@codyswann/lisa 1.60.5 → 1.60.7

package/package.json

@@ -72,7 +72,7 @@
     "axios": ">=1.13.5"
   },
   "name": "@codyswann/lisa",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "exports": {

package/plugins/lisa/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "Universal governance — agents, skills, commands, hooks, and rules for all projects",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa/rules/verfication.md

@@ -184,6 +184,14 @@ This layer catches errors that span multiple files or involve staged-but-not-yet
 
 This layer validates the complete changeset against the project's quality gates. It is the last automated checkpoint before code reaches the remote.
 
+**Handling Security Audit Failures:** If `git push` fails because the pre-push hook reports security vulnerabilities (GHSA advisories), follow these steps in order:
+
+1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output.
+2. Check the advisory URL to determine if a patched version of the vulnerable package exists.
+3. If a patched version exists, add a resolution/override in `package.json` to force the patched version (add to both `"resolutions"` and `"overrides"` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push.
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only), add an exclusion entry to `audit.ignore.local.json` with the format: `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push.
+5. Never use `--no-verify` to bypass the security audit.
+
 ### Regeneration Over Patching
 
 When the root cause of errors is architectural (wrong abstraction, incorrect data flow, fundamentally broken approach), delete and regenerate rather than incrementally patching. Incremental patches on a broken foundation accumulate tech debt faster than the self-correction loop can catch it.

package/plugins/lisa-cdk/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-cdk",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "AWS CDK-specific plugin",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-expo/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-expo",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "Expo/React Native-specific skills, agents, rules, and MCP servers",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-nestjs/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-nestjs",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "NestJS-specific skills (GraphQL, TypeORM)",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-rails/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-rails",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "Ruby on Rails-specific skills, rules, and conventions",
   "author": {
     "name": "Cody Swann"

package/plugins/lisa-typescript/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "lisa-typescript",
-  "version": "1.60.5",
+  "version": "1.60.7",
   "description": "TypeScript-specific hooks — Prettier formatting, ESLint linting, and ast-grep scanning on edit",
   "author": {
     "name": "Cody Swann"

package/plugins/src/base/rules/verfication.md

@@ -184,6 +184,14 @@ This layer catches errors that span multiple files or involve staged-but-not-yet
 
 This layer validates the complete changeset against the project's quality gates. It is the last automated checkpoint before code reaches the remote.
 
+**Handling Security Audit Failures:** If `git push` fails because the pre-push hook reports security vulnerabilities (GHSA advisories), follow these steps in order:
+
+1. Note the GHSA ID(s), affected package(s), and advisory URL from the error output.
+2. Check the advisory URL to determine if a patched version of the vulnerable package exists.
+3. If a patched version exists, add a resolution/override in `package.json` to force the patched version (add to both `"resolutions"` and `"overrides"` sections), then run the package manager install command to regenerate the lockfile, commit the changes, and retry the push.
+4. If no patched version exists and the vulnerability is safe for this project (e.g., transitive dependency with no untrusted input, devDeps only, or build tool only), add an exclusion entry to `audit.ignore.local.json` with the format: `{"id": "GHSA-xxx", "package": "pkg-name", "reason": "why this is safe for this project"}`, then commit and retry the push.
+5. Never use `--no-verify` to bypass the security audit.
+
 ### Regeneration Over Patching
 
 When the root cause of errors is architectural (wrong abstraction, incorrect data flow, fundamentally broken approach), delete and regenerate rather than incrementally patching. Incremental patches on a broken foundation accumulate tech debt faster than the self-correction loop can catch it.

package/typescript/copy-overwrite/audit.ignore.config.json

@@ -46,6 +46,11 @@
       "package": "fast-xml-parser",
       "reason": "Entity encoding bypass via regex injection — same path as GHSA-jmr7-xgp7-cmfj"
     },
+    {
+      "id": "GHSA-8gc5-j5rx-235r",
+      "package": "fast-xml-parser",
+      "reason": "Numeric entity expansion bypass (incomplete fix for CVE-2026-26278) — transitive via AWS SDK, no untrusted XML parsing"
+    },
     {
       "id": "GHSA-r6q2-hw4h-h46w",
       "package": "node-tar",