@mariozechner/pi-coding-agent Race Condition in auth.json Write Path
What changed
A race condition in Pi's auth.json file write path could briefly expose stored credentials (API keys, OAuth tokens) to other local users before file permissions are tightened.
Who it affects
Users of @mariozechner/pi-coding-agent >=0.28.0 <=0.73.1 and @earendil-works/pi-coding-agent >=0.74.0 <0.78.1 on multi-user systems where the Pi agent configuration directory is readable by other local users.
What to do today
Upgrade to @earendil-works/pi-coding-agent version 0.78.1 or later, and rotate any potentially exposed credentials.
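The class of race described above, as an added Node.js illustration (not Pi's code; the page does not show the actual write path). It assumes a generic write-then-chmod sequence and contrasts it with creating the file owner-only from the start; all function names, file names and the sample secret are constructed for the example.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Racy pattern: the file is created with the default mode (0666 & ~umask),
// filled with the secret, and only then tightened. Returns the mode other
// local users would see during that window.
function writeThenChmod(file, data) {
  fs.writeFileSync(file, data);
  const modeInWindow = fs.statSync(file).mode & 0o777;
  fs.chmodSync(file, 0o600);
  return modeInWindow;
}

// Hardened pattern: the temp file is 0600 from the open() call that creates
// it ('wx' = create, fail if it exists), then atomically renamed into place.
function writePrivateAtomic(file, data) {
  const tmp = `${file}.${process.pid}.tmp`;
  const fd = fs.openSync(tmp, 'wx', 0o600);
  let ok = false;
  try {
    fs.writeSync(fd, data);
    fs.fsyncSync(fd);
    ok = true;
  } finally {
    fs.closeSync(fd);
    if (!ok) fs.rmSync(tmp, { force: true }); // do not leave a partial secret behind
  }
  fs.renameSync(tmp, file);
  return fs.statSync(file).mode & 0o777;
}

// Group/other permission bits on a path; 0 means owner-only.
function exposedBits(p) {
  return fs.statSync(p).mode & 0o077;
}

// Constructed demo in a throwaway directory (mkdtemp creates it 0700).
function demo() {
  process.umask(0o022); // common default, set here so the result is deterministic
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'auth-race-demo-'));
  const secret = JSON.stringify({ apiKey: 'CONSTRUCTED-NOT-A-REAL-KEY' });
  const result = {
    racyWindowMode: writeThenChmod(path.join(dir, 'racy.json'), secret),
    atomicMode: writePrivateAtomic(path.join(dir, 'auth.json'), secret),
    dirExposedBits: exposedBits(dir),
  };
  fs.rmSync(dir, { recursive: true, force: true });
  return result;
}

console.log(demo());
```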