llm-cli-gateway 1.17.7 → 1.17.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +37 -0
- package/dist/index.js +15 -14
- package/npm-shrinkwrap.json +4359 -0
- package/package.json +3 -2
package/CHANGELOG.md
CHANGED
|
@@ -4,6 +4,43 @@ All notable changes to the llm-cli-gateway project.
|
|
|
4
4
|
|
|
5
5
|
## Unreleased
|
|
6
6
|
|
|
7
|
+
## [1.17.8] - 2026-06-04: release-audit integrity fix + shrinkwrap groundwork
|
|
8
|
+
|
|
9
|
+
Patch release fixing a masking bug in the release security audit and documenting
|
|
10
|
+
the consumer-side tar-stream@2.2.0 exposure honestly: `package.json#overrides`
|
|
11
|
+
only pins tar-stream 3.1.7 in this repo's own tree — npm overrides never
|
|
12
|
+
propagate to dependents, so `npm install llm-cli-gateway` still resolves
|
|
13
|
+
tar-stream@2.2.0 under better-sqlite3 → prebuild-install → tar-fs in the
|
|
14
|
+
consumer's tree. The canonical remedy, a published `npm-shrinkwrap.json`, is
|
|
15
|
+
currently **ignored by npm itself** (npm/cli#7977, verified empirically against
|
|
16
|
+
npm 11.12.1 with lockfileVersion 2 and 3): no mechanism available to this
|
|
17
|
+
package can pin a dependent's transitive resolution today.
|
|
18
|
+
|
|
19
|
+
### Fixed
|
|
20
|
+
|
|
21
|
+
- `scripts/release-security-audit.sh`: lockfile package names were derived with
|
|
22
|
+
`path.split('/node_modules/')`, which never matches top-level
|
|
23
|
+
`node_modules/<pkg>` entries — the packed-consumer-install check silently
|
|
24
|
+
passed 1.17.7 despite tar-stream@2.2.0 in the consumer tree. Names now derive
|
|
25
|
+
from a `node_modules/` split that handles top-level and nested entries.
|
|
26
|
+
|
|
27
|
+
### Added
|
|
28
|
+
|
|
29
|
+
- Ship `npm-shrinkwrap.json` (byte-identical copy of `package-lock.json`,
|
|
30
|
+
regenerated by `scripts/pre-release.sh`; the audit fails the release if the
|
|
31
|
+
two diverge). Inert today because of npm/cli#7977, but it becomes effective
|
|
32
|
+
the moment npm honours published shrinkwraps again — the audit detects that
|
|
33
|
+
flip and says so.
|
|
34
|
+
- Consumer-tree tar-stream 2.x is now a **documented advisory** in the audit
|
|
35
|
+
(warn, not fail): the exposure is upstream (better-sqlite3's install path),
|
|
36
|
+
install-time only (extracting the prebuilt binding fetched over HTTPS from
|
|
37
|
+
better-sqlite3's GitHub releases), and unfixable from this package until
|
|
38
|
+
npm/cli#7977 is resolved or better-sqlite3 drops `prebuild-install`. Any
|
|
39
|
+
other blocked version in the consumer tree still hard-fails.
|
|
40
|
+
- `scripts/pre-release.sh`: better-sqlite3 native-binding sanity check
|
|
41
|
+
(auto-`npm rebuild` when `npm install` re-lays the subtree without running
|
|
42
|
+
its install script) and deterministic shrinkwrap regeneration.
