discord-ops 0.23.0 → 0.23.3

package/CHANGELOG.md

@@ -1,5 +1,41 @@
 # discord-ops
 
+## 0.23.3
+
+### Patch Changes
+
+- 4faf83d: fix(release): pin npm to 11.5.1 for OIDC trusted-publishing auth
+
+  The previous corepack-based install activated npm 10.9.7 (corepack's
+  `npm@latest` alias is stale), which supports `--provenance` for sigstore
+  attestation but lacks native trusted-publishing OIDC auth. The publish
+  PUT to the registry therefore went out unauthenticated and was rejected
+  with a misleading E404. Pinning to npm 11.5.1 ensures both provenance
+  signing and TP auth function correctly.
+
+## 0.23.2
+
+### Patch Changes
+
+- d227788: chore(deps): resolve npm audit findings via audit fix
+
+  Updates lockfile to clear 1 high-severity (fast-uri path traversal,
+  CVSS 7.5) and 7 moderate-severity transitive vulnerabilities in hono,
+  ip-address, postcss, and ws. No direct dependency changes; no behavioral
+  impact. Unblocks `prepublishOnly` audit gate for release pipeline.
+
+## 0.23.1
+
+### Patch Changes
+
+- 2f303d6: chore: migrate npm publishing to Trusted Publishing (OIDC)
+
+  Removes long-lived `NPM_TOKEN` dependency from CI publish workflow.
+  Authentication now happens via GitHub Actions OIDC token federation,
+  in response to the npm Mini Shai-Hulud token rotation event. No
+  behavioral changes for package consumers — sigstore provenance
+  attestation is preserved.
+
 ## 0.23.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "discord-ops",
-  "version": "0.23.0",
+  "version": "0.23.3",
   "description": "Agency-grade Discord MCP server with multi-guild project routing",
   "type": "module",
   "license": "MIT",