@lcv-ideas-software/cross-review 4.0.7 → 4.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +31 -0
- package/README.md +2 -1
- package/dist/scripts/smoke.js +4 -0
- package/dist/scripts/smoke.js.map +1 -1
- package/dist/src/core/config.d.ts +1 -1
- package/dist/src/core/config.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,37 @@ standard `v00.00.00`; npm package versions remain SemVer.
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [v04.00.08] — 2026-05-16
|
|
11
|
+
|
|
12
|
+
**Patch — eliminate the `js/file-access-to-http` CodeQL false positive
|
|
13
|
+
at the source.** Each prior release (v4.0.6, v4.0.7) re-triggered the
|
|
14
|
+
same medium-severity CodeQL alert (`scripts/verify-registry-dist.mjs`,
|
|
15
|
+
`fs.readFileSync(package.json)` → `fetch(<url with pkg.name/version>)`).
|
|
16
|
+
Three dismissals were filed (alerts #20, #21) — each new release shifted
|
|
17
|
+
the flagged line, so CodeQL filed a fresh alert. This release removes
|
|
18
|
+
the file-data → outbound-fetch flow entirely so future analyses do not
|
|
19
|
+
re-fire the rule.
|
|
20
|
+
|
|
21
|
+
### Changed
|
|
22
|
+
|
|
23
|
+
- **`scripts/verify-registry-dist.mjs`** no longer calls
|
|
24
|
+
`fs.readFileSync('package.json')`. The verifier now reads package name
|
|
25
|
+
and version from `PACKAGE_NAME` / `PACKAGE_VERSION` env vars exclusively,
|
|
26
|
+
with `npm_package_name` / `npm_package_version` (auto-injected by npm
|
|
27
|
+
when the script is invoked via `npm run release:verify-registry`) as
|
|
28
|
+
a transparent fallback. Both values are required; missing or non-string
|
|
29
|
+
values throw a clear error before any network call. The publish workflow
|
|
30
|
+
already passes both via job-level `env` (unchanged), so the registry
|
|
31
|
+
step continues to work end-to-end.
|
|
32
|
+
|
|
33
|
+
### Tests
|
|
34
|
+
|
|
35
|
+
- Added the `v4.0.8 / F3` invariant to
|
|
36
|
+
`registry_dist_metadata_verification_test`: the verifier source must
|
|
37
|
+
NOT contain `readFileSync` / `readFile(` AND must reference
|
|
38
|
+
`npm_package_name` / `npm_package_version`. Pins the no-file-read
|
|
39
|
+
contract so a future refactor cannot silently reintroduce the flow.
|
|
40
|
+
|
|
10
41
|
## [v04.00.07] — 2026-05-16
|
|
11
42
|
|
|
12
43
|
**Patch — bounded npm registry fetch in the post-publish verifier.**
|
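Review bot: the new entry says missing or non-string `PACKAGE_NAME` / `PACKAGE_VERSION` values throw before any network call, but it says nothing about validating their shape before they are interpolated into the registry URL; now that the env vars (and the `npm_package_*` fallback) are the sole source of the fetch target, the verifier should also reject values that do not look like the expected package spec (the scoped name `@lcv-ideas-software/cross-review` and a SemVer-shaped version) and the changelog should say so, otherwise the release only relocates the input the CodeQL rule flagged instead of constraining it. Minor: "Three dismissals were filed (alerts #20, #21)" lists two alert ids for three dismissals; either add the third id or reword to match.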
package/README.md
CHANGED
|
@@ -21,7 +21,7 @@ npm install -g @lcv-ideas-software/cross-review
|
|
|
21
21
|
npm install -g @lcv-ideas-software/cross-review --registry=https://npm.pkg.github.com
|
|
22
22
|
```
|
|
23
23
|
|
|
24
|
-
**Status.** Stable. Current release: **v04.00.
|
|
24
|
+
**Status.** Stable. Current release: **v04.00.08** (npm package `4.0.8`). See
|
|
25
25
|
[CHANGELOG.md](./CHANGELOG.md) for the release history.
|
|
26
26
|
|
|
27
27
|
> **Project renamed 2026-05-15.** This project was previously published as
|
|
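Review bot: the `Current release: **v04.00.08** (npm package `4.0.8`)` status line is hand-maintained and now has to agree with `package.json` and the `## [v04.00.08]` heading in `CHANGELOG.md`; consider a smoke invariant that asserts the README status line mentions the `package.json` version, in the same style as the source-text invariants in `dist/scripts/smoke.js`, so a future bump cannot leave the README stale.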
@@ -36,6 +36,7 @@ The version history at a glance:
|
|
|
36
36
|
|
|
37
37
|
| Release | Scope |
|
|
38
38
|
|---|---|
|
|
39
|
+
| **`v04.00.08`** | **Patch — eliminate the recurring `js/file-access-to-http` CodeQL false positive at the source.** `scripts/verify-registry-dist.mjs` no longer reads `package.json` from disk; package name and version come from `PACKAGE_NAME` / `PACKAGE_VERSION` env vars (with `npm_package_name` / `npm_package_version` auto-injected by npm as a transparent fallback when invoked via `npm run release:verify-registry`). Both inputs are required; missing values throw a clear error before any network call. Removing the `fs.readFileSync` → outbound-fetch flow stops future CodeQL analyses from re-filing the same alert on every release. |
|
|
39
40
|
| **`v04.00.07`** | **Patch — bounded npm registry fetch in the post-publish verifier.** `scripts/verify-registry-dist.mjs` now passes `signal: AbortSignal.timeout(30_000)` to the `https://registry.npmjs.org/<package>/<version>` `fetch` call so a slow or unreachable registry surfaces as a deterministic abort instead of hanging the publish workflow until its 60-minute ceiling. Timeouts map to an explicit `"npm registry lookup for <spec> timed out after 30000 ms"` error; the validated fields (`dist.shasum`, `dist.integrity`, `dist.tarball`) and the script CLI/env contract are unchanged. |
|
|
40
41
|
| **`v04.00.06`** | **Patch — Windows-safe registry verifier.** `scripts/verify-registry-dist.mjs` now queries `https://registry.npmjs.org` directly instead of spawning `npm.cmd`, closing the Windows Node hardening failure (`spawnSync npm.cmd EINVAL`) while preserving the post-publish validation of registry `dist.shasum`, `dist.integrity`, and `dist.tarball`. |
|
|
41
42
|
| **`v04.00.05`** | **Patch — hard-gate close-out for the Codex v4.0.4 audit.** Clears the 6 residual findings: StepSecurity `Source-Code-Overwritten` detections for generated `dist/*` publish artifacts are suppressed against the existing narrow post-rename rule; `docs/model-selection.md` now uses the post-v4 product name, removes misleading fallback wording, and links to the real historical v2 capability-smoke report; model-selection failure text now says it keeps the configured model pin instead of the old fallback phrase; Copilot/Gemini agent instructions preserve the `cross-review-v2` → `cross-review` rename history; local tag verification is expected to use fetched remote tags; the publish workflow now records npm registry `dist.shasum` / `dist.integrity` / `dist.tarball` metadata so audits do not confuse local `npm --registry=https://registry.npmjs.org pack --dry-run` output with the published artifact identity; and `grok-4-latest` model-match accepts provider-reported dot-release aliases such as `grok-4.3` without weakening true cross-family downgrade rejection. |
|
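Review bot: the new `v04.00.08` row restates the entire changelog entry in one table cell, which makes the at-a-glance table hard to scan; trim it to the one-sentence summary (no longer reads `package.json` from disk; name and version come from `PACKAGE_NAME` / `PACKAGE_VERSION` env vars with the npm-injected fallback) and leave the CodeQL dismissal history to `CHANGELOG.md`, which the README already links from the status line.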
package/dist/scripts/smoke.js
CHANGED
|
@@ -6210,6 +6210,10 @@ assert.equal(Object.hasOwn(metrics.decision_quality, "undefined"), false);
|
|
|
6210
6210
|
assert.ok(!verifyScript.includes("node:child_process"), "v4.0.6 / F1: verify-registry-dist.mjs must not spawn npm/npm.cmd; Windows Node hardening rejects npm.cmd spawn.");
|
|
6211
6211
|
assert.ok(verifyScript.includes("https://registry.npmjs.org") && verifyScript.includes("fetch("), "v4.0.6 / F1: verify-registry-dist.mjs must query npm registry metadata directly.");
|
|
6212
6212
|
assert.ok(verifyScript.includes("AbortSignal.timeout(") && verifyScript.includes("FETCH_TIMEOUT_MS"), "v4.0.7 / F2: verify-registry-dist.mjs must bound the npm registry fetch with an explicit AbortSignal.timeout so a slow registry surfaces as a deterministic abort instead of hanging the workflow.");
|
|
6213
|
+
assert.ok(!verifyScript.includes("readFileSync") &&
|
|
6214
|
+
!verifyScript.includes("readFile(") &&
|
|
6215
|
+
verifyScript.includes("npm_package_name") &&
|
|
6216
|
+
verifyScript.includes("npm_package_version"), "v4.0.8 / F3: verify-registry-dist.mjs must not read package.json from disk; PACKAGE_NAME/PACKAGE_VERSION come from env (or npm-script-injected npm_package_name/version). Removing the file-data → fetch flow kills the recurring js/file-access-to-http CodeQL false positive at the source.");
|
|
6213
6217
|
for (const required of ["dist", "shasum", "integrity", "tarball"]) {
|
|
6214
6218
|
assert.ok(verifyScript.includes(required), `v4.0.5 / AUDIT-6: verify-registry-dist.mjs must validate npm registry dist.${required}.`);
|
|
6215
6219
|
}
|
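Review bot: the new `v4.0.8 / F3` assertion folds four independent conditions into a single `assert.ok(... && ... && ... && ...)`, so when it fails the message cannot say which of `readFileSync`, `readFile(`, `npm_package_name` or `npm_package_version` was the culprit; split it into four `assert.ok` calls with their own messages, as the `v4.0.6 / F1` lines above do. Second, the negative checks are substring matches on source text: a comment that merely mentions `readFileSync` would fail the invariant, while `import pkg from "./package.json" with { type: "json" }` or `fs.createReadStream(` would reintroduce a disk read without tripping either string; consider also asserting that the literal `package.json` no longer appears in `verifyScript`, since that file is where the flagged file-data → fetch flow actually starts.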