alvin-bot 5.1.0 → 5.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +30 -0
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
@@ -2,6 +2,36 @@
 
 All notable changes to Alvin Bot are documented here.
 
+## [5.1.1] — 2026-05-13
+
+### Audit baseline cleanup — 16 → 6 vulnerabilities via safe fixes
+
+Ran `npm audit fix` (no `--force`) on the lockfile. Cleared 10 of 16 findings: the protobufjs top-level (axios pollution, basic-ftp CRLF, fast-uri path traversal, xmldom DoS, hono jsx/cache, ip-address XSS, postcss XSS, follow-redirects header leak, and the protobufjs vuln at the package root — but **not** the nested copy inside `libsignal-node`). No source-code changes; build + privacy clean; vitest passes 542/543 (one pre-existing flaky port-binding test, unrelated to this change).
+
+### Remaining 6 — documented as known/deferred baseline
+
+These are tracked, not blocking, with an honest paper trail in `.github/workflows/security-audit.yml`:
+
+| Sev | Package | Why deferred |
+|---|---|---|
+| critical | `protobufjs@6.8.8` (nested) | Pinned by `@whiskeysockets/libsignal-node` (custom git fork). Forcing an `npm override` to newer protobufjs would touch Signal-Protocol parsing → high breakage risk. Awaits whiskeysockets upstream. **Only reachable with `WHATSAPP_ENABLED=true`** — dead code for the typical user. |
+| high | `electron <=39.8.4` | devDependency only — affects the DMG-build path, not the npm-CLI runtime users. Major bump 35→42 = breaking, scheduled separately when DMG release is next prepared. |
+| moderate × 4 | derived | `@anthropic-ai/sdk` + `claude-agent-sdk` await Anthropic minor; `baileys` + `libsignal-node` carry the protobufjs upstream lag. |
+
+### CI audit workflow — documents the baseline
+
+`.github/workflows/security-audit.yml` keeps `continue-on-error: true` on the audit step (PRs not blocked on the documented baseline), but the workflow header now spells out exactly what's tracked, why each is deferred, and what would unblock removal of the soft-fail flag.
+
+### Stale Dependabot PRs closed
+
+The 8 open Dependabot PRs (#10–#17) were opened against the pre-audit-fix lockfile state. Closed all with a redirect comment; Dependabot will reconsider against the cleaned-up baseline at its next scheduled Monday run. Closing them avoids tedious merge-conflict resolution on each.
+
+### What didn't change
+
+- No source code edits — pure dependency-tree pruning
+- No npm audit fix `--force` — every applied bump is within existing semver ranges
+- Bot runtime behavior identical to 5.1.0; verified on .75 (Pre-Flight green, all permissions detection works, bot online via launchd)
+
 ## [5.1.0] — 2026-05-13
 
 ### Permissions Wizard — guided one-and-done macOS setup
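Review bot: keeping `continue-on-error: true` on the audit step (the "CI audit workflow" paragraph) means the workflow also soft-fails on any new advisory, not only on the six listed in the table, so the documented baseline is described but not enforced; consider having the step fail only when `npm audit --json` reports an advisory outside an allowlist of those six, which also gives the concrete trigger for dropping the soft-fail flag that the header promises. Two smaller points in the same hunk: in the "Cleared 10 of 16 findings" sentence the parenthetical reads as though axios, basic-ftp and the rest are sub-items of the protobufjs top-level finding, and it enumerates nine entries unless "hono jsx/cache" counts as two, so a plain list of the ten cleared advisories would be clearer; and "verified on .75" in the last bullet is a private shorthand, so spell out the host or environment it names.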