phone tool, while fixing the #1 reason shares silently fail.Why
The tool is loved (1.8k★) but the magic moment — scan the QR, it just works — broke on common setups:
getNetworkAddress()returned the first non-internal IPv4, so on machines with Docker/VPN/WSL it advertised an unreachable address (the QR scans, the page never loads). That, plus a few table-stakes gaps (multi-file receive, folder download, one-flag privacy), is what this PR addresses.What's new
Reliability
--interface/-ito pin one and a startup hint listing other addresses./qrbrowser fallback page +--openfor terminals that can't render the QR (Windows / unicode).Transfer
--receive(finishes the long-standing multi-file request)..zip" link +/ziproute.Trust & lifetime
-Sauto-generates a self-signed cert (no more-C/-Krequired).--once(stop after first transfer) and--timeout 30s|10m|1h.--token(secret/unguessable link) and--secure(token + generated password + HTTPS in one flag); open shares now print a warning.Hardening
Upload is basename-only and rejects symlink/
..escapes and same-name clobbering;/zipis confined to the share root and skips symlinks; token is carried in the path (not the query); clipboard mode never serves the cwd.Compatibility
Fully backward compatible — existing flags and behavior unchanged. Adds
qrcode,archiver,selfsigned(lazy-required); engines bumped to>=14.17.Testing
Test suite extended 18 → 32, all passing (
npm test), covering interface ranking, multi-file/traversal/symlink safety,/zip,/qr,/text, the clipboard page, and token gating. Manually verified end-to-end across share, receive, zip, clipboard,--secure,--once, and HTTPS.