
Improper Link Resolution Before File Access ('Link Following')

CVE-2026-45539

Severity High
Score 7.4/10

Summary

Microsoft APM is an open-source, community-driven dependency manager for AI agents. In versions from 0.5.4 through 0.12.4, two primitive integrators in apm-cli enumerate package files with bare 'Path.glob()' / 'Path.rglob()' calls and read each match with 'Path.read_text()', transparently following symbolic links. A symlink committed inside a remote APM dependency under '.apm/prompts/<x>.prompt.md' or '.apm/agents/<x>.agent.md' is preserved verbatim into 'apm_modules/' on clone and then dereferenced during integration, with the resolved content written as a regular file into the project's deploy directories. The package 'content_hash', the pre-deploy SecurityGate scan, and apm audit do not flag this. The deploy roots are not added to the auto-generated '.gitignore', so the resulting files are staged by git add by default. This vulnerability is fixed in 0.13.0.
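The mechanism in the summary, shown as an added example rather than apm-cli's own code: a minimal "integrator" written in the same pattern the advisory describes (bare `Path.glob()` followed by `Path.read_text()`), beside a hardened version that refuses symlinks and any match whose resolved path leaves the package root. The function names, the `evil-pkg` fixture, the `outside/secret.txt` target and the `LinkFollowingError` type are all illustrative assumptions; only the `.apm/prompts/<x>.prompt.md` layout comes from the advisory.

```python
"""Added example, not code from apm-cli. Demonstrates CWE-59 in a glob()/read_text()
integrator and one way to harden it. Names and the fixture tree are constructed."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


def collect_prompts_vulnerable(package_root: Path) -> dict[str, str]:
    """Pattern from the advisory: enumerate .apm/prompts/*.prompt.md with a bare
    glob() and read each match with read_text(). Both calls follow symlinks, so a
    symlink committed in the package is dereferenced and the target's content is
    returned as if it were package content."""
    out: dict[str, str] = {}
    for p in (package_root / ".apm" / "prompts").glob("*.prompt.md"):
        out[p.name] = p.read_text()
    return out


class LinkFollowingError(ValueError):
    """Raised (assumed name) when a package entry is, or passes through, a link."""


def collect_prompts_hardened(package_root: Path) -> dict[str, str]:
    """Same enumeration, but each match must be a regular file that is not a
    symlink and whose fully resolved path stays under the resolved package root.
    The resolve() check also catches a symlinked parent directory such as
    .apm/prompts itself pointing elsewhere, which is_symlink() on the leaf misses."""
    root = package_root.resolve(strict=True)
    out: dict[str, str] = {}
    for p in (root / ".apm" / "prompts").glob("*.prompt.md"):
        if p.is_symlink():
            raise LinkFollowingError(f"symlink in package: {p.relative_to(root)}")
        real = p.resolve(strict=True)
        if not real.is_relative_to(root):  # Python 3.9+
            raise LinkFollowingError(f"{p.relative_to(root)} resolves outside package")
        if not real.is_file():
            continue
        # O_NOFOLLOW closes the TOCTOU window between is_symlink() and open() for the
        # final path component; the resolve() check above still covers parent dirs.
        fd = os.open(p, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
        with os.fdopen(fd, "r", encoding="utf-8") as fh:
            out[p.name] = fh.read()
    return out


def build_demo_tree(base: Path) -> Path:
    """Constructed fixture: a dependency under apm_modules/ containing one legitimate
    prompt and one symlink pointing at a file outside the package."""
    secret = base / "outside" / "secret.txt"
    secret.parent.mkdir(parents=True)
    secret.write_text("sensitive content\n")
    prompts = base / "apm_modules" / "evil-pkg" / ".apm" / "prompts"
    prompts.mkdir(parents=True)
    (prompts / "legit.prompt.md").write_text("# legit prompt\n")
    (prompts / "leak.prompt.md").symlink_to(secret)
    return prompts.parent.parent


def demo() -> tuple[dict[str, str], str | None]:
    """Run both integrators over the fixture: (what the vulnerable one read,
    the error the hardened one raised or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = build_demo_tree(Path(tmp))
        leaked = collect_prompts_vulnerable(pkg)
        try:
            collect_prompts_hardened(pkg)
            err: str | None = None
        except LinkFollowingError as exc:
            err = str(exc)
        return leaked, err


if __name__ == "__main__":
    leaked, err = demo()
    print("vulnerable integrator read:", leaked)
    print("hardened integrator raised:", err)
```

Running it shows the vulnerable integrator returning `sensitive content` under the key `leak.prompt.md`, exactly the content that would then be written out as a regular file into a deploy directory, while the hardened version aborts on the symlink before reading anything through it. Rejecting rather than skipping is deliberate: a package that ships links is malformed, and silently dropping the entry would let the rest of the package integrate.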

CVSS base metrics

  • Attack complexity: LOW
  • Attack vector: NETWORK
  • Privileges required: NONE
  • Scope: CHANGED
  • User interaction: REQUIRED
  • Confidentiality: NONE
  • Integrity: HIGH
  • Availability: NONE

CWE-59 - Improper Link Resolution Before File Access

'Improper link resolution before file access' occurs when software accesses a file resource but fails to verify that the file isn't a link or shortcut to another file. An attacker can potentially gain access to arbitrary files and from there the impact can vary, depending on the application, from sensitive data exposure to remote code execution.
