@lcv-ideas-software/cross-review 4.0.6 → 4.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +56 -0
- package/README.md +3 -1
- package/dist/scripts/smoke.js +5 -0
- package/dist/scripts/smoke.js.map +1 -1
- package/dist/src/core/config.d.ts +1 -1
- package/dist/src/core/config.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,62 @@ standard `v00.00.00`; npm package versions remain SemVer.
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [v04.00.08] — 2026-05-16
|
|
11
|
+
|
|
12
|
+
**Patch — eliminate the `js/file-access-to-http` CodeQL false positive
|
|
13
|
+
at the source.** Each prior release (v4.0.6, v4.0.7) re-triggered the
|
|
14
|
+
same medium-severity CodeQL alert (`scripts/verify-registry-dist.mjs`,
|
|
15
|
+
`fs.readFileSync(package.json)` → `fetch(<url with pkg.name/version>)`).
|
|
16
|
+
Three dismissals were filed (alerts #20, #21) — each new release shifted
|
|
17
|
+
the flagged line, so CodeQL filed a fresh alert. This release removes
|
|
18
|
+
the file-data → outbound-fetch flow entirely so future analyses do not
|
|
19
|
+
re-fire the rule.
|
|
20
|
+
|
|
21
|
+
### Changed
|
|
22
|
+
|
|
23
|
+
- **`scripts/verify-registry-dist.mjs`** no longer calls
|
|
24
|
+
`fs.readFileSync('package.json')`. The verifier now reads package name
|
|
25
|
+
and version from `PACKAGE_NAME` / `PACKAGE_VERSION` env vars exclusively,
|
|
26
|
+
with `npm_package_name` / `npm_package_version` (auto-injected by npm
|
|
27
|
+
when the script is invoked via `npm run release:verify-registry`) as
|
|
28
|
+
a transparent fallback. Both values are required; missing or non-string
|
|
29
|
+
values throw a clear error before any network call. The publish workflow
|
|
30
|
+
already passes both via job-level `env` (unchanged), so the registry
|
|
31
|
+
step continues to work end-to-end.
|
|
32
|
+
|
|
33
|
+
### Tests
|
|
34
|
+
|
|
35
|
+
- Added the `v4.0.8 / F3` invariant to
|
|
36
|
+
`registry_dist_metadata_verification_test`: the verifier source must
|
|
37
|
+
NOT contain `readFileSync` / `readFile(` AND must reference
|
|
38
|
+
`npm_package_name` / `npm_package_version`. Pins the no-file-read
|
|
39
|
+
contract so a future refactor cannot silently reintroduce the flow.
|
|
40
|
+
|
|
41
|
+
## [v04.00.07] — 2026-05-16
|
|
42
|
+
|
|
43
|
+
**Patch — bounded npm registry fetch in the post-publish verifier.**
|
|
44
|
+
Polishes the v4.0.6 verifier so a slow or unreachable npm registry
|
|
45
|
+
surfaces as a deterministic abort instead of hanging the publish
|
|
46
|
+
workflow until the job-level `timeout-minutes: 60` ceiling.
|
|
47
|
+
|
|
48
|
+
### Fixed
|
|
49
|
+
|
|
50
|
+
- **Registry verifier timeout** — `scripts/verify-registry-dist.mjs`
|
|
51
|
+
now passes `signal: AbortSignal.timeout(30_000)` to the
|
|
52
|
+
`https://registry.npmjs.org/<package>/<version>` `fetch` call. A
|
|
53
|
+
`TimeoutError` is mapped to an explicit
|
|
54
|
+
`"npm registry lookup for <spec> timed out after 30000 ms"` error;
|
|
55
|
+
other network failures are wrapped with the underlying message. No
|
|
56
|
+
change to the validated fields (`dist.shasum`, `dist.integrity`,
|
|
57
|
+
`dist.tarball`) or to the script's CLI/env contract.
|
|
58
|
+
|
|
59
|
+
### Tests
|
|
60
|
+
|
|
61
|
+
- Extended `registry_dist_metadata_verification_test` with the
|
|
62
|
+
`v4.0.7 / F2` invariant: the verifier source must contain both
|
|
63
|
+
`AbortSignal.timeout(` and the `FETCH_TIMEOUT_MS` constant, so a
|
|
64
|
+
future refactor cannot silently drop the explicit fetch bound.
|
|
65
|
+
|
|
10
66
|
## [v04.00.06] — 2026-05-16
|
|
11
67
|
|
|
12
68
|
**Patch — Windows-safe npm registry artifact verifier.** This release closes
|
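Review bot: the dismissal count in the v04.00.08 paragraph does not match the alerts it lists: "Three dismissals were filed (alerts #20, #21)" names two alert numbers, so either a third number is missing or the count is wrong; make them agree so the CodeQL audit trail can be reconstructed from the changelog. Separately, now that the registry URL is built from `PACKAGE_NAME` / `PACKAGE_VERSION` (or the npm-injected fallbacks), the ### Changed entry should say whether both values are checked against npm's package-name and SemVer shape, or URL-encoded, before interpolation into `https://registry.npmjs.org/<package>/<version>`; "missing or non-string values throw a clear error" covers absence, not content. The ### Tests entry also describes a source-text invariant (no `readFileSync` / `readFile(`) rather than a behavioural one; worth noting that other file-read paths such as `createReadStream` or a JSON `import` of package.json fall outside it.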
package/README.md
CHANGED
|
@@ -21,7 +21,7 @@ npm install -g @lcv-ideas-software/cross-review
|
|
|
21
21
|
npm install -g @lcv-ideas-software/cross-review --registry=https://npm.pkg.github.com
|
|
22
22
|
```
|
|
23
23
|
|
|
24
|
-
**Status.** Stable. Current release: **v04.00.
|
|
24
|
+
**Status.** Stable. Current release: **v04.00.08** (npm package `4.0.8`). See
|
|
25
25
|
[CHANGELOG.md](./CHANGELOG.md) for the release history.
|
|
26
26
|
|
|
27
27
|
> **Project renamed 2026-05-15.** This project was previously published as
|
|
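Review bot: the removed line is cut off in this rendering ("**v04.00.") so the previous release string cannot be confirmed from the hunk itself; the replacement "**v04.00.08** (npm package `4.0.8`)" is consistent with the `package.json` change listed at the top of the diff. Style point: this status line and the release table below both carry the version by hand, and all three releases in this diff are dated 2026-05-16; a release-time check that the README's current-release string equals the `package.json` version would stop the two drifting between same-day patches.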
@@ -36,6 +36,8 @@ The version history at a glance:
|
|
|
36
36
|
|
|
37
37
|
| Release | Scope |
|
|
38
38
|
|---|---|
|
|
39
|
+
| **`v04.00.08`** | **Patch — eliminate the recurring `js/file-access-to-http` CodeQL false positive at the source.** `scripts/verify-registry-dist.mjs` no longer reads `package.json` from disk; package name and version come from `PACKAGE_NAME` / `PACKAGE_VERSION` env vars (with `npm_package_name` / `npm_package_version` auto-injected by npm as a transparent fallback when invoked via `npm run release:verify-registry`). Both inputs are required; missing values throw a clear error before any network call. Removing the `fs.readFileSync` → outbound-fetch flow stops future CodeQL analyses from re-filing the same alert on every release. |
|
|
40
|
+
| **`v04.00.07`** | **Patch — bounded npm registry fetch in the post-publish verifier.** `scripts/verify-registry-dist.mjs` now passes `signal: AbortSignal.timeout(30_000)` to the `https://registry.npmjs.org/<package>/<version>` `fetch` call so a slow or unreachable registry surfaces as a deterministic abort instead of hanging the publish workflow until its 60-minute ceiling. Timeouts map to an explicit `"npm registry lookup for <spec> timed out after 30000 ms"` error; the validated fields (`dist.shasum`, `dist.integrity`, `dist.tarball`) and the script CLI/env contract are unchanged. |
|
|
39
41
|
| **`v04.00.06`** | **Patch — Windows-safe registry verifier.** `scripts/verify-registry-dist.mjs` now queries `https://registry.npmjs.org` directly instead of spawning `npm.cmd`, closing the Windows Node hardening failure (`spawnSync npm.cmd EINVAL`) while preserving the post-publish validation of registry `dist.shasum`, `dist.integrity`, and `dist.tarball`. |
|
|
40
42
|
| **`v04.00.05`** | **Patch — hard-gate close-out for the Codex v4.0.4 audit.** Clears the 6 residual findings: StepSecurity `Source-Code-Overwritten` detections for generated `dist/*` publish artifacts are suppressed against the existing narrow post-rename rule; `docs/model-selection.md` now uses the post-v4 product name, removes misleading fallback wording, and links to the real historical v2 capability-smoke report; model-selection failure text now says it keeps the configured model pin instead of the old fallback phrase; Copilot/Gemini agent instructions preserve the `cross-review-v2` → `cross-review` rename history; local tag verification is expected to use fetched remote tags; the publish workflow now records npm registry `dist.shasum` / `dist.integrity` / `dist.tarball` metadata so audits do not confuse local `npm --registry=https://registry.npmjs.org pack --dry-run` output with the published artifact identity; and `grok-4-latest` model-match accepts provider-reported dot-release aliases such as `grok-4.3` without weakening true cross-family downgrade rejection. |
|
|
41
43
|
| **`v04.00.04`** | **Patch — restore prettier coverage of `src/` and `scripts/` (close audit on v4.0.3 hard-gate gap).** v4.0.3 added biome but also moved `src/**/*.ts`, `src/**/*.js`, `scripts/**/*.ts`, `scripts/**/*.js` into `.prettierignore` to dodge a biome↔prettier disagreement on dynamic-import call-style. Net effect: prettier ran against zero JS/TS under `src/`/`scripts/`, silently turning one of the four hard-gate checks into a no-op there. v4.0.4 restores full coverage and resolves the disagreement at the source — the 7 `scripts/smoke.ts` dynamic-import sites that triggered the wrap conflict were rewritten from destructure-from-call form to a 2-statement form (`const mod = await import("..."); const { A, B, C } = mod;`). Functionally identical; static type inference preserved. Both formatters now check the full JS/TS surface and pass simultaneously. |
|
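Review bot: the v04.00.08 row calls `npm_package_name` / `npm_package_version` a "transparent fallback", which means a workflow that drops the job-level `PACKAGE_NAME` / `PACKAGE_VERSION` env would not fail but would silently verify whatever package.json `npm run` happened to be executed from; suggest the verifier log which source it resolved name and version from so a misconfiguration is visible in the publish log. Also, the v04.00.07 row repeats the literal `"npm registry lookup for <spec> timed out after 30000 ms"` message that the CHANGELOG hunk already quotes, so the string now has to be kept in sync in three places (script, CHANGELOG, README); consider referencing the changelog entry instead of duplicating it.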
package/dist/scripts/smoke.js
CHANGED
|
@@ -6209,6 +6209,11 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
|
|
|
6209
6209
|
const verifyScript = fs.readFileSync(path.join(process.cwd(), "scripts", "verify-registry-dist.mjs"), "utf8");
|
|
6210
6210
|
assert.ok(!verifyScript.includes("node:child_process"), "v4.0.6 / F1: verify-registry-dist.mjs must not spawn npm/npm.cmd; Windows Node hardening rejects npm.cmd spawn.");
|
|
6211
6211
|
assert.ok(verifyScript.includes("https://registry.npmjs.org") && verifyScript.includes("fetch("), "v4.0.6 / F1: verify-registry-dist.mjs must query npm registry metadata directly.");
|
|
6212
|
+
assert.ok(verifyScript.includes("AbortSignal.timeout(") && verifyScript.includes("FETCH_TIMEOUT_MS"), "v4.0.7 / F2: verify-registry-dist.mjs must bound the npm registry fetch with an explicit AbortSignal.timeout so a slow registry surfaces as a deterministic abort instead of hanging the workflow.");
|
|
6213
|
+
assert.ok(!verifyScript.includes("readFileSync") &&
|
|
6214
|
+
!verifyScript.includes("readFile(") &&
|
|
6215
|
+
verifyScript.includes("npm_package_name") &&
|
|
6216
|
+
verifyScript.includes("npm_package_version"), "v4.0.8 / F3: verify-registry-dist.mjs must not read package.json from disk; PACKAGE_NAME/PACKAGE_VERSION come from env (or npm-script-injected npm_package_name/version). Removing the file-data → fetch flow kills the recurring js/file-access-to-http CodeQL false positive at the source.");
|
|
6212
6217
|
for (const required of ["dist", "shasum", "integrity", "tarball"]) {
|
|
6213
6218
|
assert.ok(verifyScript.includes(required), `v4.0.5 / AUDIT-6: verify-registry-dist.mjs must validate npm registry dist.${required}.`);
|
|
6214
6219
|
}
|