@poolzin/pool-bot 2026.1.36 → 2026.1.38

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/dist/build-info.json +3 -3
  3. package/package.json +2 -4
package/CHANGELOG.md CHANGED
@@ -5,6 +5,34 @@ All notable changes to Pool Bot will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [2026.1.38] - 2026-02-07
9
+
10
+ ### 🔒 Security: Bump hono to fix 4 moderate CVEs
11
+
12
+ - **hono 4.11.4 → 4.11.8** — fixes GHSA-9r54-q6cx-xmh5 (XSS via ErrorBoundary), GHSA-6wqw-2p9w-4vw4 (cache middleware ignores Cache-Control: private), GHSA-r354-f388-2fhh (IPv4 validation bypass in IP restriction middleware), GHSA-w332-q679-j88p (arbitrary key read in serve-static Cloudflare adapter).
13
+ - npm audit: 10 → 6 vulnerabilities (4 moderate hono CVEs eliminated).
14
+
15
+ ---
16
+
17
+ ## [2026.1.37] - 2026-02-07
18
+
19
+ ### 🔒 Security: Remove node-llama-cpp, fix tar vulnerability
20
+
21
+ #### Vulnerabilities Fixed
22
+ - **tar ≤7.5.6 (5× HIGH):** Removed `node-llama-cpp` from `optionalDependencies`, eliminating the entire `tar → cmake-js → node-llama-cpp` vulnerability chain. Updated `tar` override from 7.5.4 → 7.5.7.
23
+
24
+ #### Changes
25
+ - Removed `node-llama-cpp` 3.15.0 from `optionalDependencies` (matching upstream openclaw approach). Local embeddings still work if users install `node-llama-cpp` manually — the dynamic `import()` fallback to OpenAI/Gemini remains unchanged.
26
+ - Fixed `extensions/memory-core/package.json` — added `poolbot` as `devDependency` to resolve `pnpm install` failure from `autoInstallPeers`.
27
+ - Lockfile: removed ~1,300 lines of native dependency entries (`node-llama-cpp`, `cmake-js`, `@node-llama-cpp/*` platform binaries).
28
+
29
+ #### Impact
30
+ - npm audit: 15 → 10 vulnerabilities (5 high eliminated)
31
+ - Install size reduced (no more cmake-js + native compilation toolchain)
32
+ - Zero code changes — all source files unchanged; only dependency configuration
33
+
34
+ ---
35
+
8
36
  ## [2026.1.35] - 2026-02-06
9
37
 
10
38
  ### 📦 Stability Snapshot
package/dist/build-info.json CHANGED
@@ -1,5 +1,5 @@
1
1
  {
2
- "version": "2026.1.36",
3
- "commit": "4ba77f299de746c0d8fdb7f3f3cdef24b8de4f3f",
4
- "builtAt": "2026-02-07T21:20:04.308Z"
2
+ "version": "2026.1.38",
3
+ "commit": "81a36d3e7fbb666876601f4843b977bdde5ddad5",
4
+ "builtAt": "2026-02-07T23:11:04.554Z"
5
5
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@poolzin/pool-bot",
3
- "version": "2026.1.36",
3
+ "version": "2026.1.38",
4
4
  "description": "🎱 Pool Bot - AI assistant with PLCODE integrations",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",
@@ -207,8 +207,7 @@
207
207
  "zod": "^4.3.6"
208
208
  },
209
209
  "optionalDependencies": {
210
- "@napi-rs/canvas": "^0.1.88",
211
- "node-llama-cpp": "3.15.0"
210
+ "@napi-rs/canvas": "^0.1.88"
212
211
  },
213
212
  "devDependencies": {
214
213
  "@grammyjs/types": "^3.23.0",
@@ -240,7 +239,6 @@
240
239
  "wireit": "^0.14.12"
241
240
  },
242
241
  "overrides": {
243
- "hono": "4.11.8",
244
242
  "tar": "7.5.7"
245
243
  },
246
244
  "pnpm": {