npm - circle-ir-ai - Versions diffs - 2.8.5 → 2.8.7 - Mend

circle-ir-ai 2.8.5 → 2.8.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/CHANGELOG.md +58 -0
package/package.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -5,6 +5,64 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.8.7] - 2026-06-10
+### Changed
+- **Upgrade `circle-ir` from `^3.27.1` to `^3.33.0`** — picks up
+  6 minor engine versions (3.28.0 through 3.33.0) published on
+  2026-06-10. Typecheck ✓, build ✓, 556/556 tests pass against the
+  new engine with no source changes required (no breaking API
+  surface in the bump).
+## [2.8.6] - 2026-06-10
+### Fixed
+- **#84 postmortem: parse-retry budget was entangled with HTTP retry
+  budget in v2.8.5.** Investigation after the v2.8.5 gemma3:12b
+  benchmark re-run showed an unchanged score (94/120, same 2 parse
+  errors). Inspection of the v2.8.5 verbose trail revealed:
+  ```
+  [LLM] JSON parse error (array) — parse-retry 1/1
+  [LLM] Error: This operation was aborted — retry 2/3 in 10s
+  [LLM] JSON parse error (array) — parse-retries exhausted
+  ```
+  The `parseRetries` counter in `benchmarks/runners/run-cwe-bench-java.ts`
+  was declared outside the `for (attempt...)` loop and was consumed by
+  the first parse error. When an AbortError subsequently triggered an
+  HTTP retry, the retry consumed an `attempt` slot but did not refresh
+  the parse-retry budget — so the next parse error had no budget left.
+  Fix: decoupled the two counters. Converted the loop to `while
+  (attempt <= MAX_RETRIES)` and now only HTTP-retry sites
+  (`attempt++`) consume the HTTP budget. Parse-retry `continue`
+  statements leave `attempt` untouched. Each error type now has its
+  own independent budget (max 4 HTTP attempts + 1 parse retry per
+  call). Maximum loop iterations bounded at 5.
+### Notes
+- The v2.8.6 gemma3:12b benchmark (re-run 2026-06-10) scored the
+  same 94/120 with 2 parse errors. The retry-logic fix is correct
+  but didn't recover the lost detection because gemma3:12b
+  consistently fails on the same 2 specific prompts under the
+  benchmark's actual conditions (sustained corpus load + cross-file
+  context augmentation). Standalone repros with `num_ctx=32768`
+  succeed 5/5 and 6/6 respectively, indicating the failure is
+  contextual to the runner's full augmented prompt + position in
+  the sequence rather than a logic bug.
+- The fix is the right semantic to ship regardless — removes a
+  latent bug from the retry path that would have masked any future
+  retry-recoverable failure.
+- For users seeking zero parse errors, recommend `qwen3-coder:30b`
+  (0/113 failures, 91/120 score, ~2x faster per call) over
+  `gemma3:12b` (2/109 failures, 94/120 score).
 ## [2.8.5] - 2026-06-09
 ### Fixed

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "circle-ir-ai",
-  "version": "2.8.5",
+  "version": "2.8.7",
   "description": "LLM-enhanced SAST analysis built on circle-ir",
   "main": "dist/index.js",
   "module": "dist/index.js",
@@ -94,7 +94,7 @@
   "dependencies": {
     "@ax-llm/ax": "^20.0.0",
     "@mastra/core": "^1.18.0",
-    "circle-ir": "^3.27.1",
+    "circle-ir": "^3.33.0",
     "minimatch": "^10.2.5",
     "p-queue": "^9.1.0"
   },