v0.2.2 — Security Hardening & Scraper Cleanup

Docs version: v0.1.11 | GitHub Releases | CHANGELOG.md

RugbyClaw v0.2.2 strips ~15,000 lines of fragile HTML scraping code and hardens the codebase with 6 targeted fixes.

Changed

  • API-Sports is now the sole required data source for standings. The scraper cascade (all.rugby, premiershiprugby.com, stats.unitedrugby.com) has been completely removed. ESPN enrichment remains as a silent, optional layer for bonus point data.
  • Config and state files are now written with owner-only permissions (0o600), matching secrets.json.

Security

  • SSRF protection: RUGBYCLAW_PROXY_URL now validates HTTPS and blocks private/internal hosts (169.254.x, 10.x, 192.168.x, localhost, .internal, .local).
  • Cache path traversal fix — cache filenames are validated against a strict hex pattern before any filesystem operation. A corrupted index can no longer read or delete files outside the cache directory.
  • EPCR season fix — Champions Cup and Challenge Cup no longer return stale previous-season data during January–June. Season fallback logic now tries the current season first.
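
A sketch of the kind of check the SSRF item describes, as an added example rather than RugbyClaw's own code. It assumes "validates HTTPS" means the scheme must be https, covers the hosts listed in the release note, and goes beyond that list with loopback, 172.16.0.0/12, 0.0.0.0/8 and IPv6 literals; the name validateProxyUrl and its return shape are hypothetical.

```javascript
// Added example; not RugbyClaw's code. Names and return shape are hypothetical.
const BLOCKED_SUFFIXES = ['.internal', '.local', '.localhost'];

// [first octet, second-octet min, second-octet max]
const BLOCKED_V4 = [
  [10, 0, 255],     // 10.x (release note)
  [169, 254, 254],  // 169.254.x link-local / cloud metadata (release note)
  [192, 168, 168],  // 192.168.x (release note)
  [127, 0, 255],    // loopback (added here)
  [172, 16, 31],    // 172.16.0.0/12 (added here)
  [0, 0, 255],      // "this network" (added here)
];

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function validateProxyUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'not a valid URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };

  // The WHATWG parser lowercases the host and rewrites hex, octal and
  // integer IPv4 forms (0x0a.0.0.1, 167772161) to dotted decimal.
  const host = url.hostname.replace(/\.$/, ''); // drop a trailing root dot
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literal not allowed' };
  if (host === 'localhost' || BLOCKED_SUFFIXES.some((s) => host.endsWith(s))) {
    return { ok: false, reason: 'internal hostname' };
  }
  const ip = parseIPv4(host);
  if (ip && BLOCKED_V4.some(([a, lo, hi]) => ip[0] === a && ip[1] >= lo && ip[1] <= hi)) {
    return { ok: false, reason: 'private or internal address' };
  }
  return { ok: true, host };
}
```

A string check like this does not cover a public hostname that resolves to a private address; covering that case means resolving the name and re-checking the address actually connected to.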

Fixed

  • --limit with non-numeric values now shows a clear error instead of silently returning empty output.
  • API error responses with nested objects now render as readable JSON instead of [object Object].

Removed

  • 3 HTML scraper providers: allrugby-standings, prem-standings, urc-standings
  • 10 HTML test fixture snapshots
  • 2 scraper-only test files

Stats

+239 lines / −15,318 lines. 103 tests passing across 35 test files.

Install / Update

npm install -g rugbyclaw@latest