|
|
43
|
+
|
|
7
44
|
## [1.17.7] - 2026-06-04: Socket supply-chain score restoration
|
|
8
45
|
|
|
9
46
|
Patch release restoring the npm Socket supply-chain posture from 1.17.5
|
package/dist/index.js
CHANGED
|
@@ -1444,9 +1444,7 @@ export function prepareGrokRequest(params, runtime = resolveGatewayServerRuntime
|
|
|
1444
1444
|
args.push("--prompt-file", params.promptFile);
|
|
1445
1445
|
}
|
|
1446
1446
|
if (params.promptJson !== undefined) {
|
|
1447
|
-
const promptJsonValue = typeof params.promptJson === "string"
|
|
1448
|
-
? params.promptJson
|
|
1449
|
-
: JSON.stringify(params.promptJson);
|
|
1447
|
+
const promptJsonValue = typeof params.promptJson === "string" ? params.promptJson : JSON.stringify(params.promptJson);
|
|
1450
1448
|
if (!promptJsonValue.trim()) {
|
|
1451
1449
|
return createErrorResponse(params.operation, 1, "", corrId, new Error("promptJson: must be a non-empty JSON string or serializable value"));
|
|
1452
1450
|
}
|
|
@@ -3454,10 +3452,7 @@ export function createGatewayServer(deps = {}) {
|
|
|
3454
3452
|
.optional()
|
|
3455
3453
|
.describe("Grok --verbatim: send the prompt exactly as given. Also skips gateway optimizePrompt when true."),
|
|
3456
3454
|
agents: z
|
|
3457
|
-
.union([
|
|
3458
|
-
z.string().min(1),
|
|
3459
|
-
z.record(z.string(), z.record(z.string(), z.unknown())),
|
|
3460
|
-
])
|
|
3455
|
+
.union([z.string().min(1), z.record(z.string(), z.record(z.string(), z.unknown()))])
|
|
3461
3456
|
.optional()
|
|
3462
3457
|
.describe("Grok --agents <JSON>: inline subagent definitions (JSON string or name → { description, prompt, … } map)."),
|
|
3463
3458
|
promptFile: z
|
|
@@ -3478,10 +3473,16 @@ export function createGatewayServer(deps = {}) {
|
|
|
3478
3473
|
.boolean()
|
|
3479
3474
|
.optional()
|
|
3480
3475
|
.describe("Grok --experimental-memory: enable cross-session memory."),
|
|
3481
|
-
noAltScreen: z
|
|
3476
|
+
noAltScreen: z
|
|
3477
|
+
.boolean()
|
|
3478
|
+
.optional()
|
|
3479
|
+
.describe("Grok --no-alt-screen: run inline without alt screen."),
|
|
3482
3480
|
noMemory: z.boolean().optional().describe("Grok --no-memory: disable cross-session memory."),
|
|
3483
3481
|
noPlan: z.boolean().optional().describe("Grok --no-plan: disable plan mode."),
|
|
3484
|
-
noSubagents: z
|
|
3482
|
+
noSubagents: z
|
|
3483
|
+
.boolean()
|
|
3484
|
+
.optional()
|
|
3485
|
+
.describe("Grok --no-subagents: disable subagent spawning."),
|
|
3485
3486
|
oauth: z.boolean().optional().describe("Grok --oauth: use OAuth during authentication."),
|
|
3486
3487
|
restoreCode: z
|
|
3487
3488
|
.boolean()
|
|
@@ -4258,10 +4259,7 @@ export function createGatewayServer(deps = {}) {
|
|
|
4258
4259
|
.optional()
|
|
4259
4260
|
.describe("Grok --verbatim: send the prompt exactly as given. Also skips gateway optimizePrompt when true."),
|
|
4260
4261
|
agents: z
|
|
4261
|
-
.union([
|
|
4262
|
-
z.string().min(1),
|
|
4263
|
-
z.record(z.string(), z.record(z.string(), z.unknown())),
|
|
4264
|
-
])
|
|
4262
|
+
.union([z.string().min(1), z.record(z.string(), z.record(z.string(), z.unknown()))])
|
|
4265
4263
|
.optional()
|
|
4266
4264
|
.describe("Grok --agents <JSON>: inline subagent definitions (JSON string or name → { description, prompt, … } map)."),
|
|
4267
4265
|
promptFile: z
|
|
@@ -4286,7 +4284,10 @@ export function createGatewayServer(deps = {}) {
|
|
|
4286
4284
|
.boolean()
|
|
4287
4285
|
.optional()
|
|
4288
4286
|
.describe("Grok --no-alt-screen: run inline without alt screen."),
|
|
4289
|
-
noMemory: z
|
|
4287
|
+
noMemory: z
|
|
4288
|
+
.boolean()
|
|
4289
|
+
.optional()
|
|
4290
|
+
.describe("Grok --no-memory: disable cross-session memory."),
|
|
4290
4291
|
noPlan: z.boolean().optional().describe("Grok --no-plan: disable plan mode."),
|
|
4291
4292
|
noSubagents: z
|
|
4292
4293
|
.boolean()
|