claude-threads 1.5.1 → 1.6.2

package/CHANGELOG.md

@@ -5,6 +5,50 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.6.2] - 2026-04-20
+
+### Fixed
+- **MCP server path resolution in bundled builds** - Fixes `__dirname` resolution when the project is bundled with `bun build` into a single `dist/index.js` (#316)
+- **CLAUDE_THREADS_INTERACTIVE forwarding to daemon subprocess** - Parent no longer falsely advertises a TTY to the piped-stdio child in daemon mode (#312, #317)
+- **Sticky message test regex** - Updated to match the actual header format (#319)
+- **Flaky permissions integration test** - Uses pattern-based waits instead of fixed post counts to tolerate intermittent CI 500s (#320)
+
+### Security
+- **Override path-to-regexp to >=8.4.0** - Fixes CVE-2026-4926 (HIGH severity DoS) pulled in transitively via @modelcontextprotocol/sdk → express → router (#318)
+- **Bump hono to 4.12.14** - Fixes GHSA-458j-xx4x-4375 (improper JSX attribute name handling in hono/jsx SSR) (#324)
+
+### Dependencies
+- **Bump production dependencies** - @hono/node-server, hono, @redactpii/node, react (#311, #326)
+- **Bump dev dependencies** - @types/yazl, @types/bun, @types/node, prettier, typescript-eslint (#310, #322)
+- **Bump CI actions** - actions/upload-pages-artifact 4 to 5 (#321)
+
+## [1.6.1] - 2026-04-07
+
+### Security
+- **Bump path-to-regexp to 8.4.0** - Fixes CVE-2026-4926 (DoS via malicious route patterns) (#303)
+
+### Dependencies
+- **Bump production dependencies** - @hono/node-server, @modelcontextprotocol/sdk, express-rate-limit, yauzl (#308)
+- **Bump dev dependencies** - TypeScript 5.9 to 6.0, @types/bun, @types/node, @types/react, lint-staged, typescript-eslint (#309)
+- **Bump CI actions** - actions/configure-pages 5 to 6, actions/deploy-pages 4 to 5, schneegans/dynamic-badges-action 1.7 to 1.8 (#304, #305, #306)
+
+## [1.6.0] - 2026-03-27
+
+### Added
+- **Windows compatibility** - Process spawning now works on Windows via Git Bash or WSL (#295)
+
+### Fixed
+- **False headless detection via daemon** - Bot no longer incorrectly activates headless mode when spawned by the auto-restart daemon. The daemon runs the child as a background job which stripped TTY assignment; now the parent's TTY status is forwarded via environment variable (#299, #300)
+
+### Security
+- **Override picomatch to >=2.3.2** - Fixes GHSA-c2c7-rcm5-vvqj (ReDoS via extglob quantifiers) in transitive dependencies (#302)
+- **Override flatted to >=3.4.0** - Fixes GHSA-25h7-pfq9-p65f
+
+### Dependencies
+- **Bump production dependencies** - hono, @hono/node-server, picomatch, and others (#289, #292, #297, #298)
+- **Bump dev dependencies** - eslint 9→10, typescript 5.7→5.9, typescript-eslint 8.50→8.57 (#301)
+- **Bump CI actions** - aquasecurity/trivy-action 0.35.0 (#288)
+
 ## [1.5.1] - 2026-03-09
 
 ### Fixed

package/bin/claude-threads-daemon

@@ -23,6 +23,9 @@
 # Environment variables:
 #   CLAUDE_THREADS_MAX_RESTARTS - Maximum restart attempts (default: unlimited)
 #   CLAUDE_THREADS_RESTART_DELAY - Delay between restarts in seconds (default: 2)
+#   CLAUDE_THREADS_INTERACTIVE - Set by index.ts when spawning the daemon to
+#                                indicate the parent had an interactive terminal.
+#                                Passed through to the child process.
 #
 
 set -e