@lcv-ideas-software/cross-review 4.0.5 → 4.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -7,6 +7,53 @@ standard `v00.00.00`; npm package versions remain SemVer.
7
7
 
8
8
  ## [Unreleased]
9
9
 
10
+ ## [v04.00.07] — 2026-05-16
11
+
12
+ **Patch — bounded npm registry fetch in the post-publish verifier.**
13
+ Polishes the v4.0.6 verifier so a slow or unreachable npm registry
14
+ surfaces as a deterministic abort instead of hanging the publish
15
+ workflow until the job-level `timeout-minutes: 60` ceiling.
16
+
17
+ ### Fixed
18
+
19
+ - **Registry verifier timeout** — `scripts/verify-registry-dist.mjs`
20
+ now passes `signal: AbortSignal.timeout(30_000)` to the
21
+ `https://registry.npmjs.org/<package>/<version>` `fetch` call. A
22
+ `TimeoutError` is mapped to an explicit
23
+ `"npm registry lookup for <spec> timed out after 30000 ms"` error;
24
+ other network failures are wrapped with the underlying message. No
25
+ change to the validated fields (`dist.shasum`, `dist.integrity`,
26
+ `dist.tarball`) or to the script's CLI/env contract.
27
+
28
+ ### Tests
29
+
30
+ - Extended `registry_dist_metadata_verification_test` with the
31
+ `v4.0.7 / F2` invariant: the verifier source must contain both
32
+ `AbortSignal.timeout(` and the `FETCH_TIMEOUT_MS` constant, so a
33
+ future refactor cannot silently drop the explicit fetch bound.
34
+
35
+ ## [v04.00.06] — 2026-05-16
36
+
37
+ **Patch — Windows-safe npm registry artifact verifier.** This release closes
38
+ the v4.0.5 audit's LOW Windows finding without changing the public MCP tool
39
+ surface.
40
+
41
+ ### Fixed
42
+
43
+ - **Registry verifier on Windows** —
44
+ `scripts/verify-registry-dist.mjs` no longer spawns `npm.cmd` through
45
+ `execFileSync`. Newer Node.js builds reject that batch-file spawn path with
46
+ `spawnSync npm.cmd EINVAL` on Windows after the CVE-2024-27980 hardening,
47
+ which broke local `npm --registry=https://registry.npmjs.org run
48
+ release:verify-registry` for Windows operators. The verifier now fetches
49
+ `https://registry.npmjs.org/<package>/<version>` directly and validates
50
+ `dist.shasum`, `dist.integrity`, and `dist.tarball` from the registry JSON.
51
+
52
+ ### Tests
53
+
54
+ - Extended `registry_dist_metadata_verification_test` to pin the no-spawn
55
+ invariant and require direct npm registry metadata lookup.
56
+
10
57
  ## [v04.00.05] — 2026-05-15
11
58
 
12
59
  **Patch — hard-gate close-out for the Codex v4.0.4 audit.** This release
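Review bot: the v04.00.07 "Fixed" entry quotes the bound as the literal `signal: AbortSignal.timeout(30_000)`, while the "Tests" entry below it pins the invariant on the `FETCH_TIMEOUT_MS` constant, so the entry documents a form the test does not actually guard. Quoting the constant form instead (`signal: AbortSignal.timeout(FETCH_TIMEOUT_MS)`, with the constant's value of 30000 ms stated once) keeps the changelog, the error text `"... timed out after 30000 ms"` and the pinned invariant aligned, and avoids the literal drifting from the message if the bound is retuned later. The v04.00.06 entry is fine as written; it usefully cites CVE-2024-27980 as the reason `npm.cmd` spawning via `execFileSync` now fails with `spawnSync npm.cmd EINVAL`.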
package/README.md CHANGED
@@ -21,7 +21,7 @@ npm install -g @lcv-ideas-software/cross-review
21
21
  npm install -g @lcv-ideas-software/cross-review --registry=https://npm.pkg.github.com
22
22
  ```
23
23
 
24
- **Status.** Stable. Current release: **v04.00.05** (npm package `4.0.5`). See
24
+ **Status.** Stable. Current release: **v04.00.07** (npm package `4.0.7`). See
25
25
  [CHANGELOG.md](./CHANGELOG.md) for the release history.
26
26
 
27
27
  > **Project renamed 2026-05-15.** This project was previously published as
@@ -36,6 +36,8 @@ The version history at a glance:
36
36
 
37
37
  | Release | Scope |
38
38
  |---|---|
39
+ | **`v04.00.07`** | **Patch — bounded npm registry fetch in the post-publish verifier.** `scripts/verify-registry-dist.mjs` now passes `signal: AbortSignal.timeout(30_000)` to the `https://registry.npmjs.org/<package>/<version>` `fetch` call so a slow or unreachable registry surfaces as a deterministic abort instead of hanging the publish workflow until its 60-minute ceiling. Timeouts map to an explicit `"npm registry lookup for <spec> timed out after 30000 ms"` error; the validated fields (`dist.shasum`, `dist.integrity`, `dist.tarball`) and the script CLI/env contract are unchanged. |
40
+ | **`v04.00.06`** | **Patch — Windows-safe registry verifier.** `scripts/verify-registry-dist.mjs` now queries `https://registry.npmjs.org` directly instead of spawning `npm.cmd`, closing the Windows Node hardening failure (`spawnSync npm.cmd EINVAL`) while preserving the post-publish validation of registry `dist.shasum`, `dist.integrity`, and `dist.tarball`. |
39
41
  | **`v04.00.05`** | **Patch — hard-gate close-out for the Codex v4.0.4 audit.** Clears the 6 residual findings: StepSecurity `Source-Code-Overwritten` detections for generated `dist/*` publish artifacts are suppressed against the existing narrow post-rename rule; `docs/model-selection.md` now uses the post-v4 product name, removes misleading fallback wording, and links to the real historical v2 capability-smoke report; model-selection failure text now says it keeps the configured model pin instead of the old fallback phrase; Copilot/Gemini agent instructions preserve the `cross-review-v2` → `cross-review` rename history; local tag verification is expected to use fetched remote tags; the publish workflow now records npm registry `dist.shasum` / `dist.integrity` / `dist.tarball` metadata so audits do not confuse local `npm --registry=https://registry.npmjs.org pack --dry-run` output with the published artifact identity; and `grok-4-latest` model-match accepts provider-reported dot-release aliases such as `grok-4.3` without weakening true cross-family downgrade rejection. |
40
42
  | **`v04.00.04`** | **Patch — restore prettier coverage of `src/` and `scripts/` (close audit on v4.0.3 hard-gate gap).** v4.0.3 added biome but also moved `src/**/*.ts`, `src/**/*.js`, `scripts/**/*.ts`, `scripts/**/*.js` into `.prettierignore` to dodge a biome↔prettier disagreement on dynamic-import call-style. Net effect: prettier ran against zero JS/TS under `src/`/`scripts/`, silently turning one of the four hard-gate checks into a no-op there. v4.0.4 restores full coverage and resolves the disagreement at the source — the 7 `scripts/smoke.ts` dynamic-import sites that triggered the wrap conflict were rewritten from destructure-from-call form to a 2-statement form (`const mod = await import("..."); const { A, B, C } = mod;`). Functionally identical; static type inference preserved. Both formatters now check the full JS/TS surface and pass simultaneously. |
41
43
  | **`v04.00.00`** | **Major — project renamed to `cross-review`** (drops the `-v2` suffix after the companion `cross-review-v1` project was discontinued and archived 2026-05-15). Breaking: npm package `@lcv-ideas-software/cross-review-v2` → `@lcv-ideas-software/cross-review` (old name stays on npm at `3.7.5` for historical installs); binaries `cross-review-v2` / `cross-review-v2-dashboard` → `cross-review` / `cross-review-dashboard`; env-var prefix `CROSS_REVIEW_V2_*` → `CROSS_REVIEW_*` across all config knobs that previously carried the `V2` infix (e.g. `CROSS_REVIEW_DATA_DIR`, `CROSS_REVIEW_DISABLE_CACHE_ANTHROPIC`); API-key env vars unchanged; per-host identity env vars (`CROSS_REVIEW_CALLER_TOKEN`, `CROSS_REVIEW_REQUIRE_TOKEN`) unchanged. GitHub repo URL: `LCV-Ideas-Software/cross-review-v2` → `LCV-Ideas-Software/cross-review` (auto-redirected). GitHub Pages: `cross-review-v2.lcv.dev` → `cross-review.lcv.dev`. MCP server key in host configs: operators who declared `cross-review-v2` rename to `cross-review`; after reload, MCP tool prefix becomes `mcp__cross-review__*`. Data dir migration is manual: operators copy `${HOME}/.cross-review/data_v2/*` into the new default `${HOME}/.cross-review/data/` (or set `CROSS_REVIEW_DATA_DIR` to the legacy path) — the v4.0.0 runtime reads only `CROSS_REVIEW_DATA_DIR` and does not fall back to the `_v2` suffix automatically. Preserved when copied: persisted session data, `config.json`, `host-tokens.json`, `cache_manifest.json`, archived/corrupt session dirs. Wire shape of all MCP tools, event types, convergence semantics is unchanged; all capabilities, peers, models, security defenses carry over from v3.7.5 verbatim. 504 source/script/doc text substitutions across 26 files. |
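Review bot: the new `v04.00.06` table row describes the failure only as "the Windows Node hardening failure (`spawnSync npm.cmd EINVAL`)" and drops the CVE-2024-27980 reference that the CHANGELOG entry for the same release gives; since the README table is the at-a-glance history, it should carry the same identifier so a reader can trace why the `npm.cmd` spawn path was abandoned. The `v04.00.07` row is consistent with the CHANGELOG (30_000 ms bound, 60-minute job ceiling, unchanged `dist.shasum` / `dist.integrity` / `dist.tarball` validation and CLI/env contract), so no further change is needed there.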
@@ -6207,6 +6207,9 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
6207
6207
  const script = String(pkg.scripts?.["release:verify-registry"] ?? "");
6208
6208
  assert.ok(script.includes("verify-registry-dist.mjs"), "v4.0.5 / AUDIT-6: package.json must expose release:verify-registry.");
6209
6209
  const verifyScript = fs.readFileSync(path.join(process.cwd(), "scripts", "verify-registry-dist.mjs"), "utf8");
6210
+ assert.ok(!verifyScript.includes("node:child_process"), "v4.0.6 / F1: verify-registry-dist.mjs must not spawn npm/npm.cmd; Windows Node hardening rejects npm.cmd spawn.");
6211
+ assert.ok(verifyScript.includes("https://registry.npmjs.org") && verifyScript.includes("fetch("), "v4.0.6 / F1: verify-registry-dist.mjs must query npm registry metadata directly.");
6212
+ assert.ok(verifyScript.includes("AbortSignal.timeout(") && verifyScript.includes("FETCH_TIMEOUT_MS"), "v4.0.7 / F2: verify-registry-dist.mjs must bound the npm registry fetch with an explicit AbortSignal.timeout so a slow registry surfaces as a deterministic abort instead of hanging the workflow.");
6210
6213
  for (const required of ["dist", "shasum", "integrity", "tarball"]) {
6211
6214
  assert.ok(verifyScript.includes(required), `v4.0.5 / AUDIT-6: verify-registry-dist.mjs must validate npm registry dist.${required}.`);
6212
6215
  }
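Review bot: the v4.0.7 / F2 assertion on the `+` line only checks that the verifier source contains the two substrings `AbortSignal.timeout(` and `FETCH_TIMEOUT_MS`; it does not check that the resulting signal is actually passed to the `fetch(` call, so a refactor that defines `FETCH_TIMEOUT_MS` and calls `AbortSignal.timeout(` somewhere unrelated (or leaves both in a comment) still passes while the registry lookup is unbounded again. Tightening the check to the combined form the CHANGELOG describes, for example `assert.ok(verifyScript.includes("signal: AbortSignal.timeout(FETCH_TIMEOUT_MS)"), ...)`, pins the invariant the entry actually claims. The same source-substring weakness applies to the two v4.0.6 / F1 lines: `!verifyScript.includes("node:child_process")` fails spuriously if that string appears in a comment, and `verifyScript.includes("fetch(")` passes on a commented-out call; a behavioural test that runs `scripts/verify-registry-dist.mjs` against a stub registry (one response that never completes, one with a `dist` block) would verify the timeout and the `dist.shasum` / `dist.integrity` / `dist.tarball` validation directly rather than by text matching.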